SeRPEnT: Secure Remote Peripheral Encryption Tunnel

By David Weinstein, Xeno Kovah, Scott Dyer


Client endpoint systems are a prime target for attackers of every sophistication level. These systems take part in many transactions that demand a degree of trust which cannot be placed in a general-purpose commodity computer. We propose that such sensitive transactions can be made more secure by creating a new kind of trusted path, one that connects a server directly to a client's hardware peripherals. This capability is designed to isolate a compromised endpoint from its peripherals during security-sensitive applications. Such connectivity can be made unforgeable, resistant to eavesdropping, and bound to a user's credentials using end-to-end cryptography. We present a prototype Secure Remote Peripheral Encryption Tunnel (SeRPEnT) for the Universal Serial Bus (USB). Our device is a small, low-power "cryptographic switchboard" that tunnels connected peripherals to a server hosting applications in Virtual Machines (VMs). SeRPEnT can also pass devices through to the client system, allowing normal local use of the client by the user. SeRPEnT enables secure transactions between the user and server applications by allowing input to these VMs to originate only from our portable embedded device, so input injected by a compromised client is not accepted. SeRPEnT thus drastically reduces the attack surface exposed to an adversary.
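The security properties claimed above (unforgeable, eavesdropping-resistant, bound to the user's credential, and accepted by the server only when it comes from the device) can be illustrated with a minimal peripheral-report tunnel. The following is an added example written for this page, not the SeRPEnT prototype's own protocol or code: the frame layout, key derivation, class names, and the sample device secret and user credential are all assumptions. It uses a stdlib-only HMAC-SHA256 keystream as a stand-in for a real AEAD such as AES-GCM or ChaCha20-Poly1305, and shows a compromised client failing to tamper with or replay a USB HID keyboard report in transit.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8   # assumed frame layout: 8-byte sequence number || ciphertext || 32-byte tag
TAG_LEN = 32


def derive_keys(device_secret: bytes, user_credential: bytes):
    """Derive separate encryption and MAC keys bound to both the device secret and
    the user's credential, so frames are only valid for that device/user pair."""
    base = hmac.new(device_secret, user_credential, hashlib.sha256).digest()
    enc_key = hmac.new(base, b"serpent-enc", hashlib.sha256).digest()
    mac_key = hmac.new(base, b"serpent-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeviceEndpoint:
    """Device side: each peripheral report is encrypted and authenticated before the
    untrusted client ever sees it, so the client only carries opaque frames."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq = 0  # strictly increasing; never reused under one key

    def wrap(self, report: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        ciphertext = _xor(report, _keystream(self.enc_key, self.seq, len(report)))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag


class ServerEndpoint:
    """VM-host side: accepts a frame only if it authenticates under the device's key
    and carries a fresh sequence number; anything the client injected is dropped."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = 0

    def unwrap(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        header, ciphertext, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare, checked first
            raise ValueError("authentication failed: forged or tampered frame")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ValueError("stale sequence number: replayed frame")
        self.last_seq = seq
        return _xor(ciphertext, _keystream(self.enc_key, seq, len(ciphertext)))


def _rejected(server: ServerEndpoint, frame: bytes) -> bool:
    try:
        server.unwrap(frame)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed sample secrets; a real deployment provisions these out of band.
    device_secret = bytes(range(32))
    enc_key, mac_key = derive_keys(device_secret, b"user:alice")
    device, server = DeviceEndpoint(enc_key, mac_key), ServerEndpoint(enc_key, mac_key)

    # USB HID boot-protocol keyboard report: modifier, reserved, six keycodes (0x04 = 'a').
    report = bytes([0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00])
    frame = device.wrap(report)
    results = {"legit_accepted": server.unwrap(frame) == report,
               "plaintext_hidden": report not in frame}

    # Compromised client flips ciphertext bits to turn 'a' (0x04) into Enter (0x28).
    # The stream cipher alone is malleable; the MAC is what makes this fail.
    forged = bytearray(frame)
    forged[SEQ_LEN + 2] ^= 0x04 ^ 0x28
    results["forgery_rejected"] = _rejected(server, bytes(forged))
    # Re-sending the genuine frame is caught by the sequence-number check.
    results["replay_rejected"] = _rejected(server, frame)
    # A server expecting a different user's credential shares no keys with this device.
    other = ServerEndpoint(*derive_keys(device_secret, b"user:bob"))
    results["wrong_user_rejected"] = _rejected(other, device.wrap(report))
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `unwrap` matters: the tag is verified before the sequence number or ciphertext is interpreted, so a forged frame cannot advance the server's replay window or leak anything through decryption behaviour. Binding the keys to the user's credential means a stolen device frame is useless against a session the server has set up for someone else.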