Securing Network Input via a Trusted Input Proxy

The increasing popularity of online transactions involving sensitive personal data, such as bank account and social security numbers, has created a huge security problem for today’s computer users. Malicious software (malware) that steals passwords and other critical user input has led to countless cases of identity theft and financial fraud. Client computers remain susceptible to key logging attacks due to inadequate defense against drive-by malware installation. Trusted browsing virtual machines attempt to mitigate this problem, but fail to protect against many runtime and Trojan horse malware attacks. One option for securely acquiring sensitive input is TPM-verified trusted execution. While this method promises to provide the best security, it has serious usability limitations and would require extensive modifications to both the client and the server. We propose a new approach for securing network input that relies on a Trusted Input Proxy (TIP). The TIP runs as a module in a virtual machine architecture that proxies secure network connections. When a user wishes to enter sensitive data, he or she presses an escape sequence that triggers the TIP to display a secure input dialog. The TIP will automatically generate a placeholder value based on the input using regular expression approximation (e.g. 123-45-6789 for a SSN). It will then send key presses for the placeholder to the application. Finally, the TIP will substitute actual data for placeholders as it relays network messages to the server. Although the Trusted Input Proxy approach relies on a slightly larger trusted code base, it requires no modifications to the server, very few to the client, and is far more usable than TPM-verified execution. In this paper, we present the initial design of a Trusted Input Proxy and compare its merits and shortcomings to those of other approaches.