code signing features - addition request


code signing features - addition request

jose nazario
i'm trying to migrate an automated static analyzer i wrote to output MAEC data. one of the sections the tool does is a signature check (via sigcheck). 

given the increasing use of signed code (OSX, Windows, mobile platforms, etc) i respectfully suggest we add elements for signatures to the ObjectType.File_System_Object_Attributes.File_Type_Attributes.PE_Binary_Attributes.Digital_Certificates. originally i was thinking something like the following (fields borrowed heavily from sigcheck):

<signatures>
  <signature> <!-- multiple signatures are allowed -->
    <tool>maec:ToolType</tool> <!-- e.g. sigcheck from MSFT -->
    <verified>xs:boolean</verified>
    <signature_size>xs:integer</signature_size>
    <file_date>xs:dateTime</file_date>
    <strong_name>xs:string</strong_name> 
    <publisher>xs:string</publisher>
    <description>xs:string</description>
    <product>xs:string</product>
    <version>xs:string</version>
    <file_version>xs:string</file_version>
    <authorities>
      <authority>xs:string</authority> <!-- multiple authorities are allowed -->
    </authorities>
  </signature>
</signatures>

or is this overkill? 


references:
http://technet.microsoft.com/en-us/sysinternals/bb897441 (you can see an example now on virustotal)

_____________________________
jose nazario, ph.d. [hidden email]
sr. manager of security research, arbor networks
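As an added illustration (not part of the original post or of MAEC), the following Python shows what a tool emitting the proposed structure would produce, plus a consumer that pulls out entries whose signature did not verify. The input record layout and the sample values are constructed here; they are not sigcheck's actual CSV columns.

```python
"""Emit and read the <signatures> structure sketched in the post above.

Assumptions (ours, not the page's): records come from some sigcheck-style
wrapper as dicts; element names follow the proposal exactly.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample records; field names are ours, not sigcheck's CSV layout.
SAMPLE_RECORDS = [
    {"tool": "sigcheck", "verified": True, "signature_size": 7136,
     "file_date": datetime(2011, 2, 25, 11, 53, tzinfo=timezone.utc),
     "strong_name": "", "publisher": "Example Corp",
     "description": "Example installer", "product": "Example Suite",
     "version": "1.0.0.0", "file_version": "1.0.0.0",
     "authorities": ["Example Root CA", "Example Code Signing CA"]},
    {"tool": "sigcheck", "verified": False, "signature_size": 0,
     "file_date": datetime(2010, 12, 1, 8, 0, tzinfo=timezone.utc),
     "strong_name": "", "publisher": "n/a", "description": "dropper.exe",
     "product": "n/a", "version": "n/a", "file_version": "n/a",
     "authorities": []},
]

SCALAR_FIELDS = ("strong_name", "publisher", "description",
                 "product", "version", "file_version")


def to_xs_boolean(value):
    """xs:boolean lexical form is 'true'/'false', not Python's True/False."""
    return "true" if value else "false"


def build_signatures(records):
    """Serialise records into <signatures>/<signature> as proposed."""
    root = ET.Element("signatures")
    for rec in records:
        sig = ET.SubElement(root, "signature")
        ET.SubElement(sig, "tool").text = rec["tool"]
        ET.SubElement(sig, "verified").text = to_xs_boolean(rec["verified"])
        ET.SubElement(sig, "signature_size").text = str(rec["signature_size"])
        # xs:dateTime: ISO 8601 with an explicit UTC offset.
        ET.SubElement(sig, "file_date").text = rec["file_date"].isoformat()
        for name in SCALAR_FIELDS:
            ET.SubElement(sig, name).text = rec[name]
        auths = ET.SubElement(sig, "authorities")
        for ca in rec["authorities"]:  # zero or more certificate authorities
            ET.SubElement(auths, "authority").text = ca
    return ET.tostring(root, encoding="unicode")


def unverified_entries(xml_text):
    """Consumer side: (publisher, description) for signatures that did not verify."""
    root = ET.fromstring(xml_text)
    return [(s.findtext("publisher"), s.findtext("description"))
            for s in root.findall("signature") if s.findtext("verified") != "true"]
```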


RE: code signing features - addition request

Chase, Melissa P.

Jose,

Thanks for suggesting this. It actually came up as an example in a discussion of the relation between MAEC and SCAP tools on the Handshake group. So, I'm going to cross-post your suggestion to Handshake in case some folks are following that more closely.

I think it looks reasonable, but it would be good for others to weigh in. We might also want to think about whether referencing CPE makes sense.

Penny

P.S. For those on the list who are not part of Handshake, see http://maec.mitre.org/community/index.html for more information.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jose Nazario
Sent: Friday, February 25, 2011 11:53 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: code signing features - addition request