flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > Software update system


Do you think this project could be useful for you ?
Yes
40%
 40%  [ 2 ]
Perhaps
0%
 0%  [ 0 ]
No
60%
 60%  [ 3 ]
Total Votes : 5

Author
Thread Post new topic Reply to topic
Gilles



Joined: 25 Oct 2004
Posts: 24
Gilles
Hi everybody,
My recent idea is to build (for the program I'm writing) an update system. here is a picture :

--------
| Server |
--------
|
| <------- Protocol1
|
--------
| Agent |
--------
|
| <------- Protocol2
|
----------------------------
| Client built in the |
| released program (RP) |
----------------------------

Description:

Server (Part of the update system)
Listening on a port defined in protocol1

Agent (Part of the update system)

- Program (dll or exe).
- Not directly related to the RP.
- Is distributed independentlyof the RP
- Undestand the protocol1 and protocol2
- Can be updated

Release Program (Only half Part of the update system)

- Program (exe)
- The one for which this system is build for.
- Have a protocol2 client builtin for :
* Binary package Update request
* Optionally source package request

Why ?

1) Personnal challenge
- Write the whole stuff needed using only FASM
- Learning network programming
- Security thought

2) I want my future distributed program to be able to request for new update.
All that will be left to the user is the authorization to install, no more need
for users to search throught the net for latest release of the program.

3) also source code could be delivered instantly and privately.

4) Protocol1 and protocol2 will define an authentication process.

Operating system target
-----------------------
Window XP (It's the version of window I'm currently working with)


What is your opinion ?
Post 24 Jul 2008, 11:32
View user's profile Send private message Visit poster's website Reply with quote
AxelDominatoR



Joined: 11 Aug 2004
Posts: 12
AxelDominatoR
I find auto-update systems an interesting matter. They can be useful in many places, if designed well.
I can offer some help, if needed, but I'm under Gentoo Linux.
Post 24 Jul 2008, 12:11
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number Reply with quote
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
Why do you need a custom server? Why not have it based on HTTP + XML, like .NET's automatic updates?
Post 24 Jul 2008, 13:12
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
My two cents:

No reboots. Ever. You should know how pleasant it is: "You've been upgraded to version XX.YY, now shut up and shutdown/reboot" Wink
Post 07 Sep 2008, 16:35
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
I would like some cryptography added too, some way the agent can check that the update really comes from the official server and not from a spoofed one like http://www.thetechherald.com/article.php/200831/1598/Kaminsky-DNS-flaw-used-as-an-example-in-testing-of-Evilgrade and many other ways (especially on LAN environments). So update signing is one of the things that should be added IMHO.

As for protocol I recommend you to use HTTP all you can because it is the most widely allowed to use (e.g. a LAN inside an office could have HTTP port 80 access to the Internet only).
Post 07 Sep 2008, 17:53
View user's profile Send private message Reply with quote
OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
OzzY
Best way to implement this is put the updates at the project website and just use HTTP GET method using sockets to download the stuff.

Maybe you could also use gzipped updates and use zlib to unpack.
Post 08 Sep 2008, 20:04
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
LocoDelAssembly wrote:
…So update signing is one of the things that should be added IMHO…
Code signing is such a pain-in-the-arse for small to medium Wink business so nobody really cares… MD5/SHA hash check will be sufficient (BTW, it's what code signing does Wink).

_________________
"Don't belong. Never join. Think for yourself. Peace." – Victor Stone.
Post 27 Sep 2008, 20:24
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16843
Location: In your JS exploiting you and your system
revolution
baldr wrote:
LocoDelAssembly wrote:
…So update signing is one of the things that should be added IMHO…
Code signing is such a pain-in-the-arse for small to medium Wink business so nobody really cares… MD5/SHA hash check will be sufficient (BTW, it's what code signing does Wink).
Sure, code signing uses hashes but there needs to be a way to securely deliver the hashes else the hash will just be spoofed also. A simple asymmetric key function can suffice, either RSA or preferably (because of the smaller keys) ECC.
Post 28 Sep 2008, 09:10
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
What comrade, LocoDelAssembly and revolution said.

HTTP, XML definition files, and pubkey-crypto signing. The first two make things easier for both you and users, the second is to prevent against all the really nasty attacks you can face in today's brutal world.
Post 28 Sep 2008, 13:55
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.