How to Measure TLS, X.509 Certificates, and Web PKI: A Tutorial and Brief Survey

Transport Layer Security (TLS) is the base for many Internet applications and services to achieve end-to-end security. In this paper, we provide guidance on how to measure TLS deployments, including X.509 certificates and Web PKI. We introduce common data sources and tools, and systematically describe necessary steps to conduct sound measurements and data analysis. By surveying prior TLS measurement studies we find that diverging results are rather rooted in different setups instead of different deployments. To improve the situation, we identify common pitfalls and introduce a framework to describe TLS and Web PKI measurements. Where necessary, our insights are bolstered by a data-driven approach, in which we complement arguments by additional measurements

Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain

The Android Open Source Project (AOSP) was first released by Google in 2008 and has since become the most used operating system [Andaf]. Thanks to the openness of its source code, any smartphone vendor or original equipment manufacturer (OEM) can modify and adapt Android to their specific needs, or add proprietary features before installing it on their devices in order to add custom features to differentiate themselves from competitors. This has created a complex and diverse supply chain, completely opaque to end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and prominent actors of the online industry that partnered with OEMs. Each of these stakeholders can pre-install extra apps, or implement proprietary features at the framework level. However, such customizations can create privacy and security threats to end-users. Preinstalled apps are privileged by the operating system, and can therefore access system APIs or personal data more easily than apps installed by the user. Unfortunately, despite these potential threats, there is currently no end-to-end control over what apps come pre-installed on a device and why, and no traceability of the different software and hardware components used in a given Android device. In fact, the landscape of pre-installed software in Android and its security and privacy implications has largely remained unexplored by researchers. In this thesis, I investigate the customization of Android devices and their impact on the privacy and security of end-users. Specifically, I perform the first large-scale and systematic analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app, Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000 different OEMs from all over the world. This dataset allows us to map the stakeholders involved in the supply chain and their relationships, from device manufacturers and mobile network operators to third-party organizations like advertising and tracking services, and social network platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors. My results show a disturbing lack of transparency and control over the Android supply chain, thus showing that it can be damageable privacy- and security-wise to end-users. Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing, the permission system empowers users to control what sensitive resources (e.g., user contacts, the camera, location sensors) are accessible to which apps. The research community has extensively studied the permission system, but most previous studies focus on its limitations or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis of the evolution of the permissions system. I study how some lesser-known features of the permission system, specifically permission flags, can impact the permission granting process, making it either more restrictive or less. I then highlight how pre-installed apps developers use said flags in the wild and focus on the privacy and security implications. Specifically, I show the presence of third-party apps, installed as privileged system apps, potentially using said features to share resources with other third-party apps. Another salient feature of the permission system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what impact these permissions may have on users’ privacy and security. In the last part of this thesis, I investigate the exposure and request of custom permissions in the Android ecosystem and their potential for opening privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and publicly available apps using both Firmware Scanner and purpose-built app store crawlers. I find the usage of custom permissions to be pervasive, regardless of the origin of the apps, and seemingly growing over time. Despite this prevalence, I find that custom permissions are virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends that developers use their reverse domain name as the prefix of their custom permissions [Gpla], I find widespread violations of this recommendation, making sound attribution at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions, without user awareness. Due to the lack of tools for studying such risks, I design and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd] to study custom permissions. I highlight multiple cases of concerning use of custom permissions by Android apps in the wild. In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of preinstalled Android apps. My results show a complete lack of control of the supply chain which is worrying, given the huge potential impact of pre-installed apps on the privacy and security of end-users. I conclude with a number of open research questions and future avenues for further research in the ecosystem of the supply chain of Android devices.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Douglas Leith.- Secretario: Rubén Cuevas Rumín.- Vocal: Hamed Haddad

SoK: Delegation and Revocation, the Missing Links in the Web's Chain of Trust

The ability to quickly revoke a compromised key is critical to the security of any public-key infrastructure. Regrettably, most traditional certificate revocation schemes suffer from latency, availability, or privacy problems. These problems are exacerbated by the lack of a native delegation mechanism in TLS, which increasingly leads domain owners to engage in dangerous practices such as sharing their private keys with third parties. We analyze solutions that address the long-standing delegation and revocation shortcomings of the web PKI, with a focus on approaches that directly affect the chain of trust (i.e., the X.509 certification path). For this purpose, we propose a 19-criteria framework for characterizing revocation and delegation schemes. We also show that combining short-lived delegated credentials or proxy certificates with an appropriate revocation system would solve several pressing problems.Comment: IEEE European Symposium on Security and Privacy (EuroS&P) 202

Enhancing System Transparency, Trust, and Privacy with Internet Measurement

While on the Internet, users participate in many systems designed to protect their information’s security. Protection of the user’s information can depend on several technical properties, including transparency, trust, and privacy. Preserving these properties is challenging due to the scale and distributed nature of the Internet; no single actor has control over these features. Instead, the systems are designed to provide them, even in the face of attackers. However, it is possible to utilize Internet measurement to better defend transparency, trust, and privacy. Internet measurement allows observation of many behaviors of distributed, Internet-connected systems. These new observations can be used to better defend the system they measure. In this dissertation, I explore four contexts in which Internet measurement can be used to the aid of end-users in Internet-centric, adversarial settings. First, I improve transparency into Internet censorship practices by developing new Internet measurement techniques. Then, I use Internet measurement to enable the deployment of end-to-middle censorship circumvention techniques to a half-million users. Next, I evaluate transparency and improve trust in the Web public-key infrastructure by combining Internet measurement techniques and using them to augment core components of the Web public-key infrastructure. Finally, I evaluate browser extensions that provide privacy to users on the web, providing insight for designers and simple recommendations for end-users. By focusing on end-user concerns in widely deployed systems critical to end-user security and privacy, Internet measurement enables improvements to transparency, trust, and privacy.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/163199/1/benvds_1.pd

Understanding of Adversary Behavior and Security Threats in Public Key Infrastructures

Public Key Infrastructure (PKI) is designed to guarantee the authenticity and integrity of digital assets such as messages, executable binaries, etc. In PKIs, there are two representative applications: 1) the Web PKI and 2) the Code-Signing PKI. 1) The Web PKI enables entities (e.g., clients and web service providers) to securely communicate over untrusted networks such as the Internet, and 2) the Code-Signing PKI helps protect clients from executing files of unknown origin. However, anecdotal evidence has indicated that adversaries compromised and abused the PKIs, which poses security threats to entities. For example, CAs have mis-issued digital certificates to adversaries due to their failed vetting processes. Moreover, private keys that are supposed to be securely kept were stolen by adversaries. Such mis-issued certificates or stolen private keys were used to launch impersonation attacks. In this regard, we need to have a sound understanding of such security threats and adversaries' behaviors in the PKIs to mitigate them and further to enhance the security of the PKIs. In this dissertation, we conduct a large-scale measurement study in the two representative applications---the Web PKI and the Code-Signing PKI---to better understand adversaries' behaviors and the potential security threats. First, in 1) the Web PKI, we mainly focus on phishing websites served with TLS certificates. From the measurement study, we observe that certificate authorities (CAs) often fail in their vetting process and mis-issue TLS certificates to adversaries (i.e., phishing attackers). Also, CAs rarely revoke their issued TLS certificates that have been compromised. Second, in 2) the Code-Signing PKI, we characterize the weaknesses of the three actors (i.e., CAs, software publishers, and clients) that adversaries can exploit to compromise the Code-Signing PKI. Moreover, we measure the effectiveness of the primary defense, revocation, against the Code-Signing PKI abuses. We find that erroneous revocations (e.g., wrong effective revocation date setting) can pose additional security threats to clients who execute binaries because the revocations become ineffective. Such security threats stem from an inherent challenge of setting an effective revocation date in the Code-Signing PKI and CAs' misunderstanding of the PKI. These findings help Anti-Virus companies and a CA fix their flaws

Understanding the trust relationships of the web PKI

TLS and the applications it secures (e.g., email, online banking, social media) rely on the web PKI to provide authentication. Without strong authentication guarantees, a capable attacker can impersonate trusted network entities and undermine both data integrity and confidentiality. At its core, the web PKI succeeds as a global authentication system because of the scalability afforded by trust. Instead of requiring every network entity to directly authenticate every other network entity, network entities trust certification authorities (CAs) to perform authentication on their behalf. Prior work has extensively studied the TLS protocol and CA authentication of network entities (i.e., certificate issuance), but few have examined even the most foundational aspect of trust management and understood which CAs are trusted by which TLS user agents, and why. One major reason for this disparity is the opacity of trust management in two regards: difficult data access and poor specifications. It is relatively easy to acquire and test popular TLS client/server software and issued certificates. On the other hand, tracking trust policies/deployments and evaluating CA operations is less straightforward, but just as important for securing the web PKI. This dissertation is one of the first attempts to overcome trust management opacity. By observing new measurement perspectives and developing novel fingerprinting techniques, we discover the CAs that operate trust anchors, the default trust anchors that popular TLS user agents rely on, and a general class of injected trust anchors: TLS interceptors. This research not only facilitates new ecosystem visibility, it also provides an empirical grounding for trust management specification and evaluation. Furthermore, our findings point to many instances of questionable, and sometimes broken, security practices such as improperly identified CAs, inadvertent and overly permissive trust, and trivially exploitable injected trust. We argue that most of these issues stem from inadequate transparency, and that explicit mechanisms for linking trust anchors and root stores to their origins would help remedy these problems

UNDERSTAND, DETECT, AND BLOCK MALWARE DISTRIBUTION FROM A GLOBAL VIEWPOINT

Malware still is a vital security threat. Adversaries continue to distribute various types of malicious programs to victims around the world. In this study, we try to understand the strategies the miscreants take to distribute malware, develop systems to detect malware delivery and explore the benefit of a transparent platform for blocking malware distribution in advance. At the first part of the study, to understand the malware distribution, we conduct several measurements. We initiate the study by investigating the dynamics of malware delivery. We share several findings including the downloaders responsible for the malware delivery and the high ratio of signed malicious downloaders. We further look into the problem of signed malware. To successfully distribute malware, the attacker exploits weaknesses in the code-signing PKI, which falls into three categories: inadequate client-side protections, publisher-side key mismanagement, and CA-side verification failures. We propose an algorithm to identify malware that exploits those weaknesses and to classify to the corresponding weakness. Using the algorithm, We conduct a systematic study of the weaknesses of code-signing PKI on a large scale. Then, we move to the problem of revocation. Certificate revocation is the primary defense against the abuse in code-signing PKI. We identify the effective revocation process, which includes the discovery of compromised certificates, the revocation date setting, and the dissemination of revocation information; moreover, we systematically measure the problems in the revocation process and new threats introduced by these problems. For the next part, we explore two different approaches to detect the malware distribution. We study the executable files known as downloader Trojans or droppers, which are the core of the malware delivery techniques. The malware delivery networks instruct these downloaders across the Internet to access a set of DNS domain address to retrieve payloads. We first focus on the downloaded by relationship between a downloader and a payload recorded by different sensors and introduce the downloader graph abstraction. The downloader graph captures the download activities across end hosts and exposes large parts of the malware download activity, which may otherwise remain undetected, by connecting the dots. By combining telemetry from anti-virus and intrusion-prevention systems, we perform a large-scale analysis on 19 million downloader graphs from 5 million real hosts. The analysis revealed several strong indicators of malicious activity, such as the slow growth rate and the high diameter. Moreover, we observed that, besides the local indicators, taking into account the global properties boost the performance in distinguishing between malicious and benign download activity. For example, the file prevalence (i.e., the number of hosts a file appears on) and download patterns (e.g., number of files downloaded per domain) are different from malicious to benign download activities. Next, we target the silent delivery campaigns, which is the critical method for quickly delivering malware or potentially unwanted programs (PUPs) to a large number of hosts at scale. Such large-scale attacks require coordination activities among multiple hosts involved in malicious activity. We developed Beewolf, a system for detecting silent delivery campaigns from Internet-wide records of download events. We exploit the behavior of downloaders involved in campaigns for this system: they operate in lockstep to retrieve payloads. We utilize Beewolf to identify these locksteps in an unsupervised and deterministic fashion at scale. Moreover, the lockstep detection exposes the indirect relationships among the downloaders. We investigate the indirect relationships and present novel findings such as the overlap between the malware and PUP ecosystem. The two different studies revealed the problems caused by the opaque software distribution ecosystem and the importance of the global properties in detecting malware distribution. To address both of these findings, we propose a transparent platform for software distribution called Download Transparency. Transparency guarantees openness and accountability of the data, however, itself does not provide any security guarantees. Although there exists an anecdotal example showing the benefit of transparency, it is still not clear how beneficial it is to security. In the last part of this work, we explore the benefit of transparency in the domain of downloads. To measure the performance, we designed the participants and the policies they might take when utilizing the platform. We then simulate different policies with five years of download events and measure the block performance. The results suggest that the Download Transparency can help to block a significant part of the malware distribution before the community can flag it as malicious