Once the program has been completed, it must be distributed. Distribution involves placing the program in a repository where it cannot be altered except by authorized people, and from which it can be retrieved and sent to the intended recipients. This requires a policy for distribution. Specific factors to be considered are as follows.
Who can use the program? If the program is licensed to a specific organization, or to a specific host, then each copy of the program that is distributed must be tied to that organization or host so it cannot be redistributed or pirated. This is an originator controlled policy.68 One approach is to provide the licensee with a secret key and encipher the software with the same key. This prevents redistribution without the licensee’s consent, unless the attacker breaks the cryptosystem or steals the licensee’s key.69
How can the integrity of the master copy be protected? If an attacker can alter the master copy, from which distribution copies are made, then the attacker can compromise all who use the program.
EXAMPLE: The program tcp wrappers provides host-level access control for network servers. It is one of the most widely used programs in the UNIX community. In 1996, attackers broke into the site from which that program could be obtained . They altered the program to allow all connections to succeed. More than 50 groups obtained the program before the break-in was detected.
Part of the problem is credibility. If an attacker can pose as the vendor, then all who obtain the program from the attacker will be vulnerable to attack. This tactic undermines trust in the program and can be surprisingly hard to counter. It is analogous to generating a cryptographic checksum for a program infected with a computer virus.70 When an uninfected program is obtained, the integrity checker complains because the checksum is wrong. In our example, when the real vendor contacts the duped customer, the customer usually reacts with disbelief, or is unwilling to concede that his system has been compromised.
How can the availability of the program be ensured? If the program is sent through a physical medium, such as a read-only DVD, availability is equivalent to the availability of mail or messenger services between the vendor and the buyer. If the program is distributed through electronic means, however, the distributor must take precautions to ensure that the distribution site is available. Denial of service attacks such as SYN flooding may hamper the availability.
Like a program, the distribution is controlled by a policy. All considerations that affect a security policy affect the distribution policy as well.