Uni-directional trusted path: Transaction confirmation on just one device

Proceedings of the International Conference on Dependable Systems and Networks

Volumn , Issue , 2011, Pages 1-12

  Filyanov, Atanas ^a   McCuney, Jonathan M ^b   Sadeghiz, Ahmad Reza ^c   Winandy, Marcel ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b CARNEGIE MELLON UNIVERSITY   (United States)

^c Center for Advanced Security Research   (Germany)

Author keywords

security; transaction confirmation; trusted computing; trusted path

Indexed keywords

CAPTCHAS; CODE EXECUTION; DEPLOYED SYSTEMS; INPUT AND OUTPUTS; MALWARES; REMOTE ATTESTATION; SECURITY; SENSITIVE INFORMATIONS; SERVICE PROVIDER; TRANSACTION CONFIRMATION; TRUSTED COMPUTING; TRUSTED PATH;

COMPUTER CRIME;

NETWORK SECURITY;

EID: 80051945078     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/DSN.2011.5958202     Document Type: Conference Paper

References (52)

1. CNET, "Pop-up program reads keystrokes, steals passwords," 2004, http://news.cnet.com/2100-7349-3-5251981.html.
2. "New Trojans plunder bank accounts," 2006, http: //news.cnet.com/2100-7349-3-6041173.html.
3. W3C Working Group, "Inaccessibility of CAPTCHA," Note 23, Nov. 2005.
4. J. Epstein, J. McHugh, H. Orman, R. Pascale, A. Marmor-Squires, B. Danner, C. R. Martin, M. Branstad, G. Benson, and D. Rothnie, "A high assurance window system prototype," Journal of Computer Security, vol. 2, no. 2, 1993.
5. N. Feske and C. Helmuth, "A Nitpicker's guide to a minimalcomplexity secure GUI," in Proc. Annual Computer Security Applications Conference (ACSAC), 2005.
6. J. S. Shapiro, J. Vanderburgh, and E. Northup, "Design of the EROS trusted window system," in Proc. USENIX Security, 2004.
7. TrustMark, "TrustMark banking and financial solutions," http://www.trustmark.com/passmark/index.html, Aug. 2010.
8. B. Lampson, "Usable security: How to get it," Communications of the ACM, vol. 52, no. 11, 2009.
9. AMD, "AMD64 virtualization codenamed "Pacifica" technology - secure virtual machine architecture reference manual," AMD, Tech. Rep. Publication Number 33047, Revision 3.01, May 2005.
10. Intel Corporation, "Intel trusted execution technology MLE developer's guide," Intel Corporation, Tech. Rep. Document Number: 315168-006, Dec. 2009.
11. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 2001.
12. L. F. Cranor, "What do they indicate? evaluating security and privacy indicators," Interactions, vol. 13, no. 3, 2006.
13. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "The emperor's new security indicators," in Proc. IEEE Symposium on Security and Privacy, 2007.
14. M. Wu, R. C. Miller, and S. L. Garfinkel, "Do security toolbars actually prevent phishing attacks?" in Proc. Conference on Human Factors in Computing Systems (CHI), 2006.
15. J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki, "Flicker: An execution infrastructure for TCB minimization," in Proc. ACM SIGOPS European Conference on Computer Systems (EuroSys), 2008.
16. Trusted Computing Group, "TPM main specification, version 1.2, revision 103," Jul. 2007.
17. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh, "Terra: a virtual machine-based platform for trusted computing," in Proc. ACM Symposium on Operating Systems Principles (SOSP), 2003.
18. R. Sailer, E. Valdez, T. Jaeger, R. Perez, L. van Doorn, J. L. Griffin, and S. Berger, "sHype: Secure hypervisor approach to trusted virtualized systems," IBM Research Division, Tech. Rep. RC23511, Feb. 2005.
19. European Multilaterally Secure Computing Base Project, "Turaya," http://www.emscb.org/content/pages/turaya.htm.
20. OpenTC Project Consortium, "Open Trusted Computing," http://www.opentc.net.
21. K.-P. Yee, D. Wagner, M. Hearst, and S. M. Bellovin, "Prerendered user interfaces for higher-assurance electronic voting," in Proc. USENIX Electronic Voting Technology Workshop, 2006.
22. C. Doctorow, "Solving and creating captchas with free porn," Boing Boing, Jan. 2004.
23. S. M. Bellovin and M. Merritt, "Encrypted key exchange: Password-based protocols secure against dictionary attacks," in Proc. IEEE Symposium on Security and Privacy, 1992.
24. D. P. Jablon, "Strong password-only authenticated key exchange," Computer Communication Review, vol. 26, 1996.
25. T. Wu, "The secure remote password protocol," in Proc. Network and Distributed System Security Symposium (NDSS). The Internet Society, 1998.
26. S. Gajek, A.-R. Sadeghi, C. Stüble, and M. Winandy, "Compartmented security for browsers - or how to thwart a phisher with trusted computing," in Proc. Conference on Availability, Reliability and Security (ARES), 2007.
27. C. Jackson, D. Boneh, and J. Mitchell, "Spyware resistant web authentication using virtual machines," http://crypto.stanford.edu/ spyblock/, 2006.
28. R. C. Jammalamadaka, T. W. van der Horst, S. Mehrotra, K. E. Seamons, and N. Venkasubramanian, "Delegate: A proxy based architecture for secure website access from an untrusted machine," in Proc. Annual Computer Security Applications Conference (ACSAC), 2006.
29. M. Wu, R. C. Miller, and G. Little, "Web Wallet: Preventing Phishing Attacks by Revealing User Intentions," in Proc. Symposium on Usable Privacy and Security (SOUPS), 2006.
30. S. Bugiel, A. Dmitrienko, K. Kostiainen, A.-R. Sadeghi, and M. Winandy, "TruWalletM: Secure web authentication on mobile platforms," in Proc. Trusted Systems, Second International Conference (INTRUST), 2011.
31. OASIS, "Assertions and protocols for the OASIS security assertion markup language (SAML) v2.0," OASIS Standard saml-core-2.0-os, Mar. 2005.
32. OpenID Foundation, "OpenID authentication 2.0-final specification," Dec. 2007.
33. E. Brickell, J. Camenisch, and L. Chen, "Direct anonymous attestation," in Proc. ACM Conference on Computer and Communications Security (CCS), 2004.
34. E. Cesena, H. Löhr, G. Ramunno, A.-R. Sadeghi, and D. Vernizzi, "Anonymous authentication with TLS and DAA," in Proc. Conference on Trust and Trustworthy Computing (TRUST), 2010.
35. FreeWebShop.org, http://www.freewebshop.org.
36. B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer, "Xen and the art of virtualization," in Proc. ACM Symposium on Operating Systems Principles (SOSP), 2003.
37. K. Chen, "Reversing and exploiting an Apple firmware update," in Black Hat, 2009.
38. M. AlZomai, B. AlFayyadh, A. Jøsang, and A. McCullagh, "An experimental investigation of the usability of transaction authorization in online bank security systems," in Proc. Australasian Information Security Conference (ACSC), 2008.
39. S. Balfe and K. G. Paterson, "e-EMV: Emulating EMV for internet payments with trusted computing technologies," in Proc. ACM Workshop on Scalable Trusted Computing (STC), 2008.
40. B. Parno, C. Kuo, and A. Perrig, "Phoolproof phishing prevention," in Proc. Financial Cryptography and Data Security Conference, 2006.
41. IBM Zurich Research Lab, "Security on a stick," Press release, Oct. 2008.
42. A. Vapen, D. Byers, and N. Shahmehri, "2-clickAuth - optical challenge-response authentication," in Proc. Conference on Availability, Reliability and Security (ARES), 2010.
43. T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch, "The Zurich Trusted Information Channel - an efficient defence against man-in-the-middle and malicious software attacks," in Proc. Conference on Trust and Trustworthy Computing (TRUST), 2008.
44. "Elevated privileges," CVE-2007-4993, 2007.
45. "The CPU hardware emulation does not properly handle the Trap flag," CVE-2008-4915 (under review), 2008.
46. R. Wojtczuk, "Subverting the Xen hypervisor," Invisible Things Lab, 2008.
47. J. Azema and G. Fayad, "M-Shield mobile security technology: making wireless secure," Texas Instruments, Feb. 2008, http://focus.ti.com/pdfs/ wtbu/timshieldwhitepaper.pdf.
48. R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy, "Not-a-Bot (NAB): Improving Service Availability in the Face of Botnet Attacks," in Proc. Network Systems Design and Implementation (NSDI), Apr. 2009.
49. D. Grawrock, Dynamics of a Trusted Platform: A Building Block Approach. Intel Press, 2008.
50. T. Alves and D. Felton, "TrustZone: Integrated hardware and software security," Information Quaterly, vol. 3, no. 4, 2004.
51. K. Kostiainen, J.-E. Ekberg, N. Asokan, and A. Rantala, "On-board credentials with open provisioning," in Proc. Symposium on Information, Computer, and Communications Security (ASIACCS), 2009.
52. K. Shimizu, "The Cell Broadband Engine processor security architecture," http://www.ibm.com/developerworks/power/library/pa- cellsecurity/, Apr 2006.