Layering Security at Global Control Points to Secure
Unmodified Software
Scott Ruoti
MIT Lincoln Laboratory
Kent Seamons, Daniel Zappala
Brigham Young University
Scott Ruoti is currently an MIT Lincoln Laboratory employee. No Laboratory funding or resources were used to produce the results/findings reported in this publication.
Problems with Application Software Security
• Lack of cybersecurity-trained architects and developers
• Security flaws
• Difficult to patch vulnerabilities
• Legacy software
Legacy Software
• Even secure software may eventually no longer be supported
• Hard to sustain security effort indefinitely
Partial Solution – Security Libraries
Limitation: Usually requires expertise to use correctly
OAuth
• 60% of the 149 mobile apps using OAuth that were studied were vulnerable
  [Chen et al., OAuth demystified for mobile application developers, CCS 2014]
SSL/TLS
• Badly designed APIs and libraries
  [Georgiev et al., The most dangerous code in the world, CCS 2012]
• 8% of apps in the study were vulnerable to MitM attack
  [Fahl et al., Why Eve and Mallory love Android, CCS 2012]
Solution: Layered Security Paradigm
Implement security at global control points: OS, Browser, Firewalls
[Figure: three global control points interposed between an application and the service it talks to. Login: (1) Password → (2) Two-factor Auth → (3) Two-factor success → (4) Password success. Web traffic: (1) HTTP → (2) HTTPS → (3) Data → (4) Data. File access: (1) File request → (2) File request → (3) Encrypted file → (4) Decrypted file.]
Not a New Idea – Other Examples
• Anti-virus
• Spam filtering
• Intrusion detection
• Compiler
  • Stack canaries
  • Pointer protection
• Middlebox
  • TLS inspection
  • Blacklisting
Use Cases from Our Research
MessageGuard: End-to-end encryption in the browser
TrustBase: TLS certificate-based authentication in the OS
MessageGuard
“We’re on the Same Page”: A Usability Study of Secure Email Using Pairs of Novice Users. S. Ruoti, J. Andersen, S. Heidbrink, M. O'Neill, E. Vaziripour, J. Wu, D. Zappala, and K. Seamons. ACM Conference on Human Factors in Computing Systems (CHI 2016), Honorable Mention Award.
Private Webmail 2.0: Simple and Easy-to-Use Secure Email. S. Ruoti, J. Andersen, T. Hendershot, D. Zappala, and K. Seamons. ACM User Interface Software and Technology Symposium (UIST 2016).
Confused Johnny: When Automatic Encryption Leads to Confusion and Mistakes. S. Ruoti, N. Kim, B. Burgon, T. W. van der Horst, and K. Seamons. Symposium on Usable Privacy and Security (SOUPS 2013).
Private Facebook Chat. C. Robison, S. Ruoti, T. W. van der Horst, and K. E. Seamons. International Conference on Privacy, Security, Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012).
MessageGuard – Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
Extensible key management
• PGP, IBE, passwords, etc.
Extensible front-end
• Gmail, Facebook, Outlook, etc.
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsers
• Desktop: Chrome, Firefox, IE, Opera, Safari
• Android: Chrome, Firefox, Opera
• iOS: Chrome, Mercury, Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websites
• youtube.com is the only site with an issue; five lines of customization code fix it
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]
• End-to-end encryption for web applications
• Leverages the Shadow DOM as a control point
Mimesis Aegis [USENIX Security 2014]
• End-to-end encryption on mobile apps
• Leverages the accessibility layer as a control point
MessageGuard Information
• Source code: https://bitbucket.org/isrlemail/messageguard
• Pull requests welcome
• Project website: https://isrl.byu.edu/projects/email
• Plug-ins available: https://[pgp|ibe|passwords].messageguard.io
• Contact: scott@ruoti.org
TrustBase
TrustBase: An Architecture to Repair and Strengthen Certificate-Based Authentication. M. O’Neill, S. Heidbrink, S. Ruoti, J. Whitehead, D. Bunker, L. Dickinson, T. Hendershot, J. Reynolds, K. Seamons, D. Zappala. USENIX Security Symposium 2017.
TLS Inspection: How Often and Who Cares? M. O’Neill, S. Ruoti, K. Seamons, D. Zappala. IEEE Internet Computing, May/June 2017.
TLS Proxies: Friend or Foe? M. O’Neill, S. Ruoti, K. Seamons, D. Zappala. ACM Internet Measurement Conference (IMC 2016).
User Attitudes Toward the Inspection of Encrypted Traffic. S. Ruoti, M. O’Neill, D. Zappala, K. Seamons. Symposium on Usable Privacy and Security (SOUPS 2016).
TrustBase
• Motivating principles
  • Centralize authentication as an OS service
  • Empower system admins to dictate how trust decisions are made on their own machines
• Design goals
  • Secure all existing applications
  • Prohibit unprivileged applications from acting against administrator rules
  • Provide easy deployment of authentication systems
  • Negligible overhead
[Figure: TrustBase architecture diagram; labels: Application, API, TrustBase, Validation, Plugins, Transport, Network]
Prototypes for
• Linux
• Android (non-rooted)
• Windows
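To make the "administrator dictates trust decisions" goal concrete, the following is an added example (not TrustBase's own code) of a centralized validation service that submits each intercepted handshake to a set of administrator-configured plugins and aggregates their verdicts. The VALID/INVALID/ABSTAIN verdicts, the "necessary" versus voting plugin distinction, the threshold policy, and the certificate metadata dicts are all assumptions of this example rather than TrustBase's real plugin API.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Verdict(Enum):
    VALID = "valid"
    INVALID = "invalid"
    ABSTAIN = "abstain"      # plugin has no opinion on this connection


@dataclass(frozen=True)
class Query:
    """What an intercepted TLS handshake hands to the validation service."""
    hostname: str
    port: int
    chain: List[Dict]        # leaf first; constructed metadata, not real X.509


@dataclass
class Plugin:
    name: str
    check: Callable[[Query], Verdict]
    necessary: bool = False  # INVALID from a necessary plugin rejects outright


# Constructed stand-ins for a trust store and an administrator pin table.
TRUSTED_ROOTS = {"Example Root CA"}
PINS = {"mail.example.test": "pin-A"}


def standard_chain(q: Query) -> Verdict:
    """Stand-in for PKI validation: leaf names the host, each certificate is
    issued by the next one, and the chain ends at a trusted root."""
    if q.hostname not in q.chain[0]["names"]:
        return Verdict.INVALID
    for cert, issuer in zip(q.chain, q.chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return Verdict.INVALID
    return Verdict.VALID if q.chain[-1]["subject"] in TRUSTED_ROOTS else Verdict.INVALID


def no_sha1(q: Query) -> Verdict:
    """Administrator rule: refuse any SHA-1-signed certificate in the chain."""
    if any(c["sig_alg"] == "sha1WithRSA" for c in q.chain):
        return Verdict.INVALID
    return Verdict.ABSTAIN


def pinning(q: Query) -> Verdict:
    """Compare the leaf public key against the administrator's pin, if any."""
    pin = PINS.get(q.hostname)
    if pin is None:
        return Verdict.ABSTAIN
    return Verdict.VALID if q.chain[0]["spki"] == pin else Verdict.INVALID


def decide(plugins: List[Plugin], q: Query, threshold: float) -> bool:
    """Aggregate verdicts under the administrator's policy: an INVALID from a
    necessary plugin rejects; otherwise the share of non-abstaining plugins
    that said VALID must reach the threshold. Fails closed if nobody votes."""
    votes_cast = votes_valid = 0
    for plugin in plugins:
        verdict = plugin.check(q)
        if verdict == Verdict.INVALID and plugin.necessary:
            return False
        if verdict == Verdict.ABSTAIN:
            continue
        votes_cast += 1
        votes_valid += int(verdict == Verdict.VALID)
    return votes_cast > 0 and votes_valid / votes_cast >= threshold


# The administrator's policy. Applications only submit queries; they cannot
# change which plugins run or how their verdicts are combined.
ADMIN_POLICY = [
    Plugin("standard", standard_chain, necessary=True),
    Plugin("no-sha1", no_sha1, necessary=True),
    Plugin("pinning", pinning),
]


def make_chain(host, sig_alg="sha256WithRSA", spki="pin-A") -> List[Dict]:
    """Constructed two-certificate chain for host, issued by the trusted root."""
    return [
        {"subject": host, "names": [host], "issuer": "Example Root CA",
         "sig_alg": sig_alg, "spki": spki},
        {"subject": "Example Root CA", "names": [], "issuer": "Example Root CA",
         "sig_alg": "sha256WithRSA", "spki": "pin-root"},
    ]


def validate(hostname: str, chain: List[Dict], threshold: float = 1.0) -> bool:
    """Entry point the OS interception layer would call per TLS handshake."""
    return decide(ADMIN_POLICY, Query(hostname, 443, chain), threshold)
```

Lowering the threshold to 0.5 lets a pin mismatch pass when standard validation vouches for the chain, which shows why the threshold belongs to the administrator and not the application.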
Moving Trust to the OS
TrustBase Architecture
Traffic Interception (Linux)
[Figure: Socket API → TCP Handling → Handler API; intercepted calls: connect, write/send, sendmsg/sendmmsg, read/recv, recvmsg/recvmmsg, close/shutdown]
• Loadable kernel module
• Hooks into native transport protocol functionality
• Provides generic inspection/modification API
Evaluation
Coverage
Hardening
• Unprivileged malware cannot unload interception
• CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
• CAP_NET_ADMIN is required to receive and respond to queries
• Configuration is writable only by privileged users
• Daemons run non-root with only required permissions
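The hardening bullets above reduce to a process-capability check that an administrator can audit. The following is an added example (not TrustBase code) that reads the CapEff and Uid lines of /proc/<pid>/status and reports whether a process holds CAP_NET_RAW (can sidestep interception), holds CAP_NET_ADMIN (can act as the validation daemon), and whether a daemon is non-root with no capabilities beyond the one it needs. The capability bit numbers are the real Linux values; the status excerpts and the assumption that CAP_NET_ADMIN is the daemon's only required capability are constructed for this example.

```python
from typing import Dict, List

# Linux capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12   # needed to receive and answer TrustBase validation queries
CAP_NET_RAW = 13     # raw sockets; also enough to bypass TrustBase interception
CAP_NAMES = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_NET_RAW: "CAP_NET_RAW"}

# Assumption for this example: a validation daemon needs exactly CAP_NET_ADMIN.
DAEMON_REQUIRED = {CAP_NET_ADMIN}


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def set_caps(capeff_hex: str) -> List[int]:
    """Bit numbers set in a CapEff mask, e.g. '0000000000003000' -> [12, 13]."""
    mask = int(capeff_hex, 16)
    return [bit for bit in range(64) if mask >> bit & 1]


def audit(status_text: str) -> Dict[str, object]:
    """Classify one process against the TrustBase hardening rules."""
    fields = parse_status(status_text)
    euid = int(fields["Uid"].split()[1])     # Uid: real, effective, saved, fs
    caps = set(set_caps(fields["CapEff"]))
    excess = caps - DAEMON_REQUIRED
    return {
        "name": fields["Name"],
        "pid": int(fields["Pid"]),
        "euid": euid,
        "can_bypass_interception": CAP_NET_RAW in caps,
        "can_serve_queries": CAP_NET_ADMIN in caps,
        # least privilege: non-root and holding exactly the required set
        "daemon_least_privilege": euid != 0 and caps == DAEMON_REQUIRED,
        "excess_caps": sorted(CAP_NAMES.get(b, f"cap_{b}") for b in excess),
    }


# Constructed /proc/<pid>/status excerpts (only the fields audit() reads).
SAMPLES = {
    "trustbase_daemon": "Name:\ttrustbased\nPid:\t812\nUid:\t999\t999\t999\t999\nCapEff:\t0000000000001000\n",
    "overprivileged_daemon": "Name:\ttrustbased\nPid:\t813\nUid:\t999\t999\t999\t999\nCapEff:\t0000000000003000\n",
    "root_shell": "Name:\tbash\nPid:\t1201\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    "user_app": "Name:\tcurl\nPid:\t1337\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n",
}


def audit_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, object]]:
    """Run the audit over every sample; on a live host, feed it real status files."""
    return {label: audit(text) for label, text in samples.items()}
```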
Performance
Other Approaches
CertShim [Bates et al., CCS 2014]
Benefits
• Transparently intercepts TLS library calls (LD_PRELOAD)
• Low overhead
Limitations
• Dynamically linked libraries only
• User-level attacker can disable it
TrustBase Information
• Source code: https://github.com/markoneill/trustbase-linux
• Pull requests welcome
• Project website: https://owntrust.org
• Contact: mto@byu.edu
[Figure: prototype platforms: Linux, Android, Win10]
Future - Layering-Aware Applications
TrustBase
• Application API
• Secure Socket Type
MessageGuard
• Customize for websites
• Key management
• Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risks
• Bugs are global
• Disruption is a DoS
Rewards
• Correctness
• Many eyeballs
• Easier path to fix flaws
• Updates are global
• More rapid deployment of new security features
Risks & Rewards Example – TLS Inspection
Source: Durumeric et al., The Security Impact of HTTPS Interception, NDSS 2017
Future Applications in our Research
Password authentication
• Password monitoring
• Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1528022. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600046C. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.
Questions
Problems with Application Software Security
bull Lack of cybersecurity-trained architects and developers
bull Security flaws
bull Difficult to patch vulnerabilities
bull Legacy software
Legacy Software
bull Even secure software may eventually no longer be supported
bull Hard to sustain security effort indefinitely
Partial Solution ndash Security Libraries
Limitation Usually requires expertise to use correctly
OAuthbull 60 of 149 mobile apps using OAuth studied were vulnerable
[Chen et al OAuth demystified for mobile application developers CCS 2014]
SSLTLSbull Badly designed APIs and libraries
[Georgiev et al The most dangerous code in the world CCS 2012]
bull 8 of apps in the study were vulnerable to MitM attack[Fahl et al Why Eve and Mallory love Android CCS 2012]
Solution Layered Security Paradigm
Implement security at global control points OS Browser Firewalls
1 Password
4 Password success
2 Two-factor Auth
3 Two-factor success
1 HTTP
4 Data
2 HTTPS
3 Data
1 File request
4 Decrypted file
2 File request
3 Encrypted file
GlobalControlPoints
Not a New Idea ndash Other Examples
bull Anti-virus
bull Spam filtering
bull Intrusion detection
bull Compilerbull Stack canaries
bull Pointer protection
bull Middleboxbull TLS inspection
bull Blacklisting
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Legacy Software
bull Even secure software may eventually no longer be supported
bull Hard to sustain security effort indefinitely
Partial Solution ndash Security Libraries
Limitation Usually requires expertise to use correctly
OAuthbull 60 of 149 mobile apps using OAuth studied were vulnerable
[Chen et al OAuth demystified for mobile application developers CCS 2014]
SSLTLSbull Badly designed APIs and libraries
[Georgiev et al The most dangerous code in the world CCS 2012]
bull 8 of apps in the study were vulnerable to MitM attack[Fahl et al Why Eve and Mallory love Android CCS 2012]
Solution Layered Security Paradigm
Implement security at global control points OS Browser Firewalls
1 Password
4 Password success
2 Two-factor Auth
3 Two-factor success
1 HTTP
4 Data
2 HTTPS
3 Data
1 File request
4 Decrypted file
2 File request
3 Encrypted file
GlobalControlPoints
Not a New Idea ndash Other Examples
bull Anti-virus
bull Spam filtering
bull Intrusion detection
bull Compilerbull Stack canaries
bull Pointer protection
bull Middleboxbull TLS inspection
bull Blacklisting
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Partial Solution ndash Security Libraries
Limitation Usually requires expertise to use correctly
OAuthbull 60 of 149 mobile apps using OAuth studied were vulnerable
[Chen et al OAuth demystified for mobile application developers CCS 2014]
SSLTLSbull Badly designed APIs and libraries
[Georgiev et al The most dangerous code in the world CCS 2012]
bull 8 of apps in the study were vulnerable to MitM attack[Fahl et al Why Eve and Mallory love Android CCS 2012]
Solution Layered Security Paradigm
Implement security at global control points OS Browser Firewalls
1 Password
4 Password success
2 Two-factor Auth
3 Two-factor success
1 HTTP
4 Data
2 HTTPS
3 Data
1 File request
4 Decrypted file
2 File request
3 Encrypted file
GlobalControlPoints
Not a New Idea ndash Other Examples
bull Anti-virus
bull Spam filtering
bull Intrusion detection
bull Compilerbull Stack canaries
bull Pointer protection
bull Middleboxbull TLS inspection
bull Blacklisting
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Solution Layered Security Paradigm
Implement security at global control points OS Browser Firewalls
1 Password
4 Password success
2 Two-factor Auth
3 Two-factor success
1 HTTP
4 Data
2 HTTPS
3 Data
1 File request
4 Decrypted file
2 File request
3 Encrypted file
GlobalControlPoints
Not a New Idea ndash Other Examples
bull Anti-virus
bull Spam filtering
bull Intrusion detection
bull Compilerbull Stack canaries
bull Pointer protection
bull Middleboxbull TLS inspection
bull Blacklisting
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
• Source code: https://bitbucket.org/isrlemail/messageguard
• Pull requests welcome
• Project website: https://isrl.byu.edu/projects/email
• Plug-ins available: https://[pgp|ibe|passwords].messageguard.io
• Contact: scott@ruoti.org
TrustBase
TrustBase: An Architecture to Repair and Strengthen Certificate-Based Authentication. M. O'Neill, S. Heidbrink, S. Ruoti, J. Whitehead, D. Bunker, L. Dickinson, T. Hendershot, J. Reynolds, K. Seamons, D. Zappala. USENIX Security Symposium 2017
TLS Inspection: How Often and Who Cares? M. O'Neill, S. Ruoti, K. Seamons, D. Zappala. IEEE Internet Computing, May/June 2017
TLS Proxies: Friend or Foe? M. O'Neill, S. Ruoti, K. Seamons, D. Zappala. ACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted Traffic. S. Ruoti, M. O'Neill, D. Zappala, K. Seamons. Symposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
Motivating principles
• Centralize authentication as an OS service
• Empower system admins to dictate how trust decisions are made on their own machines
Design goals
• Secure all existing applications
• Prohibit unprivileged applications from acting against administrator rules
• Provide easy deployment of authentication systems
• Negligible overhead
Moving Trust to the OS
[Figure: TrustBase sits between the Application layer and the Transport/Network layers of the OS stack, exposing an API to applications and loading validation plugins]
Prototypes for
• Linux
• Android (non-rooted)
• Windows
TrustBase Architecture
Traffic Interception (Linux)
[Figure: Socket API calls intercepted by TrustBase – connect, write/send, sendmsg/sendmmsg, read/recv, recvmsg/recvmmsg, close/shutdown – flow through TCP handling into the Handler API]
• Loadable kernel module
• Hooks into native transport protocol functionality
• Provides a generic inspection/modification API
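The two halves shown on the preceding slides, socket-level interception that sees the TLS handshake and an OS-level validation service whose plugins and thresholds the administrator controls, are sketched below in Python as an added example. It is not TrustBase's own code. The TLS record and Certificate-message parsing follows the TLS 1.2 wire format; everything else is an assumption made for illustration: the "necessary" and "congress" plugin classes, the Policy layout, the plugin set, and the placeholder DER blobs used as sample traffic.

```python
"""Model of an OS-level TLS validation control point (constructed example, not
TrustBase's own code): reassemble TLS 1.2 handshake records, pull out the server
Certificate message, and hand the chain to an administrator-owned policy."""
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Callable, Optional

TLS_HANDSHAKE, HS_CERTIFICATE = 0x16, 0x0B      # record content type, handshake msg type
ACCEPT, REJECT, ABSTAIN = "accept", "reject", "abstain"

def extract_certificates(stream: bytes) -> Optional[list[bytes]]:
    """DER certs from the first Certificate message; None if not TLS or still incomplete.
    Handshake messages may straddle records, so record payloads are concatenated first."""
    if len(stream) < 5 or stream[0] != TLS_HANDSHAKE or stream[1] != 3:
        return None                                   # not a TLS handshake stream: pass through
    handshake, pos = bytearray(), 0
    while pos + 5 <= len(stream):                     # record: type(1) version(2) length(2)
        ctype, _maj, _min, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if ctype != TLS_HANDSHAKE or len(body) < length:
            break                                     # handshake phase over, or partial record
        handshake += body
        pos += 5 + length
    hp = 0
    while hp + 4 <= len(handshake):                   # message: type(1) length(3) body
        htype, hlen = handshake[hp], int.from_bytes(handshake[hp + 1:hp + 4], "big")
        hbody = bytes(handshake[hp + 4:hp + 4 + hlen])
        if len(hbody) < hlen:
            return None                               # message still incomplete: keep buffering
        if htype == HS_CERTIFICATE:                   # body: total(3) then (len(3) + DER)*
            total, certs, cp = int.from_bytes(hbody[:3], "big"), [], 3
            while cp < 3 + total:
                clen = int.from_bytes(hbody[cp:cp + 3], "big")
                certs.append(hbody[cp + 3:cp + 3 + clen])
                cp += 3 + clen
            return certs
        hp += 4 + hlen
    return None

@dataclass
class Query:
    hostname: str
    chain: list[bytes]

@dataclass
class Policy:
    """Administrator-owned configuration (assumed layout, not TrustBase's format)."""
    pins: dict[str, set[str]] = field(default_factory=dict)   # host -> allowed leaf SHA-256 hex
    blocked_hosts: set[str] = field(default_factory=set)
    congress_threshold: float = 1.0                            # share of congress votes to accept
    tofu_store: dict[str, str] = field(default_factory=dict)   # host -> first leaf hash seen

def leaf_hash(q: Query) -> str:
    return hashlib.sha256(q.chain[0]).hexdigest()

# Necessary plugins: a single REJECT is final (assumed plugin class).
def chain_shape_plugin(q: Query, p: Policy) -> str:   # non-empty chain of DER SEQUENCEs (0x30)
    return ACCEPT if q.chain and all(c[:1] == b"\x30" for c in q.chain) else REJECT

def blocklist_plugin(q: Query, p: Policy) -> str:
    return REJECT if q.hostname in p.blocked_hosts else ABSTAIN

# Congress plugins: they vote and the administrator's threshold decides (assumed class).
def pin_plugin(q: Query, p: Policy) -> str:           # votes only for hosts with configured pins
    pins = p.pins.get(q.hostname)
    return ABSTAIN if not pins else (ACCEPT if leaf_hash(q) in pins else REJECT)

def tofu_plugin(q: Query, p: Policy) -> str:          # trust-on-first-use; a changed leaf is rejected
    return ACCEPT if p.tofu_store.setdefault(q.hostname, leaf_hash(q)) == leaf_hash(q) else REJECT

NECESSARY: list[Callable[[Query, Policy], str]] = [chain_shape_plugin, blocklist_plugin]
CONGRESS: list[Callable[[Query, Policy], str]] = [pin_plugin, tofu_plugin]

def decide(q: Query, p: Policy) -> str:
    if any(plug(q, p) == REJECT for plug in NECESSARY):
        return REJECT
    votes = [v for v in (plug(q, p) for plug in CONGRESS) if v != ABSTAIN]
    if not votes:
        return ACCEPT                                 # necessary checks passed, nobody objected
    return ACCEPT if votes.count(ACCEPT) / len(votes) >= p.congress_threshold else REJECT

def inspect_connection(hostname: str, stream: bytes, policy: Policy) -> str:
    """Per-connection handler: non-TLS or not-yet-complete traffic passes through untouched."""
    chain = extract_certificates(stream)
    return "pass" if chain is None else decide(Query(hostname, chain), policy)

# --- constructed sample traffic: placeholder DER blobs, not real X.509 -------------------
def build_records(messages: list[tuple[int, bytes]], record_size: int = 64) -> bytes:
    """Serialise handshake messages and split them into records of at most record_size
    bytes, so that a message straddles record boundaries the way real traffic can."""
    hs = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    out = b""
    for i in range(0, len(hs), record_size):
        chunk = hs[i:i + record_size]
        out += struct.pack("!BBBH", TLS_HANDSHAKE, 3, 3, len(chunk)) + chunk
    return out

def certificate_message(chain: list[bytes]) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return len(entries).to_bytes(3, "big") + entries

LEAF = b"\x30\x82" + b"LEAF-CERT-DER-CONSTRUCTED" * 4
INTERMEDIATE = b"\x30\x82" + b"INTERMEDIATE-CA-DER-CONSTRUCTED" * 3
SAMPLE_STREAM = build_records(
    [(0x02, b"\x03\x03" + bytes(32)),                 # ServerHello-shaped message, skipped by parser
     (HS_CERTIFICATE, certificate_message([LEAF, INTERMEDIATE]))], record_size=50)

if __name__ == "__main__":
    admin = Policy(pins={"example.com": {hashlib.sha256(LEAF).hexdigest()}})
    print(inspect_connection("example.com", SAMPLE_STREAM, admin))   # accept
```

The parser returns None both for non-TLS bytes and for a Certificate message that has not fully arrived, so the interception layer keeps passing traffic through until it actually has something to decide on. The policy object is the part that belongs to the administrator: in the layered model the same decision is applied to every application on the host, which is why the hardening bullets further down (configuration writable only by privileged users, daemons running non-root) matter as much as the plugin logic itself.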
Evaluation
Coverage
Hardening
• Unprivileged malware cannot unload interception
• CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
• CAP_NET_ADMIN is required to receive and respond to queries
• Configuration is writable only by privileged users
• Daemons run non-root with only the required permissions
Performance
Other Approaches
CertShim [Bates et al., CCS 2014]
Benefits
• Transparently intercepts TLS library calls (LD_PRELOAD)
• Low overhead
Limitations
• Dynamically linked libraries only
• User-level attacker can disable
TrustBase Information
• Source code: https://github.com/markoneill/trustbase-linux
• Pull requests welcome
• Project website: https://owntrust.org
• Contact: mto@byu.edu
Platforms: Linux, Android, Win10
Future – Layering-Aware Applications
TrustBase
• Application API
• Secure socket type
MessageGuard
• Customize for websites
• Key management
• Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risks
• Bugs are global
• Disruption is a DoS
Rewards
• Correctness
• Many eyeballs
• Easier path to fix flaws
• Updates are global
• More rapid deployment of new security features
Risks & Rewards Example – TLS Inspection
Source: Durumeric et al., The Security Impact of HTTPS Interception, NDSS 2017
Future Applications in our Research
Password authentication
• Password monitoring
• Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1528022. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600046C. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.
Questions
Not a New Idea ndash Other Examples
bull Anti-virus
bull Spam filtering
bull Intrusion detection
bull Compilerbull Stack canaries
bull Pointer protection
bull Middleboxbull TLS inspection
bull Blacklisting
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Use Cases from Our Research
MessageGuard End-to-end encryption in the browser
TrustBase TLS certificate-based authentication in the OS
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
MessageGuard
ldquoWersquore on the Same Pagerdquo A Usability Study of Secure Email Using Pairs of Novice UsersS Ruoti J Andersen S Heidbrink M ONeill E Vaziripour J Wu D Zappala and K SeamonsACM Conference on Human Factors in Computing Systems (CHI 2016) Honorable Mention Award
Private Webmail 20 Simple and Easy-to-Use Secure EmailS Ruoti J Andersen T Hendershot D Zappala and K SeamonsACM User Interface Software and Technology Symposium (UIST 2016)
Confused Johnny When Automatic Encryption Leads to Confusion and MistakesS Ruoti N Kim B Burgon TW van der Horst and K Seamons Symposium on Usable Privacy and Security (SOUPS 2013)
Private Facebook ChatC Robison S Ruoti T W van der Horst and K E SeamonsInternational Conference on Privacy Security Risk and Trust (PASSAT 2012) and International Conference on Social Computing (SocialCom 2012)
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
MessageGuard ndash Key Features
Overlay all text input fields with end-to-end encryption
Provides secure messaging across the web
Distributed as a browser extension
9
Extensible key management
bull PGP IBE passwords etc
Extensible front-end
bull Gmail Facebook Outlook etc
A common user interface
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
MessageGuard Architecture
Evaluation
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Evaluation
Coverage and Performance
MessageGuard runs on all major browsers
• Desktop: Chrome, Firefox, IE, Opera, Safari
• Android: Chrome, Firefox, Opera
• iOS: Chrome, Mercury, Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websites
• youtube.com the only site with an issue; five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]
• End-to-end encryption for web applications
• Leverages the Shadow DOM as a control point
Mimesis Aegis [USENIX Security 2014]
• End-to-end encryption on mobile apps
• Leverages the accessibility layer as a control point
MessageGuard Information
• Source code: https://bitbucket.org/isrlemail/messageguard
• Pull requests welcome
• Project website: https://isrl.byu.edu/projects/email
• Plug-ins available: https://[pgp|ibe|passwords].messageguard.io
• Contact: scott@ruoti.org
TrustBase
TrustBase: An Architecture to Repair and Strengthen Certificate-Based Authentication. M. O'Neill, S. Heidbrink, S. Ruoti, J. Whitehead, D. Bunker, L. Dickinson, T. Hendershot, J. Reynolds, K. Seamons, D. Zappala. USENIX Security Symposium 2017.
TLS Inspection: How Often and Who Cares? M. O'Neill, S. Ruoti, K. Seamons, D. Zappala. IEEE Internet Computing, May/June 2017.
TLS Proxies: Friend or Foe? M. O'Neill, S. Ruoti, K. Seamons, D. Zappala. ACM Internet Measurement Conference (IMC 2016).
User Attitudes Toward the Inspection of Encrypted Traffic. S. Ruoti, M. O'Neill, D. Zappala, K. Seamons. Symposium on Usable Privacy and Security (SOUPS 2016).
TrustBase
Motivating principles
• Centralize authentication as an OS service
• Empower system admins to dictate how trust decisions are made on their own machines
Design goals
• Secure all existing applications
• Prohibit unprivileged applications from acting against administrator rules
• Provide easy deployment of authentication systems
• Negligible overhead
[Figure: TrustBase architecture. Layers from top to bottom: Application, API, TrustBase (with Validation Plugins), Transport, Network, …]
Prototypes for
• Linux
• Android (non-rooted)
• Windows
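The two principles above (authentication as one OS service, with the administrator deciding how trust is computed) are easiest to see in code. The following is an added example written for this transcript, not TrustBase's own source: a small validation-policy engine in which every plugin sees the same connection summary and returns a verdict, and an administrator-owned policy table marks which plugins are "necessary". The plugin names, the policy table, the `conn_info` fields, the pinned host and fingerprint, and the aggregation rule (any INVALID from a necessary plugin rejects; otherwise at least one VALID is needed) are all assumptions made for this example.

```c
/* Added example (not TrustBase's own code): an OS-level validation policy in
 * the TrustBase style.  Plugins, policy table, conn_info fields, pinned values
 * and the aggregation rule are all constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { VERDICT_VALID, VERDICT_INVALID, VERDICT_ABSTAIN } verdict_t;

/* Connection summary handed to every plugin (constructed fields). */
struct conn_info {
    const char *hostname;         /* name the application connected to   */
    const char *leaf_subject_cn;  /* CN presented by the leaf certificate */
    const char *leaf_sha256_hex;  /* fingerprint of the leaf certificate  */
    bool        chain_ok;         /* leaf chains to a trusted root        */
};

typedef verdict_t (*plugin_fn)(const struct conn_info *c);

/* Plugin 1: conventional chain-of-trust plus hostname match. */
verdict_t plugin_chain(const struct conn_info *c)
{
    if (!c->chain_ok) return VERDICT_INVALID;
    return strcmp(c->hostname, c->leaf_subject_cn) == 0 ? VERDICT_VALID
                                                        : VERDICT_INVALID;
}

/* Plugin 2: an administrator pin for one internal host (constructed values).
 * It abstains for every other host, so it can only narrow trust, never widen it. */
#define PINNED_HOST   "intranet.example"
#define PINNED_SHA256 "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

verdict_t plugin_pin(const struct conn_info *c)
{
    if (strcmp(c->hostname, PINNED_HOST) != 0) return VERDICT_ABSTAIN;
    return strcmp(c->leaf_sha256_hex, PINNED_SHA256) == 0 ? VERDICT_VALID
                                                          : VERDICT_INVALID;
}

struct policy_entry {
    const char *name;
    plugin_fn   fn;
    bool        necessary;  /* INVALID from this plugin always rejects */
};

/* Administrator policy (constructed): both plugins are necessary, so a
 * CA-valid certificate for the pinned host is still rejected when its
 * fingerprint does not match the pin. */
static const struct policy_entry DEFAULT_POLICY[] = {
    { "chain", plugin_chain, true },
    { "pin",   plugin_pin,   true },
};

/* Assumed aggregation rule: reject if any necessary plugin says INVALID;
 * otherwise accept only if at least one plugin positively said VALID. */
bool policy_allows(const struct policy_entry *pol, size_t n,
                   const struct conn_info *c)
{
    bool any_valid = false;
    for (size_t i = 0; i < n; i++) {
        verdict_t v = pol[i].fn(c);
        if (v == VERDICT_INVALID && pol[i].necessary) return false;
        if (v == VERDICT_VALID) any_valid = true;
    }
    return any_valid;
}

/* The single entry point the interception layer would call for every new
 * TLS session, whichever application opened it. */
bool decide(const struct conn_info *c)
{
    return policy_allows(DEFAULT_POLICY,
                         sizeof DEFAULT_POLICY / sizeof DEFAULT_POLICY[0], c);
}

int main(void)
{
    /* Constructed connections: a public site, and the pinned host presenting
     * a CA-issued certificate whose fingerprint is not the pinned one. */
    struct conn_info ok    = { "www.example", "www.example", "ffff", true };
    struct conn_info spoof = { PINNED_HOST, PINNED_HOST, "deadbeef", true };
    printf("www.example:           %s\n", decide(&ok)    ? "allow" : "block");
    printf("intranet (wrong pin):  %s\n", decide(&spoof) ? "allow" : "block");
    return 0;
}
```

Because the application never sees the policy table, a program that "accepts everything" still cannot get past the pin, which is the property the design goal "prohibit unprivileged applications from acting against administrator rules" asks for.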
Moving Trust to the OS
TrustBase Architecture
Traffic Interception (Linux)
[Figure: Socket API calls routed through TrustBase TCP handling: connect, write/send, sendmsg/sendmmsg, read/recv, recvmsg/recvmmsg, close/shutdown]
Handler API
• Loadable kernel module
• Hooks into native transport protocol functionality
• Provides generic inspection/modification API
Evaluation
Coverage
Hardening
• Unprivileged malware cannot unload interception
• CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
• CAP_NET_ADMIN required to receive and respond to queries
• Configuration is writable only by privileged users
• Daemons run non-root with only required permissions
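The last two hardening rules only hold if the daemon actually starts with the capability set it was granted and nothing more. The following is an added example, not TrustBase's own code: a least-privilege self-check that a non-root daemon can run at start-up. It parses the `CapEff` line of `/proc/<pid>/status` and compares the effective capability mask against an allow-list. The bit numbers are the Linux kernel's (CAP_NET_ADMIN is bit 12, CAP_NET_RAW is bit 13); the daemon name and the sample status text are constructed for this example.

```c
/* Added example (not TrustBase's own code): start-up least-privilege check.
 * Capability bit numbers are the Linux kernel's; sample text is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_BIT(c)    (UINT64_C(1) << (c))

/* Find the CapEff line in /proc/<pid>/status text and parse its hex mask.
 * Returns false when the line is absent or malformed. */
bool parse_capeff(const char *status_text, uint64_t *out)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) return false;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    char *end = NULL;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return false;
    *out = (uint64_t)v;
    return true;
}

/* True when capability number `cap` is set in the effective mask. */
bool has_cap(uint64_t capeff, int cap)
{
    return cap >= 0 && cap < 64 && (capeff & CAP_BIT(cap)) != 0;
}

/* Convenience: answer has_cap() directly from status text; a parse failure
 * is treated as "does not hold it". */
bool status_has_cap(const char *status_text, int cap)
{
    uint64_t eff = 0;
    return parse_capeff(status_text, &eff) && has_cap(eff, cap);
}

/* Capabilities held beyond the allow-list.  Zero means the daemon runs with
 * exactly what it was granted (or less); any other value should abort start-up. */
uint64_t excess_caps(uint64_t capeff, uint64_t allowed)
{
    return capeff & ~allowed;
}

/* Live check for the calling process (Linux only; false elsewhere). */
bool read_self_capeff(uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return false;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capeff(buf, out);
}

int main(void)
{
    /* Constructed /proc/<pid>/status excerpt for a query-answering daemon
     * that was granted CAP_NET_ADMIN only (bit 12 -> mask 0x1000). */
    const char *sample =
        "Name:\ttrustbase-daemon\n"
        "Uid:\t1001\t1001\t1001\t1001\n"
        "CapEff:\t0000000000001000\n";
    uint64_t eff = 0;
    if (!parse_capeff(sample, &eff)) return 1;
    printf("CAP_NET_ADMIN: %s\n", has_cap(eff, CAP_NET_ADMIN) ? "yes" : "no");
    printf("CAP_NET_RAW:   %s\n", has_cap(eff, CAP_NET_RAW)   ? "yes" : "no");
    printf("excess over allow-list: %#llx\n",
           (unsigned long long)excess_caps(eff, CAP_BIT(CAP_NET_ADMIN)));
    return 0;
}
```

In a real daemon the allow-list would be the single capability the hardening slide names for that role, and a non-zero `excess_caps` result (for example an unexpected CAP_NET_RAW, which the slide says is enough to bypass interception) is a deployment error worth refusing to start on.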
Performance
Other Approaches
CertShim [Bates et al. CCS 2014]
Benefits
• Transparently intercept TLS library calls (LD_PRELOAD)
• Low overhead
Limitations
• Dynamically linked libraries only
• User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Coverage and Performance
MessageGuard runs on all major browsersbull Desktop Chrome Firefox IE Opera Safaribull Android Chrome Firefox Operabull iOS Chrome Mercury Safari
MessageGuard encrypts data on almost all of the Alexa top 50 websitesbull youtubecom the only site with an issue
five lines of customization code to fix
Negligible overhead
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Usability Scores
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
Other Approaches
ShadowCrypt [CCS 2014]bull End-to-end encryption for web applicationsbull Leverage the Shadow DOM as a control point
Mimesis Aegis [Usenix Security 2014]bull End-to-end encryption on mobile appsbull Leverages the accessibility layer as a control point
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
MessageGuard Information
bull Source code httpsbitbucketorgisrlemailmessageguardbull Pull requests welcome
bull Project website httpsisrlbyueduprojectsemail
bull Plug-ins available https[pgpibepasswords]messageguardio
bull Contact scottruotiorg
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
TrustBase
TrustBase An Architecture to Repair and Strengthen Certificate-Based AuthenticationM OrsquoNeill S Heidbrink S Ruoti J Whitehead D Bunker L Dickinson T Hendershot J Reynolds K Seamons D ZappalaUSENIX Security Symposium 2017
TLS Inspection How Often and Who Cares M OrsquoNeill S Ruoti K Seamons D ZappalaIEEE Internet Computing MayJune 2017
TLS Proxies Friend or FoeM OrsquoNeill S Ruoti K Seamons D ZappalaACM Internet Measurement Conference (IMC 2016)
User Attitudes Toward the Inspection of Encrypted TrafficS Ruoti M OrsquoNeill D Zappala K SeamonsSymposium on Usable Privacy and Security (SOUPS 2016)
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
TrustBase
bull Motivating principlesbull Centralize authentication as an OS service
bull Empower system admins to dictate how trust decisions are made on their own machines
bull Design goalsbull Secure all existing applications
bull Prohibit unprivileged applications from acting against administrator rules
bull Provide easy deployment of authentication systems
bull Negligible overhead
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al CCS 2014]
Benefitsbull Transparently intercept TLS library calls (LD_PRELOAD)bull Low overhead
Limitationsbull Dynamic linked libraries onlybull User-level attacker can disable
TrustBase Information
bull Source code httpsgithubcommarkoneilltrustbase-linux
bull Pull requests welcome
bull Project website httpsowntrustorg
bull Contact mtobyuedu
Linux Android Win10
Future - Layering-Aware Applications
TrustBasebull Application API
bull Secure Socket Type
MessageGuardbull Customize for websites
bull Key management
bull Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risksbull Bugs are global
bull Disruption is a DOS
Rewardsbull Correctness
bull Many eyeballs
bull Easier path to fix flaws
bull Updates are global
bull More rapid deployment of new security features
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Risks amp Rewards Example ndash TLS Inspection
Source Durumeric et al The Security Impact of HTTPS Interception NDSS 2017
Future Applications in our Research
Password authenticationbull Password monitoring
bull Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No CNS-1528022Any opinions findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology DirectorateCyber Security Division (DHS SampTCSD) via contract number HHSP233201600046CThe views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements either expressed or implied of the Department of Homeland Security
Questions
API
TrustBase
Transport
Network
helliphellip
Application
Validation
Plugins
Prototypes forbull Linuxbull Android (nonrooted)bull Windows
Moving Trust to the OS
TrustBase Architecture
TrustBase Architecture
Traffic Interception (Linux)
Sock
et A
PI
TCP
Han
dlin
g
connect
writesend
sendmsgsendmmsg
readrecv
recvmsgrecvmmsg
closeshutdown
Handler API
bull Loadable kernel module
bull Hooks into native transport protocol functionality
bull Provides generic inspectionmodification API
Evaluation
Coverage
Hardening
bull Unprivileged malware cannot unload interception
bull CAP_NET_RAW is required to use raw sockets (default) and to bypass TrustBase interception
bull CAP_NET_ADMIN required to receive and respond to queries
bull Configuration is writable only by privileged users
bull Daemons run nonroot with only required permissions
Performance
Other Approaches
CertShim [Bates et al., CCS 2014]
Benefits:
• Transparently intercepts TLS library calls (LD_PRELOAD)
• Low overhead
Limitations:
• Dynamically linked libraries only
• User-level attacker can disable
TrustBase Information
• Source code: https://github.com/markoneill/trustbase-linux
• Pull requests welcome
• Project website: https://owntrust.org
• Contact: mt@byu.edu
Linux, Android, Win10
Future - Layering-Aware Applications
TrustBase:
• Application API
• Secure Socket Type
MessageGuard:
• Customize for websites
• Key management
• Email API for encrypted attachments
Summary
Remove security functionality burden from developers
Layer security at control points
Risks and Rewards
Risks:
• Bugs are global
• Disruption is a DoS
Rewards:
• Correctness
• Many eyeballs
• Easier path to fix flaws
• Updates are global
• More rapid deployment of new security features
Risks & Rewards Example – TLS Inspection
Source: Durumeric et al., The Security Impact of HTTPS Interception, NDSS 2017
Future Applications in our Research
Password authentication:
• Password monitoring
• Strong password protocols
Content-based encryption and signing of web content
Funding Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No. CNS-1528022. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600046C. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.
Questions