Compartmented Security for Browsers – Or How to Thwart a Phisher with Trusted Computing

Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble, and Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum
Universitätsstr. 150, D-44780 Bochum, Germany
sebastian.gajek@nds.rub.de, sadeghi@crypto.rub.de, stueble@acm.org, winandy@ieee.org

Abstract

Identity theft through phishing attacks has become a major concern for Internet users. Typically, phishing attacks aim at luring the user to a faked web site to disclose personal information. Existing solutions proposed against this kind of attack can, however, hardly counter the new generation of sophisticated malware phishing attacks, e.g., pharming Trojans, designed to target certain services. This paper aims at making the first steps towards the design and implementation of a security architecture that prevents both classical and malware phishing attacks. Our approach is based on the ideas of compartmentalization for isolating applications of different trust levels, and a trusted wallet for storing credentials and authenticating sensitive services. Once the wallet has been set up in an initial step, our solution requires no special care from users for identifying the right web sites, while the disclosure of credentials is strictly controlled. Moreover, a prototype of the basic platform exists and we briefly describe its implementation.

1. Introduction

Identity theft has become a subject of great concern for Internet users in recent years: since password-based user authentication has become established on the Internet as the means to grant users access to security-critical services, identity theft and fraud have attracted attackers [25]. Hence, phishing—a colloquial abbreviation of password fishing—has become a prominent attack. Whereas classical phishing attacks primarily used spoofed emails to lure unwary users to faked web sites where they reveal personal information (e.g., passwords, credit card numbers), current attacks have become advanced in their number and technical sophistication [2, 11, 15]. The new generation of phishing attacks does not solely address the weaknesses of careless Internet users, but also exploits vulnerabilities of the underlying computing platforms and takes advantage of legacy flaws of the Internet: hostile profiling addresses specific email recipients to mount classical phishing attacks more precisely [6], pharming compromises DNS servers to resolve domain name requests to phishing sites [2], and malware phishing infiltrates customers’ computers, e.g., to log their password keystrokes using malicious programs [17].

The most dominant reason for the proliferation of phishing attacks is that strong assumptions and requirements are made on the ability of ordinary Internet users when accessing sensitive services [13]. Internet users of average skill often do not understand security indicators and cannot distinguish between legitimate and faked web sites [21]. To reliably authenticate a web site, the user has to verify the domain name, ‘https’ in the URL, and the server’s certificate. However, ordinary Internet users are unfamiliar with the meaning of SSL and DNS. This is in particular true for phishing victims, as most faked sites would have been exposed if users had properly checked for the presence of SSL channels. On the other hand, the rise of malware phishing indicates that common computing platforms lack appropriate protection in practice. The problem with malware phishing attacks is that they (i) are specifically designed to target certain services (e.g., regional banks), (ii) exploit operating system characteristics, and (iii) deploy tailored functionalities to obtain users’ credentials [2, 17]. It is straightforward for malware phishing attacks, e.g., to fake security indicators, imitate the browser’s (or any security-critical application’s) chrome or modify the system configuration, and thus to circumvent current phishing (and malware) countermeasures (see Section 5). Moreover, malware phishing attacks are not transparent to the user and hence raise less suspicion of identity theft than the classical variant.

In this paper, we make the first steps towards the design and implementation of a security architecture that counters both kinds of phishing attacks. We propose a modular platform that uses a trusted wallet to store the user’s credentials and authenticate the sensitive services as a proxy on behalf of the user. Hence, it does not require specific skills from users, e.g.,