TrustLogin: Securing Password-Login On Commodity Operating Systems - - PowerPoint PPT Presentation

trustlogin securing password login on commodity operating
SMART_READER_LITE
LIVE PREVIEW

TrustLogin: Securing Password-Login On Commodity Operating Systems - - PowerPoint PPT Presentation

TrustLogin: Securing Password-Login On Commodity Operating Systems Fengwei Zhang 1 Kevin Leach 2 Haining Wang 3 Angelos Stavrou 1 1 Wayne State University 2 University of Virginia 3 University of Delaware November 16, 2015 1 Overview of The Talk


slide-1
SLIDE 1

TrustLogin: Securing Password-Login On Commodity Operating Systems

Fengwei Zhang 1 Kevin Leach 2 Haining Wang 3 Angelos Stavrou 1

1Wayne State University 2University of Virginia 3University of Delaware

November 16, 2015

1

slide-2
SLIDE 2

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

2

slide-3
SLIDE 3

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

3

slide-4
SLIDE 4

Motivation

Keylogger examples

◮ Keylogger malware found on UC Irvine health center in May

2014, and about two thousand students were impacted [1]

◮ Attackers have stolen credit card information for customers

who shopped at 63 Barnes & Noble stores using keyloggers [2]

◮ A case study has shown that 10,775 unique bank account

credentials were stolen by keyloggers in a seven-month period [3] Protecting login credentials is a critical part of daily life

4

slide-5
SLIDE 5

Motivation

◮ OS as a trusted computing base, which has a large amount of

source code

◮ Linux kernel has 17M lines of code ◮ CVE shows 240 vulnerabilities for the Linux kernel

◮ An attacker can compromise the OS and install a stealthy

keylogger

◮ Banking, SSH login passwords 5

slide-6
SLIDE 6

Our Approach

We present TrustLogin, a framework to securely perform login

  • perations using System Management Mode (SMM)

◮ Prevent rootkits and stealthy keyloggers without trusting the

OS

◮ Does not change any software on the client and server sides ◮ Transparent to users and applications

6

slide-7
SLIDE 7

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

7

slide-8
SLIDE 8

Background: System Management Mode

System Management Mode (SMM) is special CPU mode existing in x86 architecture, and it can be used as a hardware isolated execution environment.

◮ Originally designed for implementing system functions (e.g.,

power management)

◮ Isolated System Management RAM (SMRAM) that is

inaccessible from OS

◮ Only way to enter SMM is to trigger a System Management

Interrupt (SMI)

◮ Executing RSM instruction to resume OS (Protected Mode)

8

slide-9
SLIDE 9

Background: System Management Mode

Approaches for Triggering a System Management Interrupt (SMI)

◮ Software-based: Write to an I/O port specified by Southbridge

datasheet (e.g., 0x2B for Intel)

◮ Hardware-based: Network card, keyboard, hardware timers

Protected Mode Normal OS System Management Mode Isolated Execution Environment SMI Handler Isolated SMRAM Highest privilege Interrupts disabled

SMM entry SMM exit

Software

  • r

Hardware

Trigger SMI RSM

9

slide-10
SLIDE 10

Background: Software Layers

Application Operating System Hypervisor (VMM) Firmware (BIOS) SMM Hardware

10

slide-11
SLIDE 11

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

11

slide-12
SLIDE 12

System Framework

◮ SMM provides a secure world; we move the security sensitive

  • perations into it.

Operating System in Protected Mode System Management Mode Keyboard NIC

Input Device Output Device

Trigger an SMI Resume Trigger an SMI Resume

User Inputs Network Packets

Figure: Architecture of TrustLogin

12

slide-13
SLIDE 13

TrustLogin

3 Steps for a password-login

◮ Entering secure input mode: Ctrl+Alt+1 ◮ Intercepting keystrokes and generating placeholders ◮ Intercepting network packets

13

slide-14
SLIDE 14

Case Study of TrustLogin

◮ Legacy Applications: FTP

◮ Unencrypted packets

◮ Secure Applications: SSH

◮ encrypted packets ◮ session key searching

◮ TrustLogin requires application-specific efforts

14

slide-15
SLIDE 15

Ensuring the Trust Path

Mitigating spoofing attacks

◮ LED lights:

◮ Showing a special sequence of Num, Caps, and Scroll locks ◮ User defines the sequence

◮ PC speaker:

◮ Playing a melody (e.g., C major scale) 15

slide-16
SLIDE 16

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

16

slide-17
SLIDE 17

Effectiveness of TrustLogin

◮ Testing TrustLogin against Keyloggers on Windows and Linux

Platforms

◮ Windows: Free Keylogger Pro version 1.0 ◮ Linux: Logkeys version 0.1.1a

Keyloggers can only record random strings with TrustLogin enabled

17

slide-18
SLIDE 18

Performance Evaluation

Table: Breakdown of TrustLogin Runtime

Operations Mean STD Keyboard SMI handler 32.58 ms 3.68 NIC SMI handler 29.67 µs 1.18 SMM Switching 3.29 µs 0.08 SMM Resume 4.58 µs 0.10

18

slide-19
SLIDE 19

Overview of The Talk

◮ Motivation ◮ Background: System Management Mode (SMM) ◮ System Framework ◮ Evaluation Results ◮ Conclusions and Future Directions

19

slide-20
SLIDE 20

Conclusions and Future Directions

◮ We presented TrustLogin, a novel framework for securing

password-login via System Management Mode

◮ It can prevent rootkits from stealing sensitive data from the

local host

◮ It does not change any software on the client and server sides ◮ It is transparent to users and applications

◮ Defend against phishing attacks by validating the destination

IP/hostname

◮ Protect other sensitive data like password-logins on browsers

and banking transactions

20

slide-21
SLIDE 21

References I

[1] “Keylogger Malware Found on UC Irvine Health Center Computers,” http://www.scmagazine.com/keylogger- malware-found-on-three-uc-irvine-health-center-computers/article/347204/. [2] “Credit Card Data Breach at Barnes & Noble Stores,” http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html? r=3&. [3]

  • T. Holz, M. Engelberth, and F. Freiling, “Learning More About the Underground Economy: A Case-Study of

Keyloggers and Dropzones,” in Proceedings of The 14th European Symposium on Research in Computer Security (ESORICS’09), 2009. 21

slide-22
SLIDE 22

Thank you!

Email: fengwei@wayne.edu Homepage: http://fengwei.me

Questions?

22