A secure user interface for web applications running under an untrusted operating system

Chunxiao Li, Anand Raghunathan, Niraj K. Jha

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

2 Scopus citations

Abstract

Many security-critical web applications, such as online banking and e-commerce, require a secure communication path between the user and a remote server. Securing this end-to-end path is challenging and can be broken down into several segments. The network part between the user's machine and the server is usually well protected, using secure communication protocols, such as the Transport Layer Security (TLS) protocol. However, the user's sensitive inputs (such as password and credit card number) are handled by the operating system (OS) and the web applications before being encrypted and passed on to the network; also, some sensitive information from the server (such as private account balance and transaction confirmation) is handled by OS/applications before being displayed to the user. This user interface part of the communication path, which includes the OS and web applications, is often untrusted because of possible malware (viruses, rootkits, spyware, etc.) and vulnerabilities within the client. In this paper, a secure user interface running under an untrusted OS is proposed, which is independent of the OS/applications and has a very small code base size. This secure user interface attests itself to the remote server and then handles the sensitive input and output by itself, bypassing the OS kernel and web applications. It utilizes network software stacks in the OS; however, the sensitive information is cryptographically protected before being revealed to the potentially malicious OS. This ensures the confidentiality and integrity of the sensitive information. Using this secure user interface, even while running under untrusted OS/applications, the user's sensitive input, private output, and transaction integrity can be protected.

Original language: English (US)
Title of host publication: Proceedings - 10th IEEE International Conference on Computer and Information Technology, CIT-2010, 7th IEEE International Conference on Embedded Software and Systems, ICESS-2010, ScalCom-2010
Pages: 865-870
Number of pages: 6
State: Published - 2010
Event: 10th IEEE International Conference on Computer and Information Technology, CIT-2010, 7th IEEE International Conference on Embedded Software and Systems, ICESS-2010, 10th IEEE Int. Conf. Scalable Computing and Communications, ScalCom-2010 - Bradford, United Kingdom
Duration: Jun 29 2010 - Jul 1 2010

Publication series

Name: Proceedings - 10th IEEE International Conference on Computer and Information Technology, CIT-2010, 7th IEEE International Conference on Embedded Software and Systems, ICESS-2010, ScalCom-2010

All Science Journal Classification (ASJC) codes

  • Computational Theory and Mathematics
  • Computer Networks and Communications
  • Software
