Chapter 15. Crimeware and Trusted Computing

Shane Balfe, Eimear Gallery, Chris J. Mitchell, and Kenneth G. Paterson

Trusted computing technology has been put forward as a potentially revolutionary addition to the field of information security. In this chapter, we examine how trusted computing may be used to defend against the ever-growing threat posed by crimeware. We also highlight a counterintuitive but important use of trusted computing, as a possible facilitator of cybercrime.



15.1. Introduction

The anonymous and international nature of the Internet makes cybercrime a potentially low-risk, high-return activity. Traditionally, the appropriation of user data through "phishing" attacks has relied on social engineering techniques in which a user is tricked into performing an action that results in the revelation of sensitive information. However, as attacks become more sophisticated, social engineering is being superseded by techniques that directly target vulnerabilities in end-user platforms. These vulnerabilities, once exploited, allow crimeware to be surreptitiously installed, leaving the platform prone to data exposure. Crimeware such as keystroke loggers, viruses, worms, rootkits, and trojan horses can execute silently in the background; can monitor, log, and report keystrokes entered by a user; and can steal commercially sensitive data or be used in the furtherance of additional criminal activities.

Recent studies that examined the evolution, proliferation, and propagation of crimeware have noted a marked and steady rise in both the number and the complexity of applications used in the commission of cybercrime [160, 401]. Crimeware is beginning to combine characteristics of viruses, worms, and trojan horses with server and Internet vulnerabilities, fusing numerous methods for compromising end-user systems with multiple means of propagation to other networked machines [401]. Additionally, it is predicted that mobile devices (such as smartphones and PDAs) will increasingly become targets of crimeware in the coming years, especially as organizations begin to allow corporate data to be stored on these devices [401, 429]. Crimeware technology represents a serious and viable threat to both consumer and corporate data.

As a consequence of the perpetual increases in the volume, complexity, and scope of crimeware attacks, a question naturally arises: How can users trust the software environments with which they interact? Trusted computing technology partially addresses this question by providing a means for end users (and third parties) to derive increased confidence in the platforms with which they interface, as well as providing standardized mechanisms to protect user data and information from software attack. In this chapter, we examine how trusted computing technologies can be used to impede the distribution, infection, and execution of crimeware applications. In doing so, we note a counterintuitive but important use of trusted computing, as a possible facilitator of cybercrime.

This chapter is structured as follows. Section 15.2 examines the lifecycle of a crimeware attack. Section 15.3 provides an overview of trusted computing–related concepts and examines how trusted computing–enhanced platforms can be used to impede crimeware at each stage of its lifecycle. This section also examines how trusted computing may actually compound the threat posed by crimeware. Section 15.4 presents two case studies: One that looks at the use of trusted computing in combating online credit card fraud, and a second that looks at how trusted computing can aid rights management for content protection on mobile platforms.



15.2. Anatomy of an Attack

Cybercrime can broadly be defined as any "crime that is facilitated or committed using a computer, network, or hardware device," where the computer, network, or device may be the agent of the crime, the facilitator of the crime, or the target of the crime [152]. More specifically, the Council of Europe's Convention on Cybercrime uses this term to refer to criminal activity ranging from offenses against computer data and systems to digital content and copyright infringements [282].

Irrespective of the actual motivation for such activity, a crimeware attack—or, more generally, a malware attack—must typically pass through three stages to fulfill its goal [430]:

1. Distribution. Distribution refers to the means by which malware arrives at a platform. Traditionally, malware has been heavily reliant on social engineering as a means of distribution. That is, a user is tricked into downloading malware from a compromised server, opening an email or instant message attachment containing malware, or installing malware that has been integrated into an apparently useful application. However, such distribution methods are being displaced by methods that directly target and exploit vulnerabilities on a platform.

2. Infection. Infection is the process by which malware penetrates a platform. Malware may be ephemeral and leave behind no lasting executable, as is the case with system reconfiguration attacks, such as DNS poisoning. Alternatively, malware may persistently reside in memory or be executed upon loading an infected component. The infection may target user-space objects, as is the case with malicious browser helper objects and application programs, or kernel objects, as is the case with device drivers.

   To disguise an infection, rootkits are sometimes deployed. Basic rootkits simply replace user-level executables with trojanized versions—for example, replacing the Linux process status command with a version that incorrectly reports running processes. Such attacks are trivially detectable given current antivirus technology. Unfortunately, more recent rootkits are becoming adept at circumventing antiviral defenses, such as variants of the FU rootkit [133] or new rootkits that exploit hardware-based virtualization, such as Microsoft's proof-of-concept rootkit, Subvirt [215]. Subvirt attempts to modify a system's boot sequence so that the legacy operating system (OS) is loaded into a virtual machine monitor. This allows any system call made by the OS to be observed and modified by the Subvirt application.

3. Execution. It is during the execution stage that the malicious objectives of the malware are revealed. The malware may attempt to gain unauthorized access to information, capture user-entered details, or steal proprietary data. For example, the Bankash.G trojan horse attempts to steal user account details such as usernames and passwords or credit card information from a compromised computer [402]. This data is collated by the crimeware and transmitted back to the attacker for processing. Another trojan horse called Archiveus [403] (classified as ransomware) bundles randomly selected files on the platform on which it is executing into a password-protected archive and deletes the original files. The platform user is then requested to purchase any product from a specified site in exchange for the password required to retrieve his or her files.



15.3. Combating Crimeware with Trusted Computing

Trusted computing relates directly to the types of systems proposed by the Trusted Computing Group (TCG). Namely, a trusted system is one that will behave in a particular manner for a specific purpose.

The current documentation from the TCG encompasses a vast set of specifications ranging from specifications for personal computer (PC) [409] and server systems [408] to specifications for trusted networking [413] and trusted mobile platforms [414]. However, it is the TCG's specifications for microcontroller design that have perhaps become most synonymous with trusted computing. The Trusted Platform Module (TPM) specifications [410, 411, 412] form the core of all trusted computing implementations. These specifications describe a microcontroller with cryptographic coprocessor capabilities that provides a platform with the following functionality:

- A number of special purpose registers for recording platform state
- A means of reporting this state to remote entities
- Secure volatile and nonvolatile memory
- Random number generation
- A SHA-1 hashing engine
- Asymmetric key generation, encryption, and digital signature capabilities

However, the specification set produced by the TCG is by no means the only work on trusted computing. Trusted computing also encompasses new processor designs [7, 191] as well as OS support [309, 310]. The interested reader may wish to consult introductory texts on trusted computing [259, 307].

Since its introduction, trusted computing has become synonymous with three fundamental concepts: integrity measurement and storage, attestation, and protected storage. However, recently the definition of what constitutes trusted computing functionality has been revised and extended to incorporate the concepts of secure boot and software isolation. In this section, we consider how these fundamental concepts can be used to impede the distribution, infection, and execution of crimeware.



15.3.1. Integrity Measurement and Storage

An integrity measurement is the cryptographic digest or hash of a platform component (i.e., a piece of software executing on the platform) [310]. For example, an integrity measurement of a program can be calculated by computing a cryptographic digest of its instruction sequence, its initial state (i.e., the executable file), and its input. An integrity metric is a digest of one or more integrity measurements [307]. Integrity metrics are stored in special-purpose registers within the TPM called Platform Configuration Registers (PCRs).

During a platform's boot sequence, the entire platform state can be reliably captured and stored, as shown in Figure 15.1. During this process, the integrity of a predefined set of platform components (typically the POST BIOS, option ROMs, the OS loader, and the OS) is measured and the resulting measurements stored in the TPM's PCRs.

Figure 15.1. Integrity measurement and storage.

In isolation, integrity measurement and storage functionality do not provide a means of defending against crimeware. They do, however, provide the foundation for a number of services useful in combating the distribution, infection, and execution of crimeware, as described in Sections 15.3.2 through 15.3.5.
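
The measure-then-extend chain of Figure 15.1, as an added example (not code from the chapter or from the TCG specifications). It models a PCR as the 20-byte SHA-1 register the chapter describes, with extend defined as PCR <- SHA-1(PCR || measurement); the component images and their start-up inputs are constructed stand-ins for the POST BIOS, option ROM, loader and OS. It shows that the final PCR value is a digest of every measurement in boot order, and that a single modified component (here the OS loader) leaves a different value behind.

```python
import hashlib

PCR_SIZE = 20  # PCRs in the TPM described in this chapter hold a SHA-1 digest


def measure(image: bytes, start_input: bytes = b"") -> bytes:
    """Integrity measurement of one platform component: a SHA-1 digest over
    its executable image and the input it is started with."""
    return hashlib.sha1(image + start_input).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The TPM extend operation: PCR <- SHA-1(PCR || measurement).
    A PCR is never written directly, only folded forward, so its final
    value depends on every measurement and on the order they arrived in."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain):
    """Each boot stage measures the next one into the PCR before passing
    control to it. Returns the final PCR value and the measurement log."""
    pcr = bytes(PCR_SIZE)  # PCRs are reset to all zeros at power-on
    log = []
    for name, image, start_input in chain:
        m = measure(image, start_input)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


# Constructed stand-ins for the components the text lists; on a real
# platform these would be the actual BIOS, option ROM, loader and kernel images.
GOOD_CHAIN = [
    ("POST BIOS", b"post-bios-image-v1", b""),
    ("option ROM", b"nic-option-rom-image", b""),
    ("OS loader", b"os-loader-image", b"root=/dev/sda1"),
    ("OS", b"kernel-image", b"quiet"),
]


def final_pcr(chain) -> bytes:
    return measured_boot(chain)[0]


def with_replaced_image(chain, stage_name, new_image):
    """Copy of the chain with one stage's image swapped (a modified loader,
    say) so the effect on the recorded PCR can be compared."""
    return [(n, new_image if n == stage_name else img, inp) for n, img, inp in chain]


if __name__ == "__main__":
    good, log = measured_boot(GOOD_CHAIN)
    for name, digest in log:
        print(f"{name:>10}: {digest}")
    print("PCR after good boot:    ", good.hex())
    bad = final_pcr(with_replaced_image(GOOD_CHAIN, "OS loader", b"os-loader-image+bootkit"))
    print("PCR after modified boot:", bad.hex())
```

Note that the register alone says nothing about whether the recorded value is good or bad; as the text says, that judgement is left to the services built on top of it (attestation, sealing, secure boot), which compare the value against reference measurements.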



15.3.2. Attestation

Platform attestation enables a TPM to reliably report information about the current state of the host platform. On request from a challenger, a trusted platform can, using a private attestation key, sign integrity metrics reflecting (all or part of) the platform's software environment. The challenger uses this information to determine whether it is safe to trust the platform from which the statement originated and (all or part of) the software environment running on the platform. This is achieved by validating the integrity metrics received from the trusted platform against software integrity measurements provided by a trusted third party, such as a software vendor.

Attestation provides a powerful technique with which to combat crimeware distribution and infection. A platform, upon requesting access to a company's intranet, may be required to demonstrate through attestation that it has up-to-date antivirus software with the latest signature definitions, that its spam filters are operating correctly, and that it has installed the latest OS security patches. Similarly, a client could request that a server attests to its operating environment prior to disclosing any sensitive data.

Attestation features form an important focus of the TCG's Trusted Network Connect (TNC) specifications [413]. TNC offers a way of verifying an endpoint's integrity to ensure that it complies with a particular predefined policy before being granted network access. The process of assaying endpoint integrity for compliance with policy occurs in three distinct phases: assessment, isolation, and remediation. The assessment phase primarily involves a platform that requires access to a restricted network, attesting to its current state. A server examines this attestation and compares the platform's integrity metrics to its network access policies. Based on the outcome of this comparison, the server will allow access, deny access, or place the platform in a quarantined network (isolation). In this isolated network, a platform would typically be able to obtain the requisite integrity-related updates that will allow it to satisfy the server's access policy and be granted access.
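
Both sides of the attestation exchange just described, as an added example that is not code from the chapter or from the TNC specifications. The platform signs its PCR values together with the challenger's nonce; the server checks the nonce and signature, compares the boot PCRs against reference values, and then applies the allow / deny / quarantine decision of the TNC assessment phase, using the antivirus-definition check the text gives as its example. The attestation key, the PCR indices, and the reference measurements are all constructed assumptions, and an HMAC stands in for the asymmetric attestation signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Stand-in for the platform's private attestation key. A real TPM signs with
# an asymmetric attestation identity key; HMAC is used here so the example
# runs with the standard library only.
ATTESTATION_KEY = b"constructed-attestation-key"


def quote_digest(pcrs: dict, nonce: bytes) -> bytes:
    """What gets signed: the challenger's nonce plus the selected PCRs."""
    h = hashlib.sha256(nonce)
    for index in sorted(pcrs):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


def tpm_quote(pcrs: dict, nonce: bytes, key: bytes = ATTESTATION_KEY) -> dict:
    """Platform side: sign the integrity metrics for the challenger."""
    sig = hmac.new(key, quote_digest(pcrs, nonce), hashlib.sha256).digest()
    return {"nonce": nonce, "pcrs": dict(pcrs), "sig": sig}


# Constructed reference values standing in for measurements published by the
# software vendors: PCR 0-1 describe a trustworthy boot, PCR 10 records the
# installed antivirus definition set.
TRUSTED_BOOT = {0: b"\x11" * 20, 1: b"\x22" * 20}
AV_DEFINITIONS = {b"\xaa" * 20: "2007-03-01", b"\xbb" * 20: "2007-03-15"}
LATEST_AV = "2007-03-15"


def assess(q: dict, expected_nonce: bytes, key: bytes = ATTESTATION_KEY):
    """Server side (TNC assessment). Returns (decision, reason), where the
    decision is "allow", "deny" or "quarantine"."""
    if not hmac.compare_digest(q["nonce"], expected_nonce):
        return "deny", "quote does not answer our challenge (stale or replayed)"
    expected_sig = hmac.new(key, quote_digest(q["pcrs"], q["nonce"]), hashlib.sha256).digest()
    if not hmac.compare_digest(q["sig"], expected_sig):
        return "deny", "attestation signature is invalid"
    for index, reference in TRUSTED_BOOT.items():
        if q["pcrs"].get(index) != reference:
            return "deny", f"PCR {index} does not match a trustworthy boot"
    av_version = AV_DEFINITIONS.get(q["pcrs"].get(10))
    if av_version is None:
        return "deny", "antivirus definitions are not a known release"
    if av_version != LATEST_AV:
        # Isolation: the endpoint is placed where it can fetch updates (remediation)
        return "quarantine", f"antivirus definitions {av_version} are outdated"
    return "allow", "endpoint complies with the access policy"


def new_challenge() -> bytes:
    """A fresh nonce per request stops an old, good quote being replayed."""
    return os.urandom(16)


if __name__ == "__main__":
    nonce = new_challenge()
    healthy = {0: b"\x11" * 20, 1: b"\x22" * 20, 10: b"\xbb" * 20}
    print(assess(tpm_quote(healthy, nonce), nonce))
    stale_av = {**healthy, 10: b"\xaa" * 20}
    print(assess(tpm_quote(stale_av, nonce), nonce))
```

The order of the checks matters: nonce and signature first, so that a quote edited in transit or replayed from an earlier, healthier boot is rejected before any policy comparison happens.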



15.3.3. Protected Storage: Binding and Sealing

Protected storage functionality uses asymmetric encryption to protect the confidentiality of data on a TPM host platform. Protected storage also provides implicit integrity protection for TPM objects. Both data and keys can be associated with a string of 20 bytes of authorization data before being encrypted. When decryption is requested, the authorization data must be submitted to the TPM. The submitted authorization data is then compared to the authorization data in the decrypted string, and the decrypted object is released only if the values match.

The notions of binding and sealing are of fundamental importance to trusted computing. Binding refers to the encryption of data with a public key for which the corresponding private key is nonmigratable from the recipient's TPM. In this way, only the TPM that manages the nonmigratable private key will be capable of decrypting the message. Sealing takes binding one step further. Sealing is the process by which sensitive data can be associated with a set of integrity metrics representing a particular platform configuration, and then encrypted. The protected data will be decrypted and released for use by a TPM only when the current state of the platform matches the integrity metrics to which the data is sealed.

Using sealed storage, end users can protect their private data (e.g., credit card numbers) by making revelation of that data contingent on a platform being in a particular state. For example, a user might seal credit card data to a state that requires a particular banking application to be running on the platform, and nothing more. The presence of crimeware would change the platform state. This feature would, therefore, ensure that malicious software, such as the Bankash.G trojan horse, could not gain access to security sensitive data that has been sealed.

Alsaid and Mitchell [6] attempt to address the problem of a user unknowingly revealing sensitive data to a phishing site using the TPM's protected storage capabilities. They propose SSL client-side authentication to establish a mutually authenticated SSL tunnel over which a username/password can be communicated. In this approach, the SSL private key (for which the public key has received certification) is nonmigratable from the client's TPM. Consequently, when a user visits a phishing site and is tricked into revealing a username and password, a phisher will not be able to impersonate the user because the phisher will not have access to the private key used to complete client-side SSL authentication. Unfortunately, such an approach does not prevent crimeware resident on the TPM-host platform from capturing the username/password and using the TPM-protected private key to establish illegitimate sessions and fraudulently impersonate a user. This approach could be enhanced by sealing the TPM-protected private key to a trustworthy platform state.
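
Sealing and unsealing as the section describes them, as an added example that is not code from the chapter or from a TPM. It covers both the credit-card scenario and the enhancement suggested for the Alsaid and Mitchell scheme, since sealing a private key is the same operation as sealing any other secret. A blob carries the 20-byte authorization data the text mentions, is tied to a digest of the PCR set it was sealed to, and is released only when the current PCRs reproduce that digest and the submitted authorization data matches. The storage key, the PCR layout (PCR 12 holding the loaded applications) and the component measurements are constructed assumptions; an HMAC-derived keystream stands in for the TPM's asymmetric encryption so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Stand-in for the TPM's non-migratable storage key. A real TPM keeps this
# key inside the chip and encrypts with it asymmetrically; an HMAC-derived
# keystream is used here so the example runs with the standard library only.
STORAGE_ROOT_KEY = b"constructed-non-migratable-srk"
AUTH_LEN = 20  # objects carry 20 bytes of authorization data


def pcr_composite(pcrs: dict) -> bytes:
    """Digest over a PCR set: the integrity metrics a blob is sealed to."""
    h = hashlib.sha1()
    for index in sorted(pcrs):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _blob_key(composite: bytes, key: bytes) -> bytes:
    # Mixing the composite into the key means a platform in a different
    # state never derives the right key, rather than merely failing a check.
    return hmac.new(key, b"seal" + composite, hashlib.sha256).digest()


def seal(data: bytes, auth: bytes, pcrs: dict, key: bytes = STORAGE_ROOT_KEY) -> dict:
    """Encrypt auth||data so it is released only on a platform whose PCRs match."""
    if len(auth) != AUTH_LEN:
        raise ValueError("authorization data must be exactly 20 bytes")
    composite = pcr_composite(pcrs)
    k = _blob_key(composite, key)
    plain = auth + data
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(k, len(plain))))
    tag = hmac.new(k, composite + ct, hashlib.sha256).digest()
    return {"composite": composite, "ct": ct, "tag": tag}


def unseal(blob: dict, auth: bytes, current_pcrs: dict, key: bytes = STORAGE_ROOT_KEY):
    """Release the data only if the platform state matches the sealed state,
    the blob is intact, and the authorization data matches. Every failure
    returns None so a caller cannot tell which check failed."""
    composite = pcr_composite(current_pcrs)
    if not hmac.compare_digest(composite, blob["composite"]):
        return None  # platform state differs, e.g. extra software is loaded
    k = _blob_key(composite, key)
    expected_tag = hmac.new(k, composite + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # blob was modified
    plain = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(k, len(blob["ct"]))))
    if not hmac.compare_digest(plain[:AUTH_LEN], auth):
        return None  # wrong authorization data
    return plain[AUTH_LEN:]


def _extend(pcr: bytes, m: bytes) -> bytes:
    return hashlib.sha1(pcr + m).digest()


# Constructed platform states: PCR 0-1 record the boot, PCR 12 the applications
# loaded afterwards. The banking state has only the banking application loaded;
# the infected state has had one more (trojan) component measured into PCR 12.
_APP_PCR = _extend(bytes(20), hashlib.sha1(b"banking-app-image").digest())
BANKING_STATE = {0: b"\x11" * 20, 1: b"\x22" * 20, 12: _APP_PCR}
INFECTED_STATE = {**BANKING_STATE, 12: _extend(_APP_PCR, hashlib.sha1(b"trojan-image").digest())}

if __name__ == "__main__":
    auth = b"user-auth-secret-20b"  # exactly 20 bytes, constructed
    blob = seal(b"card-number-placeholder", auth, BANKING_STATE)
    print("banking state :", unseal(blob, auth, BANKING_STATE))
    print("infected state:", unseal(blob, auth, INFECTED_STATE))
```

The same `seal` call applied to the SSL private key of the Alsaid and Mitchell scheme would leave crimeware on the platform unable to use that key, because loading the crimeware changes PCR 12 before the key is ever requested.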



15.3.4. Secure Boot

A secure boot process extends the integrity measurement and storage functionality described in Section 15.3.1. During a secure boot, a platform's state is reliably captured, compared against measurements indicative of a trustworthy platform state, and stored. If a discrepancy is discovered between the computed measurements and the expected measurements, then the platform halts the boot process.

Secure boot functionality can detect the malicious or accidental modification or removal of security-critical software at boot time. For example, such functionality could detect the Subvirt rootkit, which modifies a system's boot sequence. In a similar way, secure boot functionality could be used to prevent a maliciously modified server from helping to distribute crimeware; this would reduce the effectiveness of a server modification attack to a denial of service.

Secure boot functionality is not currently described as part of the TPM specifications. However, a TCG specification does describe how it can be enabled on a trusted mobile platform [414]. Secure boot has also been independently studied by Tygar and Yee [428]; Clark [56]; Arbaugh, Farber, and Smith [19]; and Itoi et al. [194].
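
The difference between the measured boot of Section 15.3.1 and the secure boot of this section, as an added example (not code from the chapter or any TCG specification). The same boot walker runs in two modes: in measured mode every stage is recorded into the PCR and the platform comes up regardless of what was measured; in secure mode each measurement is compared to the expected value before control is handed over, and the boot halts at the first discrepancy, which is the behaviour the text describes. The component images and the expected measurements are constructed; the subverted chain models a loader that has been replaced so the OS would come up under a monitor.

```python
import hashlib


def measure(image: bytes) -> bytes:
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha1(pcr + measurement).digest()


def boot(chain, expected: dict, secure: bool):
    """Walk the boot chain stage by stage.

    secure=False: measured boot. Every stage is recorded and executed; a
                  modification shows up later, when attestation or unsealing
                  compares the PCR with reference values.
    secure=True:  secure boot. The measurement is compared with the expected
                  value first; on mismatch the boot stops before the modified
                  stage ever runs.
    Returns (status, stages_run, final_pcr)."""
    pcr = bytes(20)
    stages_run = []
    for name, image in chain:
        m = measure(image)
        if secure and m != expected.get(name):
            return "halted", stages_run, pcr  # denial of service, not compromise
        pcr = extend(pcr, m)
        stages_run.append(name)
    return "booted", stages_run, pcr


# Constructed images for the stages; the expected measurements would be
# provisioned when the platform is installed or updated.
GOOD_CHAIN = [
    ("POST BIOS", b"post-bios-image"),
    ("OS loader", b"os-loader-image"),
    ("OS", b"kernel-image"),
]
EXPECTED = {name: measure(image) for name, image in GOOD_CHAIN}

# A chain whose loader has been replaced so that the OS would be started
# inside a virtual machine monitor (the Subvirt pattern from Section 15.2).
SUBVERTED_CHAIN = [
    ("POST BIOS", b"post-bios-image"),
    ("OS loader", b"vmm-that-starts-the-os-as-a-guest"),
    ("OS", b"kernel-image"),
]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("subverted", SUBVERTED_CHAIN)):
        for secure in (False, True):
            status, ran, pcr = boot(chain, EXPECTED, secure)
            print(f"{label:>9} chain, secure={secure!s:5}: {status:6} after {ran}  PCR={pcr.hex()[:16]}...")
```

With the subverted chain both modes end with a PCR that differs from the good boot, but only secure mode refuses to continue; the cost is that a corrupted loader turns into a machine that will not boot, which is the denial-of-service outcome the text accepts in exchange for not running the modified code.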



15.3.5. Hardware-Enforced Isolation

Isolation technologies have evolved from OS-hosted virtual machine monitors (VMMs) [461] through stand-alone VMMs [142] to paravirtualization techniques [33]. More recent developments in isolation technology, such as Microsoft's Next Generation Secure Computing Base (NGSCB) [309, 310], incorporate the concept of an isolation layer designed to take advantage of CPU and chipset extensions described in Intel's LaGrande [191] and AMD's Presidio initiatives. An isolated execution environment, independent of how it is implemented, should provide the following services to hosted software [310]:

- No interference: Ensures that the program is free from interference from entities outside its execution space.
- Trusted path: Ensures the presence of a trusted path between a program and an input device.
- Secure interprocess communication: Enables one program to communicate with another, without compromising the confidentiality and integrity of its own memory locations.
- Non-observation: Ensures that an executing process and the memory locations it is working upon are free from observation by other processes.

Hardware-enforced software isolation enables the segregation of security-critical software and data so that they cannot be observed or modified in an unauthorized manner by software executing in parallel


