The problem of malware is greatly reduced if we can ensure that only software from trusted providers is executed. In this paper, we describe a prototype system for Windows that authenticates every binary before it is loaded, so that only trusted software runs, and only from the path at which it was authorized. Binary authentication on Windows is complicated by the many kinds of binaries beyond executables, e.g. DLLs, drivers and ActiveX controls. We combine this with a simple software ID scheme for software management and vulnerability assessment that leverages trusted infrastructure such as DNS and Certificate Authorities. Our prototype is lightweight and does not need to rely on a PKI; it does, however, take advantage of binaries that already carry digital signatures. We provide a detailed security analysis of our authentication scheme and demonstrate that the prototype has low overhead, around 2%, even when all binary code is authenticated.
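The abstract describes authenticating every binary so that it runs only from the correct path, without relying on a PKI. The following is an added example, not code from the paper or its prototype, showing one way such a check can be built: a keyed HMAC (in the style of RFC 2104) computed over the canonicalized Windows path and the SHA-256 digest of the file contents, with the key held only by the enforcement component. The `BinaryAuthenticator` class, the tag construction, the sample "binaries" and the key handling are all assumptions of this example; the paper's actual scheme, its hooking of binary loads and its use of existing Authenticode signatures are not reproduced here.

```python
import hashlib
import hmac
import ntpath
import secrets
from typing import Dict, Optional

# Constructed sample "binaries": stand-ins for real PE files (path -> bytes).
# A real deployment would hash the bytes that are actually mapped for execution.
TRUSTED_SAMPLES = {
    r"C:\Windows\System32\calc.exe": b"MZ\x90\x00" + b"calc-image-bytes" * 64,
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00" + b"kernel32-image" * 64,
    r"C:\Windows\System32\drivers\tcpip.sys": b"MZ\x90\x00" + b"tcpip-driver" * 64,
}


def normalize_windows_path(path: str) -> str:
    """Canonicalize a Windows path so that letter case, slash style and '.'
    segments cannot be used to dodge or spoof an entry (ntpath works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path))


class BinaryAuthenticator:
    """Hypothetical path-bound binary authenticator (assumption of this example).

    Each authorized binary gets tag = HMAC-SHA256(key, path || SHA-256(content)).
    Binding the path into the MAC means the same bytes are NOT trusted at a
    different location, which is what "from the correct path" requires.
    The key is symmetric and known only to the enforcement component, so no
    certificates or PKI are needed to produce or verify tags.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key
        self._db: Dict[str, bytes] = {}

    def _tag(self, path: str, content: bytes) -> bytes:
        norm = normalize_windows_path(path)
        digest = hashlib.sha256(content).digest()
        # Length-prefix the path so a (path, digest) pair cannot be re-split.
        msg = len(norm).to_bytes(4, "big") + norm.encode("utf-16-le") + digest
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def register(self, path: str, content: bytes) -> None:
        """Installation-time step for a trusted provider: record the tag."""
        self._db[normalize_windows_path(path)] = self._tag(path, content)

    def authorize(self, path: str, content: bytes) -> bool:
        """Load-time check: True only if this path was registered AND the
        bytes now at that path still produce the recorded tag."""
        expected = self._db.get(normalize_windows_path(path))
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._tag(path, content))


def run_demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    """Exercise the authenticator against the constructed samples."""
    auth = BinaryAuthenticator(key or secrets.token_bytes(32))
    for path, content in TRUSTED_SAMPLES.items():
        auth.register(path, content)

    calc = TRUSTED_SAMPLES[r"C:\Windows\System32\calc.exe"]
    return {
        "trusted_at_registered_path": auth.authorize(r"C:\Windows\System32\calc.exe", calc),
        "path_spelling_variant": auth.authorize("c:/windows/system32/./CALC.EXE", calc),
        "same_bytes_copied_elsewhere": auth.authorize(r"C:\Users\Public\calc.exe", calc),
        "tampered_bytes_at_trusted_path": auth.authorize(r"C:\Windows\System32\calc.exe", calc + b"\x90"),
        "unregistered_binary": auth.authorize(r"C:\Temp\dropper.exe", b"MZ\x90\x00dropper"),
    }


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:32s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two caveats a practitioner would add: the bytes hashed must be the ones actually mapped for execution (hashing a file and then letting it be swapped before load defeats the check), and the key must be unreadable by the user-mode code it polices, otherwise an attacker can simply mint tags for its own binaries.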
© 2008 IFIP International Federation for Information Processing
Cite this paper
Halim, F., Ramnath, R., Sufatrio, Wu, Y., Yap, R.H.C. (2008). A Lightweight Binary Authentication System for Windows. In: Karabulut, Y., Mitchell, J., Herrmann, P., Jensen, C.D. (eds) Trust Management II. IFIPTM 2008. IFIP – The International Federation for Information Processing, vol 263. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09428-1_19
DOI: https://doi.org/10.1007/978-0-387-09428-1_19
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09427-4
Online ISBN: 978-0-387-09428-1