Trusted Path Client-server applications

About This Presentation

Title:

Trusted Path Client-server applications

Description:

Trusted Path Client-server applications Using COTS components Tommy Kristiansen tommy_at_the-wildbunch.net – PowerPoint PPT presentation

Number of Views:65

Avg rating:3.0/5.0

Slides: 16

Provided by: tomm2157

Category:

more less

Transcript and Presenter's Notes

Title: Trusted Path Client-server applications

1
Trusted Path Client-server applications

Using COTS components
Tommy Kristiansen
tommy_at_the-wildbunch.net

2
Agenda

Thesis
Contributions
Solution
Result
Questions

3
Background

Bruce Schneier believes that "semantic attacks"
are the next wave of attacks to be faced by
computer users. These violate integrity and
authenticity of data presented to the user,
enticing him to perform actions benefiting the
malfactor. Examples of direct user interactions
where this threat can be found are online voting,
online gambling, electronic signatures and
financial transactions etc.

thesis Contributions Solution Result
Questions
4
Trusted Path

Orange Book

A mechanism by which a person at a terminal can
communicate directly with the Trusted Computing
Base. This mechanism can only be activated by the
person or the Trusted Computing Base and cannot
be imitated by untrusted software. Validates to
B2 but are often implemented even when not
validated to B2 e.g. Windows NT C2. The trusted
path mechanism guarantees that data typed by a
user on a client keyboard is protected from any
intrusion by unauthorized programs. It allows a
user to create a non-forgeable and non-penetrable
communication path between the users client and
the trusted operating system software.
thesis Contributions Solution Result
Questions
5
Trusted path with COTS

Built on Hanno Langwegs work
He looked at this with Client applications.
Using Delphi to create a ActiveX Control where we
use DirectX components to create a secure
environment on a win32 platform.
Hopefully this will give authenticity and
integrity of the user and server.

thesis Contributions Solution Result
Questions
6
Why use DirectX

When we use DirectX DirectInput and DirectDraw no
other program can interfere with them run in
exclusive mode.
When we use DirectInput, there must be a user
present to give input
Eliminates synthesizing
Gives authenticity of a user.
When we use DirectDraw no other program can
interfere with the integrity of what you see.

thesis Contributions Solution Result
Questions
7
Why use ActiveX

Easy to implement DirectX components
No effort for the user to use it.
Trusted by OS
Signed ActiveX control
So youll have an trusted application that you
need to verify origin of when installing the
control.

thesis Contributions Solution Result
Questions
8
Hench

SendInput
Screen capture applications
User permissions installing ActiveX

thesis Contributions Solution Result
Questions
9
Goals with thesis

See if its possible to create such solution
Look at existing solution to prevent phishing and
compare them with this solution.
Look at the possibilities of implementing this in
other environments.

thesis Contributions Solution Status
Questions
10
Contributions

Provide software developers with a
server-distributed component to establish
integrity and authenticity with a local human
user.
Use existing software-based technology and
operating system mechanisms to implement a
trusted path without additional expensive
hardware.
Analyze and compare the security of this approach
and alternatives.
Build a working prototype for an existing general
purpose operating system.
Prevents phishing attacks
More secure under login/sigin
Prevent effectiveness of Trojan horse/Malware
Does not prevent keylogging!!