SLIDE 1

NDSS 2020, 4/3/20

ProtectIOn: Root-of-Trust for IO in Compromised Platforms

Aritra Dhar, Enis Ulqinaku, Kari Kostiainen, Srdjan Capkun (ETH Zurich)

SLIDE 2

Motivation

[Figure: remote-device programming form with the fields Heart beat 75, Insulin (U) 177, Basal rate (U/Hr) 0.025, Low limit (mg/dL) 60, High limit (mg/dL) 105, and Program / Cancel buttons]

SLIDE 3

Motivation

[Figure: the same remote-device programming form as on slide 2]

SLIDE 4

Remote Trusted path

[Figure: the trusted-path setting: User, IO devices, Host, Remote server]

SLIDE 5

Solution 1: Transaction Confirmation Device

[Figure: the programming form next to a transaction confirmation device showing an Android Protected Confirmation dialog]

Android Protected Confirmation: "You are going to program: Heart beat 75, Insulin 177 U, Basal rate 0.025 U/Hr, Low level 60 mg/dL, High level 105 mg/dL, and more …"

SLIDE 6

Solution 2: Input Signing

[Figure: the programming form with a trusted embedded device that signs the entered values: Heart beat 75, Insulin 177 U, Basal rate 0.025 U/Hr, Low level 60 mg/dL, High level 105 mg/dL]

SLIDE 7

Display manipulation attack

[Figure: the Insulin field as it is typed: the screen shows 17, then 177, while the recorded value becomes 1777]

User sees 177; device records 1777; host sends 1777.

  • IntegriKey
SLIDE 8

Observation 1

The lack of output integrity – the rendering of user inputs on the screen – compromises input integrity.

SLIDE 9

Solution 3: Overlay

[Figure: the programming form with a second copy of its labels drawn as an overlay on top of it]

SLIDE 10

Overlay: Output Manipulation

[Figure: left, the genuine form; right, a host-manipulated rendering with "Heart rate" in place of "Heart beat", "mg/cc" in place of "mg/dL", and the fields reordered]

SLIDE 11

Overlay: Output Manipulation

[Figure: the manipulated form filled in with 75, 177, 0.025, 6000 and 10500: the limits now read 6000 and 10500 mg/cc instead of 60 and 105 mg/dL]

SLIDE 12

Observation 2

If the protected output is provided out of context, users are less likely to verify it, so input integrity can be violated.

SLIDE 13

Overlay: Early Form Submission Attack

[Figure: the Insulin (U) textbox is in focus and holds 17 of the intended 177 (the other fields read 75, 0.025, 60, 105) when the OS triggers a click on Program]

  • Fidelius
  • Trusted overlay from FPGA
SLIDE 14

Observation 3

If not all modalities of input are secured simultaneously, none of them can be fully secured.

SLIDE 15

Requirements

Inter-dependency between input and output

The lack of output integrity – the rendering of user inputs on the screen – compromises input integrity.

SLIDE 16

Requirements

All modalities of input

If not all modalities of input are secured simultaneously, none of them can be fully secured.

SLIDE 17

Requirements

Low cognitive load

If the protected output is provided out of context, users are less likely to verify it, so input integrity can be violated.

SLIDE 18

Requirements

Low TCB and easy deployment

SLIDE 19

Requirements

SLIDE 20

ProtectIOn

IOHub

  • Input modalities
  • Low TCB + fast deployment

SLIDE 21

IO Integrity – Overlay Generation

[Figure: the form as the server sends it, tagged <form action="/some_action" signature="0x45AB…" id="0x0ab">]

Simultaneous IO

SLIDE 22

IO Integrity – Overlay Generation

Simultaneous IO

SLIDE 23

IO Integrity – Overlay Generation

[Figure: the form (Insulin (U), Heart rate, Remote device, Low limit (mg/cc), High limit (mg/cc), Basal rate (U/Hr), Program, Cancel) rendered under the overlay banner]

Verified UI from secure_site.io

Simultaneous IO

SLIDE 24

IO Integrity – Input

[Figure: the verified form with the user's inputs 75, 177, 0.025, 60, 105 entered into it]

Verified UI from secure_site.io

Simultaneous IO

SLIDE 25

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms

[Figure: manipulated form with a 1 put in front of all inputs]

Low cognitive load

SLIDE 26

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms
    • Lightbox

[Figure: manipulated form with a 1 put in front of all inputs]

Low cognitive load

SLIDE 27

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms
    • Lightbox
    • Highlight

[Figure: manipulated form with a 1 put in front of all inputs]

Low cognitive load

SLIDE 28

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms
    • Lightbox
    • Highlight
    • Freezing

[Figure: manipulated form with a 1 put in front of all inputs]

Low cognitive load

SLIDE 29

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms
    • Lightbox
    • Highlight
    • Freezing
    • Combination

[Figure: manipulated form with a 1 put in front of all inputs]

Low cognitive load

SLIDE 30

Grabbing User Attention

  • Output integrity: low cognitive load
  • Several existing mechanisms
    • Lightbox
    • Highlight
    • Freezing
    • Combination
  • How to determine when to engage?
    • Track pointer
    • Mouse movement on the overlay

Low cognitive load

SLIDE 31

Prototype and TCB

[Table: TCB size comparison; values recovered: 25.16M, 20.92M, 2M, 71K, 600K, 36.68M, 1.9K, 3.5K, 893, 121K; row labels not recovered]

Low TCB · Fast deployment

SLIDE 32

Performance

  • Display latency: 21.67 ms (~46 fps)
  • Mouse latency: 250 μs
  • Keyboard latency: 170 μs
  • Pointer detection accuracy: 0.997

SLIDE 33

Summary

  • Existing research
  • Drawbacks
  • Observations
  • Requirements for Trusted Path
  • ProtectIOn design
  • Prototype

SLIDE 34

Thank you! Questions?

SLIDE 35

Backup slides

SLIDE 36

Prototype View

[Figure: three screenshots: the attacker's view, the user's view on the monitor, and the overlay focusing the user's attention]

SLIDE 37

Other Trusted Path Solutions

SLIDE 38

How to Build a Trusted Path

  • Server sends messages: HTML, JS … → O
  • All modalities of inputs → I
  • Input: O → I
  • Host transforms them: Browser, GPU … + I → [O]
  • Transform: O, I → [O]
  • Host is a bad guy → O or O'
  • Output integrity → users need to report back O / O'

SLIDE 39

Definition: Violation of Input/Output Integrity

  • Server sends O
  • Server knows O
  • Given O, the correct input is I
  • Host sends O' ≠ O → output integrity violated
  • User sends I' ≠ I → input integrity violated

SLIDE 40

Verification

[Figure: verification chain alternating server outputs O_1, O_2, … and the user inputs I_1, I_2, … bound to them; remaining labels not recovered]

Anything missing in the chain → IO integrity violation
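The chain on this slide and the definitions on slides 38-39 can be made concrete with a small model: the server signs the form it sends (output O), a trusted IOHub verifies that signature before it draws the "Verified UI" overlay (slides 21-24), binds the user's values (input I) to the verified form and signs them, and the server accepts a submission only if every link is present and intact. The code below is an added example, not code from the ProtectIOn paper or its IOHub prototype; it assumes HMAC-SHA256 with keys pre-shared between server and IOHub in place of the real signature scheme, and models the untrusted host as whatever rewrites the form or the values on the way through. It runs the 177 → 1777 input manipulation from slide 7, the mg/dL → mg/cc output manipulation from slides 10-11, and an out-of-context replay of signed inputs against another form, and shows each one breaking the chain.

```python
"""Toy model of the IO-integrity chain described on these slides.

Added example, not code from the ProtectIOn paper or its IOHub prototype.
Assumptions: HMAC-SHA256 with keys pre-shared between the server and the
IOHub stands in for the real signature scheme; the untrusted host is the
code path that may rewrite the form (output O) or the values (input I).
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys for the toy model (assumption: pre-shared between the parties).
SERVER_KEY = b"constructed-server-signing-key"
IOHUB_KEY = b"constructed-iohub-signing-key"


def _canon(obj) -> bytes:
    """Canonical JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, obj) -> str:
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def server_build_form(form_id: str, action: str, fields: list) -> dict:
    """Output O: the form plus the server's signature over id, action and field labels."""
    body = {"id": form_id, "action": action, "fields": fields}
    return {**body, "signature": _mac(SERVER_KEY, body)}


def iohub_verify_form(form: dict) -> bool:
    """The IOHub draws the 'Verified UI' overlay only if the form is authentic."""
    body = {k: form.get(k) for k in ("id", "action", "fields")}
    return hmac.compare_digest(_mac(SERVER_KEY, body), form.get("signature", ""))


def iohub_sign_inputs(form: dict, values: dict) -> Optional[dict]:
    """Input I bound to the verified output: the IOHub signs (form id, form signature, values)
    so the values can neither be altered in transit nor replayed against another form."""
    if not iohub_verify_form(form):
        return None  # no verified overlay -> no signed input
    body = {"form_id": form["id"], "form_sig": form["signature"], "values": values}
    return {**body, "signature": _mac(IOHUB_KEY, body)}


def server_verify_submission(expected_form: dict, submission: dict) -> bool:
    """Every link must be present and intact: form id, form signature and the IOHub MAC."""
    body = {k: submission.get(k) for k in ("form_id", "form_sig", "values")}
    if body["form_id"] != expected_form["id"] or body["form_sig"] != expected_form["signature"]:
        return False  # inputs were entered against a different, or modified, output
    return hmac.compare_digest(_mac(IOHUB_KEY, body), submission.get("signature", ""))


# Constructed sample form and inputs, mirroring the values on the slides.
FIELDS = ["Heart beat", "Insulin (U)", "Basal rate (U/Hr)", "Low limit (mg/dL)", "High limit (mg/dL)"]
USER_INPUT = {"Heart beat": "75", "Insulin (U)": "177", "Basal rate (U/Hr)": "0.025",
              "Low limit (mg/dL)": "60", "High limit (mg/dL)": "105"}


def run_scenarios() -> dict:
    """One honest run and three manipulations; True means the chain behaved as intended."""
    form = server_build_form("0x0ab", "/some_action", FIELDS)
    results = {}

    # 1. Honest host: every link present, submission accepted.
    honest = iohub_sign_inputs(form, USER_INPUT)
    results["honest"] = server_verify_submission(form, honest)

    # 2. Output manipulation: the host rewrites the labels (mg/dL -> mg/cc) before display.
    tampered = {**form, "fields": [f.replace("mg/dL", "mg/cc") for f in FIELDS]}
    results["output_manipulation"] = iohub_sign_inputs(tampered, USER_INPUT) is None

    # 3. Input manipulation: the user typed 177 but the host forwards 1777.
    forged = {**honest, "values": {**USER_INPUT, "Insulin (U)": "1777"}}
    results["input_manipulation"] = not server_verify_submission(form, forged)

    # 4. Out-of-context replay: inputs signed for form 0x0ab presented against another form.
    other = server_build_form("0x0ac", "/other_action", FIELDS)
    results["replay_other_form"] = not server_verify_submission(other, honest)

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'handled as intended' if ok else 'UNEXPECTED'}")
```

The binding of the IOHub's input signature to the form's own signature is what turns the two separate properties of slide 39 into one check: a modified output never earns an overlay, so no input is signed for it, and an input signed for one output cannot be presented as the answer to another.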

SLIDE 41

Overlay: Output Manipulation

[Figure: the manipulated form filled in with 75, 177, 0.025, 6000 and 10500: the limits read 6000 and 10500 mg/cc instead of 60 and 105 mg/dL]