EP2316088A2 - System and method for securing a user interface - Google Patents

System and method for securing a user interface

Info

Publication number: EP2316088A2
Authority: EP (European Patent Office)
Prior art keywords: user interface, information, software component, user, main part
Legal status: Withdrawn
Application number: EP09784296A
Other languages: German (de), French (fr)
Inventor: Nicolas Ponsini
Current assignee: Trusted Logic Mobility SAS
Original assignee: Trusted Logic SAS
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components to assure secure computing or processing of information
    • G06F 21/74 Protecting specific internal or peripheral components to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F 21/82 Protecting input, output or interconnection devices
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups, addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2105 Dual mode as a secondary aspect

Definitions

  • The invention relates to a system for securing a user interface, and to a method of securing such an interface.
  • The user interface is the interface through which the user of a computing machine, for example a computer or an embedded system, interacts with that machine.
  • The user interface includes one or more interface devices.
  • Interface devices are diverse. Some are input devices, which allow information to be entered into the machine. Others are output devices, which deliver information from the machine. Still others are input/output devices, which allow information to be entered into the machine or output from it.
  • Input devices include keyboards, mice and other pointing devices, pinpads (personal identification keypads), smart card readers, graphics tablets and microphones.
  • Output devices include screens and speakers.
  • Input/output devices include touch screens. In most cases, information is displayed in pixel mode on a screen, usually in a windowed environment, and the user uses a keyboard and a mouse, or the screen itself if it is touch-sensitive, to interact with the machine. It is then up to the applications controlling the interface to process and interpret the information coming from the user.
  • For example, a banking application first identifies the user by asking him to enter his customer number, which the user types on the computer keyboard.
  • The banking application then authenticates the client user by asking him to enter his secret access code using the keyboard of his computer and/or the mouse. If identification and authentication are validated by the banking application, it displays the state of the client user's account on the screen.
  • Such human/machine interactions are the target of many attacks. Some of them aim to recover the identifier and the secret access code of the client user, so that the attacker can consult the client's accounts at leisure, including making fraudulent transfers.
  • A first technique is to intercept and record all events related to the input devices of the user interface, in particular every key pressed by the user on the keyboard and/or every mouse click, and even every mouse movement. The identifier and access code of the client user are inevitably captured by the malicious application.
  • A second technique is to take control of the output devices of the interface, in particular the screen display, and to emulate or simulate the banking application.
  • The client user, who then believes he is dealing with the real banking application, provides his identifiers and access codes to the malicious application, which collects them for fraudulent use. Phishing is an example of such a practice.
  • A first known approach is to secure the driver software of the peripherals of the interface, for example the keyboard driver, the mouse driver and/or the driver of the screen's graphics card.
  • Such secure drivers include, for example, a secret key shared with the hardware they control, so that the information handled by the driver is encrypted and is therefore not accessible in clear to malicious applications.
  • As for the so-called Terra technology, disclosed in the document "Terra: A Virtual Machine-Based Platform for Trusted Computing", Tal Garfinkel et al., Computer Science Department, Stanford University, it has not been implemented commercially, essentially for the reasons mentioned above. That document itself confirms this, teaching in section 2.3 that "We have not implemented a secure user interface in our Terra prototype. We believe that the implementation of a secure user interface, which would allow the use of graphics hardware capabilities, should require additional hardware and software support."
  • A second approach uses security indicators in the user interface: as non-limiting examples, a small padlock in a corner of the browser, a red frame around a window, and/or a reserved banner at the top of the screen. A window, or information entered on the keyboard, is then considered trusted if the security indicator is present.
  • Such indicators are disclosed in particular in the international application published under number WO2007060322.
  • The security of this approach rests on the difficulty, for an attacker, of guessing all the indicators provided by the application and of displaying an indicator at the right location in the user interface. It is therefore a practical approach, commonly used in computing, but one that offers only a modest level of security, since displaying an indicator inside a window is potentially within reach of a reasonably skilled attacker.
  • A third approach relies on the L4 microkernel and L4Linux. L4Linux is the Linux operating system implemented as an application running above the L4 microkernel.
  • This particular application is thus seen as one application of the L4 microkernel, running in user mode.
  • The classic Linux window manager runs inside the L4Linux application.
  • Graphics events for the native L4 microkernel applications are handled directly by a first interface controller, Nitpicker, and are invisible to the Linux applications, and vice versa.
  • This third approach gives a good separation between applications.
  • However, it imposes a duplication of the user interface controllers, which means a larger code base, higher resource consumption and, of course, bugs to be fixed in each of the controllers, that is, technical support to be provided twice.
  • The problem the invention proposes to solve is to provide a system for securing a user interface comprising: a user interface managed by hardware devices; one or more applications using the user interface; one or more hardware devices of the user interface for interacting with that interface, these hardware devices being controlled by driver software; which overcomes the aforementioned drawbacks of the prior art and which, in particular, requires neither modification of the hardware devices nor duplication of interface controllers, while offering an adequate level of security against, for example, malicious applications that record keystrokes or phish.
  • The first object of the invention, which solves this problem, is a system for securing a user interface comprising: a user interface comprising one or more hardware devices of the user interface for interacting with that interface, these hardware peripherals being driven by driver software; one or more applications using the user interface; characterised in that it further comprises: a hypervisor having direct access to the hardware devices of the user interface; one or more virtual machines for executing the application or applications using the user interface, these virtual machines having no direct access to the hardware resources of the user interface; and a security software component comprising a front part controlled by the virtual machine(s), this front part being included in the virtual machine(s), and a main part controlled by the hypervisor, this main part being included in the hypervisor; the drivers of the hardware devices of the user interface being split into two parts, a main part placed under the control of the hypervisor and a front part placed under the control of the virtual machines, the front part of the security software component managing the front part of the drivers and the main part of the security software component managing the main part of the drivers.
  • Its second object is a method for securing a user interface, characterised in that it comprises the steps of: providing a user interface comprising one or more hardware peripherals of the user interface for interacting with that interface, these hardware devices being driven by driver software; providing a hypervisor, one or more virtual machines for executing one or more applications using the user interface, these virtual machines having no direct access to the hardware resources of the user interface, and a security software component comprising a front part controlled by the virtual machine(s) and included in them, and a main part controlled by the hypervisor and included in it; executing an application of a virtual machine; enabling a secure mode of the system at the request of the application; securely displaying information under the control of the main part of the security software component, the hypervisor accessing the hardware peripherals of the user interface directly; then disabling the secure mode of the system.
  • Advantageously: the hardware peripherals of the user interface comprise at least one user input device and a screen; the main part of the software component is able to display, and to control the display of, a graphical interface component in the user interface for the input of information by the user; the main part of the software component is able to validate identification and/or authentication information entered by the user; the information exchanged between the main part of the security component and its front part is secured by means of encryption and/or signature keys; the information exchanged between the front part of the security software component and an application of the virtual machine containing that front part is secured by means of encryption and/or signature keys; the method further comprises the following steps: the application requests the input of user information, the input request is transmitted to the main part of the software component, a graphical data entry component is displayed under the direct control of the security software component, the user enters the information, and the information is validated; the user information is validated either by the main part of the security software component, or is sent back to the front part of that component
  • FIG. 1 schematically shows the system according to the invention.
  • FIG. 2 is a diagram illustrating the steps of the method according to the invention for the secure entry of information into a graphical component.
  • FIG. 3 is a diagram illustrating the steps of the method according to the invention for the secure display of information.
  • The present invention relates to systems for securing a user interface.
  • The systems according to the invention are intended to be implemented, in particular but not exclusively, in embedded devices, which often have limited hardware resources compared with those available to computers, in particular personal computers. They may nevertheless apply to such computers as well.
  • The embedded devices particularly targeted by the invention are mass-produced portable devices such as smart cards associated with card readers themselves connected to a terminal, mobile phones optionally equipped with subscriber identity modules and having a screen, personal digital assistants, or any other small electronic device handling digital data.
  • The embedded devices according to the invention may or may not be provided with a processor. They include at least one and sometimes several memories.
  • The systems of the invention include a user interface comprising one or more hardware devices of the user interface, and one or more applications using the user interface.
  • The user interface is the interface through which the user of a computing machine, for example a computer or an embedded system, interacts with that machine.
  • The user interface comprises one or several hardware devices of the interface, which are driven by driver software.
  • The interface peripherals are diverse. Some are input devices, which allow information to be entered into the machine. Others are output devices, which deliver information from the machine. Still others are input/output devices, which allow information to be entered into the machine or output from it.
  • Input devices include keyboards, mice and other pointing devices, pinpads, smart card readers, graphics tablets and microphones.
  • Output devices include screens and speakers.
  • The applications using the user interface are the various applications that cause user interface events, for managing information entered by the user and/or presenting such information, or other information for the user's review.
  • The information entered by the user includes identification and/or authentication information.
  • Applications issue various requests, such as display or input requests.
  • An application may be, for example, a banking application that allows a user to access his bank accounts and make transfers.
  • The hardware devices of the user interface are the devices through which the user interacts with the interface. They are driven by driver software. They are, for example, keyboards, mice and screens, including touch screens.
  • The system according to the invention further comprises a hypervisor, one or more virtual machines, and a security software component called Secure UI in Figure 1.
  • The hypervisor, or privileged domain, is a software layer that allows one or more virtual machines to execute above it.
  • The hypervisor has direct access to the hardware resources of the user interface, and in particular to its peripherals. In the invention, it is the only entity with such direct access to these resources. The virtual machines have no direct access to the hardware devices; they do not have this privilege.
  • The virtual machines each include a guest operating system of their own and at least one application using the user interface, and they execute that application or those applications.
  • The virtual machines have either indirect access to the hardware devices, or access that may appear direct but in fact transits through the hypervisor. The so-called hardware accesses of the virtual machines, which are really indirect accesses to the interface peripherals, are thus mediated and controlled solely by the hypervisor. In addition, the virtual machines do not communicate with each other; they are isolated from one another.
  • The hypervisor may be, for example, the Xen virtualization architecture developed by the University of Cambridge (UK) or the VMware virtualization architecture.
  • In Xen terms, the role played here by the hypervisor is that of domain zero (dom0), the privileged control domain, which is itself a particular virtual machine running on the Xen hypervisor proper. It ensures the separation and isolation of the virtual machines, each of which corresponds to a specific unprivileged domain, domU, which does not have dom0's privileges. The privilege of physical access to the devices is thus delegated by the domU virtual machines to the hypervisor.
  • The hardware device drivers of the user interface are split into two parts.
  • A significant part of each driver is placed in, and runs in, the hypervisor, under its control. This is the part that physically manages access to the device.
  • The other part, smaller in size, is placed in, and runs in, each virtual machine, under that virtual machine's control.
  • This other part serves as a relay to the part of the driver located in the hypervisor.
  • The part of the driver contained in the hypervisor is referred to as the main part of the driver, or backend driver in Figure 1.
  • The part of the driver located in the virtual machines is called the front part of the driver, or frontend driver in Figure 1.
  • The security software component according to the invention is a component of the user interface intended to secure that interface.
  • This component comprises a front part, or Secure UI frontend, controlled by the virtual machine(s), and a main part, or Secure UI backend, controlled by the hypervisor.
  • The front part of the security software is included, that is to say integrated, in the virtual machine(s).
  • The main part of the security software is included, or integrated, in the hypervisor.
  • This component manages the hardware device drivers of the interface, for example the drivers of the keyboard, the screen, the mouse or the pinpad.
  • This component can be regarded as a driver of the hardware device drivers of the user interface.
  • The main part of this component interacts with the user's interface devices.
  • In operation, a virtual machine of the system first activates the front part of the security software component.
  • A security context is then created and various information is recorded, such as the identifier of the virtual machine. From then on the user interface is in so-called secure mode.
  • When an application A of that virtual machine wishes to authenticate a user, for example by having him enter a password or a personal identification number (PIN), it notifies its request to the front part of the security software component. That front part transmits the request to the main part of the component, in the hypervisor.
  • The main part can then decide whether or not to display on the screen a GUI component, more specifically a trusted window, for entering the password or PIN. If it decides to display this graphical component, the hypervisor directly accesses the graphics card or graphics component of the interface. More particularly, the main part of the security software component retrieves the frame buffer of the virtual machine concerned and inserts into it the display of the GUI component for entering the password or PIN, calling the driver of the graphics card or component to display it. A window appears on the screen of the user interface, and the user can enter his password or PIN, for example using the keyboard or a pinpad.
  • When the password or PIN is entered, the keyboard or pinpad driver is used. The information entered is sent directly to the main part of the user interface security software component.
  • Then either the main part of this component validates the password itself, or the password is transmitted to the front part of the security component.
  • If the main part of the security software component transmits the password to the front part, the latter can in turn validate the password/PIN or pass it to the application so that the application validates it.
  • The requests and information exchanged in the system are secure because they necessarily pass through the two parts of the security component.
  • An application B, for example a malicious one, contained in the same virtual machine as application A or in another virtual machine, can neither alter the display of the password entry graphical component nor alter the entry the user makes in it.
  • The display of the graphical component and the input of information by the user are entirely managed by the security software component, within the hypervisor. It is this component that decides to display a password/PIN entry graphical component and that accesses the hardware resources directly for this display. It is this component that decides the size and shape of the graphical input component. It is this component that receives the events entered by the user and handles that information.
  • The virtual machines cannot access the frame buffer or the information entered on the hardware devices of the user interface. They cannot bypass the hypervisor, because they have no direct access to the hardware devices. In this way the invention effectively secures the human/machine interactions.
  • The security software component is able to respond to the following commands, most of which appear in Figures 2 and 3.
  • The ACTIVATE command, issued by an application, creates a security context with a virtual machine, or with an application of a virtual machine. This is the command for entering secure mode.
  • The DEACTIVATE command switches from secure mode to non-secure mode. After this command, the user interface is no longer secure. Note that the secure context can only be deactivated by the component that commanded the activation of secure mode. That component can be authenticated using a signature key shared when the context was created.
  • The GET_DATA command can be issued by an application that requires the input of information such as a PIN, a password, an identifier or other data, and is addressed to the security software component.
  • The information obtained by executing this command is sent encrypted and signed to the front part of the security software component, or to the requesting application itself where keys have been shared with it.
  • The DISPLAY_DATA command requests the display of information in a trusted window.
  • The information is transmitted from the front part of the security software component, or from the application, to the main part of the component, and is then displayed in the user interface under the control of the hypervisor.
  • The main part of the security software component, which runs within the hypervisor, controls the formatting of this information.
  • The hypervisor can also display the source of the information.
  • Commands specific to entering passwords, PINs or other identification or authentication information may also be implemented in the method according to the invention.
  • This information is validated by comparison in the main part of the security software component, which runs in the hypervisor.
  • The result of the authentication, validated or not, is returned, for example encrypted and signed, to the front part of the security software component, or even to the requesting application if keys have been shared with it for this purpose.
  • The entry of the information under the control of the security software component, which executes in the hypervisor, may be performed by keyboard, by mouse, or by clicking on a pinpad, including the kind consisting of a window with on-screen keys on which the user must click.
  • The SET_PIN command, by which the sending application requests the update of the identification or authentication information held in the memory of the main part of the security software component, which executes in the hypervisor. Indeed, the identification or authentication information is validated, in the main part of the security software component, against data stored in its memory.
  • This command therefore allows modification of the data stored in the memory of the main part of the software component. It can be invoked a first time by any application that needs to establish reference information in the component's memory. Thereafter, that application can modify the information only on presentation and validation of the information currently stored.
  • A further command, by which the main part of the security software component, executing in the hypervisor, activates a particular device such as a smart card reader, requires the entry of an identification code, validates or rejects the code entered, and returns the result to the front part of the security software component, or even to the requesting application if keys have been shared for this purpose.
  • The security of the system according to the invention can advantageously be enhanced by securing the communication channel between the main part of the security software component and its front part.
  • To this end, signature and/or encryption keys are shared between the main and front parts of the component. These keys are used to secure the requests and responses that pass between them.
  • If identification information is validated by the front part of the component, that information is transmitted securely over the communication channel, encrypted and/or signed. Once signed and/or encrypted, it can no longer be modified and/or read by third-party virtual machines.
  • The security of the system according to the invention may also advantageously be enhanced by securing communications between the front part of the security software component and the or each application of the virtual machine containing that part.
  • To this end, encryption and/or signature keys are shared between the front part and the secured application. These keys make it possible to encrypt and/or sign the messages that pass between the two entities, in particular the identification or authentication information when it must be validated by the application itself.
  • The other applications of the virtual machine then cannot read and/or modify the information intended for the requesting application.
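The split between the front part and the main part, the secure-mode commands and the keyed channel described above, as an added example that is not part of the patent: a Python model of the Secure UI backend running in the hypervisor, with ACTIVATE, DEACTIVATE, GET_DATA and SET_PIN, a simulated hardware keyboard queue and per-VM frame buffers that only the backend composes onto the screen, and an encrypt-then-MAC channel between each VM's frontend and the backend. The class and method names, the message format, the SHA-256 counter-mode cipher, the 20-column text screen and the demo keys are all assumptions made for this example; the patent specifies none of them.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, n):
    # Toy counter mode over SHA-256, illustrative only; a real backend would use AES-GCM or similar.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, payload):
    """Encrypt-then-MAC a request or response with the key one frontend shares with the backend."""
    nonce, pt = secrets.token_bytes(16), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}

def unseal(key, msg):
    tag = hmac.new(key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):  # constant-time; rejects tampering and other domains' keys
        raise PermissionError("signature check failed")
    return json.loads(bytes(a ^ b for a, b in zip(msg["ct"], _keystream(key, msg["nonce"], len(msg["ct"])))))

class SecureUIBackend:  # main part of the security component: runs in the hypervisor, alone touches the hardware
    ROWS, COLS, TRUST_ROW = 4, 20, 0  # TRUST_ROW is reserved for the trusted window

    def __init__(self, channel_keys):
        self.keys = channel_keys  # vm_id -> key shared with that VM's Secure UI frontend
        self.fb = {vm: [" " * self.COLS] * self.ROWS for vm in channel_keys}  # per-VM frame buffers
        self.keyboard = []  # hardware input queue; guests never read it directly
        self.ctx, self.focused = None, next(iter(channel_keys))  # ctx = (vm_id, context_key) in secure mode
        self.trust_text, self.stored_pin = "", None

    def vm_draw(self, vm_id, row, text):
        """Frontend driver relay: a guest draws only into its own buffer, never onto the screen."""
        self.fb[vm_id][row] = text.ljust(self.COLS)[: self.COLS]

    def screen(self):
        """What the user sees: the focused guest's buffer with the trusted window inserted by the hypervisor."""
        rows = list(self.fb[self.focused])
        if self.ctx is not None:  # the reserved row names the source domain and carries the backend's text
            rows[self.TRUST_ROW] = f"[{self.ctx[0]}] {self.trust_text}".ljust(self.COLS)[: self.COLS]
        return rows

    def _require_ctx(self, vm_id):
        if self.ctx is None or self.ctx[0] != vm_id:
            raise PermissionError(f"{vm_id} holds no secure context")

    def activate(self, vm_id):  # ACTIVATE: enter secure mode on behalf of one domain
        if self.ctx is not None:
            raise PermissionError("secure mode already held by another domain")
        self.ctx, self.focused = (vm_id, secrets.token_bytes(32)), vm_id
        return seal(self.keys[vm_id], {"context_key": self.ctx[1].hex()})

    def deactivate(self, vm_id, proof):  # DEACTIVATE: only the holder of the context key may leave
        self._require_ctx(vm_id)
        expected = hmac.new(self.ctx[1], b"DEACTIVATE", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("deactivate proof invalid")
        self.ctx, self.trust_text = None, ""

    def get_data(self, vm_id, sealed):  # GET_DATA: show the prompt in the trusted window, read the device, reply
        self._require_ctx(vm_id)
        req = unseal(self.keys[vm_id], sealed)
        self.trust_text = req["prompt"]
        entered, self.keyboard = "".join(self.keyboard), []  # read straight from the backend driver
        if req.get("validate"):  # compare inside the hypervisor; the secret never reaches the guest
            ok = self.stored_pin is not None and hmac.compare_digest(entered.encode(), self.stored_pin.encode())
            return seal(self.keys[vm_id], {"valid": ok})
        return seal(self.keys[vm_id], {"data": entered})

    def set_pin(self, vm_id, sealed):  # SET_PIN: first enrolment is free, a change needs the old PIN
        self._require_ctx(vm_id)
        req = unseal(self.keys[vm_id], sealed)
        if self.stored_pin is not None and not hmac.compare_digest(req.get("old", "").encode(), self.stored_pin.encode()):
            raise PermissionError("current PIN must be presented to change it")
        self.stored_pin = req["new"]

def _refused(attempt):
    try:
        attempt()
        return False
    except PermissionError:
        return True

def scenario():
    """Bank app in VM 'A' authenticates the user while a malicious VM 'B' tries to interfere."""
    keys = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}  # constructed demo keys
    hv, out = SecureUIBackend(keys), {}
    ctx_key = bytes.fromhex(unseal(keys["A"], hv.activate("A"))["context_key"])
    hv.set_pin("A", seal(keys["A"], {"new": "4711"}))
    hv.vm_draw("A", 0, "FAKE PIN PROMPT")  # guest text on the reserved row is covered by the trusted window
    hv.keyboard.extend("4711")  # the user types on the real keyboard
    reply = hv.get_data("A", seal(keys["A"], {"prompt": "Enter PIN:", "validate": True}))
    out["valid"] = unseal(keys["A"], reply)["valid"]
    out["trusted_row"] = hv.screen()[0].rstrip()
    out["keys_left_for_b"] = list(hv.keyboard)  # nothing remains for a keylogger in B
    out["b_get_data"] = _refused(lambda: hv.get_data("B", seal(keys["B"], {"prompt": "PIN:"})))
    out["b_forged_request"] = _refused(lambda: hv.get_data("A", seal(keys["B"], {"prompt": "pwned"})))
    out["b_deactivate"] = _refused(lambda: hv.deactivate("A", hmac.new(keys["B"], b"DEACTIVATE", hashlib.sha256).digest()))
    hv.deactivate("A", hmac.new(ctx_key, b"DEACTIVATE", hashlib.sha256).digest())
    out["secure_mode_after"] = hv.ctx is not None
    return out
```

Running `scenario()` exercises the properties the page claims: the guest's own text on the reserved row never reaches the screen, the keystrokes are consumed in the hypervisor before any guest can log them, a request sealed under another domain's key fails the constant-time signature check, and only the holder of the context key issued at ACTIVATE can DEACTIVATE. The model also makes the trust assumptions explicit: whoever holds a VM's channel key speaks for that VM's frontend, so the scheme is only as strong as the hypervisor and the provisioning of those keys into each guest, which the page leaves unspecified.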


Abstract

The invention relates to a system for securing a user interface, comprising a user interface including one or more hardware peripheral devices of the user interface for interaction with that interface, these peripherals being driven by driver software, and one or more applications using the user interface. The invention also relates to a method for securing such an interface. The system of the invention is characterised in that it further comprises a hypervisor and one or more virtual machines, the drivers of the hardware peripherals of the user interface being divided into two parts, namely a main part under the control of the hypervisor and a front-end part under the control of the virtual machines, the front-end part of the securing software component managing the front-end part of the drivers and the main part of the securing software component managing the main part of the drivers. The invention can be used in particular in embedded systems.

Description

SYSTEME ET PROCEDE POUR LA SECURISATION D'UNE INTERFACE UTILISATEUR SYSTEM AND METHOD FOR SECURING A USER INTERFACE
L'invention concerne un système pour la sécurisation d'une interface utilisateur, ainsi qu'un procédé de sécurisation d'une telle interface.The invention relates to a system for securing a user interface, and a method of securing such an interface.
L'interface utilisateur est l'interface par laquelle un utilisateur d'une machine informatique, par exemple un ordinateur ou un système embarqué, dialogue avec cette machine. L'interface utilisateur comprend un ou plusieurs périphériques d'interface.The user interface is the interface through which a user of a computer machine, for example a computer or an embedded system, dialogs with this machine. The user interface includes one or more interface devices.
Les périphériques d'interface sont divers. Certains périphériques sont des périphériques dits d'entrée, qui permettent d'entrer des informations dans la machine. D'autres périphériques sont des périphériques dits de sortie, qui permettent d'obtenir des informations de la machine. D'autres périphériques d'interface encore sont des périphériques dits d'entrée/sortie, qui permettent d'entrer des informations dans la machine ou de sortir des informations de celle-ci.The interface devices are diverse. Some devices are so-called input devices, which allow you to enter information into the machine. Other devices are so-called output devices, which provide information from the machine. Other interface peripherals are so-called input / output devices, which allow to enter information into the machine or to output information from it.
Input devices include keyboards, mice and other pointing devices, PIN pads, smart card readers, graphics tablets and microphones. Output devices include screens and loudspeakers. Input/output devices include touch screens. In most cases information is displayed as pixels on a screen, usually in a windowing environment, and the user interacts with the machine through a keyboard and a mouse, or through the screen itself if it is touch-sensitive. It is then up to the applications controlling the interface to process and interpret the information coming from the user.
For example, when a user wants to consult a bank account over the Internet, the user interacts with a banking application through a screen and a keyboard and/or a mouse. The banking application first identifies the user by asking for a customer number, which the user types on the keyboard. It then authenticates the user by asking for a secret access code, entered with the keyboard and/or the mouse. If identification and authentication succeed, the banking application displays the state of the account on the screen.
Such human/machine interactions are exposed to many attacks. Some of them aim to capture the customer's identifier and secret access code so that the attacker can browse the accounts at leisure and, in particular, make fraudulent transfers.
In practice, two techniques are commonly used for this.
The first is to intercept and record every event from the input devices of the user interface, in particular every key pressed on the keyboard and/or every mouse click, and even mouse movements. The customer's identifier and access code inevitably end up in the hands of the malicious application.
The second is to take control of the output devices of the interface, in particular the screen, and to emulate or simulate the banking application. The customer, believing the genuine banking application is being used, hands identifiers and access codes to the malicious application, which collects them for fraudulent use. Phishing is an example of this practice.
To counter these attacks and, more generally, the trust problems of the relationship with the user interface, a first known approach is to secure the driver software of the interface peripherals: for example the keyboard and mouse drivers, and/or the driver of the screen's graphics card. Such secure drivers typically hold a secret key shared with the hardware they drive, so that the data handled by the driver is encrypted and is therefore not accessible in clear to malicious applications.
However, the development of secure drivers has been held back because it requires modifying the driven hardware, for example to embed the secret key shared with the driver. This modification is costly for hardware manufacturers.
Microsoft™ did propose an operating system, NGSCB, that implements secure drivers, as disclosed in the patent published as US2005/091503. However, not only does the technology of that computing base require modification of the driven hardware, either to encrypt/decrypt the exchanged data or to access a secure area, it also assumes that user input always passes through the machine's host operating system. The host operating system is an untrusted environment, so this remains a potential security weakness even when the data is encrypted: the host could, for example, destroy the input or simply fail to forward it. The same applies to the secure input described in the patent document published as EP1526425, which teaches that secure input intended for the secure kernel of the computing base (in practice the nexus™) travels through a software stack of the machine's host operating system.
As for the so-called Terra™ technology, disclosed in the document "Terra: A Virtual Machine-Based Platform for Trusted Computing", Tal Garfinkel et al., Computer Science Department, Stanford University, it has not been deployed commercially, essentially for the reasons given above. The document itself confirms this in section 2.3: "We have not implemented a secure user interface in our Terra prototype. We believe that implementing a secure user interface that would allow the use of graphics hardware capabilities would require additional hardware and software support."
A second approach to securing the user interface is to add security indicators to it: for instance, a small padlock in a corner of the browser, a red frame around a window, and/or a reserved banner at the top of the screen. A window, or information typed on the keyboard, is then considered trusted if the security indicator is present. Such indicators are disclosed in particular in international application WO2007060322. The NetTop™ prototype architecture described in Tech Trend Notes, Vol. 9, Issue 4, Fall 2000, pp. 1-8, and the Terra™ technology mentioned above, likewise reserve a portion of the screen to indicate which virtual machine currently controls the user interface. The security of this approach rests on the difficulty of guessing the full set of indicators used by the application and of drawing an indicator at the particular location of the user interface. It is therefore a practical approach, widely used in computing, but it offers only a modest level of security, since drawing an indicator inside a window is potentially within reach of a moderately skilled attacker.
A third approach is to duplicate the user interface controllers. If two applications A and B wish to protect themselves from each other and each runs its own user interface controller, the keyboard/screen events of application A are handled by A's controller and remain invisible to B, and vice versa. This technique is used by the operating systems research group of the Technical University of Dresden in its secure graphical user interface demonstration. There, a first interface controller, Nitpicker™, sits on top of the L4 microkernel and controls the graphical user interface for that microkernel's applications. A second interface controller sits inside a particular application, L4Linux, which is the Linux operating system implemented as an application on top of the L4 microkernel; L4 therefore sees it as an ordinary application running in user mode. The classic Linux window manager lives inside L4Linux. Graphics events of L4 applications are handled directly by Nitpicker™ and are invisible to Linux applications, and vice versa.
This third approach provides good separation between applications. However, it requires duplicating the user interface controllers, which means more code, higher resource consumption and, of course, bugs to fix and support to provide for each controller.
In view of the foregoing, the problem the invention sets out to solve is to provide a system for securing a user interface comprising: a user interface; one or more applications using the user interface; and one or more hardware peripherals of the user interface through which the user interacts with it, these peripherals being driven by driver software; a system which overcomes the drawbacks of the prior art and which, in particular, requires neither modification of the hardware peripherals nor duplication of interface controllers, while providing an adequate level of protection against, notably, malicious applications that log keystrokes or phish.

The first object of the invention is a system for securing a user interface, comprising: a user interface including one or more hardware peripherals of the user interface through which the user interacts with it, these peripherals being driven by driver software; and one or more applications using the user interface; characterised in that it further comprises:
- a hypervisor having direct access to the hardware peripherals of the user interface;
- one or more virtual machines in which the application(s) using the user interface run, these virtual machines having no direct access to the hardware resources of the user interface; and
- a securing software component comprising a front-end part controlled by the virtual machine(s) and contained in them, and a main part controlled by the hypervisor and contained in it;
the drivers of the hardware peripherals of the user interface being split into two parts, a main part under the control of the hypervisor and a front-end part under the control of the virtual machines, the front-end part of the securing software component managing the front-end part of the drivers and the main part of the securing software component managing the main part of the drivers.

The second object of the invention is a method for securing a user interface, characterised in that it comprises the steps of:
- providing a user interface including one or more hardware peripherals through which the user interacts with it, these peripherals being driven by driver software;
- providing a hypervisor, one or more virtual machines in which one or more applications using the user interface run, these virtual machines having no direct access to the hardware resources of the user interface, and a securing software component comprising a front-end part controlled by and contained in the virtual machine(s) and a main part controlled by and contained in the hypervisor;
- running an application in a virtual machine;
- activating a secure mode of the system at the request of the application;
- displaying information securely under the control of the main part of the securing software component, the hypervisor accessing the hardware peripherals of the user interface directly; and then
- deactivating the secure mode of the system.

Advantageously:
- the hardware peripherals of the user interface comprise at least one device for user input and a screen;
- the main part of the software component is able to display, and to control the display of, a graphical interface component in the user interface through which the user enters information;
- the main part of the software component is able to validate identification and/or authentication information entered by the user;
- the information exchanged between the main part and the front-end part of the securing component is protected by encryption and/or signature keys;
- the information exchanged between the front-end part of the securing software component and an application of the virtual machine containing that front-end part is protected by encryption and/or signature keys;
- the method further comprises the steps of: the application requesting the entry of user information; the entry request being forwarded to the main part of the software component; a graphical input component being displayed under the direct control of the securing software component; the user entering the information; and the information being validated;
- the user information is validated by the main part of the securing software component, or is returned to the front-end part of that component, or even to the requesting application, for validation;
- the user information is validated against data held in the memory of the main part of the securing software component;
- the application requests the creation or update of information held in the memory of the securing software component, the information is entered by the user and is stored in the main part of the securing software component; and
- the method further comprises the steps of: the application requesting the secure display of information; the display request being forwarded to the main part of the software component; and the information being displayed under the direct control of that software component.
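The architecture and method set out above, modelled as an added, runnable Python sketch. This is illustrative code written for this page, not code from the patent or from Trusted Logic: the patent specifies no message formats or APIs, so the HMAC-SHA256 tag on front-end-to-main-part messages, the JSON request shape, the salted-hash storage of the PIN in the hypervisor, the class names and the scripted keystrokes are all assumptions. The model exercises the two points the claims turn on: while secure mode is active, the keyboard and the screen are driven only by the main part inside the hypervisor, so a keylogger hooked into the VM's front-end driver records the customer number typed in normal mode but nothing of the PIN; and the VM receives only a validation verdict, never the secret itself.

```python
import hashlib
import hmac
import json
import os


class Keyboard:
    """UI input hardware. In this model only the hypervisor ever holds a handle to it."""
    def __init__(self, scripted_keys):
        self._keys = list(scripted_keys)   # constructed sample keystrokes for the scenario

    def read_key(self):
        return self._keys.pop(0)


class Screen:
    """UI output hardware. Records who drew each frame so ownership can be checked."""
    def __init__(self):
        self.frames = []

    def draw(self, owner, text):
        self.frames.append((owner, text))


class MainPart:
    """Main part of the securing component, inside the hypervisor, with direct device access."""
    def __init__(self, keyboard, screen, channel_key):
        self._kbd, self._scr, self._key = keyboard, screen, channel_key
        self._store = {}        # name -> (salt, sha256(salt || pin)); never leaves the hypervisor
        self.secure_mode = False

    def forward_key(self):
        """Normal mode: the main part of the driver hands a keystroke to the VM's front-end driver."""
        if self.secure_mode:
            raise PermissionError("keyboard belongs to the hypervisor while secure mode is active")
        return self._kbd.read_key()

    def _read_pin(self, prompt):
        """Secure entry: prompt and keystrokes are handled under hypervisor control only."""
        self._scr.draw("hypervisor", prompt)
        buf = ""
        while True:
            k = self._kbd.read_key()
            if k == "\n":
                return buf
            buf += k

    def _digest(self, salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()

    def handle(self, msg):
        """Serve one request from the front-end part (assumed format: HMAC-SHA256-tagged JSON)."""
        expected = hmac.new(self._key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg["tag"], expected):
            return {"ok": False, "error": "request not authenticated"}
        req = json.loads(msg["body"])
        self.secure_mode = True                          # activation of secure mode
        try:
            if req["op"] == "display":
                self._scr.draw("hypervisor", req["text"])
                return {"ok": True}
            if req["op"] == "enroll":
                salt = os.urandom(16)
                self._store[req["name"]] = (salt, self._digest(salt, self._read_pin(req["prompt"])))
                return {"ok": True}
            if req["op"] == "authenticate":
                salt, stored = self._store[req["name"]]
                good = hmac.compare_digest(stored, self._digest(salt, self._read_pin(req["prompt"])))
                return {"ok": good}                      # only the verdict goes back to the VM
            return {"ok": False, "error": "unknown op"}
        finally:
            self.secure_mode = False                     # deactivation of secure mode


class FrontEnd:
    """Front-end part of the securing component, inside the VM: relays requests, receives verdicts."""
    def __init__(self, main, channel_key):
        self._main, self._key = main, channel_key
        self.driver_hooks = []  # where VM-resident malware would hook the front-end driver

    def request(self, **req):
        body = json.dumps(req, sort_keys=True)
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return self._main.handle({"body": body, "tag": tag})

    def read_line_unsecured(self):
        """Ordinary VM input: every keystroke crosses the front-end driver and its hooks."""
        buf = ""
        while True:
            k = self._main.forward_key()
            for hook in self.driver_hooks:
                hook(k)
            if k == "\n":
                return buf
            buf += k


def run_banking_scenario():
    """Constructed scenario: enrol a PIN, read a customer number in normal mode with a keylogger
    hooked into the VM, authenticate with the right and then a wrong PIN, display the balance."""
    key = os.urandom(32)                               # channel key, assumed provisioned out of band
    kbd = Keyboard("4711\n" "1234\n" "4711\n" "9999\n")
    scr = Screen()
    main = MainPart(kbd, scr, key)
    front = FrontEnd(main, key)
    captured = []
    front.driver_hooks.append(captured.append)         # the keylogger
    front.request(op="enroll", name="pin", prompt="Choose your PIN")
    customer = front.read_line_unsecured()
    right = front.request(op="authenticate", name="pin", prompt="Enter your PIN")["ok"]
    wrong = front.request(op="authenticate", name="pin", prompt="Enter your PIN")["ok"]
    front.request(op="display", text="Balance for customer %s: 100.00" % customer)
    forged = main.handle({"body": json.dumps({"op": "display", "text": "fake"}), "tag": "00"})
    return {
        "customer": customer,
        "keylogger_saw": "".join(captured),
        "auth_right_pin": right,
        "auth_wrong_pin": wrong,
        "forged_rejected": not forged["ok"],
        "screen_owners": {owner for owner, _ in scr.frames},
    }


if __name__ == "__main__":
    print(run_banking_scenario())
```

The sketch deliberately keeps the VM side thin: the front-end part can ask for a PIN to be collected and for text to be shown, but it cannot read the keyboard or draw on the screen while the request is being served, and the PIN store is reachable only through the main part. The unauthenticated request at the end is rejected, which is what the "encryption and/or signature keys" between the two parts buy in practice; a real implementation would also need replay protection and a way to bind the shared key to the hypervisor, which the patent leaves open.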
The invention will be better understood from the following non-limiting description of embodiments, with reference to the drawings, in which: FIG. 1 schematically shows the system according to the invention; FIG. 2 is a diagram illustrating the steps of the method according to the invention for the secure entry of information into a graphical component; and FIG. 3 is a diagram illustrating the steps of the method according to the invention for the secure display of information.
The present invention relates to systems for securing a user interface.
The systems according to the invention are intended to be implemented in particular, though not exclusively, in embedded devices, which often have limited hardware resources compared with, for example, personal computers; they may nonetheless also be applied to such computers. The embedded devices more particularly targeted are mass-produced portable devices such as smart cards used with card readers themselves connected to a terminal, mobile phones possibly fitted with subscriber identity modules and having a screen, personal digital assistants, or any other small electronic device handling digital data. The embedded devices according to the invention may or may not have a processor. They have at least one, and sometimes several, memories.
The systems according to the invention comprise a user interface including one or more hardware peripherals of the user interface, and one or more applications using the user interface.
L'interface utilisateur est l'interface par laquelle un utilisateur d'une machine informatique, par exemple un ordinateur ou un système embarqué, dialogue avec cette machine .The user interface is the interface through which a user of a computer machine, for example a computer or an embedded system, dialogs with this machine.
L'interface utilisateur comprend un de plusieurs périphériques matériels de l'interface, qui sont pilotés par des logiciels pilotes. Les périphériques de l'interface sont divers. Certains périphériques sont des périphériques d'entrée, qui permettent d'entrer des informations dans la machine. D'autres périphériques sont des périphériques de sortie, qui permettent d'obtenir des informations de la machine. D'autres périphériques de l'interface encore sont des périphériques d'entrée/sortie, qui permettent d'entrer des informations dans la machine ou de sortir des informations de celle-ci.The user interface comprises one of several hardware devices of the interface, which are driven by pilot software. The peripherals of the interface are various. Some devices are input devices that allow you to enter information into the machine. Other devices are output devices, which provide information from the machine. Other interface devices still are input / output devices, which allow you to enter information into the machine or output information from it.
Parmi les périphériques d'entrée, on citera notamment les claviers, les souris ou autres dispositifs de pointage, les pinpad, les lecteurs de cartes à puce, les tablettes graphiques, les microphones. Parmi les périphériques de sortie, citera notamment les écrans ou les enceintes acoustiques. Enfin, parmi les périphériques d'entrée/sortie, on citera notamment les écrans tactiles.Input devices include keyboards, mice or other pointing devices, pinpad, smart card readers, graphics tablets, microphones. Among the output devices, include the screens or speakers. Finally, among the input / output peripherals, mention will be made in particular of touch screens.
Les applications utilisant l'interface utilisateur sont des applications diverses qui sont à l'origine d'événements de l'interface utilisateur pour la gestion des informations saisies par l'utilisateur et/ou la présentation de telles informations, ou d'autres informations audit utilisateur. Les informations saisies par l'utilisateur sont notamment des informations d'identification et/ou d' authentification. Les applications émettent des requêtes diverses telles que des requêtes d'affichage ou de saisie. Par exemple, une application peut être une application bancaire, qui permet à un utilisateur d'accéder à ces comptes bancaires et de procéder à des virements .UI-based applications are various applications that cause UI events for the management of user-entered information and / or the presentation of such information, or other user audit information. The information entered by the user includes identification and / or authentication information. Applications issue various queries, such as display or input queries. For example, an application may be a banking application, which allows a user to access these bank accounts and make transfers.
Les périphériques matériel de l'interface utilisateur sont des périphériques permettant à l'utilisateur d' interagir avec ladite interface. Ils sont pilotés par des logiciels pilotes. Ces périphériques sont par exemple des claviers, des souris, des écrans notamment tactiles. Ainsi que cela est montré à la figure 1, le système selon l'invention comporte en outre un hyperviseur, une ou plusieurs machines virtuelles et un composant logiciel de sécurisation appelé, dans cette figure Secure UI.Hardware devices in the user interface are devices that allow the user to interact with the interface. They are piloted by pilot software. These devices are for example keyboards, mice, screens including touch. As shown in Figure 1, the system according to the invention further comprises a hypervisor, one or more virtual machines and a security software component called in this figure Secure UI.
The hypervisor, or privileged domain, is a software layer that allows one or more virtual machines to run on top of it. The hypervisor has direct access to the hardware resources of the user interface, and in particular to the peripherals. In the invention it is the only entity with such direct access to these resources: the virtual machines have no direct access to the hardware peripherals and do not hold this privilege.
Each virtual machine includes its own guest operating system and at least one application using the user interface, and it executes that application or those applications.
The virtual machines have either indirect access to the hardware peripherals, or access that may appear direct but in fact passes through the hypervisor. The so-called hardware accesses available to the virtual machines, which are indirect accesses to the interface peripherals, are therefore controlled and driven solely by the hypervisor. Moreover, the virtual machines do not communicate with one another; they are isolated from each other.
Various virtualization software architectures can be used in the system according to the invention, for example the Xen™ virtualization architecture developed at the University of Cambridge (United Kingdom) or the VMware™ virtualization architecture. In the Xen™ architecture, what this document calls the hypervisor, which is ultimately a particular virtual machine, corresponds to domain zero (dom0): the privileged domain that runs on the Xen hypervisor proper and hosts the physical device drivers. It ensures the separation and isolation of the virtual machines, each virtual machine corresponding to a specific domain, domU, which does not have the privileges of dom0. The privilege of physical access to the peripherals is thus delegated by the domU virtual machines to dom0, the hypervisor in the terminology used here.
In the invention, the drivers of the user interface hardware peripherals are split into two parts. A major part of each driver is placed in, and runs in, the hypervisor, i.e. under the hypervisor's control; this is the part that physically handles access to the peripheral. Another, smaller part is placed in, and runs in, each virtual machine, i.e. under that virtual machine's control; it acts as a relay to the part of the driver located in the hypervisor. The part of the driver contained in the hypervisor is called the main part of the driver, or backend driver, in Figure 1. The part located in the virtual machines is called the front part of the driver, or frontend driver, in Figure 1.
The security software component according to the invention (Secure UI) is a component of the user interface whose purpose is to secure that interface. It comprises a front part, or Secure UI frontend, controlled by the virtual machine or machines, and a main part, or Secure UI backend, controlled by the hypervisor. The front part of the security software is included in, that is, integrated into, the virtual machine or machines. The main part of the security software is included in, or integrated into, the hypervisor. This component manages the drivers of the hardware peripherals of the interface, for example the keyboard, screen, mouse or pinpad drivers; it can be regarded as a driver of the user interface hardware drivers. The main part of this driver interacts with the user interface peripherals.
Referring now to Figures 2 and 3, to secure the user interface a virtual machine of a system according to the invention first activates the front part of the user interface security software component. A security context is then created and various information is recorded, such as the identifier of the virtual machine. From then on the user interface is in so-called secure mode. When, in this secure mode, an application A of that virtual machine wishes to authenticate a user, for example by having him enter a password or a personal identification number (PIN), it notifies its request to the front part of the security software component. That front part forwards the request to the main part of the component, in the hypervisor. The main part can then decide whether or not to display on the screen a graphical interface component, more specifically a trusted window, for entering the password or PIN. If it decides to display this graphical component, the hypervisor accesses the graphics card or graphics component of the interface directly. More precisely, the main part of the security software component takes over the frame buffer of the virtual machine concerned and inserts into it the display of the graphical component for entering the password or PIN, calling the driver of the graphics card or component to perform the display. A window then appears on the screen of the user interface, and the user can enter his password or PIN, for example with the keyboard or a pinpad.
When the password or PIN is entered, the keyboard or pinpad driver is used. The entered information is sent directly to the main part of the user interface security software component.
At that point, either the main part of the component validates the password itself, or the password is passed to the front part of the security component.
For the main part of the component to validate the password, it is sufficient that this part has stored the expected passwords, or their digital fingerprint (hash), for each application of each virtual machine. Depending on the comparison of the password or PIN entered by the user with the password or PIN stored in the main part of the security software component, the main part returns to the front part either an acceptance (OK) or a refusal (NOK). Finally, the front part of the component forwards the acceptance or refusal to the requesting application. If instead the main part of the security software component passes the password to the front part, the front part can in turn validate the password/PIN, or pass it on to the application so that the application validates it. Thus, according to the invention, the requests and information exchanged in the system are secured because they necessarily pass through the two parts of the security component.
In secure mode, an application B, for example a malicious one, located in the same virtual machine as application A or in another virtual machine, can neither alter the display of the password entry graphical component nor alter what is entered into it. The display of the graphical component and the entry of information by the user are handled entirely by the security software component, within the hypervisor. It is this component that decides to display a password/PIN entry graphical component and that accesses the hardware resources directly for that display. It is this software component that decides the size and shape of the entry component. It is this security software component that receives the events entered by the user and handles that information. The virtual machines cannot access the frame buffer or the information entered on the hardware peripherals of the graphical interface. Nor can they bypass the hypervisor, since they have no direct access to the hardware peripherals. The invention therefore effectively secures the human/machine interactions. This guarantee rests on the hypervisor, together with the main part of Secure UI and the backend drivers it hosts, being trustworthy: it is the trusted computing base of the scheme, and nothing described here protects against a compromised hypervisor.
The security software component can respond to the following commands, most of which are shown in Figures 2 and 3 mentioned above.
The ACTIVATE command, issued by an application, creates a security context for a virtual machine, or for an application of a virtual machine. It is therefore the command by which secure mode is entered.
The DEACTIVATE command switches from secure mode back to non-secure mode. After this command is called, the user interface is no longer secured. Note that the security context can only be deactivated by the component that requested activation of secure mode; that component can be authenticated using a signing key shared when the context was created.
The GET_DATA command can be issued by an application that requires the entry of information such as a PIN, a password, an identifier or other data, and is addressed to the security software component. The information obtained by executing this command is sent encrypted and signed to the front part of the security software component, or to the requesting application if keys have been shared with it.
The DISPLAY_DATA command requests the display of information in a trusted window. In response to this command, the information is passed from the front part of the security software component, or from the application, to the main part of the component, and is then displayed in the user interface under the control of the hypervisor. The main part of the security software component, which runs within the hypervisor, controls the formatting of this information; in particular, the hypervisor can display the origin of the information. Commands specific to the entry of passwords, PINs or other identification or authentication information may also be implemented in the method according to the invention.
The first of these is the COMPARE_PIN command, which is used when the application requires the entry of a PIN or other identification or authentication information. This information is validated by comparison in the main part of the security software component, which runs in the hypervisor. The result of the authentication, success or failure, is returned, for example encrypted and signed, to the front part of the security software component, or even to the requesting application if keys have been shared with that application for this purpose. The entry of the information under the control of the security software component, running in the hypervisor, may be done with the keyboard, with a mouse, or by clicking on a pinpad, in particular one consisting of a window with on-screen keys that the user clicks.
Next is the SET_PIN command, by which the sending application requests the update of identification or authentication information in the memory of the main part of the security software component, which runs in the hypervisor. Identification or authentication information is validated in the main part of the security software component against data kept in its memory, and this command allows that stored data to be modified. It may be invoked a first time by any application that needs to establish reference information in the memory of the software component. Thereafter, that application can only modify the information by presenting, and having validated, the information already stored.
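The backend-side PIN validation described above (a stored hash per application per virtual machine, an OK/NOK result, and the COMPARE_PIN and SET_PIN rules), as an added Python model that is not part of the patent. Class and method names are hypothetical, and the attempt counter is a practitioner addition the patent does not mention.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative model of the main (hypervisor-side) part of Secure UI holding
# reference PINs. Not the patent's code; names are hypothetical. The lockout
# after MAX_ATTEMPTS failures is an addition the patent does not describe.


class SecureUiPinStore:
    """Reference PINs kept by the main part of the security component.

    Entries are keyed by (vm_id, app_id), so an application in one virtual
    machine is never validated against, and can never overwrite, another
    virtual machine's reference. Only a salted PBKDF2 hash is stored, which
    is the "hash" option the text allows.
    """

    ITERATIONS = 50_000
    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self._refs: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}
        self._failures: Dict[Tuple[str, str], int] = {}

    @classmethod
    def _digest(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, cls.ITERATIONS)

    def compare_pin(self, vm_id: str, app_id: str, entered: str) -> str:
        """COMPARE_PIN: return "OK" or "NOK"; the PIN itself never leaves the backend."""
        key = (vm_id, app_id)
        ref = self._refs.get(key)
        if ref is None or self._failures.get(key, 0) >= self.MAX_ATTEMPTS:
            return "NOK"  # nothing to compare against, or locked out
        salt, expected = ref
        if hmac.compare_digest(self._digest(entered, salt), expected):
            self._failures[key] = 0
            return "OK"
        self._failures[key] = self._failures.get(key, 0) + 1
        return "NOK"

    def set_pin(self, vm_id: str, app_id: str, new_pin: str,
                current_pin: Optional[str] = None) -> str:
        """SET_PIN: the first call establishes the reference; later calls must
        present the current PIN and have it validated before it is replaced."""
        key = (vm_id, app_id)
        if key in self._refs:
            if current_pin is None or self.compare_pin(vm_id, app_id, current_pin) != "OK":
                return "NOK"
        salt = os.urandom(16)  # fresh salt per reference
        self._refs[key] = (salt, self._digest(new_pin, salt))
        self._failures[key] = 0
        return "OK"
```

The store only ever answers OK or NOK, which is the backend-validates branch of the text; the alternative branch, where the PIN is handed to the front part, would require the secured channel described further down.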
Finally, the PAY_TRANSACTION command, by which an application requests payment for a given transaction. In this case the main part of the security software component, running in the hypervisor, activates a particular peripheral such as a smart card reader, requests the entry of an identification code, validates or rejects the code entered, and returns the validation or rejection to the front part of the security software component, or even to the requesting application if keys have been shared for this purpose.
Note that the security of the system according to the invention can advantageously be strengthened by securing the communication channel between the main part of the security software component and its front part. In that case, signing and/or encryption keys are shared between the main and front parts of the component when the security context is created, and are used to protect the requests and responses exchanged between them. In particular, if identification information is validated by the front part of the component, it is transmitted over the channel in secured form, encrypted and/or signed. Signed and/or encrypted information cannot be modified and/or read by third-party virtual machines.
The security of the system according to the invention can also advantageously be strengthened by securing the communications between the front part of the security software component and the application, or each application, of the virtual machine containing that part. In that case, encryption and/or signing keys are shared between the front part and the secured application, and are used to encrypt and/or sign the messages exchanged between the two, in particular identification or authentication information when it is to be validated by the application itself. The other applications of the virtual machine can then neither read nor modify the information intended for the requesting application.
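An added model of the secured frontend/backend channel described above, together with the ACTIVATE and DEACTIVATE context handling and the encrypted-and-signed GET_DATA response of Figures 2 and 3. It is illustrative Python, not the patent's code, and all names are hypothetical. It assumes that the backend hands the context keys to the frontend over the hypervisor-mediated path at context creation, and that the "trusted input" comes from a driver only the backend can reach (here a constructed callable). The encrypt-then-MAC construction over an HMAC-SHA256 keystream stands in for an AEAD such as AES-GCM so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Illustrative model; not the patent's code. Names are hypothetical.

MAC_LEN = 32               # HMAC-SHA256 tag
NONCE_LEN = 12
HDR_LEN = 8 + NONCE_LEN    # 64-bit sequence number followed by the nonce


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    blocks, i = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the sequence number is covered by the tag, so a
    captured message cannot be replayed or reordered without detection."""
    nonce = os.urandom(NONCE_LEN)
    header = seq.to_bytes(8, "big") + nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def unseal(enc_key: bytes, mac_key: bytes, expected_seq: int, msg: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag or the sequence number is wrong."""
    if len(msg) < HDR_LEN + MAC_LEN:
        return None
    header, body, tag = msg[:HDR_LEN], msg[HDR_LEN:-MAC_LEN], msg[-MAC_LEN:]
    expected_tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None                       # forged or tampered: wrong keys
    if int.from_bytes(header[:8], "big") != expected_seq:
        return None                       # replayed or reordered
    nonce = header[8:HDR_LEN]
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


@dataclass
class SecureContext:
    vm_id: str
    enc_key: bytes
    mac_key: bytes
    next_seq: int = 0                     # sequence number expected on the next request


class SecureUiBackend:
    """Main part of Secure UI (runs in the hypervisor)."""

    def __init__(self, read_trusted_input: Callable[[], str]) -> None:
        self._contexts: Dict[str, SecureContext] = {}
        self._read_trusted_input = read_trusted_input   # backend-owned keyboard/pinpad driver

    def activate(self, vm_id: str) -> Tuple[str, bytes, bytes]:
        """ACTIVATE: create a context and share fresh channel keys with the caller."""
        ctx_id = os.urandom(8).hex()
        ctx = SecureContext(vm_id, os.urandom(32), os.urandom(32))
        self._contexts[ctx_id] = ctx
        return ctx_id, ctx.enc_key, ctx.mac_key

    def handle(self, ctx_id: str, sealed_request: bytes) -> Optional[bytes]:
        """Process one sealed command; return a sealed response, or None if rejected."""
        ctx = self._contexts.get(ctx_id)
        if ctx is None:
            return None                   # not in secure mode
        request = unseal(ctx.enc_key, ctx.mac_key, ctx.next_seq, sealed_request)
        if request is None:
            return None                   # only the activating party holds the keys
        seq = ctx.next_seq
        ctx.next_seq += 1
        if request == b"GET_DATA":
            return seal(ctx.enc_key, ctx.mac_key, seq, self._read_trusted_input().encode())
        if request == b"DEACTIVATE":
            del self._contexts[ctx_id]    # leave secure mode; the keys are discarded
            return seal(ctx.enc_key, ctx.mac_key, seq, b"OK")
        return seal(ctx.enc_key, ctx.mac_key, seq, b"NOK")


class SecureUiFrontend:
    """Front part of Secure UI (runs in a guest virtual machine)."""

    def __init__(self, backend: SecureUiBackend, vm_id: str) -> None:
        self._backend = backend
        self.ctx_id, self.enc_key, self.mac_key = backend.activate(vm_id)
        self._seq = 0

    def call(self, command: bytes) -> Optional[bytes]:
        reply = self._backend.handle(self.ctx_id, seal(self.enc_key, self.mac_key, self._seq, command))
        if reply is None:
            return None
        plaintext = unseal(self.enc_key, self.mac_key, self._seq, reply)
        self._seq += 1
        return plaintext
```

Because only the activating frontend holds the context keys, another virtual machine can neither read a GET_DATA response nor issue a DEACTIVATE that the backend will accept, which is the property the text attributes to the shared signing key; the sequence number adds the replay check a practitioner would want on top of it.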

Claims

REVENDICATIONS
1. A system for securing a user interface, comprising: a user interface comprising one or more hardware peripherals of the user interface for interacting with said interface, said hardware peripherals being driven by driver software; one or more applications using the user interface; characterized in that it further comprises: a hypervisor having direct access to the hardware peripherals of the user interface; one or more virtual machines allowing execution of the application or applications using the user interface, said virtual machines having no direct access to the hardware resources of the user interface; and a security software component comprising a front part controlled by the virtual machine or machines, said front part of the security software being included in said virtual machine or machines, and a main part controlled by the hypervisor, said main part of the security software being included in said hypervisor, the drivers of the hardware peripherals of the user interface being split into two parts, a main part of said drivers being placed under the control of the hypervisor and a front part of said drivers being placed under the control of the virtual machines, the front part of the security software component managing the front part of the drivers and the main part of the security software component managing the main part of the drivers.
2. System according to claim 1, characterized in that the hardware peripherals of the user interface comprise at least one user information input device and a screen.
3. System according to one of the preceding claims, characterized in that the main part of the software component is able to display, and to control the display of, a graphical interface component in the user interface for the input of information by the user.
4. System according to one of the preceding claims, characterized in that the main part of the software component is able to validate identification and/or authentication information entered by the user.
5. System according to one of the preceding claims, characterized in that the information exchanged between the main part of the security component and the front part of that component is secured by means of encryption and/or signature keys.
6. System according to one of the preceding claims, characterized in that information exchanged between the front part of the security software component and an application of the virtual machine comprising that front part is secured by means of encryption and/or signature keys.
8. A method for securing a user interface, characterized in that it comprises the steps of: providing a user interface comprising one or more hardware peripherals of the user interface for interacting with said interface, said hardware peripherals being driven by driver software; providing a hypervisor, one or more virtual machines allowing execution of one or more applications using the user interface, said virtual machines having no direct access to the hardware resources of the user interface, and a security software component comprising a front part controlled by the virtual machine or machines, said front part of the security software being included in said virtual machine or machines, and a main part controlled by the hypervisor, said main part of the security software being included in said hypervisor; executing an application of a virtual machine; activating a secure mode of the system at the request of the application; securely displaying information controlled by the main part of the security software component, the hypervisor accessing the hardware peripherals of the user interface directly; then deactivating the secure mode of the system.
9. Method according to claim 8, characterized in that it further comprises the following steps, according to which: the application requests the input of user information; the input request is transmitted to the main part of the software component; a graphical information input component is displayed under the direct control of the security software component; the user enters user information; and the user information is validated.
10. Method according to claim 9, characterized in that the user information is validated by the main part of the security software component, or is returned to the front part of said component, or even to the requesting application, for validation.
11. Method according to claim 10, characterized in that the user information is validated against data kept in memory by the main part of the security software component.
12. Method according to claim 11, characterized in that the application requests the establishment or updating of information kept in memory by the security software component, in that the information is entered by the user, and in that it is recorded in the main part of the security software component.
13. Method according to one of claims 9 to 12, characterized in that it further comprises the following steps, according to which: the application requests a secure display of information; the display request is transmitted to the main part of the software component; and the information is displayed under the direct control of said software component.
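As an added illustration that is not part of the patent, nor code from the applicant, the following Python model plays through the exchange of claims 8 to 13 together with the shared-key protection between front part and application described at the end of the description: a hypothetical "bank" application in the virtual machine asks the front part to enrol and then verify a PIN and to display a confirmation; the front part accepts only requests carrying a valid tag under the key it shares with that application, switches the main part into secure mode for the duration of the operation, and the main part alone drives the (simulated) screen and input device and holds the reference data. All class names, message formats, the use of HMAC-SHA256 as the "signature key", the SHA-256 digest as stored reference and the scripted user entries are constructed assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets

def sign(key, message):
    # HMAC-SHA256 tag computed with the signature key shared by front part and application.
    return hmac.new(key, message, hashlib.sha256).digest()

class Devices:
    # Constructed stand-in for screen and input peripheral: frames recorded with a secure flag, entries scripted.
    def __init__(self, entries):
        self.frames, self.entries = [], list(entries)
    def show(self, text, secure):
        self.frames.append((secure, text))
    def read(self):
        return self.entries.pop(0)

class SecureComponentMain:
    # Main part of the security component: lives in the hypervisor, which alone touches the devices.
    def __init__(self, devices):
        self.devices, self.stored, self.secure_mode = devices, {}, False  # stored: reference data (claim 11)
    def _show(self, text):
        if not self.secure_mode:
            raise RuntimeError("device access only allowed in secure mode")
        self.devices.show(text, secure=True)
    def _digest_of_entry(self, prompt):
        # Input widget displayed and read under the main part's direct control (claim 9).
        self._show(prompt)
        return hashlib.sha256(self.devices.read().encode()).hexdigest()
    def enroll(self, app_id):
        # Establish or update the reference secret kept in hypervisor memory (claims 11 and 12).
        self.stored[app_id] = self._digest_of_entry("Choose PIN")
    def verify(self, app_id):
        # Validate the entry against the stored reference inside the hypervisor (claims 10 and 11).
        candidate = self._digest_of_entry("Enter PIN")
        return app_id in self.stored and hmac.compare_digest(self.stored[app_id], candidate)
    def secure_display(self, text):
        self._show(text)   # secure display of application-supplied information (claim 13)

class SecureComponentFrontEnd:
    # Front part of the security component: lives in the VM and relays authenticated requests.
    def __init__(self, main):
        self.main, self.keys = main, {}   # one shared signature key per application (claim 6)
    def request(self, app_id, message, tag):
        key = self.keys.get(app_id)
        if key is None or not hmac.compare_digest(sign(key, message), tag):
            raise PermissionError("request not authenticated for " + app_id)
        self.main.secure_mode = True      # secure mode activated at the application's request (claim 8)
        try:
            if message == b"enroll":
                self.main.enroll(app_id)
                result = b"ok"
            elif message == b"verify":
                result = b"ok" if self.main.verify(app_id) else b"denied"
            elif message.startswith(b"display:"):
                self.main.secure_display(message[len(b"display:"):].decode())
                result = b"ok"
            else:
                result = b"unknown"
        finally:
            self.main.secure_mode = False  # and deactivated once the operation is over (claim 8)
        return result, sign(key, message + result)   # reply tag bound to the request it answers

class Application:
    # An application of the VM: every message to and from the front part carries a tag.
    def __init__(self, app_id, front_end):
        self.app_id, self.front_end = app_id, front_end
        self.key = front_end.keys[app_id] = secrets.token_bytes(32)   # key shared with the front part
    def _call(self, message):
        result, tag = self.front_end.request(self.app_id, message, sign(self.key, message))
        if not hmac.compare_digest(sign(self.key, message + result), tag):
            raise ValueError("response modified in transit")
        return result
    def set_pin(self):
        return self._call(b"enroll") == b"ok"
    def check_pin(self):
        return self._call(b"verify") == b"ok"
    def show_secure(self, text):
        return self._call(b"display:" + text.encode()) == b"ok"

def demo():
    # Run the exchange once with constructed sample entries and report what happened.
    devices = Devices(["1234", "1234", "9999"])
    main = SecureComponentMain(devices)
    front_end = SecureComponentFrontEnd(main)
    bank = Application("bank", front_end)
    results = {"enroll": bank.set_pin(), "verify_ok": bank.check_pin(),
               "display": bank.show_secure("Confirm transfer of 100 EUR"),
               "verify_bad": bank.check_pin()}
    try:   # another VM application holds no key for "bank" and cannot forge a request in its name
        front_end.request("bank", b"verify", bytes(32))
        results["forged_accepted"] = True
    except PermissionError:
        results["forged_accepted"] = False
    results["secure_frames"] = [text for secure, text in devices.frames if secure]
    results["secure_mode_after"] = main.secure_mode
    return results
```

Calling demo() shows the enrolment and first verification succeeding, the second verification being refused on the wrong entry, the forged request being rejected before secure mode is ever entered, and secure mode cleared again at the end. The tag check in Application._call is what keeps other applications of the same virtual machine from altering the information returned to the requesting one (claim 6); a deployable version would add replay protection (a nonce or counter in each message) and, where confidentiality matters, encryption of the payload, both of which this model leaves out.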
EP09784296A 2008-07-23 2009-07-23 System and method for securing a user interface Withdrawn EP2316088A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0804192A FR2934395B1 (en) 2008-07-23 2008-07-23 SYSTEM AND METHOD FOR SECURING A USER INTERFACE
PCT/FR2009/000918 WO2010010258A2 (en) 2008-07-23 2009-07-23 System and method for securing a user interface

Publications (1)

Publication Number Publication Date
EP2316088A2 true EP2316088A2 (en) 2011-05-04

Family

ID=40230045

Family Applications (1)

Application Number Title Priority Date Filing Date
EP09784296A Withdrawn EP2316088A2 (en) 2008-07-23 2009-07-23 System and method for securing a user interface

Country Status (4)

Country Link
US (1) US8874931B2 (en)
EP (1) EP2316088A2 (en)
FR (1) FR2934395B1 (en)
WO (1) WO2010010258A2 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL210169A0 (en) 2010-12-22 2011-03-31 Yehuda Binder System and method for routing-based internet security
EP3651042A1 (en) * 2011-03-22 2020-05-13 Telefonaktiebolaget LM Ericsson (publ) Method for switching between virtualized and non-virtualized system operation
US8813218B2 (en) * 2012-02-14 2014-08-19 Janus Technologies, Inc. Security-enhanced computer systems and methods
US9129124B2 (en) * 2012-04-12 2015-09-08 Hewlett-Packard Development Company, L.P. Dynamic provisioning of virtual systems
US9769123B2 (en) * 2012-09-06 2017-09-19 Intel Corporation Mitigating unauthorized access to data traffic
US9232176B2 (en) 2013-03-04 2016-01-05 Janus Technologies, Inc. Method and apparatus for securing computer video and audio subsystems
US9384150B2 (en) 2013-08-20 2016-07-05 Janus Technologies, Inc. Method and apparatus for performing transparent mass storage backups and snapshots
US11210432B2 (en) 2013-08-20 2021-12-28 Janus Technologies, Inc. Method and apparatus for selectively snooping and capturing data for secure computer interfaces
US9684805B2 (en) 2013-08-20 2017-06-20 Janus Technologies, Inc. Method and apparatus for securing computer interfaces
US9215250B2 (en) 2013-08-20 2015-12-15 Janus Technologies, Inc. System and method for remotely managing security and configuration of compute devices
US9076003B2 (en) 2013-08-20 2015-07-07 Janus Technologies, Inc. Method and apparatus for transparently encrypting and decrypting computer interface data
US9231921B2 (en) 2013-08-20 2016-01-05 Janus Technologies, Inc. System and architecture for secure computer devices
US9424443B2 (en) 2013-08-20 2016-08-23 Janus Technologies, Inc. Method and apparatus for securing computer mass storage data
US9342331B2 (en) 2013-10-21 2016-05-17 International Business Machines Corporation Secure virtualized mobile cellular device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7380136B2 (en) * 2003-06-25 2008-05-27 Intel Corp. Methods and apparatus for secure collection and display of user interface information in a pre-boot environment
US20060089992A1 (en) * 2004-10-26 2006-04-27 Blaho Bruce E Remote computing systems and methods for supporting multiple sessions
US7886353B2 (en) * 2005-03-25 2011-02-08 Microsoft Corporation Accessing a USB host controller security extension using a HCD proxy
US7661126B2 (en) * 2005-04-01 2010-02-09 Microsoft Corporation Systems and methods for authenticating a user interface to a computer user
GB0615015D0 (en) * 2006-07-28 2006-09-06 Hewlett Packard Development Co Secure use of user secrets on a computing platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2010010258A3 *

Also Published As

Publication number Publication date
FR2934395B1 (en) 2013-01-04
US8874931B2 (en) 2014-10-28
US20110131423A1 (en) 2011-06-02
WO2010010258A2 (en) 2010-01-28
FR2934395A1 (en) 2010-01-29
WO2010010258A3 (en) 2010-03-18

Similar Documents

Publication Publication Date Title
EP2316088A2 (en) System and method for securing a user interface
US8335931B2 (en) Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments
EP1975840B1 (en) Security viewing method and device
JP5976564B2 (en) Security enhanced computer system and method
CN101529366B (en) Identification and visualization of trusted user interface objects
US8176324B1 (en) Method and system for a secure virtual keyboard
US8281364B2 (en) Method and system for performing secure logon input on network
US9519498B2 (en) Virtual machine assurances
US20110060947A1 (en) Hardware trust anchor
CN107533609A (en) For the system, apparatus and method being controlled to multiple credible performing environments in system
JP2016509726A (en) Protecting the results of privileged computing operations
Martignoni et al. Cloud terminal: Secure access to sensitive applications from untrusted systems
US11727115B2 (en) Secured computer system
FR3026207A1 (en) SECURE DISPLAY TERMINAL
WO2008088622A1 (en) Secure pin transmission
CN117751551A (en) System and method for secure internet communications
EP1952297A2 (en) Method and device for authentication by a user of a trustworthy interface and related computer programme
Stumpf et al. Towards secure e-commerce based on virtualization and attestation techniques
Singh et al. Performance analysis of middleware distributed and clustered systems (PAMS) concept in mobile communication devices using Android operating system
US20220391543A1 (en) Device and method for secure communication
Liu Enhanced Password Security on Mobile Devices.
WO2024069088A1 (en) Smartphone incorporating a hardware wallet for storing cryptographic keys implementing software multiplexing of the display of the smartphone
Ruan et al. Intel’s Embedded Solutions: from Management to Security
BE1024111A1 (en) MICROCONTROLLER FOR SAFE STARTING WITH FIREWALL

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20110125

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

AX Request for extension of the european patent

Extension state: AL BA RS

RIN1 Information on inventor provided before grant (corrected)

Inventor name: PONSINI, NICOLAS

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TRUSTED LOGIC MOBILITY SAS

17Q First examination report despatched

Effective date: 20121210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20130423