Improving the security of Chrome cookies on Windows

Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in this area including Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection to flag the use of stolen cookies. Today, we’re announcing another layer of protection to make Windows users safer from this type of malware.

Like other software that needs to store secrets, Chrome currently secures sensitive data like cookies and passwords using the strongest techniques the OS makes available to us – on macOS this is the Keychain services, and on Linux we use a system provided wallet such as kwallet or gnome-libsecret. On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks. However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which infostealers take advantage of.

In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS.

We will be migrating each type of secret to this new system starting with cookies in Chrome 127. In future releases we intend to expand this protection to passwords, payment data, and other persistent authentication tokens, further protecting users from infostealer malware.

How it works


App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app’s identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.

Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn’t be doing. This makes their actions more suspicious to antivirus software – and more likely to be detected. Our other recent initiatives such as providing event logs for cookie decryption work in tandem with this protection, with the goal of further increasing the cost and risk of detection to attackers attempting to steal user data.
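The following is an added illustration of the mechanism described above, not Chrome's own code: a toy app-bound service built on Windows DPAPI in which the caller's identity is embedded in the protected blob and checked again on decryption. It assumes Windows PowerShell 5.1 (for the System.Security assembly), an assumed Chrome install path and a constructed second executable path. In the real design the service runs as SYSTEM and determines the caller's identity itself; here both sides run in one process and the caller path is simply handed in, so only the encode-then-verify logic is shown, not the privilege boundary that makes it enforceable.

```powershell
# Added illustration, not Chrome's code: a toy "app-bound" service built on DPAPI.
# Assumptions: Windows PowerShell 5.1; the caller identity is passed in instead of
# being looked up from the calling process as a real privileged service would do.
Add-Type -AssemblyName System.Security

# LocalMachine scope: any process on this machine can call Unprotect on the blob.
# In the real design the key is only usable from the SYSTEM service, so the
# identity check below is the only path to the plaintext.
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Encryption: prefix the caller's identity to the plaintext before protecting it,
# so the identity is part of the protected data and cannot be altered afterwards.
function Protect-AppBound {
    param([byte[]]$Plaintext, [string]$CallerPath)
    $id  = [Text.Encoding]::UTF8.GetBytes($CallerPath.ToLowerInvariant())
    $len = [BitConverter]::GetBytes([int32]$id.Length)
    $payload = [byte[]]($len + $id + $Plaintext)
    [System.Security.Cryptography.ProtectedData]::Protect($payload, $null, $Scope)
}

# Decryption: unprotect, then refuse to return the plaintext unless the embedded
# identity matches the identity of the process asking for it.
function Unprotect-AppBound {
    param([byte[]]$Blob, [string]$CallerPath)
    $payload = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
    $len = [BitConverter]::ToInt32($payload, 0)
    $id  = [Text.Encoding]::UTF8.GetString($payload, 4, $len)
    if ($id -ne $CallerPath.ToLowerInvariant()) {
        throw "App-Bound verification failed: blob is bound to '$id', caller is '$CallerPath'"
    }
    [byte[]]$payload[(4 + $len)..($payload.Length - 1)]
}

$chrome  = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed install path
$stealer = 'C:\Users\alice\Downloads\invoice.exe'                    # constructed, not real

$secret = [Text.Encoding]::UTF8.GetBytes('cookie-encryption-key')   # constructed sample
$blob   = Protect-AppBound $secret $chrome

# The app the blob was bound to gets its data back.
[Text.Encoding]::UTF8.GetString([byte[]](Unprotect-AppBound $blob $chrome))

# A different app running as the same user, with the same blob, fails the identity check.
try { Unprotect-AppBound $blob $stealer } catch { Write-Warning $_ }
```

The point the model makes is that binding is a property the privileged service enforces, not a property of the ciphertext alone: an attacker who can run code inside the bound process (injection) or as the service's own principal (SYSTEM) passes the check, which is exactly why those two techniques are what the post says malware is now forced into.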

Enterprise Considerations

Since malware running elevated can bypass this protection, enterprise environments that do not grant users the ability to run downloaded files as Administrator benefit most: there, malware cannot simply request elevation and is forced into techniques such as code injection, which endpoint agents can detect more easily.

App-Bound Encryption strongly binds the encryption key to the machine, so it will not function correctly in environments where Chrome profiles roam between multiple machines. We encourage enterprises who wish to support roaming profiles to follow current best practices. If it becomes necessary, App-Bound Encryption can be configured using the new ApplicationBoundEncryptionEnabled policy.

To further help detect any incompatibilities, Chrome emits an event when a failed verification occurs. The event is ID 257 from the ‘Chrome’ source in the Application log.
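As an added example covering both the policy paragraph and the event described above (not from the Chrome post), the following PowerShell reads the ApplicationBoundEncryptionEnabled policy state, can pin it off for a roaming-profile fleet, and pulls App-Bound verification failures out of the Application log. It assumes the policy is delivered through the standard Chrome policy registry key HKLM\SOFTWARE\Policies\Google\Chrome (the usual location for Chrome policies on Windows; a GPO or MDM mapping to the same key is equivalent) and that setting the policy is done from an elevated prompt.

```powershell
# Added example, not Chrome's code. Assumptions: Chrome policies live under the
# standard HKLM\SOFTWARE\Policies\Google\Chrome key; run elevated to change them.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'ApplicationBoundEncryptionEnabled'

# Report whether the policy is set, and how. When the value is absent Chrome uses
# its default, which the post describes as the protection being on.
function Get-AppBoundPolicy {
    $v = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $v)              { return 'not set (Chrome default: protection enabled)' }
    if ($v.$PolicyName -eq 1)      { return 'enabled (1)' }
    return 'disabled (0)'
}

# Only for machines whose Chrome profiles roam between hosts; elsewhere leave it unset.
function Disable-AppBoundPolicy {
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Event ID 257 from the 'Chrome' provider in the Application log marks a failed
# App-Bound verification. A roaming-profile host will produce these routinely;
# a burst on a host with no such explanation is worth looking at as a possible
# injection or key-tampering attempt rather than a compatibility problem.
function Get-AppBoundFailures {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Chrome'
        Id           = 257
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty
    # result, when nothing matches the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
                      @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-AppBoundPolicy
Get-AppBoundFailures -Hours 72 | Format-Table -AutoSize
```

For forwarding the same event to a SIEM, the equivalent XPath subscription filter is *[System[Provider[@Name='Chrome'] and EventID=257]] on the Application channel, which is what Get-WinEvent builds from the hashtable above.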

Conclusion

App-Bound Encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system. As the malware landscape continually evolves, we are keen to continue engaging with others in the security community on improving detections and on strengthening operating system protections, such as stronger app isolation primitives, against any bypasses.

Originally published by the Chrome Security Team: Improving the security of Chrome cookies on Windows

Reposted by admin on 4 August 2024, 6:43 PM.