Novel authentication solution for shared objects developed in INSPIRE-5Gplus
INSPIRE-5Gplus partners Montimage and Tages have developed a novel authentication solution for shared objects, which addresses a critical security challenge – the need to authenticate shared objects before loading them. This solution is based on Montimage Virtual Security Function MMT-Probe and Tages Systemic SECaaS.
Building blocks of the novel authentication solution
Montimage Virtual Security Function MMT-Probe is a network anomaly detection tool that analyses traffic data at defined collecting points. A key design decision is to make anomaly detection operationally flexible: the rules that define (and execute) the security strategies can be edited on the fly, at any time, by anyone holding the credentials of the rule-generation role. This gives MMT-Probe the ability to adapt to new threats as they occur and are classified. Notably, this architectural design avoids re-installing MMT-Probe, which therefore remains intact and unchanged. Loading a new rule must therefore be secured, since an attacker who understands this architecture could intercept or modify a rule, or simply create one, and inject it into MMT-Probe. A rule is a piece of software, structured as a shared object called by the MMT-Probe core software, as shown in Figure 1.
Tages Systemic SECaaS produces automated or semi-automated modifications on binaries (i.e., ready-to-deploy software artifacts) to bring à la carte protections, including self-authentication, confidentiality, run-time integrity and license enforcement. It also allows software users (deployers) to embed metadata and fingerprints in their deliveries, easing the introduction of more granular SecDevOps and cyber-defence measures and typically offering improved root cause analysis. To meet these goals, Systemic works at the perimeter of the uploaded software to protect (i.e., the software binary file). Acting at the binary level brings many operational advantages, such as enlarging the range of possible users (who only need access to the ready-to-deploy binary, not the source code). Nevertheless, producing modifications on the binary artifact alone has proven to be limited in specific use cases. As a matter of fact, a piece of software must be defined as the main binary together with all shared objects it calls during its execution, as our collaborative work with Montimage revealed.
Figure 2 shows the standard protection process from the original binary file to the resulting protected variant. Notably, the protected variant embeds a Systemic security routine which is itself protected either by pure software means leveraging a strong obfuscation shield (i.e., a code virtualisation technique) or by a hardware Trusted Execution Environment (e.g., Intel's SGX).
Challenges of limited authentication checks
Our work on leveraging Systemic in INSPIRE-5Gplus, and more specifically on protecting Montimage MMT-Probe, immediately revealed the limitation caused by restricting the authentication check to the main software alone. Its dependencies, namely the rules, must be part of the protected perimeter too. To mitigate the risks associated with the injection of a rogue rule, TAGES has devised and developed a solution that:
- Protects the rule shared object exactly as is already done for an executable. The full range of security properties is brought (e.g., software confidentiality for the static file, self-authentication at start, run-time integrity verification).
- Signs a rule (or any other dependency) by use of our SECaaS. This is the new specific step taken by our development.
- Tests the signature before the corresponding shared object is loaded into process memory. This is achieved via a hook on the shared object loader routine, and the changes are applied automatically on the binary.
Figure 3 details the mechanism developed so that MMT-Probe checks the authenticity of a rule before the rule is actually loaded. The technical solution is to redirect the Linux dlopen call, which loads a shared object, to a newly appended authentication routine, and to return to the original control flow only when the check passes.
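The guarded-load logic described above, written out as an added example (this is illustrative code, not the Montimage, Tages or INSPIRE-5Gplus implementation). The real solution patches the binary so that dlopen itself is redirected; here the hook is modelled as a Python wrapper around ctypes.CDLL, which is Python's binding to dlopen. A keyed HMAC-SHA256 over the whole .so file stands in for the SECaaS signature, and the verification key, rule contents and tampering step are all constructed for the example.

```python
"""Guarded shared-object loader: authenticate a rule before it reaches dlopen.

Added example, not project code. Assumptions: the verification key below is a
constructed placeholder, and an HMAC tag stands in for the SECaaS signature.
"""
import ctypes
import hashlib
import hmac
import os
import tempfile

# Hypothetical verification key held by the protected main program. In the
# article's design this secret would live inside the Systemic security routine
# (obfuscated or in a TEE), never in plain text like this constructed value.
VERIFY_KEY = b"example-verification-key-constructed-for-demo"


class UntrustedSharedObject(Exception):
    """Raised when a shared object fails authentication and must not be loaded."""


def compute_tag(data: bytes, key: bytes = VERIFY_KEY) -> str:
    """Authentication tag over the raw file bytes (stand-in for the signature)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_shared_object(path: str, key: bytes = VERIFY_KEY) -> str:
    """What the signing step (SECaaS in the article) would emit for a rule file."""
    with open(path, "rb") as f:
        return compute_tag(f.read(), key)


def verify_shared_object(path: str, expected_tag: str, key: bytes = VERIFY_KEY) -> bool:
    """Recompute the tag over the file on disk and compare in constant time."""
    if not os.path.isfile(path):
        return False
    return hmac.compare_digest(sign_shared_object(path, key), expected_tag)


def guarded_dlopen(path: str, expected_tag: str, key: bytes = VERIFY_KEY):
    """Redirect the load through the authentication check (the Figure 3 idea).

    Only when the check passes does control flow continue to the original
    loader (ctypes.CDLL, i.e. dlopen). A tampered or substituted rule is
    rejected before it is ever mapped into process memory.
    """
    if not verify_shared_object(path, expected_tag, key):
        raise UntrustedSharedObject(f"refusing to load {path}: authentication failed")
    return ctypes.CDLL(path)


def demo_rule_lifecycle() -> tuple:
    """Constructed scenario: sign a rule, check it, then alter one byte and reload.

    Returns (genuine_rule_verified, tampered_rule_rejected). The rule body is a
    constructed placeholder, not a real ELF object; the tampered case never
    reaches dlopen because the check fails first.
    """
    with tempfile.TemporaryDirectory() as tmp:
        rule = os.path.join(tmp, "rule.so")
        with open(rule, "wb") as f:
            f.write(b"\x7fELF placeholder rule body (constructed, not a real .so)")
        tag = sign_shared_object(rule)
        genuine_ok = verify_shared_object(rule, tag)

        # Simulate an attacker-modified rule: flip one byte inside the file.
        with open(rule, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        try:
            guarded_dlopen(rule, tag)
            tampered_rejected = False
        except UntrustedSharedObject:
            tampered_rejected = True
        return genuine_ok, tampered_rejected


if __name__ == "__main__":
    print("genuine verified, tampered rejected:", demo_rule_lifecycle())
```

The tag must be computed over the exact bytes that the loader will map, and the comparison uses hmac.compare_digest so that a mismatch does not leak timing information; the same shape applies when the HMAC is replaced by a public-key signature check, which is the form the article's SECaaS signing step implies.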
Benefits of the novel authentication solution
The result of this engineering effort is significant in functional terms. The novel solution developed in INSPIRE-5Gplus enlarges the protected perimeter to the shared objects, which are used massively in modern software. This enlarged perimeter can notably extend to well-known open-source routines, typically in the domains of cryptography, security and protocols. The scope of this extra functionality goes far beyond this use case.
Figure 4 shows the user's selection, on Systemic SECaaS, of the proposed libraries and shared objects for which authentication by the main protected software is provided. Notably, these shared objects are extracted from the static analysis of the original software performed at the initial stage, before the protection is applied.