DocumentCode
2777122
Title
Accessing Trusted Web Sites from Low-Integrity Systems without End-Host Snooping
Author
Lau, Billy ; Prakash, Atul ; Annamalai, Venkatanathan
Author_Institution
Univ. of Michigan, Ann Arbor, MI, USA
fYear
2011
fDate
9-11 Oct. 2011
Firstpage
1012
Lastpage
1019
Abstract
The weakest link in secure web site access is often the end-host. Any malicious software installed there, or a runtime browser compromise, can lead to theft of critical information which is stored locally. Today's state-of-the-art in host-based intrusion detection and prevention systems has not succeeded in eradicating this problem. In this paper, we introduce an orthogonal solution: a system that guarantees the confidentiality of sensitive documents produced during web transactions, even on a compromised browser or operating system. Compared to other solutions that utilize virtual machines, our approach does not require the user to run multiple guests and switch between them. Rather, to get the guarantees, users can switch the mode of operation of their current system to custom-defined compartments when necessary. Documents created in a specific compartment will only be accessible within that compartment and can only flow between the authorized sites stated in the corresponding compartment policy. The system only requires a trusted hypervisor within which the user's low-integrity OS runs as a guest. We describe the architecture of the system, a prototype implementation, and the modifications to the hypervisor to make transitions into and out of secure compartment(s) fast enough for interactive use.
Keywords
Web sites; authorisation; data integrity; document handling; online front-ends; operating systems (computers); trusted computing; virtual machines; Web transaction; authorized site; compartment policy; custom-defined compartment; end-host snooping; host-based intrusion detection; low integrity OS; low integrity system; malicious software; operating system; prevention system; run-time browser compromise; secure Web site access; secure compartment; trusted Web site; trusted hypervisor; virtual machine; Cloning; Linux; Malware; Software; Switches; Virtual machine monitors; Web sites;
fLanguage
English
Publisher
ieee
Conference_Titel
Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on
Conference_Location
Boston, MA
Print_ISBN
978-1-4577-1931-8
Type
conf
DOI
10.1109/PASSAT/SocialCom.2011.162
Filename
6113253