Presentation Transcript

1. Compartmentalization Architectures for Protection of Critical Credentials -and- Transactions from CPU Resident Malware

   Jim McAlear – June 10, 2012 jim.mcalear@ieee.org
2. Outline A different take on the malware issue Protection at PCs Protection for tablets and notebooks Protection within enterprise servers Protection at merchant servers Making solutions tamper-proof Conclusions
3. Thought Experiment Imagine a laptop in your house has a robotic arm and legs; now what could happen due to a malware presence on the laptop? The laptop could come alive one night, kill you in your sleep, take pictures of your dead body and drive away in your car Thankfully, our computers don’t have robotic arms and legs yet, but they do have electronic tentacles out to our banks and credit card accounts and other critical services we are all vulnerable to victimization
4. Need a New Law of Computing Everybody appreciates Asimov’s first law of robotics: “Do not harm humans” Back-casting that concept to suit our present age establishes the law: “Computers must not victimize users” It’s clear that this law is not an explicit design requirement of the computer industry police in Ottawa visit primary schools and tell children to tape over cameras and microphones of laptops/PCs an industry non-victimization requirement would lead to a design where cameras and microphones have user-only operable slide switches, with LED indicators when the function is operating such a requirement might have saved the life of a young Rutgers University student
5. Mission Contrast IEEE Mission Statement: Advancing Technology for (the benefit of) Humanity Malware Mafia Mission: Advancing Technology to Victimize Humanity We have an ethical duty to step up our game
6. Being Numb to Open-Ended Risk The architects of the deeply flawed US mortgage and financial instruments accepted the open-ended risk that these represented Everybody else went numb to these risks The resulting financial carnage has deeply affected millions of people – many may never fully recover Is the computer industry no better than those in the financial industry in addressing real risk?
7. Credentials & Transaction Protection at PCs
8. Protection at User’s PC – Current Situation Malware-in-the middle PC ☠ malware Monitor internet NIC Keyboard Malware resides between what a user sees and does and his network services – can potentially see and control everything
9. New Solution for Protection of Credentials Credentials transactions bypass CPU and malware PC ☠ malware Monitor internet ❶ NIC Keyboard display ❹ ❷ ❸ New NIC functionality and connection redirects credentials request message (http 401 message) around CPU/malware to new display on keyboard Conventional keyboard connection is blocked until transaction is complete No malware access to credentials
10. Keyboard-Display Details Keyboard displays URL of credentials-requesting web site allows user to confirm he is accessing desired site thwarts malware from surreptitiously directing user to a false-front web site that is operated by hacker NIC keeps independent record of DNS server responses User can also verify unique/private “welcome” phrase better understood than certificates [www.bank1.com] Jedi Sabersmith, enter password for xxxx-5476: <f1 - help> f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12
11. Display Validates Intended Transactions Prevents malware from making transactions behind scenes once user signs into bank/broker, require user to confirm risky transactions especially needed for transfers to 3rd party accounts or stock purchases not strictly necessary for modest transactions to well-established billers (phone, cable, electricity, gas, taxes etc.) as these are reliably reversible Prevent malware from tampering with purchase and shipping details user alerted to unintended purchases and delivery elsewhere [www.bank1.com] Transfer $128.64 to 3343-6546-8786 – enter PIN: <f1 - help> [www.broker1.com] Purchase 500 shares of Telus Preferred – enter PIN: <f1 - help> [chapters.indigo.ca] $55.95 purchase to 123 Main – enter MasterCard: <f3 - details>
12. Protection Goes Beyond Shared Secrets Can keep many types of credentials away from malware key loggers Passport number – to book international flights Driver’s license number – to renew license Social Insurance Number – for government interactions Property roll number/car registration – to apply for insurance Health card number/Insurance account number/Employee number … New passwords for free online accounts & other password changes Remote web site does not need pre-knowledge of credentials Can enter credit card of choice for spontaneous online purchases [intlbooking.aircanada.com] Enter passport number: <f1 - help> [renew.mto.on.ca] Enter driver’s license number: <f1 - help> [buy.merchant.ca] Enter Air Miles rewards number: <f1 - help>
13. Networking Parameters Lock-down NIC has independent record of key networking parameters DNS look-up addresses - to validate & display server names Router/proxy/gateway addresses Parameters set via network protocols - can allow user to view No CPU/malware access to parameters - prevent routing through bot Could also allow secure-insert cookies - unavailable to malware Other lock-downs No packet sniffing during transactions or host/emit DHCP service Should have manual/auto shutter for camera & mute of microphone <Press ctrl-alt-f1 – Show networking parameters> f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12
14. Credentials Memory Option Optional credentials storage unit offers powerful features can store frequently used web sites to provide for anti-phishing protection - e.g. highlighting malware directing a user to bankl.com instead of bank1.com can allow setting for one-touch release of credentials – best for email can keep an independent log of transactions, unalterable by malware storage of certificates, portability between computers & networks fingerprint or PIN protection of credentials in storage unit Portable credentials storage and transaction logs USB @ Possible fingerprint reader ????www.bankl.com???? Enter password: <?? f8 – warnings ??> OK f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12
15.  Transactions Normally Encrypted  SSL/TLS encryption protocol will normally protect credentials transactions from network eavesdroppers not generally easy for hackers to set up network eavesdropping positions core network equipment is purpose-built and operated by experts within a managed security regime unlike the situation of PCs which are loaded with a melange of a-dubious software and frequently operated by inept users simplest network threat is from rogue Wi-Fi presence though still a challenge to accomplish from half-a-world-away ever-present risk of prosecution & conviction for malicious local operator/insider  Strong password hashing for non-encrypted applications providing password protection for lower-risk web-mail etc.
16. Encryption Options - Imperfect One option has the NIC handle the encryption with the CPU supplying session plaintext - but obviously not credentials plaintext fully protects against network eavesdroppers, but large load on NIC some vulnerabilityto coordinated attack by malware & eavesdropper malware knows most of plaintext, eavesdropper gets all encrypted text a known-plaintext attack is possible – though still difficult password hashing adds strong, independent layer of protection An alternative has the CPU supply a cryptographic bit-stream to the NIC, with the NIC performing the final XOR step – with protected credentials fully protects against network eavesdroppers vulnerableto coordinated attack by PC malware and network eavesdropper PC malware captures the cryptographic parameters, and network eavesdropper captures encrypted text, allowing all plaintext - including credentials - to be revealed password hashing would add independent layer of protection
17. Encryption Options - Better More secure option has NIC set-up independent encrypted session for credentials/transaction submission network eavesdropper attacks not aided by PC resident malware – malware not specifically aware of any user-transmitted plaintext need nonce message randomization because some server-issued plaintext can be guessed by malware (e.g. “$24.95 purchase to 123 Main - Enter Visa:”) password hashing will add independent layer of protection This would allow encryption of main session (not containing credentials) to be fully handled by CPU likely CPU would need to tell NIC when credentials session is required malware denial-of-service threat unchanged user will notice any malware tampering if malware just blocks the message entirely, then user never gets to where he needs if malware pops-up credentials request on monitor, user notes it in wrong place
18. PC Retrofit Solution Potential retrofit is easy and affordable - needing new keyboard and NIC (shown external) PC ☠ malware Monitor internet NIC USB Keyboard display NIC (Though in comparison cost increment on new PC purchase would be truly minimal: $2-$5/unit)
19. Tablet Solution Tablet solution incorporates functions internally CPU/Main ☠ malware Touch/ Display Driver internet NIC Keyboard Driver  External lamp When NIC handles credentials/transactions, it blocks CPU/malware from access to touch screen and keyboard driver & lights/flashes external lamp Malware has no access to lamp – user can be confident that when lamp is lit he can enter/view transactions in secure mode (blocks malware simulation)
20. Notebook Solutions: Configuration Choices 1) Copy PC solution: withdisplay just forward of keyboard Regular size ? Stand-alone Compact 2) Adapt tablet solution: display overlay with lamp Desired Configuration ? 3) Use PC retrofit solution Closed notebook Docked ? (also Bluetooth options) Open notebook 4) Retrofit/stand-alone choice
21. 2) Standalone Compact Notebook Adapt external lamp solution from tablet configuration Pop-up display overlay and external lamp are exclusively under control of NIC pop-up display overlay  no room for LCD on compact keyboard Display overlays common on monitors – e.g. brightness/contrast controls Display overlays not accessible to OS – e.g. Print Screen can’t capture
22. 3) Docked, Closed Notebook Utilize conventional PC retrofit solution Monitor internet NIC Closed notebook Keyboard display Adapts well to corporate/wired environment Cheaper/greener to provision new NICs & keyboards than monitors USB hub would simplify keyboard/NIC connections
23. 3a) Bluetooth Variant NIC will present as USB hub/composite device to PC Monitor internet NIC + PC/notebook Bluetooth Keyboard display PC/notebook would see USB hub with conventional keyboard and NIC NIC+ would switch off keystrokes to PC/notebook in secure mode Display on keyboard helpful for marshalling Bluetooth connection Benefit to large screens/conference rooms: logins not on large display
24. PC Protection Functional Summary Keyboard and display work right off the line, just after encryption, and before any malware tampering Networking parameters Conventional PC functions ☠ internet H/W logic Transceiver Encryption Keyboard display Conventional PC function/malware cannot tamper with encryption nor networking parameters No PC access to keyboard (or keyboard display) in secure mode Can provide any credentials to any site of choice (not just shared secret) Protects credentials -and- transactions with human oversight
25. Credentials Protection at Servers
26. Credentials Protection for Enterprise Servers Organize for enterprise defence-in-depth Credentials protection solution to prevent server-resident malware from fraudulently accessing services on uninfected servers Solution also provides for independent transaction logs for detecting malware-driven fraudulent transactions ☠ infected server server internet firewall intranet pc pc pc
27. Protection at Enterprise Server - 1 Credentials not stored within server – not accessible by CPU/malware therefore cannot exploit services on other servers using valid credentials CMU loaded with credentials on stand-alone PC/device/separate network When server requires user authentication, it sends message to NIC to conduct transaction, and only receives a success/fail response returned (http) authentication headers stripped by NIC – cannot reach CPU CMU should keep an independent transaction log Resident malware can still attempt fraudulent transactions within server but cannot directly write to CMU to create corresponding fraudulent logs would need cooperation of malware of remote PCs, but if remote PCs also have credentials protection, no correct-seeming records can be created network connection ☠Server NIC CMU Removable Credentials Memory Unit
28. Protection at Enterprise Servers - 2 Scaling up for large enterprises Secure NICs can have second, private network interface Second network interface not visible to O/S & malware Permits central management of IDs & logging of transactions Local CMUs can provide back-up in case of connectivity problems Internet connection ☠Server NIC CMU More servers More servers … Private network /VPN Multiplexer No Internet presence Isolated authentication and logging (& fulfillment) server NIC
29. Credit Cards Transactions at Merchant Server Enhanced functionality to clear credit card transactions Three basic approaches for malware exploitation steal credit card numbers for higher payoff elsewhere fraudulent merchandise shipping set-up pirate merchant service (hidden from merchant) Card transactions: handle independently within NIC+/CMU+ NIC+ to grab all transactions (authentication headers) coming from users as long as user only enters cards numbers in protection mode at PC, card numbers will never reach CPU NIC+/CMU+ clear transactions with valid authority, CPU gets summary CPU cannot see or set merchant account numbers in CMU isolated fulfillment PC can combat fraudulent shipping network connection ☠Server NIC+ Fulfillment PC PC CMU+
30. Server Protection Functional Summary Authorizations and transaction logs work right off the line, just after encryption, and before any malware tampering Encryption Networking parameters internet Conventional server functions ☠ H/W logic Transceiver Private network /VPN Transceiver CMU User supplied authentication headers stripped off by NIC Credentials checking and transaction authorization within NIC Tamper-proof logs & options for enterprise scaling in private network Conventional server function has no access to transaction details Protects credentials -and- transactions from malware access
31. End-to-End Operation Transaction/purchase example internet Server PC N CMU Fulfillment PC PC → 1. User submits a transaction (☠) ↻ 2. Server collates transaction (☠) ←3. Server instructs NIC to confirm (☠) ←4. NIC issues confirmation details ☠- indicates possible malware tampering ↻5.Details reviewed on keyboard display →6. User issues credentials if correct ↻ 7. NIC validates response ↓8. NIC issues response to fulfillment PC Steps 7 & 8 at server don’t complete without human oversight at steps 5 & 6
32. Making NIC Tamper-Proof
33. Tamper-Proofing NIC Functions - Basics Obviously: no packet sniffing of credentials packets & no ability for CPU or network-side modifications of firmware if firmware modification desired, hide port on board or use keyboard port Use industry best practices – e.g. respect SANS Top 25 S/W Vulnerabilities though many common exploits are just not applicable to NIC: SQL injection, cross-site scripting, browser sandbox leaks, path traversals, uncensored string processing, privilege escalation, hard-coded credentials etc. Buffer-overflow is always a prime attack vector excellent overview of best practices: BinduMadhavi, HeeBengKuan Tan, “Defending against Buffer-Overflow Vulnerabilities”, IEEE Computer, November 2011, p. 53
34. Tamper-Proofing NIC Functions - Extra Buffer overflows overwrite instruction pointer return address on stack lets instruction pointer point to stack data to execute as arbitrary code Could hard-code value limits of an instruction pointer to reside only in range of firmware address space thus any overflow that results in pointer set to address of writable memory creates a CPU error condition & cause reset no way to inject arbitrary code, but might exploit existing code Could have compiler randomize method locations in firmware per NIC would make things very difficult for malware to exploit existing code Could equip CPU with memory cache dedicated as a return address stack Techniques are minor variants of existing approaches of modern CPUs & OSs
35. Conclusions
36. Credentials Protection Summary Current philosophical design of PCs, servers and networks maximizes potential for software to accomplish anything Accordingly, virtually all user activity is mediated by software only user overrides are for power, connections and destruction! don’t even have mechanical camera shutters or microphone switches But if software can potentially accomplish anything, then that‘s also true for malware Solutions covered here provide positive and independent human oversight over critically important activities
37. Users No Longer Helpless User can confirm web site name Can also validate welcome phrase Can verify transaction details & authorize Critical transactions can’t happen without user Able to inspect networking parameters Able to test operation in secure mode can use mouse to change focus to a text document and verify that no keystrokes get through [www.bank1.com] Jedi Sabersmith, enter password for xxxx-5476: <f1 - help> f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12
38. Can Engineers Learn from History? In the post-WW2 baby-boom, car ownership soared also driven by growth of suburbs and interstate highway system Car growth delivered increased traffic & accidents there was widespread carnage on the road (well beyond today’s levels) Sadly, industry resisted safety innovations like seatbelts were engineers so in love with their creations that they were blind to their faults? after too much carnage, governments finally had to step in to legislate safety Are computer engineers making the same mistakes?

39. Compartmentalization Architectures for Protection of Critical Credentials -and- Transactions from CPU Resident Malware

    Jim McAlear – June 10, 2012 jim.mcalear@ieee.org