Last mile authentication problem: Exploiting the missing link in end-to-end secure communication

Video thumbnail (Frame 0) Video thumbnail (Frame 1010) Video thumbnail (Frame 2237) Video thumbnail (Frame 5257) Video thumbnail (Frame 6502) Video thumbnail (Frame 7142) Video thumbnail (Frame 10412) Video thumbnail (Frame 12607) Video thumbnail (Frame 14662) Video thumbnail (Frame 15407) Video thumbnail (Frame 17351) Video thumbnail (Frame 20211) Video thumbnail (Frame 26934) Video thumbnail (Frame 30530) Video thumbnail (Frame 31547) Video thumbnail (Frame 32375) Video thumbnail (Frame 35061) Video thumbnail (Frame 36504) Video thumbnail (Frame 40148) Video thumbnail (Frame 41706) Video thumbnail (Frame 44725) Video thumbnail (Frame 46139) Video thumbnail (Frame 47772) Video thumbnail (Frame 48473)
Video in TIB AV-Portal: Last mile authentication problem: Exploiting the missing link in end-to-end secure communication

Formal Metadata

Title
Last mile authentication problem: Exploiting the missing link in end-to-end secure communication
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
With "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected. This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this "last mile" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
Authentication Link (knot theory) Link (knot theory) Interprozesskommunikation Information security
Group action Server (computing) Thermodynamischer Prozess Content management system Network switching subsystem Process (computing) Connectivity (graph theory) Open set Web browser Mereology Information privacy Focus (optics) Computer Interprozesskommunikation Front and back ends Web 2.0 Data model Mechanism design Cryptography Different (Kate Ryan album) Software Core dump Endliche Modelltheorie Information security Task (computing) Authentication Thermodynamischer Prozess Information Server (computing) Transport Layer Security Computer Computer network Client (computing) Database Interprozesskommunikation Cryptography Front and back ends Type theory Graphical user interface Word Software Personal digital assistant Telecommunication Public-key infrastructure Right angle Software architecture Information security
Observational study Authentication Virtual machine Exploit (computer security) Computer Interprozesskommunikation 2 (number) Mechanism design Different (Kate Ryan album) Vector graphics Personal digital assistant Data structure Endliche Modelltheorie Information security Metropolitan area network Authentication Thermodynamischer Prozess Multiplication Observational study Demo (music) Expert system Computer Interprozesskommunikation Cartesian coordinate system Virtual machine Data management Software Vector space Personal digital assistant Password Data structure
Point (geometry) Process (computing) Virtual machine Exploit (computer security) Insertion loss Login Computer Theory Interprozesskommunikation Malware Endliche Modelltheorie Metropolitan area network Physical system Domain name Thermodynamischer Prozess Enterprise architecture Default (computer science) Process (computing) Information Front and back ends Virtual machine Vector potential Personal computer Software Integrated development environment Personal digital assistant Universe (mathematics) Remote Access Service Family Window
Socket-Schnittstelle Server (computing) System call Identifiability Process (computing) Multiplication sign Semaphore line Client (computing) Computer Interprozesskommunikation Time domain Latent heat Semiconductor memory Different (Kate Ryan album) Shared memory File system Endliche Modelltheorie Message passing Installable File System Vulnerability (computing) Thermodynamischer Prozess Multiplication Process (computing) Weight Computer network Bit Semaphore line Interprozesskommunikation Exploit (computer security) Connected space Type theory Software Network socket Software architecture Window
Point (geometry) Server (computing) Socket-Schnittstelle Process (computing) Multiplication sign Source code Client (computing) Stack (abstract data type) Number Zugriffskontrolle Term (mathematics) Computer network Local ring Control system Multiplication Process (computing) Information Server (computing) Interface (computing) Keyboard shortcut Computer network Client (computing) Arithmetic mean Software Personal digital assistant Interface (computing) Local ring
Point (geometry) Discrete group Server (computing) Socket-Schnittstelle Game controller Implementation Computer file Process (computing) Multiplication sign View (database) Similarity (geometry) Instance (computer science) Client (computing) Computer Number Latent heat Roundness (object) Root Different (Kate Ryan album) Software architecture Traffic reporting Metropolitan area network Control system Socket-Schnittstelle Thermodynamischer Prozess Multiplication Process (computing) Information Server (computing) Software developer Electronic mailing list Computer network Client (computing) Menu (computing) Instance (computer science) Directory service Existence Connected space Similarity (geometry) Category of being Word Software Personal digital assistant Object (grammar) Software architecture Window Sinc function
Source code Client (computing) Open set Mechanism design Sign (mathematics) Personal digital assistant Information security Physical system Social class God Computer icon Thermodynamischer Prozess Observational study Mapping Software developer Keyboard shortcut Electronic mailing list Instance (computer science) Control flow Electronic signature Data management Reading (process) Slide rule Socket-Schnittstelle Computer file Password Online help Computer Interprozesskommunikation Latent heat Peripheral Term (mathematics) Computer hardware Communications protocol Metropolitan area network Form (programming) Authentication Default (computer science) Key (cryptography) Server (computing) Code Client (computing) Login Cartesian coordinate system Limit (category theory) Web browser Software Personal digital assistant Query language Window Multiplication sign Instance (computer science) Mereology Electronic signature Proper map Malware Network socket Formal verification Query language Flag Electronic visual display Endliche Modelltheorie Extension (kinesiology) Control system Vulnerability (computing) Email Process (computing) 3 (number) Connected space Software architecture Information security Sinc function Game controller Server (computing) Mobile app Implementation Identifiability Observational study Process (computing) Token ring Authentication Virtual machine Web browser Login Wave packet Zugriffskontrolle Proxy server Condition number User interface Dimensional analysis Database Interprozesskommunikation Computer hardware Password Point cloud Communications protocol Extension (kinesiology)
Asynchronous Transfer Mode Random number Mobile app Server (computing) Numerical digit Code Materialization (paranormal) Web browser Client (computing) Web 2.0 Formal verification Communications protocol Extension (kinesiology) Form (programming) Computer virus Matching (graph theory) Server (computing) Code Web browser Derivation (linguistics) Message passing String (computer science) Password Formal verification Electronic visual display Communications protocol Extension (kinesiology)
Mobile app Process (computing) Information Process (computing) Server (computing) Demo (music) Password Streaming media Web browser Cartesian coordinate system Web browser Interprozesskommunikation Data management Message passing Exterior algebra Computer configuration Different (Kate Ryan album) Password Network socket output Extension (kinesiology) YouTube Partial derivative Extension (kinesiology)
Boss Corporation Mobile app Password Client (computing) Web browser Client (computing) Instance (computer science) Interprozesskommunikation Connected space Data management Message passing Personal digital assistant Password Personal digital assistant Extension (kinesiology) Message passing Window Form (programming) Boss Corporation Extension (kinesiology)
Game controller Mobile app Server (computing) Observational study Dependent and independent variables Authentication Password Instance (computer science) Client (computing) Web browser 2 (number) Pi Representational state transfer Cryptography Personal digital assistant Touch typing Communications protocol Message passing Information security Metropolitan area network YouTube Form (programming) Boss Corporation Authentication Mobile app Standard deviation Dependent and independent variables Key (cryptography) Server (computing) Electronic mailing list Client (computing) Bit Instance (computer science) Public-key cryptography Web browser Connected space Electronic signature Message passing Online service provider Personal digital assistant Formal verification Right angle Figurate number Information security Communications protocol
Server (computing) Dependent and independent variables Ferry Corsten Tournament (medieval) Authentication Bit rate Web browser Computer Facebook Mechanism design Bit rate Network socket Touch typing Information security Authentication Process (computing) Key (cryptography) Sound effect Graphical user interface Type theory Personal digital assistant Hybrid computer Password Normal (geometry) Website Codec Authorization Information security Window
Dataflow Mobile app Server (computing) Thermodynamischer Prozess Password Limit (category theory) Client (computing) Web browser Computer Interprozesskommunikation Number Web 2.0 Mechanism design Cryptography Flow separation Query language Operating system Pairwise comparison Boss Corporation Focus (optics) Process (computing) Server (computing) Temporal logic Software developer Projective plane Token ring Transport Layer Security Computer Menu (computing) Computer network Client (computing) Binary file Cryptography Interprozesskommunikation Data transmission Data management Personal digital assistant Network socket Computer hardware Password Public-key infrastructure Authorization Software architecture Remote Access Service Communications protocol Window
Reading (process) Presentation of a group Process (computing) Software developer Process (computing) Server (computing) Software developer Computer Physicalism Client (computing) Interprozesskommunikation Type theory Message passing Software Software Software architecture Software architecture Musical ensemble Information security
okay so speak up today is Tang says give me a big hand hi everyone the title of our talk today is last-mile authentication problem using which we are going to showcase how one can exploit the missing link in end-to-end secure communication we will shortly deep Digger into knowing what is the last mile what is this missing link and everything but before that let me start by introducing myself and the research team behind this
I am Siddharth Rao I'm a doctoral candidate in Aalto University Finland and I research on security and privacy one of the other hats which aware is of Public Interest technologist I was a Ford Mozilla open web fellow for the last year as part of it I worked in an NGO called as European digital rights where I worked on the intersection of Technology and society along with me here I have my co-speaker tank boy who is also a doctoral researcher in Alpha University Finland researchers on security and privacy he just finished a summer internship and Google security team we also via here have dr. marko anti Kenan who is a seasoned security professional and a postdoctoral researcher in University of Helsinki in Finland we were supervised by dr. Thomas era who's a professor in secure system research group of Alto ok
so now let's get started we see network in software often with client-server architecture let's take the example of browser and web server in traditional threat threat model network threat model we always consider user device in the server and they are kind of typically trusted however the network is hostile and that's where an attacker can do various type of attacks such as man-in-the-middle to steal information from the network since we are already aware of this attacks we use cryptographic solutions such as TLS or web PKI to protect it since you already know this we are not going to bore with this because in reality not all the communication goes over the network certain part of the communication if not all happens within the computer so think of this as a network which is inside a computer so the computer consists of multiple processes that perform different tasks for example software is broken into different components say front-end which handles the GUI and the backend which says which handles the local database they are separate processes and they use a mechanism called as inter process communication or IPC to exchange data between them the communication whatever happens which stays inside the computer and it never leaves outside there can be untrusted components that runs inside the user device and protecting the user information of the data being exchanged over IPC is equally important as that of the network so for this reason we try to understand the security of the communication inside the computer mainly focusing on IPC so in this talk the titleist last-mile authentication problem so those of you are aware of telecom or cell phone networks you might be aware of the word that last mile in telco especially in case of landline connecting everything from core network till the mobile switching center is considered to be easier than that of connecting the last mile or the subscriber line which lasts from local switch your homes computer homes phone
an allowance to this we are trying to encrypt and secure every strands and layers of the communication in a drive to move towards end-to-end secure communication in that attempt you're not even bothering about this last mile of which stays inside the computer which happens the communication between multiple processes so the structure of the this is what we call as the last mile and that's the problem which we are going to talk so the structure of the talk is we first discuss a threat model what we call as man in the machine or MIT MA and then we warm up with basics of IPC it's Cavett's in attack vectors which we used to exploit and show that there are several software's which has vulnerable to MIT ma by going to different case studies of real-life software applications that are vulnerable to our threat model we also present some demos we try to show that this is a real problem finally we sum up with some mitigation mechanism so the key takeaway from our
talk is credentials and second factors that can be compromised inside a computer X by exploiting high PC as we show we expert many security critical applications such as password managers and USB security tokens using the aforementioned man-in-the-middle adversary alright so let's get started
first let's try to understand what has this man in the machine threat model who is this man in the machine we call the
attacker that try to exploit the IPC inside a computer as MIT MA or man on the machine the attacker can be any unprivileged user that tries to steal sensitive information from another user the example of potential MITM attackers include co-workers family members and also guests the target system here is am i to use a computer meaning the computer that can be accessed from multiple uses which are very common so think of enterprise systems or universities where everyone will have the computer to which they login using their own credentials peer in such environment even though everyone have the personal computer they can be accessed by other domain users of course with their credentials interestingly attacking can also be the guest user in many ways such as Ubuntu the guest account is enabled by default and even the seasoned security professional forget to turn it off it is important to notice that the computer here are not compromised or infected by malware in that case everything will be conference so we are not interested in mal waves but we're interested in legitimate looking processes which are intend to be there on the computer so the attackers method is to run malicious process process but from another login session not from victims logon session an example scenario is attacker science into victims computer with his own credentials are using guest account and run an evil process he then uses fast switching loss windows and leaves his login session in the background and switch back to victim session in unix commands like no hoop can be used to keep a process alive in the background so you don't have to keep the whole user session alive this way the background session continues to be on attack in the background and attackers process is trying to steal whatever is happening in the IPC of another user things could be worse if there is a remote access to the computer such as SSH or Windows RDP enabled on it and also it is important to notice that attacker and tries no privilege escalation even though in theory he can but we didn't concentrate on that the attack scenario is similar to that of impersonation or man-in-the-middle in network but in our talk everything is happening inside one computer so at this point we might be
wondering how to exploit IPC of other users to understand that let's dig deeper to know little bit more about IPC
and it's Gavin's multiple processes inside a computer talk to each other using inter process communication method there are many types of AI pieces such as signals semaphores shared memory filesystem net sockets pipes which includes unnamed as well as anonymous pipes some of them are unique specific some of them are window specific some of them are available on all flavors of OS but they are implemented differently not all of them are vulnerable to our attack model but the common feature of the vulnerable IPC methods are that there is a server process which binds to a specific name or an identifier and waits for the connection from the client in that sense we focus on three IPC methods network sockets windows name pipes and USB so strictly speaking USB is not an IPC but still it is similar to that of sockets or name pipes mainly because they also fall into the client-server architecture and USB communication happens inside a computer so that the MITM attacker can exploit it IPC methods that are secure against our attack model for example is unnamed pipes the difference is that in onion pipes both the communication endpoints are created at the same time by the same user so that leaves no of no opportunity for any any untrusted process to get in mid way so let us now take a deeper look into insecure IPC methods one by one
let's let's start with network sockets most of us think of computer networks when we hear the term network sockets even though they are used widely in computer networks it is also one of the most widely used IPC methods so here network sockets are used when the server listens on a local host interface and they are bind to a specific port number as long as the port number is more than thousand 24 because anything below thousand 24 our standard dedicated ports as long as does more than thousand 20 for any process regardless of its owner can connect on the port I can listen them listen on the port there will be one server process and multiple client processes that can connect also network sockets doesn't have any inbuilt access control mechanism to restrict who can access the endpoint this leaves the local attacker like mid-part to export them so one of the obvious things an attacker can do is client impersonation so attacker can find the port numbers either by a documentation or source code or just by running commands like net stack and he just connects to the local server on a special on that specific port they report there could be cases where the local server just accept connection so if the attacker comes late to the party his request to join will be discarded so in such cases the attacker just impersonate the client process before the legitimate kindness so if client personation can be done then it also possible to do the server impersonation right well yes the
attacker has to just start the local server before the legitimate server does mainly opening a specific port there is nothing which can stop this the client would not notice it and just simply connects to the port and start exchanging information at this point some of you have might notice that legitimate and the malicious server cannot bind to a port at the same time so does this mean that the attacker can do man-in-the-middle along with client and server impersonation the answer is
yes first the attacker has to perform the server impersonation that is he runs the local server on a specific port and once this primary port is open he receives information he receives connection from the benign client many softwares while running local servers like this failover to another port if the primary port is already taken so this property of port agility makes sense from development point of view mainly because anyhow these are not standard ports so it could be the one of the other processes legitimate process in the computer would have already taken it so it makes sense from a development point of view to have a predefined list of ports where the servers which drove us to the second report so what attacker does is he takes the advantage of quote agility property and what he does is after doing this server impersonation and blocking the primary port he would allow the benign server to fall into the second report and then in the second report he performs the trying to impersonation so in that way he becomes man in the middle and he exchanges information between the benign client and the server there could be rare cases where such port agility is not implemented in such cases the attacker can switch roles time it well and exchange information it could be slow but it is still a possibility so now that we know know about network sockets on localhost available to meet MA how about other artisan methods name pipes
are available both on Windows and Linux however they differ in their implementation we are interested in Windows min pipes in Windows named pipe have similar client-server architecture kinds of architecture that of network sockets so instead of localhost here they are placed in a special path which is dot pipe which is in the root directory and instead of the port number here pipes will have a specific name so all users including guests have access to the specific path in network socket there is always one server and multiple friends however in name pipe there can be multiple instance of the pipe that share the same name so multiple climb server instances exist but in each each case there will be one server one client so every instance will be one server and client pair when the PI process runs it waits for the pipeline to join once the client joins the pipe can create another pipe instance and wait again for the new client to join new clients are connected in round robin fashion and the number of instances that can coexist can also be controlled after the similarities there is one major difference between network sockets and name pipes Windows named pipes that is Windows named pipes are they do have inbuilt access control mechanisms since pipes are Windows objects they have discrete discretionary access control list or de sel associated with them the word discretionary refers to the fact that object owner defines who has access to the object so there are two cases so when the pipe does not exist anyone can create the first instance and set the dacl of all the future pipe instances just because of ACL it does not stop anyone from doing it however if the pipe already exists then that is tricky only those users which something called as file create pipe instance can create new instances so having access control does this matter at all to meet Mitaka
unfortunately no similar to the top network sockets Midna attacker can perform client impersonation any process can connect to an open pipe instance just by knowing the name of the pipe again he can the attacker can find it from source code or a documentation or just by running commands like sis internal tools like pipe list so even though they are subjected to access country access control checks like I mentioned before eventually we will learn from a next slide that access control does not matter it just like poor check boat hijacking or taking over the port before the legitimate server does in network sockets one can hijack in our name pipes one can hijack the name of the pipe by creating the first in sense we just hijack the name and since while creating the first instance you can also set the de sel in such a way that it allows everyone to create or connect to new instances victims benign server here may just create the second instance without noticing that there is already one and also there is a possibility of setting a flag called file flag first by penetrant which can be used to check whether the instance is created first or not however software developers seem to ignore this or they are not aware of it mainly because they underestimate or overlook this threat model similarly benign client process can connect to the attackers pipe instance without noticing who actually is the owner it won't notice that it's not him but the owner is actually some other person in this computer so client and server impersonation can be done once the pipe name is hijacked so it means that attacker can simply perform an in the middle so there is no such thing of port agility here like in network sockets because every pipe every pipe instance use the same name so MIT M is just straightforward now that we learn about sockets and name pipes what has common between us being as I told us be strictly not an IP C but here as well it shows client-server architecture and it waits for a train connection we are interested in a specific class of USB device called USB human interface which include peripheral device like hardware security tokens in UNIX and Mac implementation of USB is different from Windows in UNIX system USB HID can be accessed by exactly one interactive user so they have a mechanism where USB HID is actually a special file which is map in HID hid raw dev hid raw part and the logged in user get the default readwrite access if the session is interrupted or for example like logout a switch user the read read the axis will be transferred to the display manager and then to the next logged in user so in that way they ensure that exactly one user have access to the USB HID unfortunately in Windows no such dynamic access control mechanism exists so than one user at a time can access the hid especially of the other users at least that is the case in terms of hardware security tokens so Before we jump into case studies let me quickly summarize what we discussed so far the attacker here is man in the machine or MIT ma is an unprivileged user which also include guests he does not perform any privilege escalation the victims computer is not infected by malware the attackers aim is just to intercept the IPC of other users so the vulnerable IPC mechanisms are network sockets windows names pipes and USB they all have trying server architecture and they bind to a specific name or identifier and wait from the client to connect the attacker can do client and server impersonation as well as man-in-the-middle the fact that name pipes have access control does not change anything now we will get into case studies to understand what will happen when the endpoints of IPC are not authenticated so my colleague tang will present thank you hello everyone so now I will show how we can exploit that was socket in Empire and USB with real-world application our primary case study is standalone password managers they are different from cloud pub/sub Maris's like LastPass in the Santa they provide native desktop app that allows users to manage a password and standalone password manager they are often integrated into a browser with browser extension this browser extension help users in creating and storing password and also entering the password interlocking forms we are interested in the connection between the browser extension and the app because they communicate the password overseas communicate the password over IPC the
first case study I would like to talk about is RoboForm it's a popular pursuit manager and the roof of app it runs HTTP server on plus five four five one two and wait for client condition the road for an extension connect as a client to the app to an query all the passwords of the app the problem here is that there is no authentication between the brows stanzin and the app so it means that the app will accept any client without verifying it actually a legitimate browser extension so it's quite easy for the bhisma attacker to apply the channel since attacker is another user funding malicious process in the background you just need to connect to the app as a client and queries a whole database from the app this I would happily keep always password without any verification so this is a pretty simple case let's take a look at more complex case so one password is about a popular password manager this is more interesting because the developer trying to protect IPC channel but it's not good enough the 1password app it ran a WebSocket server or prostitutes III and wait for condition from the browser extension and when the server called Carnation we verify the client very carefully each takes a browser extension ID on the header of the each request it also check is a cost signing signature of the client process to make sure that it is a non prouder and most importantly the server checks whether the server and client processes are owned by the same user so this check it prepared meet my attacker from impersonating the client innocent face of proper form however the client doesn't verify the server actually it cannot because the browser extension is sandbox by the browser so it had except two very limited api's and to compensate for this limitation the client as a server this one an ether protocol to oaktree on a share activation key in the first communication but the desire of the god of the protocol is not secure let's take
the lowest protocol here so okay anyone spotted Poland here with the protocol so this is clearly not a secure protocol as you can see all the materials of the final key and send in the messages and also on step five when the user confirmed if the code match you can see that the user only confirmed on the app side it means that a malicious server can totally skip this confirmation so
this insecure protocol together with the fact that there's no server verification from on the client side allows misma attacker to perform server impersonation and once the minimal attacker impersonate the server it can send command to the browser extension and collect all the data that user enter on the web forms so it means that username and password that user enter on the grand form will be standard attacker
I was supposed to show the demo but
because of the technical problems and I cannot really show it but it would be on YouTube for anyone interested so
password managers are also used of a channel called native messaging to communicate between the browser is standard and the app so native messaging is standalone your standard browsers building method that design to provide more secure alternative to narrow socket it has been used by manage application including password manager so how native messaging work with partial managers first the password manager need to register an executable called native messaging host with a browser and allow only each browser extension to communicate with it host and when the browser is telling one to communicate with native messaging host the problem will run the native messaging host in a child process and communicate with it using standard input and a boo stream this way submit my attacker cannot get into the middle and intercept information on the channel so the question here now is is native messaging accomplished solution for password managers well since I know it isn't because the native messaging host and the password manager app has still two separate processes so they still need to access data over IP see the difference here is that the native messaging host is not sandbox by the browser so it has more options on how to communicate with a password manager app so let's take a
look at another case passive boss possible the password managers that use native messaging and on Windows so native messaging host used name PI to communicate with a password boss app whatsapp stars it creates an empire when wait for connection forms a native messaging host so native messaging hosts simply connect to the name pipe as a client and for what messages between the browser extension and the app the problem here is that the app doesn't restrict access to the name pipe it allow all authenticated users to have full access to the name pipe this way anyone can create a new instance or an empire or connect to it as a client in Edison the app and the native messaging host don't authenticate each other and all messages are sent in plain text
because of this issues we were able to perform man-in-the-middle on password boss we could do it not only from an authenticated user but also from guest user let me first saw how the meet how the
man in the middle attack could be done from an authenticated user as I mentioned when the app starts it creates a named pipe and with four connection forms native messaging host so first attacker just need to connect as a client those apps by instance the attacker then create another instance of the name pipe and red polka nation from the native messaging host when the native messaging host want to communicate with the app it will connect to the attackers instance because it is the only open instant of a named pipe so after that the attacker simply follows the message between two pie instances and we have men's a middle attack it's a little bit more tricky to perform the attack from a guest user because as I mentioned before the access control list of the name pipe doesn't allow the guest user to do anything only authenticated user can create new pie instance or access an open one so our solution here is by name hijacking the guest user could create the first instance for the first instance of the pipe and sell full access to all user this way when the app create is own instance it doesn't even notice that another user owns the damn pipe and I said control of the pie is not as expect the rest of the attack is the same as attacked by authenticated users that I just described before the last case study I would like to talk about is a feed or user app security key feed on YouTube is standard for second factor authentication and it is supported by many popular services such a Google Facebook github and most security keys implemented standard including newbie keys and even the new tightened security keys that Google introduced few weeks ago also follow this standard you can see the the figure on the right you can
simplify protocol up how the YouTube security key works so first the user must register to device with the online service that he wants to enable second factor authentication basically is a device then there is a public key pair and the Soviet willing the key pair the public key to the user and after that when the user wants to log into the service the Soviet will send a challenge to the browser and expect to see a response containing the device signature on the challenge to get a response the browser will repeat it we keep sending the challenge to the device until it receives a response device however it doesn't automatically sigh and it requests it received it needs to be activated by touching a button on it and it only respond to the first request a pleasure touch so how can we exploit this Phaedo security key so since the
security Keys is supposed PPN malicious knocking even when the user password has been compromised we assume here that attacker has obtained the victim's password from some Alice's and are trying to crack the second factor the detector will exploit the fact that on Windows and the user even the one in the background can exit USB HID devices at any so here is attack first attack so attacker runs a malicious browser process in this tournament in essence and size into the service using the username and password that we has obtained so Melissa's browser will receive a challenge from the service after that the Mandisa browser we keep sending the challenge to the deep to the to the device of hybrid and attacker would need to send it would need to send the challenge to the device at high gear if that is it a legitimate browser would do to increase the chance of getting the request site this easy because chrome for example is send the challenge to the device every 300 milliseconds so where the victims sign into any service using the same security key the victim would touch the button on the device and there is a high probability that a title request will be site because it is being sent to the device with a very high rate so user my notice that the first button touch has no effect because it is used by the Tigers request but such mileage glitches and normal in computers and typically it thought we tested the attack on popular services including Facebook and github and we got 100% success rate so in
summary we have three type I proceed mechanism such a vulnerable to meet my attack named pipe that was socket USP and we have seen real-world example a palsy exploited but that not the only cases that we found this is a list of
apps that we analyzed and the flow abilities that we found our focus is on password managers and other locket credentials we also found food ability in many other are many other apps this as follows client and server architecture for example in case of MySQL on Windows the client and the server I want the same computer the client can connect to the server using name pipe and we and we were able to perform man-in-the-middle attack on this channel so how can meet
my attacks can be mitigated since attack I perform by leaving malicious process running the background the most straightforward solution would be to limit the number of users on a computer ideally each computer should be personal to only one user also we will accept should be disabled or or limited to only one user the meat magnetite can also be detected for example so developers can check can compare the owner of the client and the server process and see if they are owned by the same user it might it more difficult for JavaScript client running in web browser like projects cancel because they don't have access to the operating system api's so they cannot perform the owner check in this case cryptographic protection mechanisms like user assisted pairing protocol or even standard TOS can be used to protect IPC communication
so the main takeaway message from this presentation is that developers should be aware that IPC is not inherently secure as we have shown IPC based client-server architecture may be vulnerable vulnerable to various type attacks as in physical networks and the title here is processed manual but any user or any process including guest account so if
you are interested you can take a look at our use this paper will be online next week that's it thank you [Applause] [Music] [Applause] [Music]
Feedback