Fighting Crimeware: An Architecture for Split-Trust Web Applications
Authors
Abstract
We present an architecture for split-trust browsing: a technique that enables web applications to split their HTML across a pair of browsers—one untrusted browser running on a PC and one trusted browser running on a user’s personal device. Information entered via the personal device’s keypad cannot be read by the PC, thwarting PC-based keyloggers. Similarly, information displayed on the personal device’s screen is also hidden from the PC, preserving the confidentiality and integrity of security-critical data even in the presence of screengrabbing attacks and compromised PC browsers. We present a Security Policy Model for split-trust web applications that affords defence against a range of crimeware-based attacks, including those based on active-injection (e.g. inserting malicious packets into the network or spoofing user-input events). Performance results of a prototype split-trust implementation are presented, using a commercially available cell phone as a trusted personal device.
Similar references
Separating Between Trust and Access Control Policies: A necessity for Web Applications
As security is the key to success for Web applications, most of the efforts in this domain have focused on winning users' trust to adopt the Web environment for their business operations. Although user trust is of paramount importance for Web applications, one also needs to consider Web applications' trust towards users, hereafter referred to as user trustworthiness. This paper ...
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond
Executive Summary: "Crimeware" is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software. Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including: • Social engineering attacks convincing users to open a malicious email at...
Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails
We present a novel key distribution architecture and a novel use of a particular identity-based digital signature scheme for making email trustworthy. Like typical digital signatures, our solution fights email-based phishing attacks and mitigates spam by detecting spoofed emails. Unlike typical digital signatures, our approach requires no complex, preestablished public-key infrastructure nor co...
The Roadmap of Trust and Trust Evaluation in Web Applications and Web Services
In the 1980s and 1990s, the issue of trust in many aspects of life has drawn much attention in a significant number of studies in social science. Nowadays, with the development of Web applications, trust evaluation has become a significant and important issue, especially when a client has to select a trustworthy one from a pool of unknown service providers. An effective and efficient trust eval...
Trust Management and Security Access Controls in High Payload System Architecture
Enterprise services are commonly deployed on Internet-facing applications and mobile apps. There is a need for an infrastructure and application framework to protect the information flow at the web layer and in mobile apps. Trust management is being recognized in the industry, along with federated single sign-on, to cater to the need for data protection at rest and in transit. The web layer needs to be very li...