Gyrus: A Framework for User-Intent Monitoring of Text-based Networked Applications

Traditional security systems have largely focused on attack detection. Unfortunately, accurately identifying the latest attack has proven to be a never-ending cycle. In this paper, we propose a way to break this cycle by ensuring that a system's behavior matches the user's intent. Since our approach is attack agnostic, it will scale better than traditional security systems. There are two key components to our approach. First, we capture the user's intent through their interactions with an application. Second, we verify that the resulting system output can be mapped back to the user's interactions. To demonstrate how this works we created Gyrus, a research prototype that observes user interactions for common tasks such as sending email, instant messaging, online social networking, and online financial services. Gyrus secures these applications from malicious behavior such as spam and wire fraud by allowing only outgoing traffic with content that matches the user's intent. To understand how Gyrus captures user intent, consider the case of a text- based application. In this case the user's input is displayed on the screen so the user can confirm that their input is correct. Gyrus builds on this concept by focusing on what is being displayed to the user instead of what the user has typed or clicked. We call this the "what you see is what you send (WYSIWYS)" policy. We implemented Gyrus under a standard virtualization environment, and our prototype system successfully stops malware from sending unintended content over the network. Our evaluation shows that Gyrus is very efficient and introduces no noticeable delay to a users' interaction with the protected applications.

[1]  Sanjeev Arora,et al.  Probabilistic checking of proofs: a new characterization of NP , 1998, JACM.

[2]  Ben Shneiderman,et al.  Designing the User Interface: Strategies for Effective Human-Computer Interaction , 1998 .

[3]  Randy H. Katz,et al.  Design and implementation of an extrusion-based break-in detector for personal computers , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[4]  Hari Balakrishnan,et al.  Not-a-Bot: Improving Service Availability in the Face of Botnet Attacks , 2009, NSDI.

[5]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[6]  Benjamin Braun,et al.  Taking Proof-Based Verified Computation a Few Steps Closer to Practicality , 2012, USENIX Security Symposium.

[7]  Zhi Wang,et al.  Taming Hosted Hypervisors with (Mostly) Deprivileged Execution , 2013, NDSS.

[8]  Helen J. Wang,et al.  User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems , 2012, 2012 IEEE Symposium on Security and Privacy.

[9]  Shigeru Chiba,et al.  BitVisor: a thin hypervisor for enforcing i/o device security , 2009, VEE '09.

[10]  Samuel T. King,et al.  Detecting past and present intrusions through vulnerability-specific predicates , 2005, SOSP '05.

[11]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[12]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[13]  Jun Zhu,et al.  Breaking up is hard to do: security and functionality in a commodity hypervisor , 2011, SOSP.

[14]  Jakob Nielsen Book review: Designing the User Interface: Strategies for Effective Human-Computer Interaction by Ben Shneiderman (Addison-Wesley, 1987) , 1987, SGCH.

[15]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[16]  Hermann Härtig,et al.  Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors , 2004, EW 11.

[17]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[18]  Stuart E. Madnick,et al.  Application and analysis of the virtual machine approach to information system security and isolation , 1973, Workshop on Virtual Computer Systems.

[19]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[20]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[21]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[22]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[23]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[24]  Stephen McCamant,et al.  Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems , 2012, USENIX Annual Technical Conference.

[25]  Craig Gentry,et al.  A fully homomorphic encryption scheme , 2009 .

[26]  Srinath T. V. Setty,et al.  Making argument systems for outsourced computation practical (sometimes) , 2012, NDSS.