Thwarting Malware and UI Redressing Attacks with Verifiable User Actions

David Evans
University of Washington
1 May 2009

Abstract

User intentions are at the heart of security, but current systems do not consider them in any systematic way. Information about user intentions can be used to construct better access control policies, thwart misdirection attacks such as phishing and clickjacking, and support other security techniques such as anomaly-based intrusion detection. Any decision based on user intentions requires a secure method for collecting user behavior, including information about the user interface elements with which the user is interacting.

We present a method for securely recording user interactions with graphical user interfaces. Our approach combines direct observation of user interface elements within the operating system with external observation of user input and graphical output. We compare the rendered output against reference bitmap images to verify the visual consistency of the user interface elements, so that a click is only credited to an element that actually appeared on screen as expected. We demonstrate that policies taking advantage of information about user intentions can limit damage caused by malware and thwart misdirection attacks such as clickjacking and cross-site request forgery.
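The following Python sketch is an added illustration of the idea described above and is not code from the paper or from Shirley and Evans. It models the three ingredients the abstract names: an OS-side registry of user interface elements (position, expected appearance, and the sensitive action a click on each one authorizes), an externally observed screen buffer and click stream, and a policy that only permits a sensitive action when a click landed on an element whose on-screen pixels match its reference bitmap within a short time window. All class and function names (`UIElement`, `Screen`, `IntentMonitor`, `bitmaps_match`, `demo`) and the tiny 3x3 "button" are constructed for this example.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Bitmap = Tuple[Tuple[int, ...], ...]  # rows of 8-bit grayscale pixel values


class UIElement(NamedTuple):
    """OS-side view of a widget: where it is, what it should look like,
    and which sensitive action a click on it is allowed to authorize."""
    name: str
    x: int
    y: int
    bitmap: Bitmap
    grants: str


class Click(NamedTuple):
    """Externally observed input event (screen coordinates, time in seconds)."""
    x: int
    y: int
    t: float


class Screen:
    """Externally observed graphical output: a captured framebuffer."""

    def __init__(self, width: int, height: int, fill: int = 0) -> None:
        self.px = [[fill] * width for _ in range(height)]

    def blit(self, x: int, y: int, bitmap: Bitmap) -> None:
        for dy, row in enumerate(bitmap):
            for dx, value in enumerate(row):
                self.px[y + dy][x + dx] = value

    def region(self, x: int, y: int, w: int, h: int) -> Bitmap:
        return tuple(tuple(self.px[y + dy][x + dx] for dx in range(w)) for dy in range(h))


def bitmaps_match(expected: Bitmap, observed: Bitmap, max_mismatch: int = 0) -> bool:
    """Pixel-wise comparison; max_mismatch tolerates a few anti-aliasing differences."""
    if len(expected) != len(observed) or any(len(a) != len(b) for a, b in zip(expected, observed)):
        return False
    diffs = sum(1 for ea, oa in zip(expected, observed) for e, o in zip(ea, oa) if e != o)
    return diffs <= max_mismatch


class IntentMonitor:
    """Records clicks that verifiably hit a correctly rendered element and
    gates sensitive actions on the existence of such a recent click."""

    def __init__(self, elements: List[UIElement], window: float = 2.0) -> None:
        self.elements = elements
        self.window = window  # seconds a verified click stays usable
        self.verified: List[Tuple[str, float]] = []  # (action, click time)

    def element_at(self, x: int, y: int) -> Optional[UIElement]:
        for e in self.elements:
            h, w = len(e.bitmap), len(e.bitmap[0])
            if e.x <= x < e.x + w and e.y <= y < e.y + h:
                return e
        return None

    def record_click(self, click: Click, screen: Screen) -> Optional[str]:
        """Return the action this click verifiably authorizes, or None."""
        e = self.element_at(click.x, click.y)
        if e is None:
            return None
        h, w = len(e.bitmap), len(e.bitmap[0])
        if not bitmaps_match(e.bitmap, screen.region(e.x, e.y, w, h)):
            # The pixels the user actually saw are not the element's own:
            # something was drawn in its place (UI redressing suspected).
            return None
        self.verified.append((e.grants, click.t))
        return e.grants

    def authorize(self, action: str, now: float) -> bool:
        """Policy: a sensitive action needs one fresh, verified click; each click is consumed."""
        for i, (granted, t) in enumerate(self.verified):
            if granted == action and 0 <= now - t <= self.window:
                del self.verified[i]
                return True
        return False


def demo() -> Dict[str, bool]:
    """Four scenarios: genuine click, no click at all, redressed click, stale click."""
    pay_btn = UIElement("Pay", 10, 10, ((200, 200, 200), (200, 50, 200), (200, 200, 200)), "send_payment")
    mon = IntentMonitor([pay_btn])
    screen = Screen(32, 32)
    screen.blit(pay_btn.x, pay_btn.y, pay_btn.bitmap)

    mon.record_click(Click(11, 11, 1.0), screen)            # user really clicked the real button
    legit = mon.authorize("send_payment", now=1.5)

    silent = mon.authorize("send_payment", now=2.0)          # malware or CSRF: no click behind the request

    screen.blit(pay_btn.x, pay_btn.y, ((0, 0, 0),) * 3)       # decoy content drawn where the button is
    mon.record_click(Click(11, 11, 3.0), screen)            # click lands on the button, user saw the decoy
    redressed = mon.authorize("send_payment", now=3.2)

    screen.blit(pay_btn.x, pay_btn.y, pay_btn.bitmap)
    mon.record_click(Click(11, 11, 4.0), screen)            # genuine click, but the action comes too late
    stale = mon.authorize("send_payment", now=10.0)

    return {"legit": legit, "silent": silent, "redressed": redressed, "stale": stale}
```

The exact-match comparison and the two-second window are placeholders; a real deployment would need tolerance for themes, anti-aliasing and scaling, and the click record itself must be collected outside the reach of the code it is policing, which is the part of the problem the talk addresses.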

This talk describes work primarily done by Jeff Shirley.

Slides: [PPS, PDF]