Abstract
Password based authentication remains as the mainstream user authentication method for most web servers, despite its known vulnerability to keylogger attacks. Most existing countermeasures are costly because they require a strong isolation of the browser and the operating system. In this paper, we propose KGuard, a password input protection system. Its security is based on the hardware-based virtualization without safeguarding the browser or OS. A security-conscious user can conveniently and securely activate or deactivate the password protection by using key combinations. We have implemented KGuard and experimented our prototype on Windows with Firefox. The results show that no significant performance loss is induced by our protection mechanism when a user authenticates to commercial web servers.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: SOSP 2003: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pp. 164–177. ACM, New York (2003)
Basili, V.R., Perricone, B.T.: Software errors and complexity: an empirical investigation. Commun. ACM 27, 42–52 (1984)
Bugiel, S., Dmitrienko, A., Kostiainen, K., Sadeghi, A.-R., Winandy, M.: TruWalletM: Secure Web Authentication on Mobile Platforms. In: Chen, L., Yung, M. (eds.) INTRUST 2010. LNCS, vol. 6802, pp. 219–236. Springer, Heidelberg (2011)
Chen, X., Garfinkel, T., Christopher Lewis, E., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In: Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2008), Seattle, WA, USA (March 2008)
Cheng, Y., Ding, X., Deng, R.H.: DriverGuard: A Fine-Grained Protection on I/O Flows. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 227–244. Springer, Heidelberg (2011)
Cox, R.S., Hansen, J.G., Gribble, S.D., Levy, H.M.: A safety-oriented platform for web applications. In: Proceedings of IEEE Symposium on Security and Privacy (2006)
CVE-2008-0923 (2008), http://cve.mitre.org/cgi-bin/cvename.cgi-?name=cve-2008-0923
Gajek, S., Löhr, H., Sadeghi, A.-R., Winandy, M.: Truwallet: trustworthy and migratable wallet-based web authentication. In: Proceedings of the 2009 ACM workshop on Scalable trusted computing, STC 2009, pp. 19–28. ACM, New York (2009)
Grier, C., Tang, S., King, S.: Secure web browsing with the OP web browser. In: Proceedings of IEEE Symposium on Security and Privacy (2008)
IBM. IBM VGA Technical Reference Manual, http://www.mca-mafia.de/pdf/ibm_vgaxga_trm2.pdf
King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: Subvirt: Implementing malware with virtual machines. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 314–327. IEEE Computer Society, Washington, DC (2006)
Sawtooth Consulting Limited. CyaSSL Embedded SSL Library, http://www.yassl.com/yaSSL/Products-cyassl.html
McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: Trustvisor: Efficient tcb reduction and attestation. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010, pp. 143–158. IEEE Computer Society, Washington, DC (2010)
McCune, J.M., Parno, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: EuroSys 2008 (2008)
McCune, J.M., Perrig, A., Reiter, M.K.: Bump in the ether: a framework for securing sensitive user input. In: Proceedings of the Annual Conference on USENIX 2006 Annual Technical Conference, p. 17. USENIX Association, Berkeley (2006)
McCune, J.M., Perrig, A., Reiter, M.K.: Safe passage for passwords and other sensitive data. In: Proceedings of the Symposium on Network and Distributed Systems Security (NDSS) (February 2009)
Microsoft. About the Windows Driver Kit (WDK), http://goo.gl/DfSRi
Murray, D.G., Milos, G., Hand, S.: Improving xen security through disaggregation. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2008, pp. 151–160. ACM, New York (2008)
Oprea, A., Balfanz, D., Durfee, G., Smetters, D.K.: Securing a remote terminal application with a mobile trusted device. In: 20th Annual Computer Security Applications Conference, pp. 438–447. IEEE (2004)
Ostrand, T.J., Weyuker, E.J.: The distribution of faults in a large industrial software system. In: Proceedings of the 2002 ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2002, pp. 55–64. ACM, New York (2002)
Rafal, W., Joanna, R., Alexander, T.: Xen 0wning trilogy (2008), http://invisible-thingslab.com/itl/Resources.html
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.: Stronger password authentication using browser extensions. In: Proceedings of the 14th USENIX Security Symposium (2005)
Limited Sawtooth, Consulting. Ctaocrypt embedded cryptography library, http://www.yassh.com/yaSSL/Docs_CTaoCrypt_Usage_Reference.html
Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, SOSP 2007, pp. 335–350. ACM, New York (2007)
Shinagawa, T., Eiraku, H., Tanimoto, K., Omote, K., Hasegawa, S., Horie, T., Hirano, M., Kourai, K., Oyama, Y., Kawai, E., Kono, K., Chiba, S., Shinjo, Y., Kato, K.: Bitvisor: a thin hypervisor for enforcing i/o device security. In: Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2009, pp. 121–130. ACM, New York (2009)
Steinberg, U., Kauer, B.: Nova: a microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems, EuroSys 2010, pp. 209–222. ACM, New York (2010)
The Blue Pill, http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf
Trusted Computing Group. TPM main specification. Main Specification Version 1.2 rev. 85 (February 2005)
Wu, M., Miller, R.C., Little, G.: Web wallet: Preventing phishing attacks by revealing user intentions. In: Proceedings of the Symposium on Usable Privacy and Security (SOUPS), pp. 102–113. ACM Press (2006)
Zaharia, M., Katti, S., Grier, C., Paxson, V., Shenker, S., Stoica, I., Song, D.: Hypervisors as a foothold for personal computer security: An agenda for the research community. Technical report (January 2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cheng, Y., Ding, X. (2012). Virtualization Based Password Protection against Malware in Untrusted Operating Systems. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-30921-2_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30920-5
Online ISBN: 978-3-642-30921-2
eBook Packages: Computer ScienceComputer Science (R0)