This software is provided "as is", without warranty of any kind. This software is also still under development. Use entirely at your own risk. Contributions through PRs are highly appreciated.
This project contains Windows programs to isolate a specific program in its own desktop, to prevent malware (running without OS privileges) from capturing user input or screenshots.
After the installation of Shark Cage, create a config using the `CageConfigurator` containing the program (e.g. Firefox for online banking) which should run in a secure environment, optionally an additional program (e.g. Keepass to retrieve the password for the online banking) and an icon which is later used to signal the execution in a secure environment to the user.
All programs running in the Shark Cage will be started on a second, isolated desktop which malware without administrator privileges cannot access.
This project consists of five sub-programs:
- `CageService`
- `CageManager`
- `CageChooser`
- `CageConfigurator`
- `SharkCageInstaller`
Three of them (Service, Manager, Chooser) interact with each other via messages using a TCP connection.
The `CageService` implements a Windows service running in the background. It receives messages from the `CageChooser` and sends messages to the `CageManager`.
The `CageManager` creates a new desktop and starts the program and, optionally, the additional program according to the config received from the `CageChooser` via the `CageService`. In addition, the token image and some additional information are displayed. Using the displayed "Activate" button(s), the program(s) can be restarted or brought back into the foreground.
The `CageChooser` is a user interface which lists all configs available on the system by iterating over the registry entries at the following path: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SharkCage\Configs`. By selecting a config and pressing the "Start" button (or the Enter key), the `CageManager` will be started. The `CageManager` is created implicitly when a `START_PROCESS` message is received, which means the Chooser only sends one message with the config path and everything else happens automatically.
The `CageConfigurator` provides a graphical user interface to create a config file including a token image to be displayed on the secure desktop, the program which should be started and optionally an additional application. The additional program can be chosen from a list of "trustworthy" applications.
As soon as the config file has been saved, a link to the config, which is stored at `C:\Users\Public\Documents\SharkCage\`, will be saved in the Registry under the following path: `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SharkCage\Configs`.
The config contains JSON data, and its access rights deny everyone except the Administrators group any kind of access to the file.
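The two statements above (config links live under the `Configs` registry key, and each config file is readable by the Administrators group only) can be audited from an elevated PowerShell prompt. The script below is an added example and not part of the Shark Cage project; it assumes that every value under the `Configs` key holds the path of one config file, since the README does not spell out the value layout, and it treats `BUILTIN\Administrators` as the only principal that should appear in an Allow rule.

```powershell
# Added example (not Shark Cage project code): enumerate the registered configs
# and check that each config file's ACL grants access to Administrators only.
# Assumption: each value under the Configs key stores one config file path.

$ConfigsKey = 'HKLM:\SOFTWARE\WOW6432Node\SharkCage\Configs'
$AllowedIdentities = @('BUILTIN\Administrators')   # assumed: the only principal allowed on the file

function Get-SharkCageConfigPaths {
    param([string] $Key = $ConfigsKey)

    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Warning "Registry key not found: $Key (is Shark Cage installed?)"
        return @()
    }
    $item = Get-Item -LiteralPath $Key
    # Every value name is treated as one config entry whose data is the file path.
    foreach ($name in $item.GetValueNames()) {
        $item.GetValue($name)
    }
}

function Test-SharkCageConfigAcl {
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Config file missing: $Path"
        return $false
    }
    $acl = Get-Acl -LiteralPath $Path
    $ok = $true

    # Inherited rules would pull in whatever the parent folder grants (for example
    # BUILTIN\Users on a public folder), so the file must carry explicit rules only.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path : ACL still inherits from the parent folder"
        $ok = $false
    }

    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $who -notin $AllowedIdentities) {
            Write-Warning "$Path : unexpected Allow rule for $who ($($rule.FileSystemRights))"
            $ok = $false
        }
    }
    return $ok
}

$results = foreach ($cfg in Get-SharkCageConfigPaths) {
    [pscustomobject]@{ Config = $cfg; AclRestricted = (Test-SharkCageConfigAcl -Path $cfg) }
}
$results | Format-Table -AutoSize
```

Run it as an administrator, because a non-admin account cannot read the config file's ACL at all if the restriction is in place; a row showing `AclRestricted = False` points at a config that a non-privileged process could read or tamper with.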
The `SharkCageInstaller` is used to install all project applications, start the `CageService` and set some keys in the registry.
You can find a more detailed list of all components in the Visual Studio solution in the project overview.
- The `SharkCageInstaller` is used to install all programs for this project (`CageService`, `CageManager`, `CageChooser` and `CageConfigurator`) and is hosted on GitHub. Follow this link and download the latest version: Github-Releases.
- Please make sure the `SharkCageInstaller` is signed using the certificate issued to the HTWG Konstanz with the following fingerprint: `ADBE74BD39789DD111815DE59C60D715143E4620`, to avoid any unnecessary security risks.
- Execute the installer and follow the instructions. To install the service, the `SharkCageInstaller` needs to run with administrator privileges. Please make sure that the "User Account Control" dialog shows the HTWG Konstanz as the verified publisher.
- Clone or download this repository
- Build the project (`SharkCage.sln`, VS2017 with InstallerProjects required) with one of the available build targets (debug / release).
- If you use the debug build, you can just start the `CageChooser` and a PowerShell script with on-screen instructions will correctly configure your system (BEWARE: the debug build disables some security checks and should not be used when working with sensitive data). If you want to use the release build, the easiest solution is to run the included (built) installer and follow the instructions.
The following apps can currently be run in addition to the primary app:
- Keepass
  - ATTENTION: The option `Tools > Options > Security > Enter master key on secure desktop` needs to be disabled before attempting to start Keepass in SharkCage, otherwise there could be issues with displaying the secure desktop.
- ATTENTION: The option