Our interactions with computers and hence the Internet rely heavily on a computer's input and output devices, namely the keyboard, mouse and display. A majority of these interactions are driven by the information that is presented to a user on the display. The content and source of this information is usually processed and taken for granted by a user, increasingly leading to phishing, spoofing, virtualisation, and other visually-based attacks. These attacks are successful because the information displayed to the user is what they expect to see. As attackers become savvier, users will find it increasingly difficult to determine the integrity of visual information presented to them.
Not only is it difficult for the user to determine the integrity of the presented information, but it is also becoming increasingly difficult for users to guarantee the integrity of their computer systems. Consequently they can have little confidence in the confidentiality of their data, particularly when using remote inter-networked applications such as web banking. Malware can attack operating systems, leaking sensitive, private information over the network. Malicious software hooks can be installed which copy keyboard and mouse events, capture the screen buffer, insert and modify network traffic and otherwise interpose on a user's interactions with the computer. Hostile websites or cross-site scripting attacks target web-based applications, enabling full exploitation of the client or other attacks designed to fool users into revealing sensitive information. These are only a few of the mechanisms available to the attacker. To mitigate such risks, a knowledgeable user needs to ensure that their operating system and applications are regularly patched, maintain well-configured personal firewall and anti-spyware protective measures, and employ ‘safe browsing practices’. Even with all these measures the user remains reliant on the integrity and timeliness of the automated patch process, for both the operating system and applications, and on the integrity of their hardware. The use of machines of unknown integrity specifically precludes any form of trust; most Commercial Off The Shelf (COTS) equipment falls into this category.
The specification uses the terms trusted and untrusted, which can have specific meanings to those skilled in the art of computer security. The use of these terms herein is not limited to those special meanings; in certain contexts their meaning may include trustworthy and untrustworthy, which can be understood to mean that the level of trust is relative to the circumstances and the risks associated therewith. As such, there can be a single level or multiple levels of trust, not only in the hardware but also in the software used to implement one or more of the embodiments of the invention, as well as in data received and sent in whatever format that may be. The above discussion of the concept of trust also assumes absolute trust in the human user of the relevant software and hardware.
In the context of this invention, depending upon the circumstances of use, a user needs to trust the invention to perform certain operations in a manner resistant to tampering or malicious modification. This level of resistance is dependent on the circumstances of use, and varying mechanisms have been employed to provide the requisite level of trust. Further mechanisms to provide physical, communications and computer security are known to those skilled in the art. The invention can be used with untrusted infrastructure, where it can be assumed that any possible malicious modification that can be made to a system has occurred and no trust can be placed in any actions of the system.
Extant and proposed work on ensuring the veracity of displayed information and input devices has focused on trusted systems, trusted displays, and securing content and delivery. Significantly this invention utilises existing communication channels and computing infrastructure such as the untrusted digital communications networks with a novel in-band addition to achieve requisite functionality and trust.
Trusted Systems
Much work has been done on securing computing systems and applications, with high grade systems almost universally requiring a Trusted Computing Base utilising trusted paths for the input and output. Boebert WO94/01821 proposed trusted paths for the keyboard and display, with a Trusted Path Subsystem providing encryption of keyboard input and generation of video output from received encrypted video packets. This system utilised an out-of-band mechanism for delivery of the trusted content and input redirection, and required the trusted content be stored within the device before video generation.
Trusted Displays
Existing trusted displays are generally integrated with a trusted computing platform and form an integral part of a complete trusted system, relying on tamper resistance and tight hardware integration to provide integrity of displayed information. Trusted Display Processors have been proposed that can display a bitmap image in a trusted fashion. A typically proposed module utilises a smart card to provide cryptographic support and would be able to check the signature on a bitmap image that is sent to the module. The bitmap image is then displayed and an indication of trust given; one proposed method of indicating trust was to utilise a unique watermark displayed to the user.
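The following is an added example, not code from the patent or from any of the Trusted Display Processor proposals it summarises. It models the verify-then-display flow described above: a module holding a key accepts a bitmap and its signature, displays the bitmap with a trust watermark only if the signature verifies, and otherwise fails closed. For a self-contained script the smart card's signature check is stood in for by an HMAC over the bitmap bytes with a constructed key (an assumption made for this example; a real module would verify an asymmetric signature so that the verification key need not be secret). The bitmap bytes, key, and the `TRUST_WATERMARK` string are all constructed here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the key held inside the module's smart card.
# Assumption for this example only: a symmetric HMAC key replaces the
# asymmetric signature key the text implies, so the script runs offline.
MODULE_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed stand-in for the unique watermark the module would overlay
# on a verified image; the real watermark would be a per-user image.
TRUST_WATERMARK = "[TRUSTED]"


@dataclass(frozen=True)
class DisplayResult:
    """What the module did with the submitted bitmap."""
    rendered: bool      # True only if the bitmap was shown
    watermark: str      # trust indicator overlaid on a verified bitmap
    reason: str         # human-readable outcome for logging


def sign_bitmap(bitmap: bytes, key: bytes = MODULE_KEY) -> bytes:
    """Publisher side: produce the tag sent alongside the bitmap.

    Stand-in for the signature the module is expected to check."""
    return hmac.new(key, bitmap, hashlib.sha256).digest()


def trusted_display(bitmap: bytes, signature: bytes,
                    key: bytes = MODULE_KEY) -> DisplayResult:
    """Module side: verify first, display only on success (fail closed).

    An unverified bitmap is never rendered, so the watermark can only ever
    appear over content whose signature checked out."""
    expected = hmac.new(key, bitmap, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(expected, signature):
        return DisplayResult(False, "", "signature mismatch: bitmap not displayed")
    return DisplayResult(True, TRUST_WATERMARK, "signature verified")


def tamper(bitmap: bytes) -> bytes:
    """Flip one byte, modelling an attacker altering the image in transit."""
    altered = bytearray(bitmap)
    altered[0] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    # Constructed bitmap payload; a real module would receive image data.
    bitmap = b"BMP:balance=1000.00"
    sig = sign_bitmap(bitmap)
    print(trusted_display(bitmap, sig))           # rendered, watermarked
    print(trusted_display(tamper(bitmap), sig))   # refused, no watermark
```

The point the example isolates is the fail-closed ordering: the watermark is produced by the same code path that performed the check, so an attacker who can alter the bitmap on its way to the module cannot also obtain the trust indication. What the model does not capture is the local-only, non-real-time nature of these proposals, which the following paragraph discusses.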
Extant and proposed solutions seek to provide a trusted manner in which to view and hence verify a digital document residing on a local machine. The Trusted Display Processors do not propose real-time operation and are not manipulating digital video streams. The applications presented were for local verification of local bitmap images.
Content Protection
HDCP is a point-to-point protocol (not end-to-end) which is used to secure the entire content of a digital video stream as it travels from a transmitter (DVD player, PC, etc.) to a receiver (digital display). The idea is to protect the content that will be streamed across the link, i.e. to prevent the digital stream from being ‘ripped’ to another medium. A transmitter encrypts every pixel sent to the receiver and the receiver is able to decrypt the stream before displaying it. HDCP command and control is performed out of band through a secondary (I2C) link between the transmitter and receiver. The transmitters and receivers are keyed at manufacture and can negotiate a mutual key for the link encryption. HDCP-protected media can only be played with an HDCP transmitter and corresponding receiver.
Secure Application Delivery
Remote desktop applications exist for most platforms and allow a user to access a remote server over a network connection. These applications differ in their level of integration with the operating system, their authentication mechanisms, and their network security schemes.
Significantly, no existing application architecture takes into account the trust state of a user's computer (either software or hardware), allowing the integrity and privacy of any action performed by the user on that computer, including for example a remote session, to be compromised by an attacker with control of the user's computer. The invention described herein extends the trust boundary to the computer's display and peripherals and bypasses such an attacker.