Paper 2017/1245

IntegriKey: End-to-End Integrity Protection of User Input

Aritra Dhar, Der-Yeuan Yu, Kari Kostiainen, and Srdjan Capkun


Various safety-critical devices, such as industrial control systems, medical devices, and home automation systems, are configured through web interfaces from remote hosts that are standard PCs. The communication link from the host to the safety-critical device is typically easy to protect, but if the host gets compromised, the adversary can manipulate any user-provided configuration settings with severe consequences including safety violations. In this paper, we propose IntegriKey, a novel system for user input integrity protection in compromised host. The user installs a simple plug-and-play device between the input peripheral and the host. This device observes user input events and sends a trace of them to the server that compares the trace to the application payload received from the untrusted host. To prevent subtle attacks where the adversary exchanges values from interchangeable input fields, we propose a labeling scheme where the user annotates input values. We built a prototype of IntegriKey, using an embedded USB bridge, and our experiments show that such integrity protection adds only minor delay. We also developed a UI analysis tool that helps developers to protect their services and evaluated it on commercial safety-critical systems.

Available format(s)
Publication info
Contact author(s)
aritra dhar @ inf ethz ch
2018-02-12: revised
2017-12-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Aritra Dhar and Der-Yeuan Yu and Kari Kostiainen and Srdjan Capkun},
      title = {IntegriKey: End-to-End Integrity Protection of User Input},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1245},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.