This invention relates to an improved method for revoking malware in a computing device and in particular, to an improved method for revoking malware by which computing devices can detect and avoid the installation of malicious or unsafe software.
The term ‘computing device’ includes, without limitation, Desktop and Laptop computers, Personal Digital Assistants (PDAs), Mobile Telephones, Smartphones, Digital Cameras and Digital Music Players. It also includes converged devices incorporating the functionality of one or more of the classes of such devices, together with many other industrial and domestic electronic appliances.
A computing device that allows an owner or user to install software subsequent to purchase, which makes available new applications or provides new functionality, is termed an open device.
Though there are clear benefits to being able to extend the utility of a device in this way, this facility can represent a significant security risk for the owner or user. Those skilled in the art, as well as many who are not so skilled, are aware that there is a significant risk that either badly written or malicious programs (malware) can affect open computing devices. Where the computing device is connected to other devices over a network, this risk can extend to all other devices connected to the network, and can threaten the integrity of the network itself. There are many varieties of such malware; common types include, without limitation, viruses, trojans, spyware and adware.
There are many software packages that offer users detection, prevention and removal of the various types of malware on open computing devices; there is a multi-billion dollar market for anti-virus software. However, it is generally acknowledged by those skilled in the art that, wherever possible, it is better to avoid infection by malware in the first place.
One of the key disciplines in avoiding infection on any open computing device is to check any item of software that is to be installed by
One way in which tamper detection can be assured is by comparing a hash or digest of the package to be installed with a similar hash or digest published by a trusted author or distributor of a package. One standard method for providing this assurance, described in the Internet Standard RFC 1321, has been Ronald Rivest's MD5. Another set of standard methods are the SHA algorithms published by the US National Security Agency. However, the integrity of such methods depends on an assurance that the published hash being relied upon as valid is actually coming from a source which itself cannot be compromised.
An alternative method of detecting infection is to compare the hash of a package to a trusted list of hashes of packages that are known to be bad. However, this solution is unsatisfactory for a number of reasons:
Consideration of the latter reason leads to the conclusion that for practical purposes, technologies for tamper-detection depend on authentication of identity to assure their integrity.
The most well-known techniques for authenticating and validating the integrity of an item of software rely on signing and certification using asymmetric or public key cryptography as a key element. The ITU-T X.509 standard for Public Key Infrastructure (PKI) is an example of such a scheme. A simplified implementation of this technology as applied to authentication of any item of installable software might work as follows:
The chain of authentication used in X.509 PKI is typically longer than is explained in this example, but the principle remains the same; following a chain of signed certificates to eventually lead back to a trusted root certificate.
Not all signatures on packages conform to the hierarchical X.509 PKI scheme described above. One of the main reasons for this is that X.509 compliant certification is by no means a free process. The leading root signatory, Verisign, currently charges in excess of US $400 for each certificate it issues (see http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html) and this not insignificant sum of money is a barrier which can prevent many aspiring developers of software for open devices from participating in hierarchical PKI schemes. Certification schemes which check and vet submitted software generally need to make a charge to cover for what is a significant amount of work; for many schemes, it is not realistic economically for this to be done completely free of charge.
An alternative certification model relies on a Web of Trust, in which certificates are signed by multiple parties who require no special status to act as co-signatories. As long as at least one of the signatories is an entity who is known to and trusted by the user, they can use their copy of that signatory's public key to validate the certificate.
It is also possible for software packages to be self-signed by the author. While this cannot establish the same degree of confidence as signatures that can be verified by a PKI or Web of Trust, a self-signed certificate is by no means worthless; because it uses asymmetric cryptography, it still enables self-signed packages to be uniquely identified and provides therefore a relatively firm guarantee against third-party tampering.
In summary, then, signing with a digital certificate achieves the following three goals:
However, for all technologies that rely on digital signatures and certification, it is nevertheless known that software packages can be signed in error. Some examples of vulnerabilities in the process include:
Because certificates may have been erroneously granted, there are systems in place by which they can be revoked, and X.509 procedures exist by which any certificate may be checked to see whether it is in fact still valid.
The original X.509 standard required a Certificate Revocation List (CRL) to be downloaded for each signing authority in the authentication chain; this list contained an entry for all of the certificates that had been revoked. The Internet Standard RFC 1422 further defines the format of CRLs for use with Privacy-enhanced Electronic Mail (PEM).
A more recent standard method for allowing certificates to be checked for revocation is the Online Certificate Status Protocol (OCSP), defined in the Internet Standard RFC2560. OCSP allows entities wishing to validate certificates to do so by making a request of OSCP responders in order to find out the status of a single certificate. Among the benefits of this system are that long CRLs no longer need to be retrieved and studied. This leads to lower network overheads, and removes the need to parse an entire list to find out information on just one certificate.
Whatever revocation checking method is in use, it is necessary that the entity performing it should know either where to go to obtain the latest revocation lists in the case of CRL or what responder they need to contact when they want to make an OSCP request. A method for determining this information is supplied by Internet Standard, RFC3280, which defines standard X.509 Certificate Extensions for this purpose.
For CRL, the X.509 cRLDistributionPoints extension points at the correct location when retrieving CRLs, while for OSCP, the AuthorityInfoAccess extension (AIA) indicates to requestors which responder should be contacted to obtain information and services about the certificate issuer and make enquiries about possible revocation requests.
Entities will commonly make separate enquiries for each certificate in the chain using these fields, if present (though OSCP requests can be chained to other responders in some circumstances).
It is apparent from this description of the known methods that any open computing device can be made more secure by making signing and certification mandatory for all software packages that a user wishes to install. By this means, the identity of installable packages can be authenticated and the contents can, in essence, be verified to be tamper-free. Packages that subsequently turn out to be malware can be identified by means of their certificates, which can be revoked via the revocation infrastructures outlined above.
The verification method defined by X.509, by which a certificate includes the means of checking for its own revocation, can be circular.
The most obvious case of such circularity is for a software package that is self-signed by the author, creator or distributor and by nobody else. For the avoidance of doubt, it should be noted that for the purposes of the description of this invention, a certificate chain for such a package may have been provided; it just happens to consist of a single certificate.
While such packages fulfill the same goals as all other signed packages, in that they can be unambiguously identified and can be verified as tamper-free since they were signed, they cannot reliably be checked for revocation using information contained in the certificate extensions. The signatory of a malware package could all too easily use such an extension to direct anyone seeking to check the validity of the certificate to their own CRL or OSCP servers and responders, which would of course always return a favorable status report because they are controlled by the malware signatory.
Mechanisms such as CRL and OCSP are really only designed to work with certificates that can be traced back to a root certificate. Self-signed certificates can employ standard extensions which direct CRL or OCSP clients to their own server which would, of course, be designed to report the status of their own software favourably. Clearly, this (prior art) is only appropriate for issuer-signed certificates and new behaviour is required if self-signed certificates are to be admitted into the same scheme.
A method of extending certificate revocation technology on a computing device so as to work effectively with software packages that are self-signed is therefore required.
According to a first aspect of the present invention there is provided a method of operating a computing device enabled to make use of one or more sets of previously stored information to supplement, replace or override information concerning certificate revocation provided by a chain of one or more certificates included with a software package, the method comprising causing the computing device to utilise previously stored information concerning certificate revocation in the event that
According to a second aspect of the present invention there is provided a computing device arranged to operate in accordance with a method of the first aspect.
According to a third aspect of the present invention there is provided an operating system for causing a computing device to operate in accordance with a method of the first aspect.
Embodiments of the present invention will now be described, by way of further example only, with reference to
A preferred implementation of the present invention is shown in
This is shown as step 10 in
If condition (a) above is encountered, and authentication-related X.509 extensions (cRLDistributionPoints or AIA) are present, the CRL or OCSP client will accept and process any such extensions using the provided revocation information, as shown by steps 12 and 14 in
If condition (b) above is encountered, the CRL or OCSP client ignores any authentication-related X.509 extensions (cRLDistributionPoints or AIA) given in the certificates present, and instead employs a default untrustedAIA setting, step 18 in
Note that the trustedAIA setting and the untrustedAIA setting need not necessarily point at different OSCP responders: they may actually be the same OSCP responders.
However, an additional enhancement is possible if they point at different responders; any server fulfilling the role of an untrustedAIA server can be modified to return a good response for certificates which are unknown rather than return a response which may cause devices coded to reject transient errors to fail the OCSP validation check. The assumption behind this enhancement is that users and other parties involved with the distribution of software for particular classes of device must be and will be very diligent about reporting known cases of malware; but that they will and should not be under any corresponding obligation to submit notification for software that they believe to be benign.
While it is of course possible as an alternative to implement this invention via CRL using trustedcRLDistributionPoints and untrustedcRLDistributionPoints settings, it should be noted that this would be less efficient that the OSCP variants.
Many advantages accrue through the use of the present invention, including
Although the present invention has been described with reference to particular embodiments, it will be appreciated that modifications may be effected whilst remaining within the scope of the present invention as defined by the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
GB 0612933.2 | Jun 2006 | GB | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/GB2007/002367 | 6/26/2007 | WO | 00 | 1/15/2010 |