TrustLogin: Securing Password-Login on Commodity Operating Systems
Fengwei Zhang (1), Kevin Leach (2), Haining Wang (3), Angelos Stavrou (1)
(1) Wayne State University
(2) University of Virginia
(3) University of Delaware
November 16, 2015
1
Overview of The Talk
- Motivation
- Background: System Management Mode (SMM)
- System Framework
- Evaluation Results
- Conclusions and Future Directions
2
Motivation
Keylogger examples
- Keylogger malware found on UC Irvine health center in May 2014, and about two thousand students were impacted [1]
- Attackers have stolen credit card information for customers who shopped at 63 Barnes & Noble stores using keyloggers [2]
- A case study has shown that 10,775 unique bank account credentials were stolen by keyloggers in a seven-month period [3]
Protecting login credentials is a critical part of daily life
4
Motivation
- OS as a trusted computing base, which has a large amount of source code
  - Linux kernel has 17M lines of code
  - CVE shows 240 vulnerabilities for the Linux kernel
- An attacker can compromise the OS and install a stealthy keylogger
  - Banking, SSH login passwords
5
Our Approach
We present TrustLogin, a framework to securely perform login operations using System Management Mode (SMM)
- Prevents rootkits and stealthy keyloggers without trusting the OS
- Does not change any software on the client and server sides
- Transparent to users and applications
6
Background: System Management Mode
System Management Mode (SMM) is a special CPU mode in the x86 architecture, and it can be used as a hardware-isolated execution environment.
- Originally designed for implementing system functions (e.g., power management)
- Isolated System Management RAM (SMRAM) that is inaccessible from the OS
- The only way to enter SMM is to trigger a System Management Interrupt (SMI)
- Executing the RSM instruction resumes the OS (Protected Mode)
8
Background: System Management Mode
Approaches for Triggering a System Management Interrupt (SMI)
- Software-based: write to an I/O port specified by the Southbridge datasheet (e.g., 0x2B for Intel)
- Hardware-based: network card, keyboard, hardware timers
Figure: SMM entry and exit. Protected Mode (normal OS) --[software or hardware triggers an SMI]--> System Management Mode (isolated execution environment: SMI handler in isolated SMRAM, highest privilege, interrupts disabled) --[RSM]--> back to Protected Mode.
9
Background: Software Layers
Figure: Software layers, from top to bottom:
- Application
- Operating System
- Hypervisor (VMM)
- Firmware (BIOS), SMM
- Hardware
10
System Framework
- SMM provides a secure world; we move the security-sensitive operations into it.
Figure: Architecture of TrustLogin. User inputs arriving from the keyboard (input device) and network packets leaving through the NIC (output device) each trigger an SMI; the operating system running in Protected Mode is suspended while System Management Mode handles the event, and then resumes.
12
TrustLogin
3 steps for a password-login
- Entering secure input mode: Ctrl+Alt+1
- Intercepting keystrokes and generating placeholders
- Intercepting network packets
13
Case Study of TrustLogin
- Legacy applications: FTP
  - Unencrypted packets
- Secure applications: SSH
  - Encrypted packets
  - Session key searching
- TrustLogin requires application-specific efforts
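The three login steps on the previous slide and the legacy (FTP, unencrypted) case above, as an added user-space simulation written for this page; it is not the authors' SMM handler code. The struct named `smram`, the `trustlogin_*` function names and the toy LCG are assumptions: the struct stands in for the isolated SMRAM the OS cannot read, and a real handler would draw its placeholders from a hardware random source. The sample password and the FTP `PASS` line are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW 64

/* Stand-in for SMRAM: only the (simulated) SMI handlers below touch it.
 * Everything outside this struct models OS-visible memory. */
static struct {
    char real[MAX_PW + 1];        /* keystrokes the user actually typed */
    char placeholder[MAX_PW + 1]; /* random string handed to the OS instead */
    size_t len;
    int secure_mode;              /* 1 after the user pressed the hotkey */
    uint32_t rng;                 /* toy PRNG state (assumption); real SMM code would use RDRAND */
} smram;

static const char alphabet[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Deterministic LCG so the demo is reproducible; not cryptographic. */
static char random_placeholder_char(void) {
    smram.rng = smram.rng * 1103515245u + 12345u;
    return alphabet[(smram.rng >> 16) % (sizeof(alphabet) - 1)];
}

/* Step 1: the hotkey (Ctrl+Alt+1 in the talk) switches the handler into secure input mode. */
void trustlogin_enter_secure_mode(uint32_t seed) {
    memset(&smram, 0, sizeof smram);
    smram.secure_mode = 1;
    smram.rng = seed;
}

/* Step 2: keyboard SMI handler. The real key stays in SMRAM; the OS (and any
 * keylogger inside it) only ever sees the returned placeholder. Enter ends
 * secure input; outside secure mode keys pass through unchanged. */
char trustlogin_keyboard_smi(char key) {
    if (!smram.secure_mode || key == '\n') {
        smram.secure_mode = 0;
        return key;
    }
    if (smram.len >= MAX_PW) return 0;
    char p;
    do {
        p = random_placeholder_char();
    } while (p == key);   /* guarantee the OS never sees the real key */
    smram.real[smram.len] = key;
    smram.placeholder[smram.len] = p;
    smram.len++;
    return p;
}

/* Step 3: NIC SMI handler for an unencrypted protocol such as FTP. It scans the
 * outgoing packet for the placeholder string and swaps in the real password
 * before the frame leaves the machine, then wipes the secret (one-shot).
 * Returns 1 if a substitution was made, 0 otherwise. */
int trustlogin_nic_smi(char *packet, size_t packet_len) {
    if (smram.len == 0 || packet_len < smram.len) return 0;
    for (size_t i = 0; i + smram.len <= packet_len; i++) {
        if (memcmp(packet + i, smram.placeholder, smram.len) == 0) {
            memcpy(packet + i, smram.real, smram.len);
            memset(smram.real, 0, sizeof smram.real);
            memset(smram.placeholder, 0, sizeof smram.placeholder);
            smram.len = 0;
            return 1;
        }
    }
    return 0;
}

/* Demo accessors: what the OS would see, and how many keys are still buffered. */
const char *trustlogin_placeholder(void) { return smram.placeholder; }
size_t trustlogin_len(void) { return smram.len; }

int main(void) {
    const char *secret = "hunter2";           /* constructed sample password */
    char os_view[MAX_PW + 1] = {0};
    trustlogin_enter_secure_mode(0x5eed);
    for (size_t i = 0; secret[i]; i++)
        os_view[i] = trustlogin_keyboard_smi(secret[i]);
    printf("a keylogger in the OS records: %s\n", os_view);

    char packet[128];
    snprintf(packet, sizeof packet, "PASS %s\r\n", os_view); /* FTP client sends the placeholder */
    trustlogin_nic_smi(packet, strlen(packet));
    printf("frame on the wire: %s", packet);
    return 0;
}
```

The encrypted (SSH) case on this slide is not covered by the packet scan: there the handler would first have to recover the session key to locate the placeholder inside the ciphertext, which is the application-specific effort the slide refers to.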
14
Ensuring the Trust Path
Mitigating spoofing attacks
- LED lights:
  - Showing a special sequence of Num, Caps, and Scroll locks
  - User defines the sequence
- PC speaker:
  - Playing a melody (e.g., C major scale)
15
Effectiveness of TrustLogin
- Testing TrustLogin against keyloggers on Windows and Linux platforms
  - Windows: Free Keylogger Pro version 1.0
  - Linux: Logkeys version 0.1.1a
Keyloggers can only record random strings with TrustLogin enabled
17
Performance Evaluation
Table: Breakdown of TrustLogin Runtime
Operation              Mean       STD
Keyboard SMI handler   32.58 ms   3.68
NIC SMI handler        29.67 µs   1.18
SMM Switching           3.29 µs   0.08
SMM Resume              4.58 µs   0.10
18
Conclusions and Future Directions
- We presented TrustLogin, a novel framework for securing password-login via System Management Mode
- It can prevent rootkits from stealing sensitive data from the local host
- It does not change any software on the client and server sides
- It is transparent to users and applications
Future directions:
- Defend against phishing attacks by validating the destination IP/hostname
- Protect other sensitive data like password-logins on browsers and banking transactions
20
References
[1] "Keylogger Malware Found on UC Irvine Health Center Computers," http://www.scmagazine.com/keylogger-malware-found-on-three-uc-irvine-health-center-computers/article/347204/.
[2] "Credit Card Data Breach at Barnes & Noble Stores," http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html?_r=3&.
[3] T. Holz, M. Engelberth, and F. Freiling, "Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones," in Proceedings of the 14th European Symposium on Research in Computer Security (ESORICS'09), 2009.
21