Spyware Resistant Web Authentication Using Virtual Machines

Password collection by keyloggers and related malware is increasing at an alarming rate. We investigate client-only defenses and methods that require server-side assistance. Password hashing and password injection, in which passwords are isolated from spyware, provide protection against phishing, commonpassword attacks, and spyware on the client platform. To protect against network sniffing and dictionary attacks, we suggest an appropriate combination of password-authenticated key exchange (PAKE) and SSL. As further defense against pharming, cookie sniffing, and session hijacking, we propose a form of transaction confirmation over an authenticated channel. Our implemented and freely distributed client-side system providing all of these mechanisms consists of two components: a browser extension that runs in an untrusted environment, and an authentication agent that runs in an environment that is protected from spyware. Using a virtual machine monitor, the trusted and untrusted components can both run on the same physical machine.