[cryptography] How are expired code-signing certs revoked?
marsh at extendedsubset.com
Wed Dec 21 18:04:34 EST 2011
On 12/21/2011 04:24 PM, Michael Nelson wrote:
> Somewhat related: The IEEE is asking for proposals to develop and
> operate a CA as a part of their Taggant System. This involves
> signing to validate the usage of packers (compressing executables).
> Packers can make it hard for anti-virus programs to spot malware.
> Does this strike you as impractical?
> It seems obvious to me that it will be a wasted effort.
Well the people involve are not dumb, right? They know the capabilities
of malware as well as most anyone.
Here's an overview of the proposed system:
> "Today malware uses code-obfuscation techniques to disguise the
> malicious actions they take on your machine. As it is a hard problem
> to overcome such protection technologies, computer-security tools
> have started to become suspicious if an application uses code
> protection. As a result, even legitimate content-protection
> technology—generally put in place to either control application usage
> or protect intellectual property (IP) from exposure or tampering—can
> lead to false-positive detections. This forces technology vendors,
> such as software publishers, to make a decision between security and
> software accessibility. Joining the IEEE Software Taggant System
> enables SafeNet to provide our customers a way to enjoy the benefits
> of the proven IP protection without the risk of triggering a negative
> response from common malware protection tools."
So my interpretation of what they're essentially saying is this:
There are mostly three categories of software that need to modify
executable memory pages:
A. Operating system loaders. EXEs and DLLs are things AV companies
already scan. These modules can be code-signed today (and we all know
that signed code is safe code).
B. The "legitimate" code obfuscation systems currently for IP protection
C. Malware, which today uses code polymorphism ("unpackers") to evade
When today's host based antimalware systems see the code modifications
happening, it doesn't have an easy way to distinguish category B from
category C. So these researchers propose to move category B applications
into category A (under the threat of "risk of triggering a negative
response from common malware protection tools") and thereby emulate the
success of the operating system-based code signing systems.
Here's a classic article on the topic. In this case, the OS executable
loader itself is used as the unpacker:
More information about the cryptography