SharkCagey / SharkCage


Shark Cage


This software is provided "as is", without warranty of any kind. This software is also still under development. Use entirely at your own risk. Contributions through PRs are highly appreciated.

This project contains Windows programs that isolate a specific program on its own desktop to prevent malware (without OS privileges) from capturing user input or screenshots. After installing Shark Cage, use the CageConfigurator to create a config containing the program that should run in a secure environment (e.g. Firefox for online banking), optionally an additional program (e.g. Keepass to retrieve the password for the online banking), and an icon which is later used to signal to the user that execution is taking place in a secure environment.

All programs running in the Shark Cage will be started on a second, isolated desktop which malware without administrator privileges cannot access.

Components

This project consists of five sub-programs:

Three of them (Service, Manager, Chooser) interact with each other via messages using a TCP connection.

CageService

The CageService implements a Windows service running in the background. It receives messages from the CageChooser and sends messages to the CageManager.

CageManager

The CageManager creates a new desktop and starts the program, and optionally the additional program, according to the config received from the CageChooser via the CageService. In addition, the token image and some additional information are displayed. Using the displayed "Activate" button(s), the program(s) can be restarted or brought back into the foreground.


CageChooser

The CageChooser is a user interface which lists all configs available on the system by iterating over the registry entries at the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SharkCage\Configs. Selecting a config and pressing the "Start" button (or the Enter key) starts the CageManager. The CageManager is created implicitly when a START_PROCESS message is received, which means the Chooser only sends one message with the config path and everything else happens automatically.


CageConfigurator

The CageConfigurator provides a graphical user interface to create a config file that includes a token image to be displayed on the secure desktop, the program which should be started and optionally an additional application. The additional program can be chosen from a list of "trustworthy" applications. As soon as the config file has been saved, a link to the config, which is stored at C:\Users\Public\Documents\SharkCage\, is saved in the registry under the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SharkCage\Configs. The config contains JSON data, and its access rights restrict anyone except the administrator group from accessing the file in any way.


SharkCageInstaller

The SharkCageInstaller is used to install all project applications, start the CageService and set some keys in the registry.

Further information

You can find a more detailed list of all components in the Visual Studio solution in the project overview.

Installation

  1. The SharkCageInstaller is used to install all programs for this project (CageService, CageManager, CageChooser and CageConfigurator) and is hosted on Github. Follow this link and download the latest version: Github-Releases.
  2. Please make sure the SharkCageInstaller is signed using the certificate issued to the HTWG Konstanz with the following fingerprint: ADBE74BD39789DD111815DE59C60D715143E4620 to avoid any unnecessary security risks.
  3. Execute the installer and follow the instructions. To install the service, the SharkCageInstaller needs to run with administrator privileges. Please make sure that the "User Account Control" dialog shows the HTWG Konstanz as the verified publisher.
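
One way to carry out the signature check from step 2 in PowerShell before running the installer. This is an added example, not part of the Shark Cage project; it assumes the fingerprint given above is the SHA-1 thumbprint of the signing certificate, and the installer path, script layout and function name `Test-InstallerSignature` are hypothetical.

```powershell
# Added example: verify the installer's Authenticode signature and signer thumbprint.
param(
    # Path to the downloaded installer (supplied by the caller; the README names no file).
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

# Fingerprint published in the README (assumed to be the SHA-1 certificate thumbprint).
$ExpectedThumbprint = 'ADBE74BD39789DD111815DE59C60D715143E4620'

function Test-InstallerSignature {
    param([string]$Path, [string]$Thumbprint)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Unsigned files carry no signer certificate at all.
    if ($null -eq $sig.SignerCertificate) {
        Write-Warning "No Authenticode signature present (status: $($sig.Status))."
        return $false
    }

    # 'Valid' means the file hash matches and the chain is trusted on this machine.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }

    # Normalise both values (drop spaces/colons, upper-case) before comparing.
    $actual   = ($sig.SignerCertificate.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $expected = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    if ($actual -ne $expected) {
        Write-Warning "Signer thumbprint $actual does not match expected $expected."
        Write-Warning "Signer subject: $($sig.SignerCertificate.Subject)"
        return $false
    }

    Write-Host "Signature valid. Signer: $($sig.SignerCertificate.Subject)"
    return $true
}

if (-not (Test-InstallerSignature -Path $InstallerPath -Thumbprint $ExpectedThumbprint)) {
    exit 1
}
```

A validly signed file from a different publisher still fails the thumbprint comparison, which is the case the status check alone would miss.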


Building from source

  1. Clone or download this repository
  2. Build the project (SharkCage.sln, VS2017 with InstallerProjects required) with one of the available build targets (debug / release).
  3. If you use the debug build, you can just start the CageChooser and a PowerShell script with on-screen instructions will correctly configure your system (BEWARE: the debug build disables some security checks and should not be used when working with sensitive data). If you want to use the release build, the easiest solution is to run the included (built) installer and follow the instructions.

Information about additional apps

The following apps can currently be run in addition to the primary app: