http://dx.doi.org/10.7236/IJASC.2019.8.2.77

Piosk: A Practical Kiosk To Prevent Information Leakage

Lee, Suchul (Dept. Computer Science and Information Engineering, Korea National University of Transportation)
Lee, Sungil (National Security Research Institute)
Oh, Hayoung (Ajou University)
Han, Seokmin (Dept. Computer Science and Information Engineering, Korea National University of Transportation)
Publication Information
International journal of advanced smart convergence / v.8, no.2, 2019, pp. 77-87
Abstract
One of the important concerns in information security is controlling information flow: either protecting confidential information from being leaked, or protecting trusted information from being tainted. In this paper, we present Piosk (Physical blockage of Information flow Kiosk), which addresses both problems practically. Piosk can forestall and prevent the leakage of information, and also defend internal tangible assets against a variety of malware. A visitor who carries a re-writable portable storage device must insert the device into Piosk, which is installed next to the security gate. Piosk then scans the device immediately, and detects and repairs any malicious code that might exist. After that, Piosk writes the contents (including sanitized ones) to a new read-only portable device such as a compact disk. By doing so, the leakage of internal information through both insiders and outsiders can be prevented physically. We have designed and prototyped Piosk. The experimental verification of the Piosk prototype implementation reveals that Piosk can accurately detect every malware at the same detection level as Virus Total and effectively prevent the leakage of internal information. In addition, we compare Piosk with state-of-the-art methods and describe the special advantages of Piosk over existing methods.
Keywords
Information flow control; Information leakage; Malwares detection; Kiosk; Physical security;