The Good, the Bad, and the Actively Verified

We believe that we can use active probing for compromise recovery. Our intent is to exploit the differences in behavior between compromised and uncompromised systems and use that information to identify those which are not behaving as expected. Those differences may indicate a deviation in either con figuration or implementation from what we expect on the network, either of which suggests that the misbehaving entity might not be trustworthy. In this work, we propose and build a case for a method for using altered behavior directly resulting from or introduced as a side-effect of the compromise of a network service to detect the presence of such a compromise. We use several case studies to illustrate our technique, and demonstrate its feasibility with a software tool developed using our method

Towards a Trustworthy Thin Terminal for Securing Enterprise Networks

Organizations have many employees that lack the technical knowledge to securely operate their machines. These users may open malicious email attachments/links or install unverified software such as P2P programs. These actions introduce significant risk to an organization\u27s network since they allow attackers to exploit the trust and access given to a client machine. However, system administrators currently lack the control of client machines needed to prevent these security risks. A possible solution to address this issue lies in attestation. With respect to computer science, attestation is the ability of a machine to prove its current state. This capability can be used by client machines to remotely attest to their state, which can be used by other machines in the network when making trust decisions. Previous research in this area has focused on the use of a static root of trust (RoT), requiring the use of a chain of trust over the entire software stack. We would argue this approach is limited in feasibility, because it requires an understanding and evaluation of the all the previous states of a machine. With the use of late launch, a dynamic root of trust introduced in the Trusted Platform Module (TPM) v1.2 specification, the required chain of trust is drastically shortened, minimizing the previous states of a machine that must be evaluated. This reduced chain of trust may allow a dynamic RoT to address the limitations of a static RoT. We are implementing a client terminal service that utilizes late launch to attest to its execution. Further, the minimal functional requirements of the service facilitate strong software verification. The goal in designing this service is not to increase the security of the network, but rather to push the functionality, and therefore the security risks and responsibilities, of client machines to the network€™s servers. In doing so, we create a platform that can more easily be administered by those individuals best equipped to do so with the expectation that this will lead to better security practices. Through the use of late launch and remote attestation in our terminal service, the system administrators have a strong guarantee the clients connecting to their system are secure and can therefore focus their efforts on securing the server architecture. This effectively addresses our motivating problem as it forces user actions to occur under the control of system administrators

Ordered Merkle Tree a Versatile Data-Structure for Security Kernels

Hidden undesired functionality is an unavoidable reality in any complex hardware or software component. Undesired functionality — deliberately introduced Trojan horses or accidentally introduced bugs — in any component of a system can be exploited by attackers to exert control over the system. This poses a serious security risk to systems — especially in the ever growing number of systems based on networks of computers. The approach adopted in this dissertation to secure systems seeks immunity from hidden functionality. Specifcally, if a minimal trusted computing base (TCB) for any system can be identifed, and if we can eliminate hidden functionality in the TCB, all desired assurances regarding the operation of the system can be guaranteed. More specifcally, the desired assurances are guaranteed even if undesired functionality may exist in every component of the system outside the TCB. A broad goal of this dissertation is to characterize the TCB for various systems as a set of functions executed by a trusted security kernel. Some constraints are deliberately imposed on the security kernel functionality to reduce the risk of hidden functionality inside the security kernel. In the security model adopted in this dissertation, any system is seen as an interconnection of subsystems, where each subsystem is associated with a security kernel. The security kernel for a subsystem performs only the bare minimal tasks required to assure the integrity of the tasks performed by the subsystem. Even while the security kernel functionality may be different for each system/subsystem, it is essential to identify reusable components of the functionality that are suitable for a wide range of systems. The contribution of the research is a versatile data-structure — Ordered Merkle Tree (OMT), which can act as the reusable component of various security kernels. The utility of OMT is illustrated by designing security kernels for subsystems participating in, 1) a remote fle storage system, 2) a generic content distribution system, 3) generic look-up servers, 4) mobile ad-hoc networks and 5) the Internet’s routing infrastructure based on the border gateway protocol (BGP)

Authoritative and Unbiased Responses to Geographic Queries

Trust in information systems stem from two key properties of responses to queries regarding the state of the system, viz., i) authoritativeness, and ii) unbiasedness. That the response is authoritative implies that i) the provider (source) of the response, and ii) the chain of delegations through which the provider obtained the authority to respond, can be verified. The property of unbiasedness implies that no system data relevant to the query is deliberately or accidentally suppressed. The need for guaranteeing these two important properties stem from the impracticality for the verifier to exhaustively verify the correctness of every system process, and the integrity of the platform on which system processes are executed. For instance, the integrity of a process may be jeopardized by i) bugs (attacks) in computing hardware like Random Access Memory (RAM), input/output channels (I/O), and Central Processing Unit( CPU), ii) exploitable defects in an operating system, iii) logical bugs in program implementation, and iv) a wide range of other embedded malfunctions, among others. A first step in ensuing AU properties of geographic queries is the need to ensure AU responses to a specific type of geographic query, viz., point-location. The focus of this dissertation is on strategies to leverage assured point-location, for i) ensuring authoritativeness and unbiasedness (AU) of responses to a wide range of geographic queries; and ii) useful applications like Secure Queryable Dynamic Maps (SQDM) and trustworthy redistricting protocol. The specific strategies used for guaranteeing AU properties of geographic services include i) use of novel Merkle-hash tree- based data structures, and ii) blockchain networks to guarantee the integrity of the processes

Attacks on WebView in the Android System

WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded\browsers , WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized \browsers for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView. The design ofWebView changes the landscape of theWeb, especially from the security perspective. Two essential pieces of the Web\u27s security infrastructure are weakened if Web- View and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As results, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions

Certificate polygamy: a matter of trust

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011O acesso a serviços disponíveis na Internet expõe os utilizadores a diversos ataques, tal como o Man-in-the-Middle (MitM). As defesas para estes ataques, tais como autenticação mútua através de uma Public Key Infrastructure (PKI), baseiam-se em infra-estruturas complexas que os utilizadores não estão disponíveis para utilizar e suportar. A enorme aceitação de métodos de autenticação designados por “acto de fé” (leap-of-faith) ou “confiar na primeira utilização” (TOFU, trust-on-first-use), utilizado em implementações comuns de SSH e TLS/SSL, dão sinais claros da pré-disposição dos utilizadores em sacrificar a segurança em prol de uma melhor usabilidade. Aliás, este é um comportamento comum na vida quotidiana das pessoas. Se alguém se apresentar apenas com um cartão de visita, teremos tendência a confiar no seu conteúdo. Apenas desconfiaremos se, mais tarde, outra identificação for apresentada. Por outras palavras, confiamos nas primeiras credenciais apresentadas. Esta temática foi abordada por soluções como o Perspectives, que fornecem autenticação tipo SSH com sondagens através de múltiplos caminhos/acessos, descrito em [1]. Através da observação e recolha das chaves públicas observadas ao longo do tempo por servidores espalhados geograficamente, designados por Notários, o Perspectives impede muitos dos ataques possíveis num cenário de TOFU. Um utilizador pode solicitar o historial de chaves de um determinado serviço, comparando-o à chave oferecida na utilização corrente, e com esse historial tomar uma decisão mais informada quanto ao aceitar uma chave que não exista em cache. No entanto, o Perspectives assume um certificado por sítio, o que não é um pressuposto válido em muitos casos. Nesse caso, como pode o utilizador distinguir entre um certificado adicional introduzido pelo serviço a que está a aceder, e uma situação de ataque, em que o certificado está a ser fornecido pelo atacante? A presente tese endereça esta temática de poligamia de certificados, aumentando a visão dos Notários por forma a fornecer uma visão consolidada de diversos certificados. Adicionalmente, sugerimos alterações a alguns módulos do Perspectives, nomeadamente o módulo de sondagem (probing) for forma a lidar com questões tais como existência de mecanismos de caching acoplados aos serviços, pela utilização de, por exemplo, proxies.Users are vulnerable to attacks, such as Man-in-the-Middle (MitM) attack, whenever they resort to services in the Internet. Common defenses for these attacks, like mutual authentication based, for example, on a Public Key Infrastructure (PKI), rely on complex infra-structures that users are unwilling to support. Huge acceptance of simple methods like Trust-on-first-use (TOFU, also known as “leap-of-faith” authentication), employed by popular implementations of SSH and TLS/SSL, clearly indicate that users are prepared to sacrifice security for the sake of low-cost and more usable solutions. Moreover, this is a behavior that users are familiar with. If one meets a person who hands over some credentials, such as nickname, email address or even a business card, one will bind those credentials to that person in all future contacts, without initially asking for his or her ID. In other words, one trusts these credentials on the first time they are seen, and then uses them in all future interactions with that person. This topic has been addressed previously in solutions like Perspectives, which provides SSH-style Host Authentication with Multi-Path Probing, as described in [1]. By observing and collecting the server’s public keys over time, maintaining them in a set of geographically disperse servers known as “Notaries”, Perspective thwarts many of the attacks that are possible in a TOFU scenario. A user can download such records on demand, comparing them with the current key provided by the site being accessed. Although not secure to all attacks, users can make a more educated decision on accepting or rejecting each certificate. However, Perspectives assumes one certificate per site, which is a false assumption in some cases. So, how can users differentiate between a distinct, legitimate certificate provided by the site, and a fake certificate provided by an attacker? This thesis addresses this certificate polygamy issue, by enhancing the concept of the Notaries used in Perspectives, and provides a consistent view of a set of certificates to the user. Moreover, it suggests changes in modules like the probing module, to keep a clear and consistent observation of certificates, despite caching and reutilization made by components such as proxies. By allowing the user (or, by company policies) to fine tune some configuration parameters, the proposed solution will provide different levels of confidence to the observed server’s public keys, thus satisfying distinct levels of security, or user proficiency