Using Context and Interactions to Verify User-Intended Network Requests
Client-side malware can attack users by tampering with applications or user
interfaces to generate requests that users did not intend. We propose Verified
Intention (VInt), which ensures a network request, as received by a service, is
user-intended. VInt is based on "seeing what the user sees" (context). VInt
screenshots the user interface as the user interacts with a security-sensitive
form. There are two main components. First, VInt ensures output integrity and
authenticity by validating the context, ensuring the user sees correctly
rendered information. Second, VInt extracts user-intended inputs from the
on-screen user-provided inputs, with the assumption that a human user checks
what they entered. Using the user-intended inputs, VInt deems a request to be
user-intended if the request is generated properly from the user-intended
inputs while the user is shown the correct information. VInt is implemented
using image analysis and Optical Character Recognition (OCR). Our evaluation
shows that VInt is accurate and efficient.