Authenticode verification support for Windows (similar to the 'signature' table on macOS)

[alessandrogario]

Goal

This PR aims to add Authenticode verification support to osquery in a similar way to the 'signature' virtual table that has been implemented for macOS.

Changes

I have defined a signature virtual table for Windows, containing the following columns: path, original_program_name (from the publisher), serial_number, issuer_name, subject_name, result.

The following are the possible values for the result column:

• missing: Missing signature.
• invalid: An invalid signature, caused by missing or broken files.
• untrusted: A signature that could not be validated.
• distrusted: A valid signature, explicitly distrusted by the user.
• valid: A valid signature which is not explicitly trusted by the user.
• trusted: A valid signature, trusted by the user.

Examples

Verifying the authenticode signature for running executables

SELECT process.pid, process.path, authenticode.result
FROM processes as process
LEFT JOIN signature AS authenticode
ON process.path = authenticode.path;

...
| 5124 | C:\Windows\system32\winlogon.exe    | missing |
| 2476 | C:\Windows\system32\dwm.exe         | missing |
| 2744 | C:\Windows\system32\fontdrvhost.exe | trusted |
| 6372 | c:\windows\system32\sihost.exe      | missing |
| 7152 | c:\windows\system32\svchost.exe     | trusted |
| 80   | c:\windows\system32\svchost.exe     | trusted |
| 6748 | c:\windows\system32\taskhostw.exe   | trusted |
...

Listing unsigned/untrusted processes listening for connections

SELECT port_info.pid, port_info.family, port_info.protocol, port_info.port, port_info.address,
       process.name, process.path,
       authenticode.result AS authenticode

FROM listening_ports AS port_info

LEFT JOIN processes
AS process ON port_info.pid = process.pid

LEFT JOIN signature AS authenticode
ON process.path = authenticode.path

WHERE authenticode <> "trusted";

+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+
| pid  | family | protocol | port  | address | name        | path                               | authenticode |
+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+
| 6588 | 2      | 6        | 80    | 0.0.0.0 | hfs.exe     | C:\Program Files (x86)\HFS\hfs.exe | missing      |
| 1724 | 2      | 6        | 49667 | 0.0.0.0 | spoolsv.exe | C:\Windows\System32\spoolsv.exe    | missing      |
| 1724 | 23     | 6        | 49667 | ::      | spoolsv.exe | C:\Windows\System32\spoolsv.exe    | missing      |
+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[theopolis]

I'd recommend creating an authenticode or signature table for Windows.

[alessandrogario]

@theopolis sure! I'm still writing the utilities I need, as I also want to be able to list signature information like signer name etc. Once it's done, I'll create the new table; how would you like it to work? Should it just list the running executables?

[theopolis]

how would you like it to work? Should it just list the running executables?

Check out the signature table for macOS, if you don't mind, mimic the user experience for that.

[facebook-github-bot]

@alessandrogario has updated the pull request.

[facebook-github-bot]

@alessandrogario has updated the pull request.

[alessandrogario]

I have defined a 'signature' virtual table for Windows; it only sports two columns for now, but I plan on adding more. I'm using a more verbose field instead of the 'signed' boolean used in the macOS implementation.

The following are the possible states:

• missing: Missing signature.
• invalid: An invalid signature, caused by missing or broken files.
• untrusted: A signature that could not be validated.
• distrusted: A valid signature, explicitly distrusted by the user.
• valid: A valid signature which is not explicitly trusted by the user.
• trusted: A valid signature, trusted by the user.

EDIT: I should probably put this information in the summary!

[muffins]

A couple of smaller nits and a question about the << operator definition, not sure if that'll fly as it seems risky to define it in such a high scope for something used by so many places in the code base.

Otherwise super excited for this table to land!

[muffins]

perhaps you could default to unknown or -1?

[alessandrogario]

Done!

[muffins]

We have a stringToWstring function already implemented here that you could use, but this looks good -- any chance you could take a look at our implementation to see if it could stand some improvements? ;)

[alessandrogario]

They look similar! I am now using that one!

[muffins]

ERROR seems a bit intense for a failure to compute the signature of an executable, maybe this could be a WARNING instead? I think we try and reserve ERROR for something which would halt the daemon itself.

[muffins]

Would you mind adding in an example that joins off of the process table just to show up the extra cool features? :D

[alessandrogario]

Done! I've added a simple example in the table specs, and also edited the PR summary to include a couple of more (that we can probably add to the docs once this is merged).

[muffins]

While this is pretty awesome how you're making use of the << on Rows, I'm honestly not sure how to feel about it as it seems dangerous to overload an operator on a data structure that gets used in so many places in this high of namespace - /CC @theopolis to potentially put my worries to rest, but are there potentially other (arguably less awesome) ways to achieve the same behavior?

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[facebook-github-bot]

@alessandrogario has updated the pull request.

[theopolis]

I'll defer to @muffins but a quick note, some of the VLOGs seem a bit generic.

[theopolis]

Are these not in a header somewhere?

[muffins]

@alessandrogario - Just in case you didn't see it they're here :)

[theopolis]

This should be in it's own include block (double new line separated) and included using the local search:

#include "osquery/core/conversions.h"

[theopolis]

Can you use a more specific symbol name here? genAuthenticode or something similar?

Dismissing as my review is dated. Will review again after the changes requested by @theopolis are addressed.

[facebook-github-bot]

@alessandrogario has updated the pull request.

[facebook-github-bot]

@alessandrogario has updated the pull request. View: changes

[theopolis]

Can you explain this loop?

[alessandrogario]

This is used to print the serial number backwards (as it is shown in the Authenticode dialog properties of Windows).

Since DWORD is unsigned, the loop uses the fact that according to the standard the value will wrap around once you decrement past zero.

[theopolis]

You can create the buffer with a requested container size in the ctor

[theopolis]

ok to test

[osqueryer]

🙅 The commit 50f6de6 (Job results: 2631) failed the code audit or documentation test.

[osqueryer]

👎 The commit 50f6de6 (Job results: 5988) failed one or more tests (Linux).

[osqueryer]

👎 The commit 50f6de6 (Job results: 5989) failed one or more tests (Linux).

[osqueryer]

👎 The commit 2e99777 (Job results: 5991) failed one or more tests (Linux).

[theopolis]

Can we morph fields from darwin or windows such that we can have a unified signature table?

schema([
    Column("path", TEXT, "Must provide a path or directory", required=True),
    Column("signed", INTEGER, "1 If the file is signed else 0"),
    Column("identifier", TEXT, "The signing identifier sealed into the signature"),
    Column("cdhash", TEXT, "SHA1 hash of the application Code Directory"),
    Column("team_identifier", TEXT, "The team signing identifier sealed into the signature"),
    Column("authority", TEXT, "Certificate Common Name"),
])

• path cool!
• original_program_name can this be called identifier on both?
• serial_number, issuer_name, subject_name can be extended schema on Windows for now.
• cdhash does this checksum have an authenticode equivalent?
• result can stay on both, maybe on darwin we fill this in with "signed" or "unknown"
• signed being a boolean should be included here, it should indicate if the binary is properly signed.

[theopolis]

The reason that the build is breaking in the CI is because there are two specfiles named signature. This is not allowed.

[alessandrogario]

original_program_name: I have renamed this to "identifier".
cdhash: There is something but to grab it you need to parse the PE header and locate the PKCS#7 structure that contains the hash. There is really no easy way to calculate it without a custom tool (and it's hard to use this value in a meaningful way) so I skipped it.
result: I'll add this column to the darwin schema, and set it to "signed" when "signed" is 1 and to "unknown" when it is 0.
signed: Should this value be 1 only when the signature is both valid and trusted?

What should I do with the remaining fields? Should both specfiles (darwin and Windows) contain the exact same columns?

[theopolis]

Leave the fields blank if there are no meaningful compromises/merging options.

You can add "extended" schema like:

extended_schema(WINDOWS, [
    Column("friendly_name", TEXT, "The friendly display name of the interface."),
])

The first option is the requirement. These columns will be set to HIDDEN on platforms that do not match. Such that a SELECT * does not return them.

Your options for evaluators right now are: WINDOWS, LINUX, POSIX, DARWIN, FREEBSD. They are small functions defined in gentable.py.

[facebook-github-bot]

@alessandrogario has updated the pull request.

[osqueryer]

🙅 The commit 6e5b348 (Job results: 2647) failed the code audit or documentation test.

[osqueryer]

👎 The commit 6e5b348 (Job results: 6006) failed one or more tests (Linux).

[osqueryer]

👎 The commit 6e5b348 (Job results: 923) failed one or more tests (FreeBSD).

[osqueryer]

👎 The commit 6e5b348 (Job results: 6007) failed one or more tests (Linux).

[osqueryer]

👎 The commit 6e5b348 (Job results: 924) failed one or more tests (FreeBSD).

[facebook-github-bot]

@alessandrogario has updated the pull request.

[osqueryer]

👎 The commit 087f1fb (Job results: 925) failed one or more tests (FreeBSD).

[osqueryer]

👎 The commit 087f1fb (Job results: 926) failed one or more tests (FreeBSD).

[theopolis]

LGTM, @muffins I'll let you have the final look and merge when you're ready.

[muffins]

LGTM