Systems and methods for identifying code signing certificate misuse

US 9,338,012 B1
Filed: 10/04/2013
Issued: 05/10/2016
Est. Priority Date: 10/04/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying code signing certificate misuse, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a software file that has been signed using a code signing certificate;

identifying a software publisher that is identified by the code signing certificate used to sign the software file;

obtaining a reputation score for the software file by querying a centralized database comprising a plurality of file reputations, wherein;

the reputation score indicates a trustworthiness of the software file independently of the code signing certificate;

the reputation score is based on information that is collected in the course of conducting malware scans of client devices and sent to the centralized database;

providing, to the software publisher, information that is based on the reputation score and that indicates that the code signing certificate has been compromised.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for identifying code signing certificate misuse may include (1) identifying a software file that has been signed using a code signing certificate, (2) identifying a software publisher that is identified by the code signing certificate used to sign the software file, (3) obtaining a reputation score for the software file that indicates a trustworthiness of the software file independently of the code signing certificate, and (4) providing, to the software publisher, information that is based on the reputation score and that indicates that the code signing certificate has been compromised. Various other methods, systems, and computer-readable media are also disclosed.

20 Citations

View as Search Results

20 Claims

1. A computer-implemented method for identifying code signing certificate misuse, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a software file that has been signed using a code signing certificate;
  
  identifying a software publisher that is identified by the code signing certificate used to sign the software file;
  
  obtaining a reputation score for the software file by querying a centralized database comprising a plurality of file reputations, wherein;
  
  the reputation score indicates a trustworthiness of the software file independently of the code signing certificate;
  
  the reputation score is based on information that is collected in the course of conducting malware scans of client devices and sent to the centralized database;
  
  providing, to the software publisher, information that is based on the reputation score and that indicates that the code signing certificate has been compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the reputation score is based on at least one of:
    - a prevalence of the software file;
      
      at least one detected association of the software file with malware.
  - 3. The computer-implemented method of claim 1, further comprising:
    - identifying a plurality of software files that were signed using the code signing certificate;
      
      obtaining, for each software file in the plurality of software files, a reputation score that indicates a likelihood that the software publisher did not authorize the software file to be signed using the code signing certificate;
      
      providing, to the software publisher, a list of software files in the plurality of software files, prioritized by reputation score.
  - 4. The computer-implemented method of claim 1, further comprising receiving, from the software publisher, an indication that the software publisher did not authorize the software file to be signed by the code signing certificate.
  - 5. The computer-implemented method of claim 4, further comprising performing a security action in response to receiving the indication that the software publisher did not authorize the software file to be signed by the code signing certificate.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving, from the software publisher, for each software file in a plurality of software files authorized to be signed using the code signing certificate, identification of the software file;
      
      compiling a certificate database associating the code signing certificate with identification of each software file in the plurality of software files authorized to be signed using the code signing certificate.
  - 7. The computer-implemented method of claim 6, further comprising:
    - obtaining a second software file signed using a second code signing certificate;
      
      extracting from the second software file the second code signing certificate used to sign the software file;
      
      adding to the certificate database an entry associating the extracted second code signing certificate with identification of the second software file.
  - 8. The computer-implemented method of claim 6, wherein identification of each software file in the plurality of software files comprises identification of at least one of:
    - the software file;
      
      a digital signature from the software file.
  - 9. The computer-implemented method of claim 6, further comprising verifying that an additional software file was signed by an authorized certificate by:
    - receiving the additional software file signed using an additional code signing certificate;
      
      verifying the integrity of the additional software file by;
      
      obtaining a public key of a key pair used to encrypt a software file digest included in a digital signature of the additional software file;
      
      decrypting the software file digest included in the digital signature of the additional software file;
      
      creating a second software file digest using a hash algorithm specified in the digital signature of the additional software file;
      
      verifying that the software file digest and the second software file digest are identical;
      
      querying, using identification of the additional software file, the certificate database;
      
      receiving, in response to querying the certificate database, indication of whether the software publisher authorized the additional software file to be signed using the additional code signing certificate.

10. A system for identifying code signing certificate misuse, the system comprising:
- an identification module that identifies a software file that has been signed using a code signing certificate;
  
  a publisher identification module that identifies a software publisher that is identified by the code signing certificate used to sign the software file;
  
  a reputation module that obtains a reputation score for the software file by querying a centralized database comprising a plurality of file reputations, wherein;
  
  the reputation score indicates a trustworthiness of the software file independently of the code signing certificate;
  
  the reputation score is based on information that is collected in the course of conducting malware scans of client devices and sent to the centralized database;
  
  a reporting module that provides, to the software publisher, information that is based on the reputation score and that indicates that the code signing certificate has been compromised;
  
  at least one processor configured to execute the identification module, the publisher identification module, the reputation module, and the reporting module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the reputation score is based on at least one of:
    - a prevalence of the software file;
      
      at least one detected association of the software file with malware.
  - 12. The system of claim 10, wherein:
    - the identification module identifies a plurality of software files that were signed using the code signing certificate;
      
      the reputation module obtains, for each software file in the plurality of software files, a reputation score that indicates a likelihood that the software publisher did not authorize the software file to be signed using the code signing certificate;
      
      the reporting module provides, to the software publisher, a list of software files in the plurality of software files, prioritized by reputation score.
  - 13. The system of claim 10, further comprising a receiving module that receives, from the software publisher, an indication that the software publisher did not authorize the software file to be signed by the code signing certificate.
  - 14. The system of claim 13, further comprising a security module that performs a security action in response to receiving the indication that the software publisher did not authorize the software file to be signed by the code signing certificate.
  - 15. The system of claim 10:
    - wherein the identification module receives, from the software publisher, for each software file in a plurality of software files authorized to be signed using the code signing certificate, identification of the software file;
      
      further comprising a database module that compiles a certificate database associating the code signing certificate with identification of each software file in the plurality of software files authorized to be signed using the code signing certificate.
  - 16. The system of claim 15, wherein:
    - the identification module obtains a second software file signed using a second code signing certificate;
      
      the identification module extracts from the second software file the second code signing certificate used to sign the software file;
      
      the database module adds to the certificate database an entry associating the extracted second code signing certificate with identification of the second software file.
  - 17. The system of claim 15, wherein identification of each software file in the plurality of software files comprises identification of at least one of:
    - the software file;
      
      a digital signature from the software file.
  - 18. The system of claim 15:
    - further comprising a verification module that verifies that an additional software file was signed by an authorized certificate by;
      
      receiving the additional software file signed using an additional code signing certificate;
      
      verifying the integrity of the additional software file by;
      
      obtaining a public key of a key pair used to encrypt a software file digest included in a digital signature of the additional software file;
      
      decrypting the software file digest included in the digital signature of the additional software file;
      
      creating a second software file digest using a hash algorithm specified in the digital signature of the additional software file;
      
      verifying that the software file digest and the second software file digest are identical;
      
      wherein the database module;
      
      queries, using identification of the software file, the certificate database;
      
      receives, in response to querying the certificate database, indication of whether the software publisher authorized the file to be signed using the code signing certificate.

19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a software file that has been signed using a code signing certificate;
  
  identify a software publisher that is identified by the code signing certificate used to sign the software file;
  
  obtain a reputation score for the software file by querying a centralized database comprising a plurality of file reputations, wherein;
  
  the reputation score indicates a trustworthiness of the software file independently of the code signing certificate;
  
  the reputation score is based on information that is collected in the course of conducting malware scans of client devices and sent to the centralized database;
  
  provide, to the software publisher, information that is based on the reputation score and that indicates that the code signing certificate has been compromised.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the one or more computer-readable instructions cause the computing device to:
    - identify a plurality of software files that were signed using the code signing certificate;
      
      obtain, for each software file in the plurality of software files, a reputation score that indicates a likelihood that the software publisher did not authorize the software file to be signed using the code signing certificate;
      
      provide, to the software publisher, a list of software files in the plurality of software files, prioritized by reputation score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DigiCert Incorporated
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Prakashkumar, Suhas, Narayanan, Sreekanth, Naik, Alok
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US14/046,418
Time in Patent Office

949 Days
Field of Search

726/1, 726/2, 726/3, 726/4, 726/5, 726/6, 713/176, 713/179, 713/164
US Class Current

1/1
CPC Class Codes

H04L 9/3247 involving digital signatures

Systems and methods for identifying code signing certificate misuse

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying code signing certificate misuse

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links