ROSCO: Repository Of Signed COde

Friday 2 October 12:00 - 12:30, Red room

Dorottya Papp (CrySyS Lab)
Balázs Kócsó (CrySyS Lab)
Tamás Holczer (CrySyS Lab)
Levente Buttyán (CrySyS Lab)
Boldizsár Bencsáth (CrySyS Lab)

  download slides (PDF)

Recent targeted malware attacks, e.g. Stuxnet, Duqu and Flame, used digitally signed components that appeared to originate from legitimate software makers. In case of Stuxnet and Duqu, the private code-signing keys of legitimate companies were suspected to have been compromised and used by the attackers. In case of Flame, the attackers generated a fake certificate that appeared to be a valid code-signing certificate issued by Microsoft, and used the corresponding private key to sign their malware.

The purpose of code signing is to ensure the authenticity and integrity of software packages. However, ultimately the effectiveness of code signing as a security mechanism also depends on the security of the underlying Public Key Infrastructure (PKI). As the examples above show, attackers have already started to exploit weaknesses in the PKI system supporting code signing, and we expect that this trend will become stronger. Consequently, there is an urgent need to strengthen the PKI which code signing relies on. At the same time, given its size and complexity, making the entire PKI system 100% secure is illusionary, and one should rather adopt a best effort approach that raises the bar for the attackers even if attacks cannot completely be eliminated.

Motivated by the Stuxnet, Duqu and Flame cases, the specific problem that we address in our work is that standard signature verification procedures used in today's PKI systems do not allow for detecting key compromise and fake certificates. Therefore, the objective of the work is to augment the standard signature verification workflow with checking of reputation information on signers and signed objects.

For this purpose, we built a data collection framework and a data repository for signed software and code-signing certificates, we implemented services that use the repository for providing reputation information for signed objects, such as when a given signed object has first been seen and how often it was looked up by users, and we also provide alert services for private key owners that help them detect when their signing keys have been used illegitimately.

Our system, called Repository of Signed Code (ROSCO), does not aim to replace the entire code-signing infrastructure. Rather, it complements existing PKI functions with useful services that can be used by different participants to increase their confidence in the legitimacy of signed code. For end-users, the benefits are obvious: our repository serves them when they have to decide about the trustworthiness of a to-be-installed code. For software makers, our repository can be used to detect the malicious use of their signing key. For security companies, our repository could be an invaluable source of information, which they can use to detect malicious campaigns and trends in signing malicious code.

Click here for more details about the conference.

Levente Buttyán

Levente Buttyán

Levente Buttyán received an M.Sc. degree in computer science from the Budapest University of Technology and Economics (BME) in 1995, and earned his Ph.D. degree from the Swiss Federal Institute of Technology - Lausanne (EPFL) in 2002. In 2003, he joined the Department of Networked Systems and Services at BME, where he currently holds a position as an Associate Professor and leads the Laboratory of Cryptography and Systems Security (CrySyS Lab). He has done research on the design and analysis of secure protocols and privacy enhancing mechanisms for wireless networked embedded systems. Recently, he has been involved in the analysis of some high-profile targeted malware, such as Duqu, Flame, MiniDuke and TeamSpy. Since then his research has been focused on countermeasures for targeted attacks, and securing Industrial Control Systems. He is co-founder of Ukatemi Technologies, a company specialized in incident response and malware analysis; Tresorit, a company that delivers an encrypted cloud storage service; and Avatao, a company developing an on-line platform that supports practice-oriented learning in the field of IT. He also consults for IAEA in the domain of incident response and forensics analysis in nuclear facilities.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.