#RSAC
SESSION ID: HT-F01
Breaking Closed Systems with Code-Signing and Mitigation Techniques
Gavin Hill
Director of Threat Intelligence, Venafi
Learning Objectives
• Code Signing Overview
  - Common use cases (today & tomorrow)
  - Comparing open systems with closed systems
• Threat Landscape
  - Underground market (Theft & Services)
  - Bypassing security controls
  - The Carbon problem
• Mitigating Code Signing abuse
Why Code Signing?
Can I trust the code?
Has the code been tampered with since it was signed?
Code Signing Process
Hash of code created with hashing algorithm
Private key used to sign hash
Package bundled together with certificate
Common Use Cases
App Publishing
Software distribution
Container Security
Execution of scripts
- Start / Stop services
- Deploy code
File distribution
Software upgrades
Open Systems
Software issuers are trusted by default with a vetting process
Users are given the choice to trust a publisher or not
Certificate automatically accepted without user warning
Closed Systems
Publisher certificates are not trusted; only the manufacturer's are
Doesn’t provide ways to sideload apps
Legally, the DMCA prohibits breaking any signature scheme
Hackers do it anyway!
• Tesla hack -> Weak encryption
• GM/Chrysler -> Firmware vulnerabilities to bypass validation
• iOS -> Buffer overflow to root / jailbreak devices
• Weak hashing or key length
Threat Landscape
Rise of Attacks on Trust
Marketplace for Stolen Certificates
Up to $980/ea
400x more valuable than stolen credit card
3x more valuable than bitcoin
Underground Certificates-as-a-service (CaaS)
InfoArmor: GovRAT
Blind Trust in Signed Code
“Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher.” Microsoft
Ref: https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/
Domain Validated (DV) Certificate
• Easily acquired
• Inexpensive or free
• Very little validation performed
Extended Validation (EV) Certificate
• Rigorous process to acquire
• Expensive
• Extensive validation
Signed-Malware Continues to Increase
The Ugly Truth – Revocation Doesn’t Work
Oct 1, 2015 -> Sign malware with stolen code signing certificate with timestamp Oct 1, 2015
Nov 1, 2015 -> Code signing certificate revoked; malware can’t run on systems that check CRL
Dec 31, 2015 -> Code signing certificate expires and is removed from CRL
Jan 1, 2016 -> Malware runs again as trusted on systems
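The timeline above as a simplified model, added here as an example and not part of the original slides: a verifier that consults only the current CRL is compared with one that retains every revoked serial it has seen. The serial, the `not_before` date and the retaining verifier are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    serial: str
    not_before: date
    not_after: date

# Constructed values matching the slide's dates; serial and not_before are made up.
CERT = Cert("01AB", date(2015, 1, 1), date(2015, 12, 31))
SIGNED_AT = date(2015, 10, 1)    # trusted timestamp on the signed malware
REVOKED_AT = date(2015, 11, 1)

def crl(today):
    """CRL as the slide describes it: the entry is dropped once the cert expires."""
    return {CERT.serial} if REVOKED_AT <= today <= CERT.not_after else set()

def timestamp_valid(cert, signed_at):
    # A timestamped signature stays valid after expiry if made inside the validity window.
    return cert.not_before <= signed_at <= cert.not_after

def crl_only(today):
    """Verifier that consults only the CRL current on the day of the check."""
    return timestamp_valid(CERT, SIGNED_AT) and CERT.serial not in crl(today)

class RetainingVerifier:
    """Verifier that keeps every serial it has ever seen revoked (assumed mitigation)."""
    def __init__(self):
        self.seen = set()

    def check(self, today):
        self.seen |= crl(today)   # only helps if a CRL was fetched before expiry
        return timestamp_valid(CERT, SIGNED_AT) and CERT.serial not in self.seen

def timeline():
    """Return (date, trusted by CRL-only verifier, trusted by retaining verifier)."""
    keeper = RetainingVerifier()
    days = [date(2015, 10, 1), date(2015, 11, 1), date(2015, 12, 31), date(2016, 1, 1)]
    return [(d.isoformat(), crl_only(d), keeper.check(d)) for d in days]

if __name__ == "__main__":
    for day, naive, retained in timeline():
        print(day, "crl-only trusted:", naive, "| retaining trusted:", retained)
```

The retaining verifier blocks the file on Jan 1, 2016 only because it fetched a CRL while the entry was still listed.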
Signed Malware
Note the expiration date of the certificates used to sign the malware and when it was discovered
The Carbon Problem
Bypassing Security Controls
| Year | Organization | Attack | Source |
|------|--------------|--------|--------|
| 2012 | Adobe | Compromised code signing server used to sign malware | Compromised code signing server |
| 2013 | Bit9 | Stolen code-signing certificate used to sign malware | Stolen from developer machine |
| 2014 | HP | Stolen code-signing certificate used to sign malware | Stolen from developer machine |
| 2015 | Dell | Sign fake certificates for MITM attacks or malicious code | eDellRoot self-signed CA installed on all new Dell machines* |
| 2016 | SBO Invest | Multiple code signing certificates used to sign Spymel | Stolen code signing certificates |
Who’s Responsible for Protecting the Keys?
[Chart: Responsible for Management of Code-Signing Certificates. Categories: Developers, PKI Admin, Security Operations. Values shown: 27%, 66%, 7%. Source: Venafi 2016 survey]
Protecting Against a Compromise
CONTROLS IN PLACE TO ENSURE CODE-SIGNING PROGRAM IS NOT AT RISK OF A COMPROMISE
• PKI Admin Access Only: 30%
• Manual Audits: 30%
• No Controls: 20%
• Don't know: 10%
• Next Gen AV: 10%
At least 70% don’t have effective controls in place
Venafi 2016 survey
The Problems with Closed Systems
Not using signatures at all to validate updates (Automotive, Embedded Devices).
Signing Keys/Certificates are blindly trusted and can’t be revoked in case of CA/key compromise (IoT).
Closed-system CAs are not subjected to the usual public CA security audits (WebTrust only has audit criteria for EV Code Signing issuing CAs).
How Do Attacks on Closed Systems Happen
Exploiting the code signing process.
Exploiting the update/upgrade process:
- MITM attacks when updates are retrieved (exploiting TLS connection validation issues in existing client libraries)
- Exploiting signature validation vulnerabilities during the manual update process
Exploit another vulnerability in the firmware to get access to the device and then use the upgrade/update path to gain further access.
3 Suggested Steps To Mitigating Code Signing Abuse
Mitigating Code Signing Abuse – Step 1
Find out what signed code you have
Find out who is performing the code-signing in your organization
Find out where code-signing certificates are stored and who has access to them
Mitigating Code Signing Abuse – Step 2
Start publishing code-signing usage
Require CAs to publish code signing certificate issuance
Mitigating Code Signing Abuse – Step 3
Establish security controls to limit access to code signing certificates
Identify any misuse or irregularities for code signing practices within your organization
Validate:
- What code is being signed
- Who is signing it
- Where it is being signed
- When it was signed
“Certificates can no longer be blindly trusted.”
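One way to run the what / who / where / when validation from Step 3 over a signing log, added here as an example and not taken from the original slides. The log format, signer and host names, digests, signing hours and build manifest are all constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed signing-service log: time, signer, host, artifact, digest prefix.
SIGNING_LOG = """\
2016-02-01T10:14:00,build-svc,sign01,installer.exe,9f2c
2016-02-01T10:20:00,build-svc,sign01,updater.exe,41aa
2016-02-03T02:47:00,jdoe,dev-laptop-17,updater.exe,77e0
2016-02-04T11:05:00,build-svc,sign01,helper.dll,c3d9
"""

# Hypothetical policy and build manifest for this example.
APPROVED_SIGNERS = {"build-svc"}
APPROVED_HOSTS = {"sign01"}
SIGNING_HOURS = range(8, 19)          # 08:00 to 18:59 local time
BUILD_MANIFEST = {"installer.exe": "9f2c", "updater.exe": "41aa"}

def audit(log_text):
    """Return (timestamp, artifact, reasons) for every signing event that breaks policy."""
    findings = []
    for ts, signer, host, artifact, digest in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        reasons = []
        # What: the signed bytes must be an artifact the build system produced.
        if BUILD_MANIFEST.get(artifact) != digest:
            reasons.append("what: digest not in build manifest")
        # Who: only the approved signing identity may request signatures.
        if signer not in APPROVED_SIGNERS:
            reasons.append("who: signer %s not approved" % signer)
        # Where: signing must happen on the controlled signing host.
        if host not in APPROVED_HOSTS:
            reasons.append("where: host %s not a signing host" % host)
        # When: signatures outside the release window are irregular.
        if when.hour not in SIGNING_HOURS:
            reasons.append("when: signed at %s" % when.strftime("%H:%M"))
        if reasons:
            findings.append((ts, artifact, reasons))
    return findings

if __name__ == "__main__":
    for ts, artifact, reasons in audit(SIGNING_LOG):
        print(ts, artifact, "; ".join(reasons))
```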
Questions?