Secure I/O
Secure input and output (I/O) refers to a protected path between the computer user and the software with which they believe they are interacting. On current computer systems there are many ways for malicious software to intercept data as it travels between a user and a software process - for example keyboard loggers and screen-scrapers. Secure I/O reflects a hardware and software protected and verified channel, using checksums to verify that the software used to do the I/O has not been tampered with. Malicious software injecting itself in this path could be identified.
Although protecting against software attacks, Secure I/O doesn't assist in protection against hardware-based attack such as a key capture device physically inserted between the user's keyboard and the computer.
[edit]
Memory curtaining
Memory curtaining extends the current memory protection techniques to provide full isolation of sensitive areas of memory ? for example locations containing cryptographic keys. Even the operating system doesn't have full access to curtained memory, so the information would be secure from an intruder who took control of the OS.
[edit]
Sealed storage
Sealed storage protects private information by allowing it to be encrypted using a key derived from the software and hardware being used. This means the data can be read only by the same combination of software and hardware. For example, users who keep a private diary on their computer do not want other programs or other computers to be able to read it. Currently, a virus can search for the diary, read it, and send it to someone else. The Sircam virus did something similar to this. Even if the diary were protected by a password, the virus might run a dictionary attack. Alternately the virus might modify the user's diary software to have it leak the text once he unlocked his or her diary. Using sealed storage, the diary is securely encrypted so that only the unmodified diary program on his or her computer can read it.
[edit]
Remote attestation
Remote attestation allows changes to the user's computer to be detected by him and others. That way, he can avoid having private information sent to or important commands sent from a compromised or insecure computer. It works by having the hardware generate a certificate stating what software is currently running. The user can present this certificate to a remote party to show that their computer hasn't been tampered with.
Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the programs that presented and requested the attestation, and not by an eavesdropper.
To take the diary example again, the user's diary software could send the diary to other machines, but only if they could attest that they were running a secure copy of the diary software. Combined with the other technologies, this provides a more secured path for the diary: secure I/O protects it as it is entered on the keyboard and displayed on the screen, memory curtaining protects it as it is being worked on, sealed storage protects it when saved to the hard drive, and remote attestation protects it from unauthorized software even when it is used on other computers.
Facebook
Twitter