Evading Signature Validation in Digitally Signed PDF

Author
Dr. Ramesh Cheripelli, Swathi Ch
Keywords
Behavioural Detection; Malware Evasion; Shadow Attack; System Call Obfuscation; Electronic Mail; Authentication; Password; Cross Site Password Reuses
Abstract
Carefully marked Portable Document Formats (PDFs) are utilized in agreements, contracts, bills, proposals, and arrangements to ensure the genuineness and trustworthiness of their material. A normal client would accept that carefully marked PDF records are conclusive and cannot be additionally altered. Be that as it may, different changes like adding comments to a marked PDF or rounding out structure fields are permitted and do not nullify PDF marks. In this paper, we show that this adaptability permits attackers to totally change a record’s substance while keeping the first signature approval status immaculate.
References
[1] Adobe. Adobe fast facts, November 2018. URL https://www.adobe.com/ about-adobe/fast-facts.html.
[2] DocuSign. Docusign 2019 annual report. Technical report, 2019.
[3] Adobe Systems Incorporated. PDF Reference, version 1.7, sixth edition edition, November 2006.
[4] Ian Markwood, Dakun Shen, Yao Liu, and Zhuo Lu. PDF Mi- rage: Content Masking Attack Against Information-Based On- line Services. In 26th USENIX Security Symposium (USENIX Security 17), (Vancouver, BC), pages 833–847, 2017.
[5] Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Sel- hausen, Martin Grothe, and Jorg Schwenk. 1 trillion dollar refund – how to spoof pdf signatures. In ¨ ACM Conference on Computer and Communications Security, November 2019.
[6] United States Government Printing Office. Electronic signatures in global and national commerce act, 2000. URL https://www.govinfo.gov/content/pkg/ PLAW- 106publ229/pdf/ PLAW-106publ229.pdf.
[7] Dan-Sabin Popescu. Hiding malicious content in PDF documents. CoRR, abs/1201.0397, 2012. URL http://arxiv.org/abs/1201.0397.
[8] European Union. Regulation (eu) no 910/2014 of the european parliament and of the council on electronic identification and trust services for electronic transac- tions in the internal market and repealing directive 1999/93/ec, 2014. URL https://eur-lex. europa.eu/ legal-content/ EN/TXT/ PDF/? uri= CELEX:32014R0910.
[9] O. Aciiçmez, Ç. K. Koç, and J. Seifert, “On the power of simple branch prediction analysis”, in Proc. of the 2nd ACM Symposium on information, Computer and Communications Security (ASIACCS’07), 2007.
[10] B.W. Kernighan and S. Lin, “An Efficient Heuristic Procedure for Partition Graphs”, Bell Systems Technical J., vol. 49, pp. 291-307, 1970.
[11] M. Christodorescu, S. Jha, and C. Kruegel, “Mining spec- ifications of malicious behavior”, in Proc. of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, 2007.
[12] Anubis. http://anubis.iseclab.org/.
[13] L. Lamport, “Time, clocks, and the ordering of events in a distributed system”, Communications of the ACM, v.21 n.7, p.558-565, 1978.
[14] X. Jiang, A. Walters, F. Buchholz, D. Xu, Y. M. Wang, and E. H. Spafford, “Provenance-Aware Tracing of Worm Break- in and Contaminations: A Process Coloring Approach”, in Proc. of 26th IEEE Int’l Conf. Distributed Computing Systems (ICDCS’06), 2006.
[15] T. Fletcher, “Sharing a File Descriptor Between Processes”
[16] H. Yin, D. Song, E. Manuel, C. Kruegel, and E. Kirda, “Panorama: Capturing system-wide information flow for mal- ware detection and analysis”, in Proc. of the 14th ACM Conferences on Computer and Communication Security, 2007.
[17] S. T. King and P. M. Chen, “Backtracking Intrusions”, in Proc. of the 2003 Symposium on Operating Systems Principles, pages 223–236, 2003.
[18] E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer, “Behavior-based Spyware Detection”, in Proc. of the USENIX Security Symposium, 2006.
[19] F. Cohen, “Computer viruses: theory and experiments”, Computers and Security, v.6 n.1, p.22-35, 1987.
[20] Phoenix. https://connect.microsoft.com/Phoenix.
[21] L. Cavallaro, P. Saxena, and R. Sekar, “On the limits of information flow techniques for malware analysis and contain- ment”, in Proc. of 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2008.
[22] P. Szor, “The Art of Computer Virus Research and Defense”, Addison-Wesley Professional, 2005.
[23] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, “Self- Nonself Discrimination in a Computer”, in Proc. of IEEE Symposium on Security & Privacy,1994
[24] E. Stinson and J. C. Mitchell, “Characterizing Bots’ Remote Control Behavior”, In Detection of Intrusions & Malware, and Vulnerability Assessment, 2007.
[25] C. Willems, T. Holz, and F. Freiling, “Toward Automated Dynamic Malware Analysis Using CWSandbox”, in Proc. of IEEE Security and Privacy, 2007
[26] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, G. Vigna, “Automating mimicry attacks using static binary analysis”, in Proc. of the 14th conference on USENIX Security Symposium, p.11-11, 2005.
[27] Norman Sandbox Whitepaper. http://www.norman.com.
[28] A. Srivastava, A. Lanzi, and Jonathon Giffin, “System Call API Obfuscation”, in Proc. of the 11th International Symposium on Recent Advances in Intrusion Detection, 2008.
[29] K. Rieck, T. Holz, C. Willems, P. Düssel and P. Laskov, “Learning and Classification of Malware Behavior”, in Proc. of Detection of Intrusions and Malware, and Vulnerability Assessment, 2008.
[30] C. Percival, “Cache missing for fun and profit”, BSD- Can, http://www.daemonology.net/hyperthreading-considered- harmful/ , 2005.
[31] R. Stevens, “UNIX Network Programming”, Volume 2, Second Edition: Interprocess Communications, Prentice Hall, 1999.
[32] K. V. Dyshlevoi, V. E. Kamensky, and L. B. Solovskaya, “Marshalling In Distributed Systems: Two Approaches”, http://citeseerx.ist.psu.edu/viewdoc/su mmary?doi=10.1.1.26.97 81, 1997.
[33] J. Borello and L. Mé, “Code obfuscation techniques for metamorphic viruses”, J. Comput. Virol. 4, 211–220 (2008). doi: 10.1007/s11416-008-0084-2
[34] Wikipedia. Electronic signatures and law, 2019.
[35] L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell, “A Layered Architecture for Detecting Malicious Behaviors”, in Proc. of the 11th international Symposium on Recent Advances in intrusion Detection (RAID’08), 2008.
[36] C. Lattner and V. Adve, “LLVM: A compilation framework for lifelong program analysis & transformation”, in Proc. of the 2004 International Symposium on Code Generation and Optimization (CGO’04), 2004.
[37] M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant, “Semantics-Aware Malware Detection”, in Proc. of IEEE Sym- posium on Security and Privacy, 2005.
[38] P. Barford and V. Yagneswaran, “An Inside Look at Botnets”, Advances in Information Security, Springer, 2006.
[39] D. Wagner and P. Soto, “Mimicry attacks on host-based in- trusion detection systems”, in Proc. of the 9th ACM conference on Computer and communications security (CCS’02), 2002.
[40] E. Filiol, “Formalisation and implementation aspects of k-ary (malicious) codes”, Journal in Computer Virology, vol. 3, no. 3, EICAR 2007 Best Academic Papers, 2007.
[41] N. Harbour, “Stealth Secrets of the Malware Ninjas”, available at https://www.blackhat.com/presentations/bh-usa- 07/Harbour/Presentation/bh-usa-07- harbour.pdf.
[42] C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang, “Effective and Efficient Malware Detection at the End Host”, in Proc. of 18th USENIX Security Symposium, 2009.
[43] Nomenumbra, “Counter Behavior Based Malware Analysis, Hacking at Random”, HAR 2009.

Received : 19 March 2021
Accepted : 15 September 2021
Published : 24 September 2021
DOI: 10.30726/esij/v8.i3.2021.83017

Evading-Signature-Validation-in-Digitally-Signed-PDF-.pdf