Reverse Fingerprinting

12/20/2019
by   Christian A. Gorke, et al.
0

Software connected to the Internet is an attractive target for attackers: as soon as a security flaw is known, services may be taken under attack. In contrast, software developers release updates to add further features and fix flaws in order to increase its security. Consequently, a user of the software wants to have the latest secure version running. However, if the software is provided as a service, e.g., as part of the cloud, the user relies on the service provider (SP) to perform such updates. But when asking for the software version, the user has to trust the output of SP or his software. Latter may be malformed, since updating software costs time and money, i.e., in comparison to changing a (false) version string. Now the question rises how a software service's client can provably determine the real software version of the running service at the SP, also known as Remote Software Identification (RSI). While existing tools provide an answer, they can be tricked by the service to output any forged string because they rely on the information handed directly by the SP. We solve the problem of RSI by introducing Reverse Fingerprinting (RFP), a novel challenge-response scheme which employs the evaluation of inherit functions of software versions depending on certain inputs. That is, RFP does not rely on version number APIs but employs a database consisting of function inputs and according outputs and combines them with a strategy and a randomness source to provably determine the version number. We also provide a theoretical framework for RSI and RFP, and describe how to create databases and strategies. Additionally, RFP can be securely outsourced to a third party, called the auditor, to take away the burden of the user while respecting liability. We also provide an implementation and API to perform RFP in practice, showing that most of the providers have installed the latest versions.

READ FULL TEXT
research
02/21/2019

Bottom-up strategy for data retrieval and data entry over front-end application Software

Some people implement pattern and best practices without analyzing its e...
research
10/20/2022

A Security and Trust Framework for Decentralized 5G Marketplaces

5G networks intend to cover user demands through multi-party collaborati...
research
05/11/2018

Quantifying Users' Beliefs about Software Updates

Software updates are critical to the performance, compatibility, and sec...
research
07/17/2017

Downgrade Attack on TrustZone

Security-critical tasks require proper isolation from untrusted software...
research
06/28/2022

Building a Secure Software Supply Chain with GNU Guix

The software supply chain is becoming a widespread analogy to designate ...
research
07/19/2021

Zero Trust Service Function Chaining

In this paper, we address the inefficient handling of traditional securi...
research
03/20/2020

Efficient Oblivious Database Joins

A major algorithmic challenge in designing applications intended for sec...

Please sign up or login with your details

Forgot password? Click here to reset