Wireshark-dev: Re: [Wireshark-dev] Verification of user when running Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 18 Oct 2010 16:14:37 -0700
On Oct 18, 2010, at 3:02 PM, Alex Lindberg wrote:

> I am creating a number of dissectors and my company has concerns regarding the security of Wireshark/Tshark if these proprietary dissectors escape into the wild.
> 
> Has anyone created a user authentication plugin for Wireshark/Tshark

No, because, for a given program or library, you can only create a plugin for operations where there are plugin hooks in the program or library, and Wireshark and TShark don't even have the notion of user authentication, much less a mechanism by which user authentication plugins can be added.  The types of plugins that Wireshark and TShark support are:

	1) dissectors;

	2) tap listeners;

	3) capture file format readers;

	4) codecs.

> that would require the user to have a certificate installed from a specific trusted authority?  The certificate should also be based on an interface of the computer running Wireshark.

If your proprietary dissectors are plugins that work with a standard distribution of Wireshark, a DRM mechanism for Wireshark/TShark itself wouldn't help - somebody could just plug the dissectors into a standard version of Wireshark, lacking that DRM mechanism, that they'd downloaded.  The *dissector plugins* would have to check for the certificate.

If your proprietary dissectors are built into a special version of Wireshark, you're already dealing with a modified version of the Wireshark source tree, so you could modify your version of Wireshark to do the certificate check.

Note, of course, that, as per the GNU Public License, Version 2, if you distribute an executable version of Wireshark to somebody, including a version built from source that you've modified (see section 2 of the GPLv3), you must do one of the following (see section 3 of the GPLv2):

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your  
    cost of physically performing source distribution, a complete   
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is 
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

which means that, if you've given them a binary version of Wireshark that includes your proprietary dissectors and the DRM code to prevent people without the certificate from running that version, you must provide the source code that was used to build that version, including your proprietary dissectors and the DRM code to prevent people without the certificate from running that version.

Once they have that source code, they may, then, remove the DRM code and build their own version (see section 6 of the GPLv2), and I think they may even redistribute that version in source and binary form (at least as I read section 6 of the GPLv2).

I am not certain what the rules are about plugins, but, at least at one point on one of the Wireshark mailing lists, somebody claimed that a plugin for Wireshark must itself be licensed under the GPLv2; I'm not certain which part of the GPLv2 would require that.  Section 2 does say

  These requirements apply to the modified work as a whole.  If
  identifiable sections of that work are not derived from the Program,  
  and can be reasonably considered independent and separate works in
  themselves, then this License, and its terms, do not apply to those
  sections when you distribute them as separate works.  But when you
  distribute the same sections as part of a whole which is a work based  
  on the Program, the distribution of the whole must be on the terms of
  this License, whose permissions for other licensees extend to the
  entire whole, and thus to each and every part regardless of who wrote it.

but I don't know whether a plugin for Wireshark, not based on *ANY* GPLed dissector code for Wireshark (if it were based on any existing GPLed code, it would itself be GPLed), could be considered an "identifiable [section] of that work ... not derived from the Program".