
Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer

Thanh Bui and Siddharth Prakash Rao, Aalto University; Markku Antikainen, University of Helsinki; Viswanathan Manihatty Bojan and Tuomas Aura, Aalto University
https://www.usenix.org/conference/usenixsecurity18/presentation/bui

This paper is included in the Proceedings of the 27th USENIX Security Symposium, August 15–17, 2018, Baltimore, MD, USA. ISBN 978-1-939133-04-5. Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX.

Authors: Thanh Bui (Aalto University), Siddharth Rao (Aalto University), Markku Antikainen (University of Helsinki, Helsinki Institute for Information Technology), Viswanathan Bojan (Aalto University), and Tuomas Aura (Aalto University)

Abstract

Operating systems provide various inter-process communication (IPC) mechanisms. Software applications typically use IPC for communication between frontend and backend components, which run in different processes on the same computer. This paper studies the security of how the IPC mechanisms are used in PC, Mac and Linux software. We describe attacks where a nonprivileged process impersonates the IPC communication endpoints. The attacks are closely related to impersonation and man-in-the-middle attacks on computer networks but take place inside one computer. The vulnerable IPC methods are ones where a server process binds to a name or address and waits for client communication. Our results show that application developers are often unaware of the risks and secure practices in using IPC. We find attacks against several security-critical applications including password managers and hardware tokens, in which another user's process is able to steal and misuse sensitive data such as the victim's credentials. The vulnerabilities can be exploited in enterprise environments with centralized access control that gives multiple users remote or local login access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.

1 Introduction

People use personal computers (PC) for storing and processing their most critical information, such as sensitive work documents, private messages, or access credentials to online accounts. These computers and the software running on them are designed to be personal, and the focus of security engineering has therefore been on external threats from unauthorized users and from the Internet. Nevertheless, most PCs can be accessed by more than one authorized user, making them effectively multi-user computers. In this paper, we analyze threats from the authorized insiders. They may be coworkers, family members, or guest users with console access.

Our focus is on the security of inter-process communication (IPC), i.e. communication channels that are internal to the computer. Computer software often comprises multiple components, such as a frontend application and a backend database, which obviously need to exchange information. Many modern desktop applications also often follow the design of web software and have a separate UI component, which connects to the business logic via a RESTful API. The UI may even be implemented in JavaScript and run in a web browser.

We assume the attacker to have login access as non-administrator or, at minimum, the ability to keep non-privileged processes running in the background. The attacker's goal is to exploit IPC between the processes of another user. The attacks that we discover are similar to those on the open networks, but they happen inside one computer, where application developers often do not expect adversaries. We therefore use the name man in the machine (MitMa) to describe these attackers.

During the analysis of case-study applications, we observed that application developers have an ambiguous attitude towards local attackers and the security of IPC channels. On one hand, these threats are not given much consideration. It is quite common to cite opinions of security experts stating that attempts to defend against local attackers are futile. On the other hand, the application implementations often make some attempt to authenticate or encrypt the communication, but rarely with the same prudence as seen in communication over physical networks.

Our main contribution is to highlight the importance of the adversary model where a nonprivileged user intercepts communication inside the computer. We demonstrate its seriousness with various examples of widely-deployed applications and compromises of critical data. We show that the vulnerabilities are common and that exploiting them is not difficult. We also discuss potential mitigation techniques. Finally, we believe that the observations of this paper will be valuable also in the ongoing efforts to improve isolation between one user's applications.

The rest of this paper is structured as follows. Section 2 explains our adversary model. Section 3 describes IPC methods and the basic attack principles. Sections 4–7 cover the vulnerabilities found in several classes of applications. Potential solutions are covered in Section 8 while Section 9 discusses the results and Section 10 surveys related work. Finally, Section 11 concludes the paper.

2 The adversary

This section describes the adversary model and explains its relevance in everyday information systems.

We consider multi-user computers that may have processes of two or more users running at the same time. The attacker is a nonprivileged user who tries to steal sensitive information from or interfere with another user. It does this by intercepting communication between the victim user's processes, as illustrated in Figure 1. The malicious process is nonprivileged, and it typically runs in the background and belongs to a different login session than the victim's processes. The attack is similar to impersonation or man in the middle in computer networks, but since the communication takes place inside one computer, we call it man in the machine (MitMa).

Figure 1: MitMa attack

Shared computers are common both in home and enterprise environments. In a Windows domain, users are centrally registered at the Active Directory (AD) and they are typically able to log into each other's workstations. Linux and macOS workstations are commonly integrated into AD or other centralized directory services.

In addition to having its own user account, the MitMa attacker needs to be able to run a process in the background when the victim user is working on the computer. Table 1 summarizes ways to achieve this. Personal computers generally have not been designed for multiple simultaneous users, but they do support fast user switching [41], that is, leaving login sessions in the background and resuming them later. Such background sessions continue to have running processes that can be used in the attacks. On macOS and Linux, it is also possible to leave processes running when the user logs out (e.g., with the nohup command). On Windows, user processes are killed at the end of the login session, and thus the MitMa attacker must remain logged in.

Table 1: MitMa attackers on different OSs

MitMa attacker       Method           Linux   macOS   Windows
Authenticated user   Console login    ✓       ✓       ✓
                     SSH              ✓       ✓       ✓
                     Remote desktop   N/A     ✓       N/A
Guest account        Console login    ✓       ✓       ✓

The MitMa attacks can also be launched using guest accounts. The guest user can start the malicious process and leave the guest session in the background with fast user switching. We implemented the attacks described in this paper with macOS High Sierra, Windows 7, and Windows 8.1. These operating systems have the guest account enabled by default. Windows 10 does not currently have a built-in guest account, though creating one is possible. In enterprise Windows domains, the availability of the guest account depends on the group policy.

The attacks can also be carried out remotely, for example, if SSH [56] has been enabled. On macOS, the SSH server is started if the administrator chooses "Remote Login" from sharing preferences. Windows 10 in the developer mode also starts an SSH server. The user might not realize this because earlier Windows versions required third-party SSH servers.

Another remote access method is remote desktop. Non-server versions of Windows allow only one interactive session at a time. Thus, the attacker cannot access the computer at the same time as the local users. However, the remote desktop session can be left in the background and resumed later, similar to fast user switching. The MitMa attack is technically possible also between remote desktop sessions on a Windows Server. While the case-study applications considered in this paper are generally not run on Windows Server, there could be other vulnerable applications.

3 Client-server communication inside the computer

Modern operating systems (OS) provide several means for IPC. The vulnerabilities presented in this paper were found in IPC methods where a server process or device listens for connections from client processes. Specifically, we consider network sockets, named pipes, and Universal Serial Bus (USB) communication. In this section, we give a high-level overview of these IPC mechanisms. The reader is referred e.g. to [47, 49] for more details. We also discuss the attack vectors that the MitMa attacker might exploit against each IPC type.

do on the localhost because the legitimate server and attacker cannot both bind to the same port number. Fortunately for the attacker, many applications implement port agility for IPC: if the primary port is taken, they choose the next port number from a predefined list. This enables the attacker to receive client connections on the primary
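The weakness that Section 3 describes for localhost sockets is that a client cannot tell from the port number alone which user's process is listening, and port agility makes this worse because the client will fall through a predefined list until something answers. The following Python example is an added illustration and is not code from the paper or from any of the applications it studies. It assumes Linux, where the kernel exposes every TCP socket with its state and owning uid in /proc/net/tcp; the client parses that table and connects only to a port whose listener runs as the same uid as the client, failing closed otherwise. The sample table, the port numbers 8080/8081 and the uids 1000/1001 are constructed for the example.

```python
"""Added example (not from the paper): a localhost-IPC client that refuses
to fall through a port-agility list onto a port bound by another user.

Assumes Linux: the kernel's /proc/net/tcp table lists every IPv4 TCP socket
with its local address, state and owning uid. Port numbers, uids and the
sample table below are constructed for this example."""
import os
import socket
from typing import Dict, Iterable, Optional

# Constructed sample of /proc/net/tcp. Port 8080 (0x1F90) is in LISTEN
# state (st=0A) and owned by uid 1001, i.e. another user's process holds the
# primary port; port 8081 (0x1F91) is owned by uid 1000. The third row is an
# established connection (st=01), not a listener, and must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 30001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 30003 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code the kernel uses for LISTEN


def listening_owners(proc_net_tcp: str) -> Dict[int, int]:
    """Map each listening local port to the uid that owns the socket."""
    owners: Dict[int, int] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local port is hex
        owners[port] = int(fields[7])  # uid column
    return owners


def choose_trusted_port(candidates: Iterable[int], proc_net_tcp: str,
                        my_uid: int) -> Optional[int]:
    """Walk the predefined port list and return the first port whose listener
    runs as my_uid. A port bound by anyone else is skipped, so a process of a
    different user holding the primary port does not receive our connection."""
    owners = listening_owners(proc_net_tcp)
    for port in candidates:
        if owners.get(port) == my_uid:
            return port
    return None


def connect_to_trusted_server(candidates: Iterable[int]) -> Optional[socket.socket]:
    """Live variant: read the real table and connect only to our own listener.
    Returns None (fail closed) instead of talking to an untrusted port."""
    with open("/proc/net/tcp") as f:
        table = f.read()
    port = choose_trusted_port(candidates, table, os.getuid())
    if port is None:
        return None
    return socket.create_connection(("127.0.0.1", port), timeout=2)


if __name__ == "__main__":
    # Offline demonstration on the constructed table: uid 1000 skips the
    # primary port 8080 held by uid 1001 and picks 8081.
    print(choose_trusted_port([8080, 8081, 8082], SAMPLE_PROC_NET_TCP, 1000))
```

Two caveats belong with this check. It is a heuristic with a race window: the owner is looked up before the connection is made, so a stronger design authenticates the server on the connection itself (for instance a Unix domain socket whose peer credentials the client verifies, or a shared secret the client obtains from a file only its own user can read). It also covers only the IPv4 table; a client that talks to ::1 has to read /proc/net/tcp6 in the same way.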