ABSTRACT
An open security problem is how a server can tell whether a request submitted by a client is legitimately intended by the user or fakes by malware that has infected the user's system. This paper proposes Attested Intentions (AINT), to ensure user intention is properly translated to service requests. AINT uses a trusted hypervisor to record user inputs and context, and uses an Intel SGX enclave to continuously verify that the context, where user interaction occurs, has not been tampered with. After verification, AINT also uses SGX enclave for execution protection to generate the service request using the inputs collected by the hypervisor. To address privacy concerns over the recording of user inputs and context, AINT performs all verification on the client device, so that recorded data is never transmitted to a remote party.
- Martín Abadi. 2004. Trusted Computing, Trusted Third Parties, and Verified Communications. In Security and Protection in Information Processing Systems, Yves Deswarte, Frédéric Cuppens, Sushil Jajodia, and Lingyu Wang (Eds.). Springer US, Boston, MA, 291--308. https://users.soe.ucsc.edu/~abadi/Papers/verif.pdfGoogle Scholar
- AMD. 2018. AMD64 Architecture Programmer's Manual Volume 2: System Programming. (Sept 2018). Retrieved Jan 17, 2019 from https://www.amd.com/system/files/TechDocs/24593.pdfGoogle Scholar
- AMD. 2018. How to Capture and Stream Gameplay Using Radeon ReLive. (Dec 2018). Retrieved July 6, 2019 from https://www.amd.com/en/support/kb/faq/dh-023Google Scholar
- ARM. 2009. Arm Security Technology - Building a Secure System using TrustZone Technology. (April 2009). Retrieved Jan 16, 2019 from http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/ch01s02s01.htmlGoogle Scholar
- Ashwin Swaminathan, Yinian Mao, and Min Wu. 2006. Robust and secure image hashing. IEEE Transactions on Information Forensics and Security 1, 2 (June 2006), 215--230. Google ScholarDigital Library
- Elie Bursztein, Steven Bethard, John C. Mitchell, Dan Jurafsky, and Céline Fabry. 2010. How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. In IEEE Symposium on Security and Privacy. Oakland, CA, USA. http://ieeexplore.ieee.org/document/5504799 Google ScholarDigital Library
- Nicholas Carlini and David A. Wagner. 2016. Towards Evaluating the Robustness of Neural Networks. CoRR abs/1608.04644 (2016). arXiv:1608.04644 http://arxiv.org/abs/1608.04644Google Scholar
- Peter M. Chen and Brian D. Noble. 2001. When virtual is better than real {operating system relocation to virtual machines}. In Proceedings Eighth Workshop on Hot Topics in Operating Systems. 133--138. Google ScholarDigital Library
- Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallem, and Dawson Engler. 2001. An Empirical Study of Operating Systems Errors. In Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles (SOSP '01). ACM, New York, NY, USA, 73--88. Google ScholarDigital Library
- Weidong Cui, Randy H. Katz, and Wai-tian Tan. 2005. BINDER: An Extrusion-based Break-In Detector for Personal Computers. In Proceedings of the 2005 USENIX Annual Technical Conference. USENIX Association, Berkeley, CA, USA. https://www.microsoft.com/en-us/research/publication/binder-anextrusion-based-break-in-detector-for-personal-computers/ Google ScholarDigital Library
- Dancho Danchev. 2018. Inside India's CAPTCHA solving economy. (Aug 2018). Retrieved July 6, 2019 from https://www.zdnet.com/article/inside-indias-captcha-solving-economy/Google Scholar
- Saba Eskandarian, Jonathan Cogan, Sawyer Birnbaum, Peh Chang Brandon, Dillon Franke Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung T. Nguyen, Taresh K. Sethi, Vishal Subbiah, Michael Backes, Giancarlo Pellegrino, and Dan Boneh. 2019. Fidelius: Protecting User Secrets from Compromised Browsers. In 2019 2019 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA.Google ScholarCross Ref
- Yanick Fratantonio, Chenxiong Qian, Simon P Chung, and Wenke Lee. 2017. Cloak and dagger: from two permissions to complete control of the UI feedback loop. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 1041--1057. https://ieeexplore.ieee.org/document/7958624Google ScholarCross Ref
- Vinod Ganapathy, Matthew J. Renzelmann, Arini Balakrishnan, Michael M. Swift, and Somesh Jha. 2008. The Design and Implementation of Microdrivers. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XIII). ACM, New York, NY, USA, 168--178. Google ScholarDigital Library
- Ramakrishna Gummadi, Hari Balakrishnan, Petros Maniatis, and Sylvia Ratnasamy. 2009. Not-a-Bot: Improving Service Availability in the Face of Botnet Attacks. In Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI'09). USENIX Association, Berkeley, CA, USA, 307--320. http://dl.acm.org/citation.cfm?id=1558977.1558998 Google ScholarDigital Library
- Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schecter, and Collin Jackson. 2012. Clickjacking: Attacks and Defenses. In Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). USENIX, Bellevue, WA, 413--428. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/huang Google ScholarDigital Library
- Intel. 2010. Intel® Trusted Execution Technology: White Paper. (2010). Retrieved Nov 15, 2018 from https://www.intel.com/content/www/us/en/architecture-and-technology/trusted-execution-technology/trusted-execution-technology-security-paper.htmlGoogle Scholar
- Bhushan Jain, Mirza Basim Baig, Dongli Zhang, Donald E. Porter, and Radu Sion. 2014. Sok: Introspections on Trust and the Semantic Gap. In IEEE Symposium on Security and Privacy (SP). IEEE, 605--620. https://ieeexplore.ieee.org/document/6956590 Google ScholarDigital Library
- Yeongjin Jang, Simon P Chung, Bryan D Payne, and Wenke Lee. 2014. Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications.. In Proceedings of the 2014 Network and Distributed System Security Symposium. https://www.ndss-symposium. org/ndss2014/programme/gyrus-framework-user-intent-monitoring-text-based-networked-applications/Google ScholarCross Ref
- Wenhao Li, Shiyu Luo, Zhichuang Sun, Yubin Xia, Long Lu, Haibo Chen, Binyu Zang, and Haibing Guan. 2018. VButton: Practical Attestation of User-driven Operations in Mobile Apps. In Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys '18). ACM, New York, NY, USA, 28--40. Google ScholarDigital Library
- David Lie and Petros Maniatis. 2017. Glimmers: Resolving the Privacy/Trust Quagmire. In Proceedings of the 16th Workshop on Hot Topics in Operating Systems (HotOS '17). ACM, New York, NY, USA, 94--99. Google ScholarDigital Library
- Lionel Litty, H Andrés Lagar-Cavilla, and David Lie. 2008. Hypervisor Support for Identifying Covertly Executing Binaries. In Proceedings of the 17th Conference on Security Symposium (SS'08). USENIX Association, San Jose, CA, 243--258. https://dl.acm.org/citation.cfm?id=1496728 Google ScholarDigital Library
- Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. 2010. TrustVisor: Efficient TCB Reduction and Attestation. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP '10). IEEE Computer Society, Washington, DC, USA, 143--158. Google ScholarDigital Library
- Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki. 2008. Flicker: An Execution Infrastructure for Tcb Minimization. In Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008 (Eurosys '08). ACM, New York, NY, USA, 315--328. Google ScholarDigital Library
- Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative Instructions and Software Model for Isolated Execution. In Proceedings of the 2Nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP '13). ACM, New York, NY, USA, Article 10, 1 pages. Google ScholarDigital Library
- Microsoft. 2017. Microsoft ClearType overview. (Oct 2017). Retrieved July 6, 2019 from https://docs.microsoft.com/en-us/typography/cleartype/Google Scholar
- Subhas C. Misra and Virendra C. Bhavsar. 2003. Relationships Between Selected Software Measures and Latent Bug-density: Guidelines for Improving Quality. In Proceedings of the 2003 International Conference on Computational Science and Its Applications: PartI (ICCSA'03). Springer-Verlag, Berlin, Heidelberg, 724--732. http://dl.acm.org/citation.cfm?id=1756748.1756832 Google ScholarDigital Library
- Nvidia. 2017. Record and Capture your Greatest Gaming Moments. (June 2017). Retrieved July 6, 2019 from https://www.nvidia.com/en-us/geforce/geforce-experience/shadowplay/Google Scholar
- Lara O'Reilly. 2015. Google's new CAPTCHA security login raises 'legitimate privacy concerns'. (Feb 2015). Retrieved Dec 7, 2018 from https://www.businessinsider.com.au/google-no-captcha-adtruth-privacy-research-2015-2Google Scholar
- Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2017. Practical Black-Box Attacks Against Machine Learning. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (ASIA CCS '17). ACM, New York, NY, USA, 506--519. Google ScholarDigital Library
- Andrea Possemato, Andrea Lanzi, Simon Pak Ho Chung, Wenke Lee, and Yanick Fratantonio. 2018. ClickShield: Are You Hiding Something? Towards Eradicating Clickjacking on Android. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1120--1136. Google ScholarDigital Library
- Ramarathnam Venkatesan, S.-M Koon, Mariusz Jakubowski, and Pierre Moulin. 2000. Robust image hashing. In Proceedings 2000 International Conference on Image Processing (Cat. No.00CH37101), Vol. 3. 664--666 vol.3.Google ScholarCross Ref
- Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, Kenji Kono, Shigeru Chiba, Yasushi Shinjo, and Kazuhiko Kato. 2009. BitVisor: A Thin Hypervisor for Enforcing I/O Device Security. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '09). ACM, New York, NY, USA, 121--130. Google ScholarDigital Library
- He Sun, Kun Sun, Yuewu Wang, Jiwu Jing, and Haining Wang. 2015. TrustICE: Hardware-Assisted Isolated Computing Environments on Mobile Devices. In 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 367--378. Google ScholarDigital Library
- Michael M. Swift, Brian N. Bershad, and Henry M. Levy. 2003. Improving the Reliability of Commodity Operating Systems. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (SOSP '03). ACM, New York, NY, USA, 207--222. Google ScholarDigital Library
- Trusted Computing Group. 2016. TPM 2.0 Library Specification. (2016). Retrieved Nov 15, 2018 from https://trustedcomputinggroup.org/resource/tpm-library-specification/Google Scholar
- Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James Newsome, and Anupam Datta. 2013. Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA, 430--444. Google ScholarDigital Library
- Zongwei Zhou, Miao Yu, and Virgil D. Gligor. 2014. Dancing with Giants: Wimpy Kernels for On-Demand Isolated I/O. In 2014 IEEE Symposium on Security and Privacy. IEEE Computer Society, Washington, DC, USA, 308--323. Google ScholarDigital Library
Recommendations
Examining Consumers' Behavioral Intentions Towards Online Home Services Applications
On-demand home service application (HSA) is a technological advancement that has brought various day-to-day services to our doorstep with just a few clicks. By using consumer-perceived values (utilitarian, hedonic, and social), trust transfer theory, and ...
The influences of system usability and user satisfaction on continued Internet banking services usage intention: empirical evidence from Taiwan
This study proposes an extended technology acceptance model to investigate the effects of system usability and satisfaction on users' intention to continue using Internet banking services. Based on a survey data from 304 respondents, structural equation ...
Assessing the determinants of internet banking adoption intentions
Internet banking adoption is one area that has received attention from scholars. The extant studies have mainly used technology acceptance models and behavioural theories which do not account for changes in human behaviour. This study seeks to ascertain ...
Comments