Soumajit Pal, P. Poornachandran, Manu R. Krishnan, A. Sankar, Parvathy Sasikala
2017 International Conference on Public Key Infrastructure and its Applications (PKIA), published 2017-11-01. DOI: 10.1109/PKIA.2017.8278956 (https://doi.org/10.1109/PKIA.2017.8278956)
Malsign: Threat analysis of signed and implicitly trusted malicious code
Code signing is at present the only methodology for trusting code that is distributed to others. It relies heavily on the security of the software provider's private key. Attackers employ targeted attacks on the code signing infrastructure to steal the signing keys, which are later used to distribute malware in the guise of genuine software. Differentiating malware from benign software becomes extremely difficult once it is signed with a trusted software provider's private key, as the operating system implicitly trusts this signed code. In this paper, we analyze the growing menace of signed malware by examining several real-world incidents and present a threat model for the current code signing infrastructure. We also propose a novel solution that prevents this issue of malicious code signing by requiring additional verification of the executable. We also present the serious threat it poses and its consequences. To our knowledge, this is the first time this specific issue of malicious code signing has been thoroughly studied and an implementable solution proposed.