IntegriScreen: Visually Supervising Remote User Interactions on Compromised Clients
arXiv - CS - Human-Computer Interaction | Pub Date: 2020-11-27 | DOI: arxiv-2011.13979
Ivo Sluganovic, Enis Ulqinaku, Aritra Dhar, Daniele Lain, Srdjan Capkun, Ivan Martinovic

Remote services and applications that users access via their local clients (laptops or desktops) usually assume that, following a successful user authentication at the beginning of the session, all subsequent communication reflects the user's intent. However, this does not hold if the adversary gains control of the client and can therefore manipulate both what the user sees and what is sent to the remote server. To protect the user's communication with the remote server despite a potentially compromised local client, we propose the concept of continuous visual supervision by a second device equipped with a camera. Motivated by the rapid increase in the number of new devices with front-facing cameras, such as augmented reality headsets and smart home assistants, we build upon the core idea that the user's actual intended input is what is shown on the client's screen, regardless of what ends up being sent to the remote server. A statically positioned camera-enabled device can therefore continuously analyze the client's screen and enforce that the client behaves honestly even if it is malicious. We evaluate the present-day feasibility and deployability of this concept by developing a fully functional prototype, running a host of experimental tests on three different mobile devices, and conducting a user study in which we analyze participants' use of the system during various simulated attacks. The experimental evaluation confirms the feasibility of the concept of visual supervision: the system consistently detects over 98% of the evaluated attacks, while study participants with little instruction detect the remaining attacks with high probability.

Updated: 2020-12-01