Abstract. We present an architecture for split-trust browsing: a technique that enables web applications to split their HTML across a pair of browsers—one untrusted browser running on a PC and one trusted browser running on a user’s personal device. Information entered via the personal device’s keypad cannot be read by the PC, thwarting PC-based keyloggers. Similarly, information displayed on the personal device's screen is also hidden from the PC, preserving the confidentiality and integrity of security-critical data even in the presence of screengrabbing attacks and compromised PC browsers. We present a Security Policy Model for split-trust web applications that affords defence against a range of crimeware-based attacks, including those based on active-injection (e.g. inserting malicious packets into the network or spoofing user-input events). Performance results of a prototype split-trust implementation are presented, using a commercially available cell phone as a trusted personal device.
Authors. Richard Sharp, Anil Madhavapeddy, Roy Want, Trevor Pering and John Light
See Also. This publication was part of my Ubiquitous Interaction Devices project.