Securing sensitive content in a view-only file system

Kevin Borders, Xin Zhao, A. Prakash

ACM Digital Rights Management Workshop, published 2006-10-30. DOI: 10.1145/1179509.1179515 (https://doi.org/10.1145/1179509.1179515)
Citations: 10

Abstract

One of the most fundamental problems in computer security is protecting sensitive digital information from unauthorized disclosure. There are a number of challenges, such as spyware, removable media, and mobile devices, which make this a very hard problem. The problem becomes even more difficult when the adversary is somebody who is authorized to view the data. This is what is commonly referred to as an insider information leak. Insider leaks often occur out of malice, but sometimes are just due to plain negligence, as was the case with a recent leak of 26 million U.S. veterans' names, birth dates, and social security numbers. Current systems make an attempt to protect against this type of disclosure, but use rudimentary techniques that can be easily bypassed by a knowledgeable attacker. Examples include disabling "print" and "save" menu options within an application or scanning network traffic for signatures of known sensitive content. This paper examines a new method for protecting sensitive content from unauthorized disclosure, a View-Only File System (VOFS). VOFS relies on trusted computing primitives and virtual machine (VM) technology to provide a much greater level of security than current systems. In VOFS, a secure virtual machine on the client authenticates itself with a content provider and downloads sensitive data. Before allowing the user to view the data in his or her non-secure VM, the VOFS client disables non-essential device output. This prevents the user, or any malicious software, from printing, uploading, or stealing the sensitive content. When the user is done viewing a sensitive file, VOFS will reset the machine to previous state and resume normal device activity. Our goal is to provide near-seamless access to view-only files, while at the same time securing them from unauthorized digital replication. This paper presents the initial design, development plan, and evaluation plan for VOFS.