Switchman OS and its architecture
Modern PC operating systems (including Linux, MAC, and Windows) offer user-level APIs to allow one application to access another application’s I / O path. This design facilitates the exchange of information between applications and allows applications such as screenshots. However, user-level malware also allows you to record a user’s keystrokes or wipe the user’s screen. In this section, we explore SwitchMan’s design to protect user I / O paths from user-level malware attacks. SwitchMan assigns two accounts to each user: normal for normal operation and secure for sensitive data input and output. Each user account runs in a separate virtual terminal. Malicious software running under a normal user account cannot access sensitive entries / output in the user’s secure account.
An important goal of cybersecurity is to protect private user data from unauthorized access or modification. In recent years, we’ve seen a wide range of new technologies to protect user data, including full-disk encryption, secure data transfer protocols like TLS / SSL, and secure cloud storage. However, the user’s sensitive input / output data remains vulnerable to data theft attacks with malware residing on the user’s computer. Keyloggers can capture the user’s every touch, and screen scrapers can take snapshots of any displayed window. For example, between 2013 and 2015, attackers infected the bank’s computers with Carbanak malicious software [1], then recorded video of the victim’s screen and keystrokes to obtain sensitive bank details. They successfully stole money from around 100 financial institutions and the total financial loss was nearly $ 1 billion.
Protecting sensitive user inputs / outputs is challenging because modern PC operating systems (including Linux, MAC, or Windows) offer user-level APIs for one application to share I / O with another application. with the same user ID. For example, X11 offers a feature called XGrabKeyboard () that allows an app to capture events on another app’s keyboard. When a client application connects to an X server, it shares its I / O paths with all clients connected to the same X server. These feature calls allow any malware to steal keyboard and screen input from applications users.
There are previous proposals to address this challenge in four broad areas. Working in the first department protects the user’s I / O paths at the hardware level. The second category works suggest the use of another mobile device as a reliable input / output device [3] – [4] [5] [6] [7] [8]. Third sector work uses significant tools to separate reliable applications [9], [10]. Finally, the work in the fourth section aims to improve the operating system by introducing precise I / O access control so that one application does not enter another application’s I / O path by default [11] – [12 ] [13] [14]].
Each of the above solutions requires a reliable computation basis (TCB). However, all of them require critical user management to achieve the desired level of security. The user must determine sensitive data and then switch to a trusted device (such as a mobile device) or a trusted terminal (such as running a trusted virtual machine) or both to enter / extract sensitive information. I guess it is difficult for a novice user to manage these tasks. Therefore, it is useful to explore an alternative format that can automatically handle the data entry / production conversion of sensitive data without user involvement.
For this work we propose SwitchMan, a framework that allows a server to transform a user into a secure site for a sensitive import / producer. Central SwitchMan contains a protocol that allows a remote server (e.g. a web server) to install a secure terminal switching request in its traffic path even if the client software (e.g. Browser) is untrusted (§ IV-C ). The client managed TCB will intercept the application and convert the user to a safe location.
The SwitchMan architecture can support different TCBs. One way to choose is to run a secure plug into a trusted VM and allow the VM manager to block switch requests. As a first step in this book, we hope we have relied on kernel OS and its graphics. We use the developer’s classification system to create a trusted lion / builder. This initial configuration allows us to quickly switch Switch-Man and measure its performance. Our future mission is to explore how to reduce TCB SwitchMana.
In the previous design, SwitchMan OS provided each user with two accounts: a stored account and a regular account. A secure account is an “app” account, so it only runs on small applications that the OS vendor trusts. The user cannot install any application on this account and can only use it as a trust, i.e. logging in and removing sensitive data. A regular user account is the same thing a user has today. It can be used without the above limitations.
We used the SwitchMan feature to implement Linux and tested its performance. We also did an initial check for safety and usage (§ VI). Our performance analysis shows that SwitchMan adds value to the existing system. Our usage analysis shows that SwitchMan is easier to use than previous plans.
In this project, we offer two donations. We first introduced the SwitchMan company to make it easier to secure user security / installation. Second, we used Linux to build the SwitchMan display and measured its performance. Our research shows that it improves the safety of the personal computer compared to its current status and is also easy to use. Our performance analysis shows that SwitchMan has a low cost.