Fengwei Zhang
ABSTRACT
With the increasing prevalence of Web 2.0 and cloud computing, password-based logins play an increasingly important role on user-end systems. We use passwords to authenticate ourselves to countless applications and services. However, login credentials can be easily stolen by attackers. In this paper, we present a framework, TrustLogin, to secure password-based logins on commodity operating systems. TrustLogin leverages System Management Mode to protect the login credentials from malware even when OS is compromised. TrustLogin does not modify any system software in either client or server and is transparent to users, applications, and servers. We conduct two study cases of the framework on legacy and secure applications, and the experimental results demonstrate that TrustLogin is able to protect login credentials from real-world keyloggers on Windows and Linux platforms. TrustLogin is robust against spoofing attacks. Moreover, the experimental results also show TrustLogin introduces a low overhead with the tested applications.
- C-Scale Frequency Reference Guide for Musicians. http://www.ronelmm.com/tones/cscale.html.Google Scholar
- Common Vulnerabilities and Exposures list. http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html. Access time: 07/06/2014.Google Scholar
- Credit Card Data Breach at Barnes & Noble Stores. http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html_r=3&.Google Scholar
- Free Keylogger Pro. http://freekeyloggerpro.com/.Google Scholar
- Intel 64 and IA-32 Architectures Optimization Reference Manual. http://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-optimization-manual.html.Google Scholar
- Keyboard Scan Code Set 1. http://www.computer-engineering.org/ps2keyboard/scancodes1.html.Google Scholar
- Keylogger Malware Found on UC Irvine Health Center Computers. http://www.scmagazine.com/keylogger-malware-found-on-three-uc-irvine-health-center-computers/article/347204/.Google Scholar
- Keylogger Products. http://www.keylogger.org.Google Scholar
- Logkeys Linux keylogger. https://code.google.com/p/logkeys/.Google Scholar
- NSA's ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware. http://Leaksource.wordpress.com.Google Scholar
- OpenSSH. http://www.openssh.com. Access time: 09/01/2014.Google Scholar
- Advanced Micro Devices, Inc. BIOS and Kernel Developer's Guide for AMD Athlon 64 and AMD Opteron Processors. http://support.amd.com/TechDocs/26094.PDF.Google Scholar
- A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. HyperSentry: Enabling Stealthy In-Context Measurement of Hypervisor Integrity. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10), 2010. Google ScholarDigital Library
- A. M. Azab, P. Ning, and X. Zhang. SICE: A Hardware-level Strongly Isolated Computing Environment for x86 Multi-core Platforms. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS'11), 2011. Google ScholarDigital Library
- K. Borders and A. Prakash. Securing network input via a trusted input proxy. In Proceedings of the 2nd USENIX workshop on Hot topics in security, 2007. Google ScholarDigital Library
- Y. Bulygin, J. Loucaides, A. Furtak, O. Bazhaniuk, and A. Matrosov. Summary of Attacks Against BIOS and Secure Boot. In Defcon-22, 2014.Google Scholar
- J. Butterworth, C. Kallenberg, and X. Kovah. BIOS Chronomancy: Fixing the Core Root of Trust for Measurement. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS'13), 2013. Google ScholarDigital Library
- N. Collignon. In-memory Extraction of SSL Private Keys. http://c0decstuff.blogspot.com/2011/01/in-memory-extraction-of-ssl-private.html, 2011.Google Scholar
- Coreboot. Open-Source BIOS. http://www.coreboot.org/.Google Scholar
- S. Embleton, S. Sparks, and C. Zou. SMM rootkits: A New Breed of OS Independent Malware. In Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm'08), 2008. Google ScholarDigital Library
- Y. Fu and Z. Lin. Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P'12), 2012. Google ScholarDigital Library
- T. Holz, M. Engelberth, and F. Freiling. Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones. In Proceedings of The 14th European Symposium on Research in Computer Security (ESORICS'09), 2009. Google ScholarDigital Library
- Intel. Enhanced Host Controller Interface Specification for Universal Serial Bus. http://www.intel.com/content/dam/www/public/us/en/documents/technical-specifications/ehci-specification-for-usb.pdf.Google Scholar
- Intel. eXtensible Host Controller Interface for Universal Serial Bus (xHCI). http://www.intel.com/content/dam/www/public/us/en/documents/technical-specifications/extensible-host-controler-interface-usb-xhci.pdf.Google Scholar
- Intel. PCI/PCI-X GbE Family of Controllers: Software Developer Manual. http://www.intel.com/content/www/us/en/ethernet-controllers/pci-pci-x-family-gbe-controllers-software-dev-manual.html.Google Scholar
- Intel. Universal Host Controller Interface (UHCI) Design Guide. ftp.netbsd.org/pub/NetBSD/misc/blymn/uhci11d.pdf.Google Scholar
- B. Jain, M. B. Baig, D. Zhang, D. E. Porter, and R. Sion. SoK: Introspections on Trust and the Semantic Gap. In Proceedings of the 35th IEEE Symposium on Security and Privacy (S&P'14), 2014. Google ScholarDigital Library
- X. Jiang, X. Wang, and D. Xu. Stealthy Malware Detection Through VMM-based Out-of-the-box Semantic View Reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), 2007. Google ScholarDigital Library
- E. Ladakis, L. Koromilas, G. Vasiliadis, M. Polychronakis, and S. Ioannidis. You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger. In Proceedings of the European Workshop on System Security (EuroSec'13) 2013.Google Scholar
- T. Leek, M. Zhivich, J. Giffin, and W. Lee. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (S&P'11), 2011. Google ScholarDigital Library
- M. Mannan and P. van Oorschot. Leveraging Personal Devices for Stronger Password Authentication from Untrusted Computers. Journal of Computer Security, 2011. Google ScholarDigital Library
- L. Martignoni, P. Poosankam, M. Zaharia, J. Han, S. McCamant, D. Song, V. Paxson, A. Perrig, S. Shenker, and I. Stoica. Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems. In Proceedings of the 2012 USENIX Conference on Annual Technical Conference (USENIX ATC'12), 2012. Google ScholarDigital Library
- J. McCune, B. Parno, A. Perrig, M. Reiter, and H. Isozaki. Flicker: An Execution Infrastructure for TCB Minimization. In Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, 2008. Google ScholarDigital Library
- J. M. McCune, A. Perrig, and M. K. Reiter. Safe passage for passwords and other sensitive data. In NDSS, 2009.Google Scholar
- Ohloh. Black Duck Software, Inc. http://www.ohloh.net. Access time: 7/16/2014.Google Scholar
- A. Reina, A. Fattori, F. Pagani, L. Cavallaro, and D. Bruschi. When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition. In Proceedings of the Annual Computer Security Applications Conference (ACSAC'12), 2012. Google ScholarDigital Library
- S. Sagiroglu and G. Canbek. Keyloggers. Technology and Society Magazine, IEEE, 2009.Google Scholar
- J. Schiffman and D. Kaplan. The SMM Rootkit Revisited: Fun with USB. In Proceedings of 9th International Conference on Availability, Reliability and Security (ARES'14), 2014. Google ScholarDigital Library
- H.-M. Sun, Y.-H. Chen, and Y.-H. Lin. oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks. Information Forensics and Security, IEEE Transactions on, 2012. Google ScholarDigital Library
- K. Sun, J. Wang, F. Zhang, and A. Stavrou. SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes. In Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS'12), 2012.Google Scholar
- A. Vasudevan, B. Parno, N. Qu, V. Gligor, and A. Perrig. Lockdown: A Safe and Practical Environment for Security Applications (Carnegie Mellon University-CyLab-09-011). Technical report, 2009.Google Scholar
- VIA. VT8237R Southbridge. http://www.via.com.tw/.Google Scholar
- F. Wecherowski. A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers. Phrack Magazine, 2009.Google Scholar
- H. William, S. A. Teukolsky, W. T. Vetterling, and B. P. Flannery. Numerical Recipes: The Art of Scientific Computing. Cambridge University Press, New York, 2007. Google ScholarDigital Library
- R. Wojtczuk and C. Kallenberg. Attacking UEFI Boot Script. http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2566/original/venamis_whitepaper.pdf, 2014.Google Scholar
- R. Wojtczuk and J. Rutkowska. Attacking SMM Memory via Intel CPU Cache Poisoning, 2009.Google Scholar
- F. Zhang, K. Leach, K. Sun, and A. Stavrou. SPECTRE: A Dependable Introspection Framework via System Management Mode. In Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'13), 2013. Google ScholarDigital Library
- F. Zhang, H. Wang, K. Leach, and A. Stavrou. A Framework to Secure Peripherals at Runtime. In Proceedings of The 19th European Symposium on Research in Computer Security (ESORICS'14), 2014.Google ScholarDigital Library
- F. Zhang, J. Wang, K. Sun, and A. Stavrou. HyperCheck: A Hardware-assisted Integrity Monitor. In IEEE Transactions on Dependable and Secure Computing (TDSC'14), 2014.Google Scholar
Index Terms
- TrustLogin: Securing Password-Login on Commodity Operating Systems
Recommendations
Kernel Service Protection for Client Security
Authentication within the X86 CPU system management mode has significant benefits for system security because the entire process is conducted within a secure environment. So, authentication itself can be guaranteed to a much higher degree. The author ...
Analysis of Botnet Counter-Counter-Measures
CISR '15: Proceedings of the 10th Annual Cyber and Information Security Research ConferenceBotnets evolve quickly to outwit police and security researchers. Since they first appeared in 1993, there have been significant botnet countermeasures. Unfortunately, countermeasures, especially takedown operations, are not particularly effective. They ...
Accessing Password-Protected Resources without the Password
CSIE '09: Proceedings of the 2009 WRI World Congress on Computer Science and Information Engineering - Volume 04Sometimes it is desirable to access password-protected resources, but undesirable to disclose the password to the machine in use. In such situations, providing the password is a task that can be delegated to a remote proxy server. This server has to ...
Comments