PhD Proposal: End-to-end measurements of security threats inherent in the code signing PKI

Doowon Kim
04.17.2019 13:00 to 15:00
IRB 5105

Code signing PKI guarantees the integrity and authenticity of an executable file using the digital signature mechanism. In the PKI, clients are able to ensure that the executable file is never altered after the file has been signed, and identify the software publisher of the executable. Most modern operating systems (OS) employ the code signing PKI to protect their clients from executing files of unknown origin.Anecdotal evidence has indicated that, particularly in Windows, executable files properly signed with legitimate certificates can be critical malware. For example, \textit{Stuxnet} is a sophisticated malware signed with two private keys of two reputable Taiwanese semiconductor companies. Because the two companies were never believed to be involved in the malicious activity, the private keys were very likely stolen and used to sign the malware. This valid digital signature was able to help evade Anti-Virus (AV) engines and this signed malware remain undetected for a relatively longer period than other malware. However, this type of abuse has not been highlighted and measured systematically. Accordingly, security threats potentially inherent in the Windows code signing PKI have been also not well understood. This ignorance ultimately hinders the improvement of the code signing PKI ecosystem; comparatively, security problems in the Web PKI have been well measured and known, which leads to the improvement of the Web PKI ecosystem.The primary goal of my dissertation is to fully highlight the security threats in the code signing PKI by systematically measuring the weaknesses inherent in the PKI and to better understand the malware authors' behaviors that exploit the weaknesses and abuse the PKI ecosystem. This can help ultimately improve the code signing PKI ecosystem. In my preliminary work, I have proposed a security threat model that highlights the three classes of weaknesses that adversaries are able to exploit: 1) CA-side verification failures, 2) publisher-side key mismanagement, and 3) inadequate client-side protections. Furthermore, I also have conducted a measurement study of the effectiveness of revocation since revocation is the primary defense against code signing abuse.In my proposal, I propose to examine the mis-issuances of code signing certificates to malware authors or black market vendors; specifically, what bad practices and weaknesses in CAs' vetting process can result in the mis-issuances. This measurement study will be two-fold: 1) "before-misissuance" and 2) "after-misissuance." At the stage of "before-misissuance," I will primarily examine what bad practices and weaknesses exist in the vetting process and how adversaries exploit them to obtain code signing certificates. In the second phase ("after-misissuance"), I will plan to measure malware authors' behaviors using trusted timestamping embedded in signed executable files. From this, I can understand how long signed malware takes to appear in the wild.
Examining Committee:

Chair: Dr. Tudor Dumitras Dept rep: Dr. Ashok Agrawala Members: Dr. Nirupam Roy