You are looking at a specific version 20190730:072343 of this paper.

Paper 2019/869

ProtectIOn: Root-of-Trust for IO in Compromised Platforms

Aritra Dhar and Enis Ulqinaku and Kari Kostiainen and Srdjan Capkun

Abstract

Security and safety-critical remote applications such as e-voting, online banking, industrial control systems, medical devices, and home automation systems rely upon user interaction that is typically performed through web applications. A trusted path to such remote systems is critical in the presence of an attacker that controls the computer that the user operates. Such a powerful attacker can observe and modify any IO data without being detected by the user or the server. We investigate the security of previous research proposals that address this problem and observe several drawbacks that make them vulnerable to advanced UI manipulation attacks. Based on these observations, we define a novel set of requirements for secure IO operation in the presence of a compromised host. We propose ProtectIOn, a system that ensures the integrity and confidentiality of the user's IO by employing a trusted low-TCB device that sits between the attacker-controlled host and the IO devices. The ProtectIOn device can therefore intercept the display signal and user inputs from the keyboard and mouse. Furthermore, it can overlay secure UI on top of the HDMI frames generated by the untrusted host. ProtectIOn integrates well into the existing infrastructure: it requires small changes on the server side, works with any browser without installing any additional software, and does not significantly change the user experience. Finally, we implement a prototype of ProtectIOn, which is a plug-and-play device, and evaluate its performance.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Contact author(s)
aritra dhar @ inf ethz ch
History
2019-09-16: revised
2019-07-30: received
Short URL
https://ia.cr/2019/869
License
Creative Commons Attribution
CC BY