Patents by Inventor Dennis Kou

Dennis Kou has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9721121
    Abstract: Certain embodiments employ an “out-of-band” mechanism to remove the physical controls for activating input peripherals from a portable device operating system and instead have them controlled by a separate peripheral control domain, isolated from the operating system domain by a machine virtualization/isolation technology. No additional hardware may be required. An adjunct I/O virtualization mechanism may also be included to abstract the guarded input peripheral interfaces, such that all attempts to turn them on from within the operating system are automatically redirected by the I/O virtualization mechanism to the peripheral control domain. The peripheral control domain may then conduct a policy-driven decision process to either allow, disallow, or request manual/explicit authorization of an access attempt. Physical access may be performed within the peripheral control domain.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: August 1, 2017
    Assignee: Green Hills Software, Inc.
    Inventors: Daniel O'Dowd, David Kleidermacher, Thomas Cantrell, Dennis Kou, Daniel Hettena
  • Patent number: 9716725
    Abstract: In certain embodiments, virtualization mechanisms used to defend against spying can also be used by attackers as a means to execute spying attacks more effectively. In certain embodiments, attack methods may use the virtualization mechanisms to surreptitiously activate input peripherals without the user's knowledge or authorization. In certain embodiments, a virtualized network interface may be employed in which all network traffic transiting a portable wireless system is routed through a remote control component within a peripheral control domain. The remote control component may be used by an attacker to communicate remotely with the portable device to send it peripheral activation commands. The remote control component can then activate peripherals via the peripheral access module without the user's or general-purpose operating system's knowledge or authorization. All other network traffic may be passed through as normal and expected to the general-purpose operating system.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: July 25, 2017
    Assignee: Green Hills Software, Inc.
    Inventors: Daniel O'Dowd, David Kleidermacher, Thomas Cantrell, Dennis Kou, Daniel Hettena
  • Publication number: 20150363613
    Abstract: Certain embodiments employ an “out-of-band” mechanism to remove the physical controls for activating input peripherals from a portable device operating system and instead have them controlled by a separate peripheral control domain, isolated from the operating system domain by a machine virtualization/isolation technology. No additional hardware may be required. An adjunct I/O virtualization mechanism may also be included to abstract the guarded input peripheral interfaces, such that all attempts to turn them on from within the operating system are automatically redirected by the I/O virtualization mechanism to the peripheral control domain. The peripheral control domain may then conduct a policy-driven decision process to either allow, disallow, or request manual/explicit authorization of an access attempt. Physical access may be performed within the peripheral control domain.
    Type: Application
    Filed: June 16, 2014
    Publication date: December 17, 2015
    Inventors: Daniel O'Dowd, David Kleidermacher, Thomas Cantrell, Dennis Kou, Daniel Hettena
  • Publication number: 20150365432
    Abstract: In certain embodiments, virtualization mechanisms used to defend against spying can also be used by attackers as a means to execute spying attacks more effectively. In certain embodiments, attack methods may use the virtualization mechanisms to surreptitiously activate input peripherals without the user's knowledge or authorization. In certain embodiments, a virtualized network interface may be employed in which all network traffic transiting a portable wireless system is routed through a remote control component within a peripheral control domain. The remote control component may be used by an attacker to communicate remotely with the portable device to send it peripheral activation commands. The remote control component can then activate peripherals via the peripheral access module without the user's or general-purpose operating system's knowledge or authorization. All other network traffic may be passed through as normal and expected to the general-purpose operating system.
    Type: Application
    Filed: June 16, 2014
    Publication date: December 17, 2015
    Inventors: Daniel O'Dowd, David Kleidermacher, Thomas Cantrell, Dennis Kou, Daniel Hettena