Code Signing

From attackics
Jump to navigation Jump to search
Code Signing
Mitigation
ID M1045
NIST SP 800-53 Rev. 4 SI-7
IEC 62443-3-3:2013 SR 3.4
IEC 62443-4-2:2019 CR 3.4

Description

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.


Techniques Addressed by Mitigation

NameUse
MasqueradingRequire signed binaries.
Module FirmwareDevices should verify that firmware has been properly signed by the vendor before allowing installation.
Program DownloadUtilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.
Project File InfectionAllow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.
RootkitDigital signatures may be used to ensure application DLLs are authentic prior to execution.
Supply Chain CompromiseWhen available utilize hardware and software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.
System FirmwareDevices should verify that firmware has been properly signed by the vendor before allowing installation.
User ExecutionPrevent the use of unsigned executables, such as installers and scripts.