TrustLogin: Securing Password-Login OnCommodity Operating Systems

Fengwei Zhang 1 Kevin Leach 2 Haining Wang 3

Angelos Stavrou 1

1Wayne State University

2University of Virginia

3University of Delaware

November 16, 2015

1

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

2

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

3

Motivation

Keylogger examples

I Keylogger malware found on UC Irvine health center in May2014, and about two thousand students were impacted [1]

I Attackers have stolen credit card information for customerswho shopped at 63 Barnes & Noble stores using keyloggers [2]

I A case study has shown that 10,775 unique bank accountcredentials were stolen by keyloggers in a seven-monthperiod [3]

Protecting login credentials is a critical part of daily life

4

Motivation

I OS as a trusted computing base, which has a large amount ofsource code

I Linux kernel has 17M lines of codeI CVE shows 240 vulnerabilities for the Linux kernel

I An attacker can compromise the OS and install a stealthykeylogger

I Banking, SSH login passwords

5

Our Approach

We present TrustLogin, a framework to securely perform loginoperations using System Management Mode (SMM)

I Prevent rootkits and stealthy keyloggers without trusting theOS

I Does not change any software on the client and server sides

I Transparent to users and applications

6

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

7

Background: System Management Mode

System Management Mode (SMM) is special CPU mode existingin x86 architecture, and it can be used as a hardware isolatedexecution environment.

I Originally designed for implementing system functions (e.g.,power management)

I Isolated System Management RAM (SMRAM) that isinaccessible from OS

I Only way to enter SMM is to trigger a System ManagementInterrupt (SMI)

I Executing RSM instruction to resume OS (Protected Mode)

8

Background: System Management Mode

Approaches for Triggering a System Management Interrupt (SMI)

I Software-based: Write to an I/O port specified by Southbridgedatasheet (e.g., 0x2B for Intel)

I Hardware-based: Network card, keyboard, hardware timers

Protected Mode

Normal OS

System Management Mode

Isolated Execution Environment

SMIHandler

Isolated SMRAM

Highest privilege

Interrupts disabled

SMM entry

SMM exit

Softwareor

Hardware

Trigger SMI

RSM

9

Background: Software Layers

Application

Operating System

Hypervisor (VMM)

Firmware (BIOS) SMM

Hardware

10

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

11

System Framework

I SMM provides a secure world; we move the security sensitiveoperations into it.

Operating Systemin Protected Mode

System Management Mode

Keyboard NIC

Input Device Output Device

Trigger an SMI

Resume

Trigger an SMI

Resume

UserInputs

NetworkPackets

Figure: Architecture of TrustLogin

12

TrustLogin

3 Steps for a password-login

I Entering secure input mode: Ctrl+Alt+1

I Intercepting keystrokes and generating placeholders

I Intercepting network packets

13

Case Study of TrustLogin

I Legacy Applications: FTPI Unencrypted packets

I Secure Applications: SSHI encrypted packetsI session key searching

I TrustLogin requires application-specific efforts

14

Ensuring the Trust Path

Mitigating spoofing attacksI LED lights:

I Showing a special sequence of Num, Caps, and Scroll locksI User defines the sequence

I PC speaker:I Playing a melody (e.g., C major scale)

15

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

16

Effectiveness of TrustLogin

I Testing TrustLogin against Keyloggers on Windows and LinuxPlatforms

I Windows: Free Keylogger Pro version 1.0I Linux: Logkeys version 0.1.1a

Keyloggers can only record random strings with TrustLoginenabled

17

Performance Evaluation

Table: Breakdown of TrustLogin Runtime

Operations Mean STDKeyboard SMI handler 32.58 ms 3.68NIC SMI handler 29.67 µs 1.18SMM Switching 3.29 µs 0.08SMM Resume 4.58 µs 0.10

18

Overview of The Talk

I Motivation

I Background: System Management Mode (SMM)

I System Framework

I Evaluation Results

I Conclusions and Future Directions

19

Conclusions and Future Directions

I We presented TrustLogin, a novel framework for securingpassword-login via System Management Mode

I It can prevent rootkits from stealing sensitive data from thelocal host

I It does not change any software on the client and server sidesI It is transparent to users and applications

I Defend against phishing attacks by validating the destinationIP/hostname

I Protect other sensitive data like password-logins on browsersand banking transactions

20

References I[1] “Keylogger Malware Found on UC Irvine Health Center Computers,” http://www.scmagazine.com/keylogger-

malware-found-on-three-uc-irvine-health-center-computers/article/347204/.

[2] “Credit Card Data Breach at Barnes & Noble Stores,”http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html? r=3&.

[3] T. Holz, M. Engelberth, and F. Freiling, “Learning More About the Underground Economy: A Case-Study ofKeyloggers and Dropzones,” in Proceedings of The 14th European Symposium on Research in ComputerSecurity (ESORICS’09), 2009.

21

Thank you!

Email: fengwei@wayne.eduHomepage: http://fengwei.me

Questions?

22