[Resource Topic] 2017/1245: IntegriKey: End-to-End Integrity Protection of User Input

Welcome to the resource topic for 2017/1245

Title:
IntegriKey: End-to-End Integrity Protection of User Input

Authors: Aritra Dhar, Der-Yeuan Yu, Kari Kostiainen, Srdjan Capkun

Abstract:

Various safety-critical devices, such as industrial control systems, medical devices, and home automation systems, are configured through web interfaces from remote hosts that are standard PCs. The communication link from the host to the safety-critical device is typically easy to protect, but if the host gets compromised, the adversary can manipulate any user-provided configuration settings with severe consequences including safety violations. In this paper, we propose IntegriKey, a novel system for user input integrity protection in compromised host. The user installs a simple plug-and-play device between the input peripheral and the host. This device observes user input events and sends a trace of them to the server that compares the trace to the application payload received from the untrusted host. To prevent subtle attacks where the adversary exchanges values from interchangeable input fields, we propose a labeling scheme where the user annotates input values. We built a prototype of IntegriKey, using an embedded USB bridge, and our experiments show that such integrity protection adds only minor delay. We also developed a UI analysis tool that helps developers to protect their services and evaluated it on commercial safety-critical systems.

ePrint: https://eprint.iacr.org/2017/1245

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .