
Abstract

Friday 2 October 12:00 - 12:30, Red room

Dorottya Papp (CrySyS Lab)
Balázs Kócsó (CrySyS Lab)
Tamás Holczer (CrySyS Lab)
Levente Buttyán (CrySyS Lab)
Boldizsár Bencsáth (CrySyS Lab)

Recent targeted malware attacks, e.g. Stuxnet, Duqu and Flame, used digitally signed components that appeared to originate from legitimate software makers. In the case of Stuxnet and Duqu, the private code-signing keys of legitimate companies were suspected to have been compromised and used by the attackers. In the case of Flame, the attackers generated a fake certificate that appeared to be a valid code-signing certificate issued by Microsoft, and used the corresponding private key to sign their malware.

The purpose of code signing is to ensure the authenticity and integrity of software packages. However, ultimately the effectiveness of code signing as a security mechanism also depends on the security of the underlying Public Key Infrastructure (PKI). As the examples above show, attackers have already started to exploit weaknesses in the PKI system supporting code signing, and we expect that this trend will become stronger. Consequently, there is an urgent need to strengthen the PKI which code signing relies on. At the same time, given its size and complexity, making the entire PKI system 100% secure is illusionary, and one should rather adopt a best-effort approach that raises the bar for the attackers even if attacks cannot completely be eliminated.

Motivated by the Stuxnet, Duqu and Flame cases, the specific problem that we address in our work is that standard signature verification procedures used in today's PKI systems do not allow for detecting key compromise and fake certificates. Therefore, the objective of the work is to augment the standard signature verification workflow with checking of reputation information on signers and signed objects.

For this purpose, we built a data collection framework and a data repository for signed software and code-signing certificates, we implemented services that use the repository for providing reputation information for signed objects, such as when a given signed object has first been seen and how often it was looked up by users, and we also provide alert services for private key owners that help them detect when their signing keys have been used illegitimately.

Our system, called Repository of Signed Code (ROSCO), does not aim to replace the entire code-signing infrastructure. Rather, it complements existing PKI functions with useful services that can be used by different participants to increase their confidence in the legitimacy of signed code. For end-users, the benefits are obvious: our repository serves them when they have to decide about the trustworthiness of to-be-installed code. For software makers, our repository can be used to detect the malicious use of their signing key. For security companies, our repository could be an invaluable source of information, which they can use to detect malicious campaigns and trends in signing malicious code.
