Table of Content
Introduction
The long awaited package hashing feature made a rather quite entrance on the Symantec Management Platform 7.5. Today we turn the light on this feature and how this (and a few others we'll discuss along) helps greatly strengthen the security of Symantec Management Platform package delivery.
Snapshot creation
The package snapshots are created on the Management Platform once a package is defined and saved or during the delta and full package refresh schedule tasks. It can also be refreshed using the "update distribution point" context option on the package.
The snapshots are stored under the "C:\ProgramData\Symantec\SMP\Snapshots" directory. This directory contains the snapshot xml file (saved as <packageid>.xml and the snapshot xml signature file (saved as <packageid>.sig). More details are available on this in the next section.
The generated snapshot file will contain an xml tree structured that matches the package directory, with the following attributes for each files:
- File name
- File size
- File modified date
- File sha256 sum
And the following attributes for each folder:
- Folder name
- Total Size
- File count
- Folder count
Here is a sample from the a test package:
<FolderSnapShot path="C:\Snapshot Hashing & Signing" time="2014-01-24 11:24:47" hash="uX0HHLHJEQm4hQJAQjgUPQ==" PkgVersion="1390562687">
<Root size="66437" files="1" folders="3">
<File name="vlan.c" size="16592" fileHash="0u97LvW57zB122jy762pTiLVuazJ5qp4Mgyb+ruJG9U=" lastModifiedTime="2014-01-24 09:45:49" />
<Folder name="full_mod" size="16661" files="1" folders="0">
<File name="vlan.c" size="16661" fileHash="P2tFsZL76XFzMHEUXqJS2J6xdeK2c1Wc44qs8R3Yhx0=" lastModifiedTime="2014-01-24 09:50:58" />
</Folder>
<Folder name="source" size="16592" files="1" folders="0">
<File name="vlan.c" size="16592" fileHash="0u97LvW57zB122jy762pTiLVuazJ5qp4Mgyb+ruJG9U=" lastModifiedTime="2014-01-20 02:40:07" />
</Folder>
<Folder name="stealth_mod" size="16592" files="1" folders="0">
<File name="vlan.c" size="16592" fileHash="nmxDsiazHVdP5QWSGRg68K4/iAgfnczD75k/FCID9KM=" lastModifiedTime="2014-01-20 02:40:07" />
</Folder>
</Root>
</FolderSnapShot>Snapshot delivery
In order to validate that the snapshot available on the client is the same as the one produced on the SMP the server now signs the snapshot cryptographically using its private key.
The snapshot and the signature are transferred by GetPackageSnapshot.aspx (both NS & IIS PS cases). In UNC PS case the snapshot and the signature are downloaded by directly copying the corresponding files from the remote PS share.
The codebases (the list of servers from which the package files and snapshots are available to the client based on Site and Subnet configuration) are available from the SMP GetPackageInfo.aspx interface. This interface now encrypts the response using the public agent key and decryption is done by the client.
This adds two new levels of security: first we can ensure that the snapshot used by the client is the same as the one generated on the server, second we ensure that the agent receives accurate codebases (again to avoid man-in-the-middle type of attacks).
Package download tests
Now, let's test how the features really operate on the managed end-point. Here's how the tests will be conducted:
- Define and create the test package
- Create the test Software Release
- Create the test Managed Delivery
- Base delivery test
- Package Transmission corruption test
- Local package corruption test
Define and create the test package:
To this avail I have prepared a package that contains 3 versions of a file named "vlan.c". This is the vlan implementation file from the Linux Kernel 3.13. The 3 files are each in a folder indicating the file state compared to the original version:
- "source\vlan.c": a clean copy of the vlan.c file from the Linux Kernel.
- "full_mod\vlan.c": this file is a copy of the original vlan.c that was modified using a plain text editor. The file content and modified date differ from the original.
- "stealth_mod\vlan.c": this file is a copy of the original vlan.c touched up to match the original file timestamp and file size. Only the file content does differ.
And at the package root with have a copy of the original vlan.c. This is the file that we will replace with the full and stealth mod files for testing.
Here's the header of the original file:
/* * INET 802.1Q VLAN * Ethernet-type device handling. * * Authors: Ben Greear * Please send support related email to: netdev@vger.kernel.org * VLAN Home Page: http://www.candelatech.com/~greear/vlan.html * * Fixes: * Fix for packet capture - Nick Eggleston ; * Add HW acceleration hooks - David S. Miller ; * Correct all the locking - David S. Miller ; * Use hash table for VLAN groups - David S. Miller * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Here's the header of the full mod file (delta in bold italic):
/* * Ludovic FERRE, Symantec Corporation, Snapshot HAshing check #1 * * INET 802.1Q VLAN * Ethernet-type device handling. * * Authors: Ben Greear * Please send support related email to: netdev@vger.kernel.org * VLAN Home Page: http://www.candelatech.com/~greear/vlan.html * * Fixes: * Fix for packet capture - Nick Eggleston ; * Add HW acceleration hooks - David S. Miller ; * Correct all the locking - David S. Miller ; * Use hash table for VLAN groups - David S. Miller * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Here's the header of the stealth mod file (delta in bold italic):
/* * INET 802.1Q vla2 * Ethernet-type device handling. * * Authors: Ben Greear * Please send support related email to: netdev@vger.kernel.org * vla2 Home Page: http://www.candelatech.com/~greear/vla2.html * * Fixes: * Fix for packet capture - Nick Eggleston ; * Add HW acceleration hooks - David S. Miller ; * Correct all the locking - David S. Miller ; * Use hash table for vla2 groups - David S. Miller * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
I will not details here how to create a package. But here is how I named the it: "Snapshot Hashing and Signing"
Create the test Software Release
Here is an outline of the Software Release that was created for this test:
- Version: 3.13
- Name: Snapshot Hashing & Signing test SWR
- Package: Snapshot Hashing & Signing
- Command type: install / batch
- Command line: cmd /c
The release in itself is very simple.
Create the test Managed Delivery
Once the Software Release is saved you can right click on the object in the tree or select Action in the resource Manager > Create Managed Delivery Policy.
The policy needs to have a schedule starting in the future (I choose the end of the day) that is set to repeat so that it remains available on the Symantec Management Agent UI for us to run path the initial execution. It must use the "Snapshot Hashing & Signing" package and the install command line.
Base delivery test:
In this test we deliver the package on the agent from a package server, with all files matching the snapshot taken from the SMP.
This is how things do work normally, so I won't document the test results: all worked as expected.
Package transmission corruption test:
In this test we replace package files on the package server. This simulates network transmission error, or Package Server out-of-synchronization use case. On the local cache we delete the folder content and launch the Managed Delivery.
The test was done in multiple interesting conditions:
- A file content is valid but the timestamp is different from the snapshot
- A file content is invalid but the timestamp is the same as the snapshot
- A file content is invalid and the timestamp is different from the snapshot
Local package corruption test :
In this test we replace package files on the local package cache. This simulates local package corruption that can be caused by running the managed delivery itself (some programs do over-write existing file(s) on the running folder).
The test was done in multiple interesting conditions:
- A file content is valid but the timestamp is different from the snapshot
- A file content is invalid but the timestamp is the same as the snapshot
- A file content is invalid and the timestamp is different from the snapshot
Test results:
Thanks to an efficient design the Transmission corrupt / Remote out of Sync versus Local cache corruption are dealt with in the same manner when it comes to matching the snapshot, so both of the main tests above end up being the same (but we still had to run thru the tests to find this out) albeit the remediation is different: in the local corruption we download back from the PS immediately. In the transmission corruption case we have a 180 seconds delay before the download is triggered again.
Also the last 2 test conditions ended up with the same result: regardless of the timestamp, the file hash is found to not match, and causes the file to be deleted and re-downloaded all the same.
Now, this article should contain enough for anyone out here on Connect to run the tests on their own so I will not detail the tedious process I went thru nor add log data. Rather we'll show how the software behaved in the 2 test conditions.
1. The content is the same but the timestamp differs:
In this case the timestamp is altered to match the snapshot (see the warning entries below). This is safe to do in 7.5 as we can validate that the file content is the same as what we have on the server.
2. The content is not the same:
The invalid file is deleted and downloaded afresh.
Conclusion
The Symantec Management Agent 7.5 is built up with very strong security features that will prevent the delivered packages from running if any of the snapshot file do not match the snapshot that was defined on the Symantec Management Platform.