Recent targeted malware attacks, e.g., Stuxnet, Duqu, and Flame, used digitally signed components that appeared to originate from legitimate software makers. In the case of Stuxnet and Duqu, the private code signing keys of legitimate companies were suspected to have been compromised and used by the attackers. In the case of Flame, the attackers generated a fake certificate that appeared to be a valid code signing certificate issued by Microsoft, and used the corresponding private key to sign their malware.
The purpose of code signing is to ensure the authenticity and integrity of software packages; ultimately, however, the effectiveness of code signing as a security mechanism also depends on the security of the underlying Public Key Infrastructure (PKI). As the examples above show, attackers have already started to exploit weaknesses in the PKI supporting code signing, and we expect this trend to become stronger. Consequently, there is an urgent need to strengthen the PKI that code signing relies on. At the same time, given its size and complexity, making the entire PKI system 100% secure is illusory; one should rather adopt a best-effort approach that raises the bar for attackers even if attacks cannot be completely eliminated.
Motivated by the Stuxnet, Duqu, and Flame cases, the specific problem we addressed in our work is that the standard signature verification procedures used in today's PKI systems do not allow key compromise and fake certificates to be detected. Therefore, the objective of the work was to augment the standard signature verification workflow with checks of reputation information on signers and signed objects.
For this purpose, we built a data collection framework and a data repository for signed software and code signing certificates; we implemented services that use the repository to provide reputation information on signed objects, such as when a given signed object was first seen and what else the signer of a given object has signed before; and we also provide alert services for private key owners that help them detect when their signing keys have been used illegitimately.
Our system, called Repository of Signed Code (ROSCO), does not aim at replacing the entire code signing infrastructure. Rather, it complements existing PKI functions with useful services that different participants can use to increase their confidence in the legitimacy of signed code. For end users, the benefits are obvious: our repository serves them when they have to decide about the trustworthiness of code that is about to be installed. For software makers, our repository can be used to detect malicious use of their signing key. For security companies, our repository could be an invaluable source of information that they can use to detect malicious campaigns and trends in the signing of malicious code.
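As an added illustration (not code from the ROSCO project or its API), the following models the reputation step and the key-owner alert described above against a constructed in-memory repository; the hash values, the signer name and the dates are made up.

```python
from datetime import datetime

class Repository:
    """Constructed in-memory repository; it is not the ROSCO service or its API."""
    def __init__(self):
        self.objects = {}     # sha256 -> (signer identity from the certificate, first sighting)
        self.registered = {}  # signer -> hashes the key owner declared as legitimately signed

    def record(self, sha256, signer, seen_at):
        # keep only the first sighting so that first_seen never moves forward
        self.objects.setdefault(sha256, (signer, seen_at))

    def first_seen(self, sha256):
        return self.objects[sha256][1] if sha256 in self.objects else None

    def signed_by(self, signer):
        return sorted(h for h, (s, _) in self.objects.items() if s == signer)

    def register_owned(self, signer, sha256):
        self.registered.setdefault(signer, set()).add(sha256)

    def unregistered_uses(self, signer):
        # alert service for key owners: signatures by this key that the owner never declared
        known = self.registered.get(signer, set())
        return [h for h in self.signed_by(signer) if h not in known]

def reputation(repo, sha256, signer, now):
    """Reputation step run after the cryptographic signature check has succeeded."""
    first = repo.first_seen(sha256)
    history = [h for h in repo.signed_by(signer) if h != sha256]
    repo.record(sha256, signer, now)  # every verification also feeds the repository
    return {
        "first_seen": first,  # None means the object has never been seen before
        "age_days": (now - first).days if first else 0,
        "other_objects_by_signer": history,
        "signer_has_history": bool(history),
    }

def demo():
    """Constructed scenario: a declared object, then an undeclared one from the same signer."""
    repo = Repository()
    repo.record("sha256-of-legit-installer", "Example Corp", datetime(2012, 6, 1))
    repo.register_owned("Example Corp", "sha256-of-legit-installer")
    suspect = reputation(repo, "sha256-of-unknown-binary", "Example Corp", datetime(2012, 6, 11))
    legit = reputation(repo, "sha256-of-legit-installer", "Example Corp", datetime(2012, 6, 11))
    return suspect, legit, repo.unregistered_uses("Example Corp")
```

A never-before-seen object carrying a signature from a key with an established history is exactly the pattern a key owner would want an alert on, and `unregistered_uses` surfaces it.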
If you are interested in this project, you can read the Virus Bulletin conference paper at CrySyS Publications.
We implemented a JSON API for the ROSCO system. This is a programming interface that can be used with an API key after registration. To make it easier to use, we wrote a Python client, which can be found on GitHub.