1 Introduction
-
We show how RV in conjunction with HSM can be used to securely execute cryptographic protocols, both in terms of correct implementation as well as resilience to malware infection. Most importantly our approach only requires extending, rather than replacing, existing stock hardware.
-
We demonstrate the feasibility of our approach on real-world web browser code, both in terms of monitoring the correct execution of a third party ECDHE protocol implementation, as well as practical execution overheads.
-
We also present quantitative results regarding the use of RV for taint inference in combination with the SeCube hardware security module. The aim of this experiment to demonstrate RV-TEE’s effectiveness in securely executing cryptographic primitives and in detecting data that might be attemptedly being exfiltrated outside the trust boundary. For this purpose we simulate a real-world banking trojan attack.This contribution is novel and has not appeared in our workshop paper [18].
2 Background and related work
2.1 Runtime verification
2.2 Trusted execution environments (TEE) and hardware security modules (HSM)
2.3 Practical binary instrumentation
2.4 Information-stealing malware
3 RV-Tee: an RV-centric TEE
Control/Threat level | High | Medium | Low | H/W |
---|---|---|---|---|
RV-TEE | \(\bullet \)Verify adherence | \(\bullet \)Isolated crypto | \(\bullet \)Software | \(\bullet \)Side-channel |
to protocol design | execution | vulnerability | resistance | |
\(\bullet \)Exfiltration | detection | \(\bullet \)Tamper-evident | ||
detection | (offline) | |||
\(\bullet \)Verify adherence | – | – | – | |
to protocol design | ||||
RV - taint inference [67] | – | \(\bullet \)Exfiltration | – | – |
detection | ||||
– | – | \(\bullet \)Software | – | |
vulnerability | ||||
detection | ||||
– | \(\bullet \)Isolated crypto | – | \(\bullet \)Side-channel | |
execution | resistance | |||
\(\bullet \)Tamper-evident |
4 RV function call tracing
4.1 Applying RV to the context
sslImport
and prConnect
).close
.
abort.send
in line 10) to other automata for which an abort is relevant.
NSS3
, although freebl3
has to be re-compiled with debug symbols to allow for locating EC_ValidatePublicKey
.
4.2 Firefox case study
SSL_ImportFD
and PR_Close
for the same fd. This pair and all intervening entries are extracted into their own slice, non-destructively (line 2).
Match_ArgsRetVal
. Similarly all entries, and sub-calls, with a corresponding NSS context (cx) argument (referred to as \(cx_{\textit{fd}}\)) are also included, since NSS’s cx
is pinned to NSPR’s fd.SSL_AuthCertificateComplete
and PR_Close
and their sub-calls. These sub-calls obviously belong to the same thread of execution of their callers, and comprise various PKCS#11 key derivation/encryption functions. Once these sub-calls are included within the current trace as established by GetKeyAddressesSubCalls
(lines 13-14 followed by 18), what remains missing are all other PKCS#11 calls that do not happen to be in these sub-calls, along with all other required hooked functions. Multiple iterations have to be executed in order to do so, adding function calls for every matching key-related argument or return value as established by GetKeyAddressesSubCalls
(lines 16 followed by 18). All these arguments and return values are addresses of key storage locations in memory. Iterations are executed until no further entries are made (line 20), with the completed individual session passed on to the RV monitor (line 21) as an output stream.SSL_AuthCertificateComplete
, or calls PK11_Encrypt
on session completion (by PR_Close
). The former occurs whenever the certificate verification thread loses the race with the ECDHE protocol thread, while the latter happens whenever Firefox knows it is sending the final GET
/POST
HTTP request and closes its end of the TCP connection.Dataset | TLS sessions | Properties | |||||
---|---|---|---|---|---|---|---|
1a
|
1b
|
2a
|
2b
|
3a
|
3b
| ||
Bad_SSL
| 11 | 11 | 0 | 0 | 0 | 11 | 0 |
Top_100
| 3,366 | 0 | 0 | 1,342 | 0 | 1,405 | 6 |
Configuration | Overheads | Overheads | Significance test |
---|---|---|---|
ms | % | p-value | |
RV function tracing
| 363.98 | 5.26 | 0.281 |
RV for taint inference
| 18.999 | 0.7 | 0.129 |
SECKEY_DestroyPrivateKey
calls, indicating some implementation quirk occurring during automated browser sessions. In fact this scenario could not be reproduced with manual browser sessions.5 RV for taint inference
5.1 Algorithm overview
s
might match a sub-string of t
even though they might not be any exact s
in t
. This is useful given that data might be modified during flow in which case taint inference using exact sub-string matching is likely to produce false negatives. With the aim of optimization, the approach initially adopts a coarse-grained sub-string matching algorithm based on multisets, i.e., it just compares the number of occurrences of each alphabet character under consideration. This has the advantage that, for each character, the shorter input string is slided over the longer input string for comparison, the additional computation is a constant (reducing the count of the character which falls outside the sliding window and conversely for the character which becomes visible in the window).5.2 Adaptations
5.3 Algorithm and complexity analysis
5.4 Implementation
ssl3_UnprotectRecord
and tls13_UnprotectRecord
. Both are internal functions to NSS3
, and which therefore necessitates re-compilation with debug symbols. Together, these two hooks cover all HTTP payloads decrypted within TLS \(< =\) 1.2 and 1.3 sessions respectively. In both cases the sslBuffer
output parameter is used to dump the corresponding decrypted buffers. The PR_Write
, PR_Writev
, and NSS3
exported functions provide taint sink monitoring. The corresponding buffers are dumped using the buf
output parameter.6 Real-world environment considerations for RV-TEE deployment
6.1 The SECube HSM
Sites | Load Time | Data size | NSS | SECube | Overheads | Overheads | Significance test |
---|---|---|---|---|---|---|---|
ms
|
bytes
|
ms
|
ms
|
ms
|
%
| p-value | |
https://www.google.com | 1158 | 1 367 595 | 6.942 | 913.599 | 906.657 | 78.76 |
\(2.5\times 10^{-3}\)
|
https://www.youtube.com | 1303 | 810 458 | 4.135 | 575.439 | 571.304 | 43.98 |
\(2.5\times 10^{-3}\)
|
https://www.facebook.com | 1045 | 1 511 775 | 7.717 | 944.329 | 936.612 | 90.29 |
\(2.5\times 10^{-3}\)
|
https://www.baidu.com | 6775 | 1 265 391 | 6.778 | 818.825 | 812.047 | 12 |
\(2.5\times 10^{-3}\)
|
https://www.wikipedia.org | 698 | 99 336 | 0.654 | 64.916 | 64.262 | 9.22 |
\(2.5\times 10^{-3}\)
|
Top_100 average | 5204.576 | 3 171 550 | 12.355 | 1735.728 | 1723.373 | 33.19 |
\(2.1\times 10^{-21}\)
|
6.2 Plaintext exfiltration case study
procdump
[26], and without the need to break the Firefox sandbox [50]. Overall, this setup mirrors a malware infection that is very difficult to detect both at the host and the network levels, and is, therefore, representative of those scenarios where protection responsibility would fall on RV-TEE.ssl3_UnprotectRecord
and tls13_
UnprotectRecord
in NSS3.dll
for the taint sources. Moreover, the RV-TEE’s implementation was extended to perform function call tracing over all external processes that obtain a handle to any of the Firefox processes. Through this extension it becomes possible to hook potential taint sinks for the stolen plaintext, irrespective of whether malware gets injected into Firefox or else plaintext is stolen by abusing process tracing. The full set of traced taint sinks comprises: Toolhelp32ReadProcessMemory
and Read
ProcessMemory
in Kernel32.dll
, and Read
ProcessMemory
in Kernelbase.dll
. In this manner we aim for early taint sink hooks, thereby avoiding the limitation of taint inference whenever sink strings are obfuscated or encrypted.
0
values occurring more frequently than random. These occurrences are a result of i) memory pages being zeroed out before page re-allocation by operating systems, ii) wide-character encoding used by web-browsers to support Unicode character sets, and iii) data structure padding employed by compilers. Beyond lowering the sub-string matching threshold we therefore also extended RV-TEE’s implementation to convert all wide-character strings to single-byte ones whenever all individual characters in the string have a leading 0
byte. Furthermore, all-0
string matches are discarded, and which in any case carry no information. Finally, all excessively small source strings, specifically those less than 20 bytes, were not considered.live.com
webmail site and initiated an authenticated session. While the connection was protected through authenticated encryption over a TLS1.3 session, the simulated malware nonetheless exfiltrated the decrypted email content directly from the browser’s memory to a 1.07 GB dump file, and which was then subsequently transferred to the C2 server.
7 Conclusions and future work
-
Program comprehension is required, both for setting up function hooks as well as to enable individual TLS session monitoring. Moreover, real-world code tends to be written in a manner to favor efficient execution rather than monitorability, hence the need for an algorithm to filter individual sessions in our case study. However, in case RV is used on one’s own code-base, support for RV could be thought out from inception, with these issues being somewhat alleviated.
-
Adding RV to a system naturally requires trust of the introduced code. There are however several ways in which concerns in this regard can be addressed: (i) the RV code is generated automatically from a finite state automaton, thus reducing the possibilities of bugs; (ii) more importantly, only the hooking code interacts directly with the monitored code. This separation ensures that RV interferes as little as possible with the monitored system.