Authentication and Data Protection under Strong
Adversarial Model
Lianying Zhao
A thesis
in
The Concordia Institute
for
Information Systems Engineering
Presented in Partial Fulfillment of the Requirements
For the Degree of
Doctor of Philosophy (Information and Systems Engineering) at
Concordia University
Montréal, Québec, Canada
July 2018
© Lianying Zhao, 2018
Concordia University
School of Graduate Studies
This is to certify that the thesis prepared
By: Mr. Lianying Zhao
Entitled: Authentication and Data Protection under Strong
Adversarial Model
and submitted in partial fulfillment of the requirements for the degree of
Doctor of Philosophy (Information and Systems Engineering)
complies with the regulations of this University and meets the accepted standards
with respect to originality and quality.
Signed by the final examining committee:
Chair
Dr. Ketra Schmitt
External Examiner
Dr. Urs Hengartner
External to Program
Dr. Otmane Ait Mohamed
Examiner
Dr. Jeremy Clark
Examiner
Dr. Lingyu Wang
Thesis Supervisor
Dr. Mohammad Mannan
Approved by
Dr. Chadi Assi, Graduate Program Director
June 21, 2018
Dr. Amir Asif, Dean
Faculty of Engineering and Computer Science
Abstract
Authentication and Data Protection under Strong Adversarial Model
Lianying Zhao, Ph.D.
Concordia University, 2018
We are interested in addressing a series of existing and plausible threats to
cybersecurity where the adversary possesses unconventional attack capabilities.
Such unconventionality includes, in our exploration but not limited to,
crowd-sourcing, physical/juridical coercion, substantial (but bounded)
computational resources, malicious insiders, etc. Our studies show that
unconventional adversaries can be counteracted with a special anchor of trust
and/or a paradigm shift on a case-specific basis.
Complementing cryptography, hardware security primitives are the last defense in
the face of co-located (physical) and privileged (software) adversaries, hence serving
as the special trust anchor. Examples of hardware primitives are architecture-shipped
features (e.g., with CPU or chipsets), security chips or tokens, and certain features on
peripheral/storage devices. We also propose changes of paradigm in conjunction with
hardware primitives, such as containing attacks instead of counteracting, pretended
compliance, and immunization instead of detection/prevention.
In this thesis, we demonstrate how our philosophy is applied to cope with
several exemplary scenarios of unconventional threats, and elaborate on the
prototype systems we have implemented. Specifically, Gracewipe is designed for
stealthy and verifiable secure deletion of on-disk user secrets under coercion;
Hypnoguard protects in-RAM data when a computer is in sleep (ACPI S3) in case of
various memory/guessing attacks; Uvauth mitigates large-scale human-assisted
guessing attacks by receiving all login attempts in an indistinguishable manner,
i.e., correct credentials in a legitimate session and incorrect ones in a
plausible fake session; Inuksuk is proposed to protect user files against
ransomware or other authorized tampering. It augments the hardware access
control on self-encrypting drives with trusted execution to achieve data
immunization. We have also extended the Gracewipe scenario to a network-based
enterprise environment, aiming to address slightly different threats, e.g.,
malicious insiders.
We believe the high-level methodology of these research topics can contribute to
advancing the security research under strong adversarial assumptions, and the
promotion of software-hardware orchestration in protecting execution integrity
therein.
Acknowledgments
My thesis supervisor, Dr. Mohammad Mannan, has always been the driving force,
reliable support and rigorous guide for my Ph.D. research, which led to my smooth
conversion to an academic mindset from the industry. I appreciate the meticulousness
and rigorousness that are "genetically" implanted into my research habits and even
the way I think, just because of him.
I am grateful for all members of Madiba Security Research Group (especially
Xavier de Carné de Carnavalet), as well as the rest of my research colleagues of
the CIISE department, for the pleasant discussions we have had, regarding research,
career and life. When disappointment or frustration comes, it is them who make me
look forward.
I also would like to express my gratitude to my family members, who have been
backing me up and understanding the devoted nature of Ph.D. studies, without which
this thesis would not have been possible.
Contents
List of Figures
List of Tables
1 Introduction
1.1 Unconventional Attack Capabilities
1.2 Methodology
1.2.1 Hardware security primitives – P1
1.2.2 Passive but resilient defense – P2
1.3 Thesis Statement
1.4 Main Contributions
1.5 Related Publications
1.6 Outline
2 Deceptive Deletion Triggers under Coercion
2.1 Introduction and Motivation
2.2 Goals and Threat Model
2.2.1 Goals and terminology
2.2.2 Threat model and assumptions
2.3 Gracewipe Design
2.3.1 Overview and disk layout
2.3.2 Execution steps
2.3.3 Sealing in NVRAM
2.3.4 Password management
2.4 Implementation with TrueCrypt
2.4.1 Implementing the wiper
2.4.2 Adapting TrueCrypt
2.4.3 Orchestrating components
2.4.4 Windows and TPM issues
2.5 Extended Unlocking Schemes
2.5.1 Existing panic password schemes
2.5.2 Counter-based deletion trigger
2.5.3 Edit-distance-based password scheme
2.5.4 Other possible schemes
2.6 Performance Overhead
2.7 Generalized Workflow and Comparison
2.8 Security Analysis
2.9 Related Work
2.10 Concluding Remarks
3 Extending Gracewipe to Network-based Environments
3.1 Introduction
3.2 Threat Model and Assumptions
3.3 An Analysis and Status-quo of Remote Secure Erase
3.4 End-to-end Verifiable Secure Deletion
3.4.1 Design considerations
3.5 A Proof-of-concept on x86 PCs
3.5.1 Assumptions and terminology
3.5.2 Design overview
3.5.3 Implementation of Gracewipe Remote
3.5.4 Adapting for server-coordinated remote wipe
3.6 Related Work
3.7 Conclusion
4 Hypnoguard: Protecting Secrets across Sleep-wake Cycles
4.1 Introduction
4.2 Terminologies, Goals and Threat Model
4.2.1 Terminologies
4.2.2 Goals
4.2.3 Threat model and assumptions
4.3 Design
4.3.1 Design choices and elements
4.3.2 Unlock/deletion policy and deployment
4.3.3 How goals are achieved
4.4 Implementation
4.4.1 Overview and execution steps
4.4.2 Instrumenting the S3 handler
4.4.3 Memory considerations
4.4.4 User interaction
4.4.5 Moving data around
4.4.6 Unencrypted memory regions
4.5 High-speed Full Memory Encryption and Decryption
4.5.1 Enabling techniques
4.5.2 Performance analysis
4.6 Variants
4.7 Security Analysis
4.8 Related Work
4.9 Concluding Remarks
5 Trusted Write-protection Against Privileged Data Tampering
5.1 Introduction and Motivation
5.2 Threat Model and Assumptions
5.3 Design
5.3.1 Design goals
5.3.2 Trusted file versioning
5.3.3 Design choices
5.3.4 System components and workflow
5.3.5 A remote data vault
5.4 Implementation
5.4.1 Using Flicker to handle TXT sessions
5.4.2 OPAL access to SED inside TXT
5.4.3 Secure user interface
5.4.4 OPAL implementation challenges
5.5 Performance Considerations
5.5.1 File system efficiency
5.5.2 CPU slowdown in Flicker PAL
5.5.3 Adding support for DMA disk access
5.5.4 Usage scenarios and performance
5.6 Security Analysis
5.7 Related Work
5.8 Conclusions
6 COTS One-Time Programs
6.1 Introduction
6.2 Preliminaries
6.2.1 Design goals
6.2.2 Trusted execution environments
6.2.3 Threat model
6.2.4 Terminology
6.2.5 Additional background
6.3 System 1: TXT-only
6.3.1 TXT-only provisioning at Alice’s site
6.3.2 TXT-only evaluation at Bob’s site
6.3.3 Trusted execution
6.3.4 Performance evaluation
6.4 System 2: GC-based
6.4.1 The Frigate GC compiler
6.4.2 Execution steps
6.4.3 Enhanced security: GC-based Plus
6.4.4 Performance evaluation
6.5 Case Study
6.5.1 Genomic test
6.5.2 GC-Based OTP implementation
6.5.3 GC-based case study setup
6.5.4 TXT-only OTP implementation
6.5.5 Evaluation
6.5.6 Porting effort
6.6 Other Use Cases
6.7 Security analysis
6.8 Related Work
6.9 Concluding Remarks
7 Explicit Authentication Response Considered Harmful
7.1 Introduction
7.2 Threat Model and Assumptions
7.3 Uvauth: User-verifiable Authentication
7.3.1 Implicit detection of an authentication outcome
7.3.2 Designing fake sessions
7.4 Distorted Image as a Communication Channel
7.4.1 Captchas as a cipher
7.4.2 Adaptation of regular captchas
7.4.3 An example with VNC
7.5 Limitations and Attacks
7.6 Related Work
7.7 Conclusion
8 Further Discussion
8.1 Onto Mobile Platforms
8.2 Open Problems
8.3 Concluding Remarks
A Glossary and Additional Information