compartmented security for browsers

Ruhr-Universität Bochum

Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing

Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble, Marcel Winandy

Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany

ARES 2007, 2nd International Conference on Availability, Reliability and Security, Vienna, 10-13 April 2007

Upload: marcel-winandy

Post on 08-Jun-2015

DESCRIPTION

Presentation of a paper at ARES 2007 conference. Security architecture to prevent phishing attacks.

TRANSCRIPT

Page 1: Compartmented Security for Browsers

Ruhr-Universität Bochum

Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing

Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble, Marcel Winandy

Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany

ARES 2007, 2nd International Conference on Availability, Reliability and Security, Vienna, 10-13 April 2007

Page 2: Compartmented Security for Browsers

2007-04-10, Compartmented Security for Browsers (ARES 2007), slide 2

Ruhr-Universität Bochum

Marcel Winandy

Page 3: Compartmented Security for Browsers

"Classical" Phishing

[Diagram: Adversary A; Customers (e.g., bank); credentials (e.g., username, password); Collection Server]

Page 4: Compartmented Security for Browsers

Malware Phishing

[Diagram: Adversary A; Customers (e.g., bank); credentials; Collection Server]

Tailored to specific services, such as domestic banks

Page 5: Compartmented Security for Browsers

Reasons for Success

● Strong assumptions on ordinary users
● Legacy flaws of Internet technology (e.g. DNS)
● Vulnerabilities of underlying computing platform

Page 6: Compartmented Security for Browsers

Existing approaches

● Browser-based
● Server-based
● Operating System based

Page 7: Compartmented Security for Browsers

Browser-based approaches

● White lists / black lists
● Heuristic checks
● Blinking browser boundaries
● Logo-type certificates
● Wallets

[Diagram: Browser; F (extra functionality)]

Page 8: Compartmented Security for Browsers

Browser-based approaches

● White lists / black lists
● Heuristic checks
● Blinking browser boundaries
● Logo-type certificates
● Wallets

[Diagram: Browser; F]

Malware Phishing !?

Page 9: Compartmented Security for Browsers

Server-Based Approaches

● User-friendly authentication protocols
● Password-augmented SSL protocol
● Trusted device augmented SSL protocol

[Diagram: Client, Client, Server; F (extra functionality)]

Page 10: Compartmented Security for Browsers

Server-Based Approaches

● User-friendly authentication protocols
● Password-augmented SSL protocol
● Trusted device augmented SSL protocol

[Diagram: Client, Client, Server; F]

Malware Phishing !?

Page 11: Compartmented Security for Browsers

OS-Based Approaches

● Isolation
● Integrity Verification
● Secure GUI
● Virtualization

Example: Tahoma BOS

[Diagram: Browser, Browser, Browser; VM, VM, VM; VMM]

Page 12: Compartmented Security for Browsers

OS-Based Approaches

● Isolation
● Integrity Verification
● Secure GUI
● Virtualization

Example: Tahoma BOS

[Diagram: Browser, Browser, Browser; VM, VM, VM; VMM]

Classical Phishing !?

Page 13: Compartmented Security for Browsers

Idea: Combination

Page 14: Compartmented Security for Browsers

Our Approach

● Trusted wallet: Let the system...
– authenticate legitimate service sites
– control and perform the user authentication
● Compartmentalization: Isolate browser / wallet
● Trusted execution environment:
– Security kernel
– Trusted Computing
– Virtualization

Page 15: Compartmented Security for Browsers

Basic Architecture

[Diagram: user U; System S with compartments Browser (on Legacy OS) and Wallet-Proxy, above the Security Kernel and Hardware (Trusted Computing Support); Service P. Labels: authentication data, service usage, virtual network, real network, compartment.]

Page 20: Compartmented Security for Browsers

Wallet-Proxy

[Diagram: user U, Browser B, Wallet-Proxy W and service P. Messages: authenticate_UW, use_service_U↔B, use_service_B↔W, update_proxy_WB, authenticate_WP, use_service_P↔W. Channel label: SSL secured channel. Annotations: Setup login data; Call service site; Insert login data; Authenticate site and user.]

Page 21: Compartmented Security for Browsers

Setup Procedure

● "Two-factor authentication"
– User receives credentials out-of-band
   ● username, password (u_id, pwd_id), URL_id of website, and ack. code
– Wallet blocks login forms in Browser
– User has to enter credentials in Wallet
– Wallet performs login procedure
– User enters acknowledgement code in Browser

● "One-factor authentication"
– User has to register online at website
– Wallet blocks login forms in Browser
– User has to enter credentials in Wallet
– Wallet links password to website
   ● pwd_id := hash(pwd_id^user || r), r is random value
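
How a wallet can link a password to one website in the one-factor setup above, as an added example that is not code from the paper or the presenters. SHA-256, the UTF-8 encoding, the 32-byte r, the https-only rule and origin matching as the link to the site are assumptions; `Wallet`, `link_password` and `origin` are hypothetical names.

```python
import hashlib
import secrets
from urllib.parse import urlsplit


def origin(url):
    """Return (scheme, host, port) so look-alike hosts never compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def link_password(user_pwd, r):
    """pwd_id := hash(pwd_user || r); SHA-256 and UTF-8 are assumptions."""
    return hashlib.sha256(user_pwd.encode("utf-8") + r).hexdigest()


class Wallet:
    """Hypothetical wallet store: one (uid, pwd_id) entry per service origin."""

    def __init__(self):
        self._entries = {}

    def register(self, url, uid, user_pwd, r=None):
        # r is drawn inside the wallet and never shown, so the derived site
        # password is not something the user knows or can type into a form.
        if origin(url)[0] != "https":
            raise ValueError("wallet only links passwords to https sites")
        r = secrets.token_bytes(32) if r is None else r
        pwd_id = link_password(user_pwd, r)
        self._entries[origin(url)] = (uid, pwd_id)
        return pwd_id

    def credentials_for(self, url):
        """Release login data only to the exact origin it was linked to."""
        return self._entries.get(origin(url))


if __name__ == "__main__":
    wallet = Wallet()
    # Constructed sample values.
    wallet.register("https://bank.example/login", "alice", "correct horse")
    for url in ("https://bank.example/account",
                "https://bank.example.evil.test/login"):
        print(url, "->", wallet.credentials_for(url))
```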

Page 24: Compartmented Security for Browsers

Trusted Components

[Diagram: Compartment Manager, Secure GUI, Storage Manager, Wallet-Proxy W, Net, TPM, user U, P. Edges: start (×3), sealing / unsealing, measurement, user interface input / output, network connection, load / store data. Annotations: System integrity; Trusted path.]

Page 27: Compartmented Security for Browsers

Secure Booting

[Diagram: CRTM, BIOS, OS Loader, OS; TPM with PCRs; Compartment Manager, Secure GUI, Storage Manager, Proxy Wallet W. Edges: start (×3).]

Seal Wallet data to platform configuration
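
A software model of the measured boot chain and of sealing wallet data to the platform configuration, added here as an illustration and not taken from the presented implementation. The extend rule is the TPM 1.2 one; `seal` and `unseal` are hypothetical stand-ins that model only the PCR release check, and the component names and key are constructed.

```python
import hashlib
import hmac

PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR is 20 bytes and starts at zero on boot
# Constructed stand-ins for the binaries measured in the slide's boot chain.
BOOT_CHAIN = [b"CRTM", b"BIOS", b"OS Loader", b"OS", b"Compartment Manager",
              b"Secure GUI", b"Storage Manager", b"Wallet-Proxy"]


def extend(pcr, component):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure(chain):
    """Fold every stage into one PCR, in the order the stages are started."""
    pcr = PCR_RESET
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def seal(data, pcr, device_key):
    """Toy seal: record the release PCR and authenticate the blob.

    Models only the release policy; a real TPM also encrypts the data.
    """
    tag = hmac.new(device_key, pcr + data, hashlib.sha256).digest()
    return (pcr, data, tag)


def unseal(blob, current_pcr, device_key):
    """Return the data only if the blob is intact and the PCR matches."""
    pcr, data, tag = blob
    expected = hmac.new(device_key, pcr + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed blob was modified")
    if not hmac.compare_digest(pcr, current_pcr):
        raise PermissionError("platform configuration differs from sealed state")
    return data


if __name__ == "__main__":
    key = b"constructed-device-key"
    blob = seal(b"uid=alice;pwd_id=<derived>", measure(BOOT_CHAIN), key)
    print(unseal(blob, measure(BOOT_CHAIN), key))
```

Because each extend hashes the previous PCR value, changing or reordering any stage yields a different final value and the unseal check refuses to release the wallet data.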

Page 29: Compartmented Security for Browsers

Implementation

[Diagram: layered architecture. Application Layer: Compartment (Email, Browser) {untrusted}; Compartment (WalletProxy) {trusted}; Isolation. Trusted Software Layer: Compartment Mgr, Secure GUI, Storage Mgr. Hypervisor Layer; Video, Input, TDD, Net, Disk, L4 Microkernel. Hardware Layer: Hardware, TPM. Label: Security Kernel.]

Page 30: Compartmented Security for Browsers

Ongoing and Future Work

● Web form scanner
– Currently improving and enhancing implementation
● System updates (property-based attestation)
– Currently working on PbA implementation
● What about additional user attributes?
– e.g. address, age, credit card number, etc.
● Usability
– Secure GUI ("mGUI")
– Proxy-Wallet

Page 33: Compartmented Security for Browsers

Questions ?

Page 34: Compartmented Security for Browsers

backup
