Enhanced Operating System Protection to Support Digital Forensic Investigations

Digital forensic investigators today face numerous problems when recovering footprints of criminal activity that involve the use of computer systems. Investigators need the ability to recover evidence in a forensically sound manner, even when criminals actively work to alter the integrity, veracity, and provenance of the data, applications, and software used to support illicit activities. In many ways, operating systems (OS) can be strengthened from a technological viewpoint to support verifiable, accurate, and consistent recovery of system data when it is needed for forensic collection efforts. In this paper, we extend the ideas for forensic-friendly OS design by proposing the use of a practical form of computing on encrypted data (CED) and computing with encrypted functions (CEF) that builds upon prior work on component encryption (in circuits) and white-box cryptography (in software). We conduct experiments on sample programs to analyze the approach in terms of security and efficiency, illustrating how component encryption can strengthen key OS functions and improve tamper-resistance against anti-forensic activities. We analyze the tradeoff space for use of the algorithm in a holistic approach that provides additional security and properties comparable to fully homomorphic encryption (FHE).
