ProtectIOn: Root-of-Trust for IO in Compromised Platforms
Abstract
Security and safety-critical remote applications such as e-voting, online banking, industrial control systems and medical devices rely upon user interaction that is typically performed through web applications. Trusted path to such remote systems is critical in the presence of an attacker that controls the computer that the user operates. Such an attacker can observe and modify any IO data without being detected by the user or the server. We investigate the security of previous research proposals and observe several drawbacks that make them vulnerable to attacks. Based on these observations we identify novel requirements for secure IO operation in the presence of a compromised host.
As a solution, we propose ProtectIOn, a system that ensures IO integrity using a trusted low-TCB device that sits between the attacker-controlled host and the IO devices. ProtectIOn intercepts the display signal and user inputs from the keyboard and mouse, and overlays secure UI on top of the HDMI frames generated by the untrusted host. The guiding design principles of ProtectIOn are that (i) integrity of user input and output cannot be considered separately, (ii) all user input modalities need to be protected simultaneously, and (iii) integrity protection should not rely on error prone user tasks like checking the presence of security indicators. By following these guidelines, ProtectIOn achieves strong protection for IO integrity. We also propose an extension of ProtectIOn for IO confidentiality and implement a plug-and-play prototype and evaluate its performance.
Research Area: Trusted Computing
People
BibTex
@INPROCEEDINGS{dhar2020protection,
isbn = {1-891562-61-4},
doi = {10.14722/ndss.2020.24112},
year = {2020-02},
booktitle = {Proceedings 2020 Network and Distributed System Security Symposium (NDSS 2020)},
volume = {2},
type = {Conference Paper},
author = {Dhar, Aritra and Ulqinaku, Enis and Kostiainen, Kari and Capkun, Srdjan},
size = {18 p.},
abstract = {Security and safety-critical remote applications such as e-voting, online banking, industrial control systems and medical devices rely upon user interaction that is typically performed through web applications. Trusted path to such remote systems is critical in the presence of an attacker that controls the computer that the user operates. Such an attacker can observe and modify any IO data without being detected by the user or the server. We investigate the security of previous research proposals and observe several drawbacks that make them vulnerable to attacks. Based on these observations we identify novel requirements for secure IO operation in the presence of a compromised host.As a solution, we propose ProtectIOn, a system that ensures IO integrity using a trusted low-TCB device that sits between the attacker-controlled host and the IO devices. ProtectIOn intercepts the display signal and user inputs from the keyboard and mouse, and overlays secure UI on top of the HDMI frames generated by the untrusted host. The guiding design principles of ProtectIOn are that (i) integrity of user input and output cannot be considered separately, (ii) all user input modalities need to be protected simultaneously, and (iii) integrity protection should not rely on error prone user tasks like checking the presence of security indicators. By following these guidelines, ProtectIOn achieves strong protection for IO integrity. We also propose an extension of ProtectIOn for IO confidentiality and implement a plug-and-play prototype and evaluate its performance.},
language = {en},
address = {Reston, VA},
publisher = {Internet Society},
title = {ProtectIOn: Root-of-Trust for IO in Compromised Platforms},
PAGES = {1377 - 1394},
Note = {27th Annual Network and Distributed System Security Symposium (NDSS 2020); Conference Location: San Diego, CA, USA; Conference Date: February 23-26, 2020; Conference lecture held on February 26, 2020.}
}
Research Collection: 20.500.11850/453008