Authentication and Data Protection under Strong Adversarial Model

Lianying Zhao

A thesis in The Concordia Institute for Information Systems Engineering

Presented in Partial Fulfillment of the Requirements For the Degree of Doctor of Philosophy (Information and Systems Engineering) at Concordia University
Montréal, Québec, Canada
July 2018

© Lianying Zhao, 2018

Concordia University
School of Graduate Studies

This is to certify that the thesis prepared
By: Mr. Lianying Zhao
Entitled: Authentication and Data Protection under Strong Adversarial Model
and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Information and Systems Engineering) complies with the regulations of this University and meets the accepted standards with respect to originality and quality.

Signed by the final examining committee:
Chair: Dr. Ketra Schmitt
External Examiner: Dr. Urs Hengartner
External to Program: Dr. Otmane Ait Mohamed
Examiner: Dr. Jeremy Clark
Examiner: Dr. Lingyu Wang
Thesis Supervisor: Dr. Mohammad Mannan

Approved by Dr. Chadi Assi, Graduate Program Director
June 21, 2018
Dr. Amir Asif, Dean, Faculty of Engineering and Computer Science

Abstract

Authentication and Data Protection under Strong Adversarial Model
Lianying Zhao, Ph.D.
Concordia University, 2018

We are interested in addressing a series of existing and plausible threats to cybersecurity where the adversary possesses unconventional attack capabilities. Such unconventionality includes, in our exploration (but is not limited to), crowd-sourcing, physical/juridical coercion, substantial (but bounded) computational resources, and malicious insiders. Our studies show that unconventional adversaries can be counteracted with a special anchor of trust and/or a paradigm shift on a case-specific basis.

Complementing cryptography, hardware security primitives are the last defense in the face of co-located (physical) and privileged (software) adversaries, hence serving as the special trust anchor. Examples of hardware primitives are architecture-shipped features (e.g., with CPU or chipsets), security chips or tokens, and certain features on peripheral/storage devices. We also propose changes of paradigm in conjunction with hardware primitives, such as containing attacks instead of counteracting them, pretended compliance, and immunization instead of detection/prevention.

In this thesis, we demonstrate how our philosophy is applied to cope with several exemplary scenarios of unconventional threats, and elaborate on the prototype systems we have implemented. Specifically, Gracewipe is designed for stealthy and verifiable secure deletion of on-disk user secrets under coercion; Hypnoguard protects in-RAM data when a computer is in sleep (ACPI S3) in case of various memory/guessing attacks; Uvauth mitigates large-scale human-assisted guessing attacks by receiving all login attempts in an indistinguishable manner, i.e., correct credentials in a legitimate session and incorrect ones in a plausible fake session; Inuksuk is proposed to protect user files against ransomware or other authorized tampering. It augments the hardware access control on self-encrypting drives with trusted execution to achieve data immunization. We have also extended the Gracewipe scenario to a network-based enterprise environment, aiming to address slightly different threats, e.g., malicious insiders.

We believe the high-level methodology of these research topics can contribute to advancing the security research under strong adversarial assumptions, and the promotion of software-hardware orchestration in protecting execution integrity therein.

Acknowledgments

My thesis supervisor, Dr. Mohammad Mannan, has always been the driving force, reliable support and rigorous guide for my Ph.D. research, which led to my smooth conversion to an academic mindset from the industry. I appreciate the meticulousness and rigorousness that are "genetically" implanted into my research habits and even the way I think, just because of him.

I am grateful for all members of Madiba Security Research Group (especially Xavier de Carné de Carnavalet), as well as the rest of my research colleagues of the CIISE department, for the pleasant discussions we have had, regarding research, career and life. When disappointment or frustration comes, it is they who make me look forward.

I also would like to express my gratitude to my family members, who have been backing me up and understanding the devoted nature of Ph.D. studies, without which this thesis would not have been possible.

Contents

List of Figures ... xi
List of Tables ... xii

1 Introduction ... 1
  1.1 Unconventional Attack Capabilities ... 1
  1.2 Methodology ... 3
    1.2.1 Hardware security primitives – P1 ... 3
    1.2.2 Passive but resilient defense – P2 ... 4
  1.3 Thesis Statement ... 5
  1.4 Main Contributions ... 5
  1.5 Related Publications ... 8
  1.6 Outline ... 9

2 Deceptive Deletion Triggers under Coercion ... 10
  2.1 Introduction and Motivation ... 10
  2.2 Goals and Threat Model ... 14
    2.2.1 Goals and terminology ... 14
    2.2.2 Threat model and assumptions ... 16
  2.3 Gracewipe Design ... 18
    2.3.1 Overview and disk layout ... 18
    2.3.2 Execution steps ... 20
    2.3.3 Sealing in NVRAM ... 20
    2.3.4 Password management ... 21
  2.4 Implementation with TrueCrypt ... 22
    2.4.1 Implementing the wiper ... 22
    2.4.2 Adapting TrueCrypt ... 23
    2.4.3 Orchestrating components ... 23
    2.4.4 Windows and TPM issues ... 24
  2.5 Extended Unlocking Schemes ... 25
    2.5.1 Existing panic password schemes ... 26
    2.5.2 Counter-based deletion trigger ... 27
    2.5.3 Edit-distance-based password scheme ... 28
    2.5.4 Other possible schemes ... 31
  2.6 Performance Overhead ... 32
  2.7 Generalized Workflow and Comparison ... 34
  2.8 Security Analysis ... 36
  2.9 Related Work ... 38
  2.10 Concluding Remarks ... 40

3 Extending Gracewipe to Network-based Environments ... 41
  3.1 Introduction ... 41
  3.2 Threat Model and Assumptions ... 43
  3.3 An Analysis and Status-quo of Remote Secure Erase ... 44
  3.4 End-to-end Verifiable Secure Deletion ... 47
    3.4.1 Design considerations ... 47
  3.5 A Proof-of-concept on x86 PCs ... 48
    3.5.1 Assumptions and terminology ... 49
    3.5.2 Design overview ... 50
    3.5.3 Implementation of Gracewipe Remote ... 51
    3.5.4 Adapting for server-coordinated remote wipe ... 54
  3.6 Related Work ... 55
  3.7 Conclusion ... 55

4 Hypnoguard: Protecting Secrets across Sleep-wake Cycles ... 57
  4.1 Introduction ... 57
  4.2 Terminologies, Goals and Threat Model ... 60
    4.2.1 Terminologies ... 60
    4.2.2 Goals ... 61
    4.2.3 Threat model and assumptions ... 61
  4.3 Design ... 63
    4.3.1 Design choices and elements ... 64
    4.3.2 Unlock/deletion policy and deployment ... 65
    4.3.3 How goals are achieved ... 67
  4.4 Implementation ... 68
    4.4.1 Overview and execution steps ... 68
    4.4.2 Instrumenting the S3 handler ... 70
    4.4.3 Memory considerations ... 70
    4.4.4 User interaction ... 71
    4.4.5 Moving data around ... 73
    4.4.6 Unencrypted memory regions ... 73
  4.5 High-speed Full Memory Encryption and Decryption ... 74
    4.5.1 Enabling techniques ... 74
    4.5.2 Performance analysis ... 75
  4.6 Variants ... 76
  4.7 Security Analysis ... 78
  4.8 Related Work ... 79
  4.9 Concluding Remarks ... 83

5 Trusted Write-protection Against Privileged Data Tampering ... 85
  5.1 Introduction and Motivation ... 85
  5.2 Threat Model and Assumptions ... 89
  5.3 Design ... 90
    5.3.1 Design goals ... 91
    5.3.2 Trusted file versioning ... 92
    5.3.3 Design choices ... 94
    5.3.4 System components and workflow ... 96
    5.3.5 A remote data vault ... 97
  5.4 Implementation ... 99
    5.4.1 Using Flicker to handle TXT sessions ... 99
    5.4.2 OPAL access to SED inside TXT ... 99
    5.4.3 Secure user interface ... 100
    5.4.4 OPAL implementation challenges ... 102
  5.5 Performance Considerations ... 103
    5.5.1 File system efficiency ... 103
    5.5.2 CPU slowdown in Flicker PAL ... 104
    5.5.3 Adding support for DMA disk access ... 106
    5.5.4 Usage scenarios and performance ... 106
  5.6 Security Analysis ... 109
  5.7 Related Work ... 112
  5.8 Conclusions ... 115

6 COTS One-Time Programs ... 116
  6.1 Introduction ... 116
  6.2 Preliminaries ... 118
    6.2.1 Design goals ... 118
    6.2.2 Trusted execution environments ... 121
    6.2.3 Threat model ... 123
    6.2.4 Terminology ... 124
    6.2.5 Additional background ... 125
  6.3 System 1: TXT-only ... 126
    6.3.1 TXT-only provisioning at Alice's site ... 127
    6.3.2 TXT-only evaluation at Bob's site ... 128
    6.3.3 Trusted execution ... 128
    6.3.4 Performance evaluation ... 129
  6.4 System 2: GC-based ... 130
    6.4.1 The Frigate GC compiler ... 132
    6.4.2 Execution steps ... 133
    6.4.3 Enhanced security: GC-based Plus ... 135
    6.4.4 Performance evaluation ... 135
  6.5 Case Study ... 136
    6.5.1 Genomic test ... 138
    6.5.2 GC-Based OTP implementation ... 141
    6.5.3 GC-based case study setup ... 142
    6.5.4 TXT-only OTP implementation ... 143
    6.5.5 Evaluation ... 143
    6.5.6 Porting effort ... 144
  6.6 Other Use Cases ... 145
  6.7 Security analysis ... 147
  6.8 Related Work ... 152
  6.9 Concluding Remarks ... 153

7 Explicit Authentication Response Considered Harmful ... 154
  7.1 Introduction ... 154
  7.2 Threat Model and Assumptions ... 157
  7.3 Uvauth: User-verifiable Authentication ... 159
    7.3.1 Implicit detection of an authentication outcome ... 160
    7.3.2 Designing fake sessions ... 162
  7.4 Distorted Image as a Communication Channel ... 165
    7.4.1 Captchas as a cipher ... 165
    7.4.2 Adaptation of regular captchas ... 166
    7.4.3 An example with VNC ... 167
  7.5 Limitations and Attacks ... 167
  7.6 Related Work ... 170
  7.7 Conclusion ... 172

8 Further Discussion ... 174
  8.1 Onto Mobile Platforms ... 174
  8.2 Open Problems ... 175
  8.3 Concluding Remarks ... 176

A Glossary and Additional Information ... 214