
Measuring the Effectiveness of Microsoft Authenticode: A Systematic Analysis of Signed Freeware


Jafari, Mina (2020) Measuring the Effectiveness of Microsoft Authenticode: A Systematic Analysis of Signed Freeware. Masters thesis, Concordia University.

Full text: Jafari_MASc_F2020.pdf (Accepted Version, PDF, 924kB). Available under a Creative Commons Attribution license.

Abstract

Recent studies have shown that Authenticode, the Windows code signing standard for portable executable files, can be abused by potentially unwanted programs (PUP) and malware to evade detection and bypass Windows protections. These studies identify improper signature checks by frameworks (e.g., anti-virus programs), key mismanagement, improper verification by certificate authorities (CAs) and the underground certificate trade as weaknesses that can be abused in the Windows code signing public key infrastructure (PKI). We explore the Authenticode signatures of supposedly benign applications in the wild to gain a clearer understanding of this mechanism, so that we can identify potential issues that undermine trust in Authenticode. To study Authenticode as a black box, we tackle the main challenge of a measurement study on Authenticode: the lack of a comprehensive corpus of Windows code signing certificates. Since placing trust in freeware downloaded from the web is one significant use case of code signing, we target eight popular download portals as the source of our dataset and collect 106K Windows applications. We present an analysis framework for studying code signing certificates and extract 27K certificates from signed executable applications. This framework provides a crawler for automated download of applications from download portals. Furthermore, as part of our analysis framework, we develop a linter that is specifically designed for Authenticode certificates. Both of our tools are in the process of release for public use by researchers. Our results identify issues in code signing certificates that Authenticode validation fails to prevent.
Use of inadequately secure hash and public key algorithms such as MD5, SHA1 and 1024-bit RSA, missing or invalid Key Usage and Extended Key Usage, missing revocation information, and non-critical Basic Constraints in CA certificates are examples of issues that potentially undermine both the integrity and the authenticity assurance that Authenticode provides.
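The issue classes listed in the abstract map directly onto checks a certificate linter can apply. The Go program below is an added example written for this page, not the thesis's own linter (which the abstract says is still being released). Using only Go's standard crypto/x509 package, it builds two constructed self-signed certificates: a CA certificate exhibiting several of the weaknesses named above (1024-bit RSA, no Key Usage, no revocation information, a non-critical Basic Constraints extension) and an end-entity code signing certificate that passes every check, then lints both. The finding codes, the 2048-bit RSA threshold, the subject names and the placeholder OCSP URL are the example's own assumptions, not values from the thesis.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Finding is one lint result; the codes are this example's own naming of the
// issue classes the abstract lists.
type Finding struct {
	Code   string
	Detail string
}

// Signature algorithms built on MD2, MD5 or SHA-1, which the abstract calls inadequately secure.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// LintCertificate applies the checks to one parsed certificate; findings come back in a fixed order.
func LintCertificate(cert *x509.Certificate) []Finding {
	var out []Finding
	if weakSigAlgs[cert.SignatureAlgorithm] {
		out = append(out, Finding{"WEAK_SIGNATURE_ALGORITHM", cert.SignatureAlgorithm.String()})
	}
	// 2048 bits is this example's threshold; the abstract flags 1024-bit RSA as inadequate.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, Finding{"WEAK_RSA_KEY", fmt.Sprintf("%d-bit RSA modulus", pub.N.BitLen())})
	}
	switch {
	case cert.KeyUsage == 0:
		out = append(out, Finding{"MISSING_KEY_USAGE", "no Key Usage extension"})
	case cert.IsCA && cert.KeyUsage&x509.KeyUsageCertSign == 0:
		out = append(out, Finding{"INVALID_KEY_USAGE", "CA certificate lacks keyCertSign"})
	case !cert.IsCA && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0:
		out = append(out, Finding{"INVALID_KEY_USAGE", "signing certificate lacks digitalSignature"})
	}
	if !cert.IsCA { // an end-entity signer needs the codeSigning EKU (or anyExtendedKeyUsage)
		hasCodeSigning := false
		for _, eku := range cert.ExtKeyUsage {
			if eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageAny {
				hasCodeSigning = true
			}
		}
		if !hasCodeSigning {
			out = append(out, Finding{"MISSING_EKU_CODE_SIGNING", "end-entity certificate lacks the codeSigning EKU"})
		}
	}
	if len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 {
		out = append(out, Finding{"MISSING_REVOCATION_INFO", "neither CRL distribution point nor OCSP responder present"})
	}
	if cert.IsCA { // RFC 5280 requires Basic Constraints to be critical in CA certificates
		for _, ext := range cert.Extensions {
			if ext.Id.Equal(oidBasicConstraints) && !ext.Critical {
				out = append(out, Finding{"NONCRITICAL_BASIC_CONSTRAINTS", "CA certificate's Basic Constraints is not marked critical"})
			}
		}
	}
	return out
}

// FindingCodes returns only the codes, in lint order.
func FindingCodes(fs []Finding) []string {
	codes := make([]string, 0, len(fs))
	for _, f := range fs {
		codes = append(codes, f.Code)
	}
	return codes
}

// selfSigned creates a fresh RSA key, self-signs the template and re-parses the DER (constructed test data).
func selfSigned(tmpl *x509.Certificate, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildWeakCACert constructs a CA certificate with a 1024-bit key, no Key Usage,
// no revocation information and a NON-critical Basic Constraints extension.
func BuildWeakCACert() (*x509.Certificate, error) {
	bc, err := asn1.Marshal(struct{ IsCA bool }{true}) // SEQUENCE { BOOLEAN TRUE }
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Weak Signing CA (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// BasicConstraintsValid stays false so the library does not emit its own critical
		// Basic Constraints; the non-critical one is supplied by hand instead.
		ExtraExtensions: []pkix.Extension{{Id: oidBasicConstraints, Critical: false, Value: bc}},
	}
	return selfSigned(tmpl, 1024)
}

// BuildSoundLeafCert constructs an end-entity code signing certificate that passes every check.
func BuildSoundLeafCert() (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Publisher (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		OCSPServer:            []string{"http://ocsp.example.invalid"}, // placeholder responder URL
		BasicConstraintsValid: true,
	}
	return selfSigned(tmpl, 2048)
}

func main() {
	for _, build := range []func() (*x509.Certificate, error){BuildWeakCACert, BuildSoundLeafCert} {
		cert, err := build()
		if err != nil {
			panic(err)
		}
		findings := LintCertificate(cert)
		fmt.Printf("%s: %d finding(s)\n", cert.Subject.CommonName, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s\n", f.Code, f.Detail)
		}
	}
}
```

Running the program lints the weak CA as four findings (weak key, missing Key Usage, missing revocation information, non-critical Basic Constraints) and the end-entity certificate as clean. On a real corpus the same LintCertificate function would be fed certificates extracted from the Authenticode signature (the PKCS#7 SignedData embedded in the PE file) rather than constructed ones; the checks themselves do not change.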

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Jafari, Mina
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 3 September 2020
Thesis Supervisor(s): Mannan, Mohammad
ID Code: 987410
Deposited By: Mina Jafari
Deposited On: 23 Jun 2021 15:48
Last Modified: 24 Jun 2021 01:02
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
