us-15-Moore-Defeating Pass-the-Hash-Separation-Of-Powers.pdf

《us-15-Moore-Defeating Pass-the-Hash-Separation-Of-Powers.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、DefeatingPass-the-HashSeparationofPowersCredentialTheft•Attheheartofmanyhigh-profileattacks.•FueledbySingleSign-On•Afeaturenobodywantstolivewithout.Pass-the-Hash:AWindowsPrimer•LSASSonAlice’slaptophoststheAlice’sLaptopauthenticationprotocolsLocalSecurityAuth

2、ority(LSASS)NTLM•Administrator-levelattackersmayNTOWF:C9DF4E56A2…access:•NTLMHashKerberosTicketGrantingServiceServiceServiceServiceTicketKeyTicketTicketTicketTicketKey•KerberosKeys•Alice’spasswordPassword•AttackersstealandreplaytheselegacyprotocolartifactsTh

3、eChainReactionWeHavetheTechnology•Multi-FactorAuthentication•Stealingonecredentialisn’tenough.•StrongCredentials•Smartcards,FIDOkey,etc•TokenBinding•Makestolentokensuseless.BusinessesLikeMakingMoney•Legacycomponentskeepworking•“MyprinterworkswithNTLM.”•NAS,P

4、rinters,Software,etc.•Businessdependsonthese•LegacyprotocolsincludereplayableartifactsHowtokeepasecret?SeparationofPowers•Balanceofpowerspreventsabuse•Ensuresaccountability•Legislationpassesthelaws.•Executivebranchcarriesoutthetasks.•Judicialsystemmakesureev

5、eryoneisplayingbytherules.•OSandrealgovernmentsaren’tthatdifferent.•AdministratorsTheLegislativePower•Kernel/SystemServices/DriversExecutivePower•TrustedComputingBase(TCB)JudicialPower(makessureeveryoneobeystheconstitution)Admin==Kernel==TCB:Riskybusiness

6、•Adminsarehuman,humanserr•Datashows:>90%(!!)ofWindowsusersrunassomesortofadministrator•Totallossofsystemwhenamaliciousattachmentisrun•Whatiftheadministratorismalicious?•Adminsshouldnothavetotalcontrolonthemachine•E.g.games,multi-tenantscenarios•Wecan’tsimply

7、trustthekernel,either.•Attacksurfacetoobig:Thousandsofsystemcalls,IOCTLs•Diverseecosystem:Many3rdpartydriverswithdifferentqualityassurancestandardsThisisnotanewproblem…•Authenticode/KernelModeCodeSigning•Principle:Puttingreputationofanauthenticatedidentityon

8、theline•Cost+traceabilitynegativelyimpactsexploiteconomics•Problem:StrongverificationofpublishersbyCAsisquestionableatbestandrecallsarehardandslow.•ProtectedProcess–PP/ProtectedProcessLight–PPL•