Description
What is the problem?
Currently, SEB allows third-party programs to be launched and used during an examination by providing their name, e.g. excel.exe, in the configuration file. When such a program is launched, SEB uses the Windows Registry to find the full path to the executable file (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe). However, this registry key is obviously modifiable by a user/examinee prior to launching an exam, making it more than possible for a user/examinee to launch an arbitrary program.
```powershell
# setup.ps1
$whitelistedExe = $args[0]
$targetExe = $args[1]
$targetExeDirectory = Split-Path $targetExe -Parent
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$whitelistedExe" -Name "Path" -Value $targetExeDirectory
# Check if targetExe is already called the same as whitelistedExe
# If it isn't we need to create a copy of it with the same name as whitelistedExe
$targetExeName = Split-Path $targetExe -Leaf
if ($targetExeName -ne $whitelistedExe) {
    $targetExe | Copy-Item -Destination "$targetExeDirectory\$whitelistedExe"
}
```

Running a simple PowerShell script like the one above, e.g. `PS > ./setup.ps1 excel.exe path/to/cheat.exe`, will point the registry key to path/to and create a copy of path/to/cheat.exe named path/to/excel.exe. If an exam then allows the third-party program excel.exe, an examinee is able to actually launch cheat.exe, although under the name of the whitelisted executable. As long as there is at least one whitelisted program, an examinee can launch an arbitrary number of executables, as long as they carry the whitelisted name. This can be done by e.g. making a PowerShell script that launches any programs you want, turning it into an executable (with PS2EXE for example), and then running the setup.ps1 script to point the registry to it.
How can it be solved?
If the configuration file included a signature of the whitelisted executable file, e.g. a SHA256 of the executable with some salt provided in the config file, then SEB could compute that hash of the executable found on the host and compare it to the one stored in the configuration file. If there is a mismatch, that program is not valid and should not be allowed to launch; if it matches, it is allowed and should be possible to launch.
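One way to implement the proposed check, as an added example that is not SEB's code: the App Paths lookup is left out and the already-resolved path is passed in, and the config entry shape, the salt and the two file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def salted_digest(salt: bytes, chunks) -> str:
    """SHA-256 over salt || data, as the issue proposes for the config entry."""
    h = hashlib.sha256(salt)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def salted_sha256(path: str, salt: bytes) -> str:
    """Stream the executable from disk so large binaries are not read into memory."""
    with open(path, "rb") as f:
        return salted_digest(salt, iter(lambda: f.read(1 << 20), b""))


def is_launch_allowed(resolved_path: str, entry: dict) -> bool:
    """Allow the launch only if the resolved file matches the config fingerprint.

    The file name is deliberately not consulted: it is the one thing the
    App Paths trick lets an examinee control.
    """
    if not os.path.isfile(resolved_path):
        return False
    actual = salted_sha256(resolved_path, bytes.fromhex(entry["salt"]))
    # constant-time comparison, so a mismatch does not leak matching prefixes
    return hmac.compare_digest(actual, entry["sha256"])


def demo():
    """Constructed scenario: a 'genuine' excel.exe and a renamed substitute."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "office", "excel.exe")
        substitute = os.path.join(d, "cheat", "excel.exe")  # same name, other bytes
        for path, body in ((genuine, b"MZ constructed genuine bytes"),
                           (substitute, b"MZ constructed substitute bytes")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(body)
        salt = os.urandom(16)
        # Hypothetical config entry shape (not SEB's real configuration format).
        entry = {"name": "excel.exe", "salt": salt.hex(),
                 "sha256": salted_sha256(genuine, salt)}
        return is_launch_allowed(genuine, entry), is_launch_allowed(substitute, entry)
```

The check is only as strong as the integrity of the configuration that carries the fingerprint, and it pins one exact build, so the hash has to be refreshed whenever the whitelisted program is updated. Hashing the file before launch also leaves a window in which the binary could be swapped, so the verified bytes should ideally be the ones that are actually executed.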
Attached is an image of an exam which is configured to allow excel.exe, where a program that is very evidently not excel.exe is running.
