"With ""Trust none over the Internet"" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while the communication over Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.
This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this ""last mile"" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable."
Report
Share
Report
Share
1 of 42
Download to read offline
More Related Content
Last mile authentication problem: Exploiting the missing link in end-to-end secure communication
2. Our team
Thanh Bui
Doctoral Candidate
Aalto University
Finland
Sid Rao
Doctoral Candidate
Aalto University
Finland
Dr. Markku Antikainen
Post-doc researcher
University of Helsinki
Finland
Prof. Tuomas Aura
Professor
Aalto University
Finland
2
3. Traditional network threat model
● Server and user device are trusted
● Software is trusted
● Untrusted network:
○ “man in the middle”
● E.g. web server and web browser
● Crypto (TLS and web PKI) to protect
communication
3
Server
User device
Client
4. ● Not all communication goes over the
traditional network
○ Inter Process Communication
● Multiple untrusted services run
inside the user device
We try to understand security of
communication inside the computer
Communication inside a computer - IPC
4
User device
Frontend
process
Backend
process
5. Man in the Machine (MitMa)
● MitMa attacker: Another user at home or at work, including guest
● Attacker goal: Impersonate communication endpoints in IPC
● Attack method:
○ Runs a malicious process in the background (no privilege
escalation required)
○ Fast user switching, remote access (e.g. ssh, remote desktop) 5
Alice’s session
Frontend
process
Backend
process
Guest’s session Malware
6. This talk
● We exploit “last mile communication” inside the computer
● Structure
○ IPC and attack vectors
○ Case studies
■ Password managers
■ USB security tokens
○ Mitigation
○ Conclusion
6
7. This talk
● We exploit “last mile communication” inside the computer
● Structure
○ IPC and attack vectors
○ Case studies
■ Password managers
■ USB security tokens
○ Mitigation
○ Conclusion
7
Credentials and second
authentication factors
can be compromised
from inside the computer
zz
9. IPC methods
● File system
● Signal and semaphore
● Network socket and Unix domain socket
● Message queue
● Anonymous pipe and named pipe
● Shared memory
● Clipboard
● Remote Procedure Call (RPC)
● USB (though not strictly an IPC method)
● ...
9
10. Network sockets
● Mainly for communication across network but used for IPC as well
○ Over loopback interface: 127.0.0.0/8 or ::1/128
● Server listens on a specified port and waits for incoming client requests
○ Only a single process can bind to a port at a time
○ Any process regardless of its owner can listen on ports > 1024
● Local processes can connect to the server as clients if the port is known
● No built-in access control
10
11. Network sockets - Attack vectors (1)
Client impersonation
● Any local process can connect to any
server port on localhost
● If server accepts only one client,
connects before the legitimate client
Server impersonation
● Bind to the port before the legitimate
server does
11
12. Network sockets - Attack vectors (1)
Client impersonation
● Any local process can connect to any
server port on localhost
● If server accepts only one client,
connects before the legitimate client
Server impersonation
● Bind to the port before the legitimate
server does
Legitimate and malicious servers cannot bind to the same port at the same time
Man-in-the-Middle?
12
13. Network sockets - Attack vectors (2)
Man-in-the-Middle attack
● Port agility
○ If primary port is taken, the server might failover to another port from a predefined list
○ MitMa attacker can
■ Listen on the primary port to receive client connection, and
■ Connect himself to the legitimate server on the secondary port
13
14. Network sockets - Attack vectors (2)
Man-in-the-Middle attack
● Port agility
○ If primary port is taken, the server might failover to another port from a predefined list
○ MitMa attacker can
■ Listen on the primary port to receive client connection, and
■ Connect himself to the legitimate server on the secondary port
● No port agility
○ Replay messages by alternating between the client and server roles
○ Rate of messages passing through the attacker will be slow but might still be practical
14
15. Windows named pipe
15
● Similar client-server architecture as network socket’s, but multiple
processes can simultaneously act as servers
○ A named pipe can have multiple instances that share the same name
○ Each instance connects exactly one pipe server and one pipe client
○ New pipe clients connected to the pipe servers in round-robin order
● Named pipes placed in a special path .pipe
○ Every user (including guest) has access to the path
● Have built-in access control!
16. Windows named pipe - Access control
16
● If a named pipe doesn’t exist, any user can create it (including guest)
● If it exists, only users with FILE_CREATE_PIPE_INSTANCE permission
can create new instances
● The first instance of the named pipe decides the maximum instances and
security descriptor (DACL)
○ Default DACL:
■ READ access to everyone
■ FULL access to the creator and admins
17. Windows named pipe - Attack vectors
Client impersonation
● Any process can connect to any open
pipe instance but subject to access
control check
Server impersonation
● Pipe name hijacking: create the first
instance to control the pipe’s DACL and
maximum instances
○ Set DACL to allow everyone to create
new instances
Client + Server impersonation = Man-in-the-middle
17
18. USB Human Interface Devices (USB HID)
● E.g. keyboards, pointing devices, hardware security tokens
● On Linux and macOS,
○ USB HIDs accessed from only current active user session
● On Windows,
○ USB HIDs accessed from any user session, including those in the background
○ Security of the devices depends on application-level security mechanism implemented in
the hardware or software
18
20. ● Native (desktop) app manages the password vault
○ Password vault encrypted with a key derived from a master password
● Browser extension creates and stores passwords, and enters them into
login pages
● Browser extension and native app communicate via IPC
Password managers
20
User device
Web browser
Web page
Native
app
Browser
extension
21. ● Native app runs a HTTP/WebSocket server on a predefined port
● Browser extension connects as a client to the server
● Threats:
○ Browser extension is sandboxed → unable to perform most checks on the server process
Password managers w/ Network socket
21
Web browser
Web page
Browser
extension
8080
Network socket Native app
22. Case study - Dashlane
● Dashlane app runs a WebSocket server on port 11456
● Communication:
○ Messages encrypted with a key derived from hard-coded constant
○ Server verifies client by checking:
■ Browser extension ID in Origin header of each message
■ Code signature of the client process to make sure it is a known browser
■ Client process owned by same user as the server’s
○ Client does NOT verify server
22
23. Case study - Dashlane
● Dashlane app runs a WebSocket server on port 11456
● Communication:
○ Messages encrypted with a key derived from hard-coded constant
○ Server verifies client by checking:
■ Browser extension ID in Origin header of each message
■ Code signature of the client process to make sure it is a known browser
■ Client process owned by same user as the server’s
○ Client does NOT verify server
23
Client impersonation
Server impersonation
24. Server impersonation on Dashlane (1)
Attack steps:
1. Extract hard-coded encryption key from the browser extension’s code
2. Run WebSocket server on port 11456 before the benign server does
○ Benign server silently failovers to another port
3. Use the hard-coded key to communicate with the browser extension
24
Web browser
Web page
Browser
extension
11456
MitMa
attacker
Network socket
Dashlane
app11457
25. Server impersonation on Dashlane (2)
Results:
● Dashlane browser extension collects and sends DOM elements from web
pages to app for analysis
→ Attacker obtains personal data, such as emails and messages, from web pages
● Server can instruct the browser extension to collect web-form data and
send to it
→ Attacker obtains any text typed by the user, including credentials
25
26. Case study - 1Password
● 1Password app runs a WebSocket
server on port 6263
● Communication:
○ Server verifies client in the same way
as Dashlane does
○ In the first communication, server and
client run a self-made protocol to
agree on a shared encryption key
26
1. C → S: “hello”
2. C ← S: code (random 6-digit string)
3. C → S: hmac_key
4. Both extension and app displays the code
5. User confirms to the app if they match
6. C ← S: “authRegistered”
7. C → S: nonceC
8. C ← S: nonceS
,
mS
=HMAC(hmac_key, nonceS
||nonceC
)
9. C → S: mC
=HMAC(hmac_key, mS
)
10. C ← S: “welcome”
11. Both sides derive encryption key
K=HMAC(hmac_key, ms
||mC
||”encryption”)
27. Case study - 1Password
● 1Password app runs a WebSocket
server on port 6263
● Communication:
○ Server verifies client in the same way
as Dashlane does
○ In the first communication, server and
client run a self-made protocol to
agree on a shared encryption key
27
1. C → S: “hello”
2. C ← S: code (random 6-digit string)
3. C → S: hmac_key
4. Both extension and app displays the code
5. User confirms to the app if they match
6. C ← S: “authRegistered”
7. C → S: nonceC
8. C ← S: nonceS
,
mS
=HMAC(hmac_key, nonceS
||nonceC
)
9. C → S: mC
=HMAC(hmac_key, mS
)
10. C ← S: “welcome”
11. Both sides derive encryption key
K=HMAC(hmac_key, ms
||mC
||”encryption”)
Client impersonation
Server impersonation
29. Native messaging
29
● Browser’s built-in method for communicating between browser extension
and native code
● App registers with the browser:
○ an executable, called Native Messaging Host (NMH), and
○ a configuration file specifying which browser extensions have access to the NMH
● Browser starts the NMH in a child process and lets the browser extension
communicate with it
30. Native messaging
30
● Browser’s built-in method for communicating between browser extension
and native code
● App registers with the browser:
○ an executable, called Native Messaging Host (NMH), and
○ a configuration file specifying which browser extensions have access to the NMH
● Browser starts the NMH in a child process and lets the browser extension
communicate with it
Native messaging is immune to MitMa attacks
31. Password managers w/ Native messaging
31
● Password manager app registers a NMH with the browser and allows only
its browser extension to communicate with the NMH
● However, NMH and the native app are still two separate processes
→ they use IPC to communicate with each other
Web browser
Web page
Browser
extension
Native
app
App-specific IPC
Native
messaging
host
Native messaging
32. Case study - Password Boss
● On Windows, named pipe used for IPC between NMH and the native app
● When the app starts, it creates a named pipe with:
○ Fixed name
○ Maximum instance = 50
○ DACL allowing all authenticated users to have FULL access
● NMH connects to the named pipe as a pipe client and forwards messages
between browser extension and native app
● All messages are sent in plaintext
32
33. Case study - Password Boss
● On Windows, named pipe used for IPC between NMH and the native app
● When the app starts, it creates a named pipe with:
○ Fixed name
○ Maximum instance = 50
○ DACL allowing all authenticated users to have FULL access
● NMH connects to the named pipe as a pipe client and forwards messages
between browser extension and native app
● All messages are sent in plaintext
33
Man-in-the-Middle
34. Man-in-the-Middle on Password Boss (1)
By authenticated user:
1. Connects as a client to the app’s named pipe
instance
2. Creates another instance of the named pipe and
waits for the NMH
3. NMH connects to the attacker’s instance because it
is the only open instance
4. Forwards messages between the two pipe
instances
34
AppAttacker
Client Server
1st
inst.
NMH Attacker2nd
inst.
35. Man-in-the-Middle on Password Boss (2)
By guest user:
● Guest cannot access the app’s pipe instance
or create a new one
● Solution: Pipe name hijacking
○ Create the first instance and set a FULL access DACL
to all users
● Rest is same as the attack by authenticated
user
35
AppAttacker
Client Server
2nd
inst.
NMH Attacker3rd
inst.
Attacker Attacker1st
inst.
36. Case study - FIDO U2F security key
● 2nd
authentication factor based on
public key crypto and a USB device
● Challenge-response protocol
○ Browser keeps sending the challenge from
the server to the device until it receives
response (every 300 ms on Chrome)
○ User activates the device by touching a
button on it
○ The device responds to only the first request
after the touch
36
Browser
Security
key Server
username, password
Verify
password
challenge
challenge
User touches
button
response
response
Verify
response
37. Unauthorized access of FIDO U2F key
37
Reminder: On Windows, USB HIDs can be accessed from any user session
Assumption: Attacker has obtained the 1st
authentication factor
Attack steps:
1. Signs in to the service in the background using the 1st
factor
2. Sends the challenge from the service to the device at a high rate
3. Victim (in the foreground) signs in to ANY service using the same
security key and touches the button on the device
○ The first button touch had no effect, but such minor glitches are typically ignored
4. The attacker’s request gets signed instead of the victim’s with high
probability, and then the attacker obtains the 2nd
factor
39. Discovered vulnerabilities
39
Application IPC Channel Attacks
Password
managers
Roboform Y N - Network socket Client imp.
Dashlane Y Y - Network socket Server imp.
1Password Y N - Network socket Server imp.
F-Secure Key Y Y - Network socket
Client imp.
Server imp.
Password Boss N Y - Named pipe Man-in-the-Middle
Sticky Password Y N - Network socket
Client imp.
Server imp.
Hardware
tokens
FIDO U2F Key N Y N USB Unauthorized access
DigiSign Y Y Y Network socket Client imp.
Others
Blizzard Y Y - Network socket Client imp.
Transmission Y Y Y Network socket Client imp.
Spotify Y Y Y Network socket Client imp.
MySQL N Y N Named pipe Man-in-the-Middle
Keybase N Y N Named pipe Server imp.
macOS
Windows
Linux
40. Mitigation
● Spatial and temporal separation of users
○ Limit the number of users that can access a computer
○ Disable remote access, such as SSH and Remote desktop
● Attack detection easier in IPC than in network
○ Compare owner of client and server processes
○ Query client/server binary
● Cryptographic protection
○ User-assisted pairing vs TLS and PKI
○ Avoid self-made crypto!
40
41. Conclusion
Software developers beware, IPC is not inherently secure!
● Unprivileged user or process can attack IPC of another user on the same
computer
● Traditional network security threats exist also in IPC
● We are doing a more exhaustive survey
○ Contribute, if you are interested!
41
42. Contact
Thanh Bui: thanh.bui@aalto.fi
Siddharth Rao: siddharth.rao@aalto.fi
Markku Antikainen: markku.antikainen@helsinki.fi
Tuomas Aura: tuomas.aura@aalto.fi
Read more
”Man-in-the-Machine: Exploiting ill-secured communication
inside the computer”, USENIX Security 2018
42
Thank you!