Protecting confidential information from malicious software
by Borders, Kevin R., Ph.D., UNIVERSITY OF MICHIGAN, 2009, 126 pages; 3382025

Abstract:

Protecting confidential information is a major concern for organizations and individuals alike, who stand to suffer huge losses if private data falls into the wrong hands. One of the primary threats to confidentiality is malicious software, which is estimated to already reside on 100 to 150 million computers. Current security controls, such as anti-virus software and intrusion detection systems, are inadequate at preventing malware infection. Due to its diversity and the openness of personal computing systems, eliminating malware is a difficult, open problem that is unlikely to go away in the near future. Yet, computers that are infected with malicious software and connected to the Internet still need access to sensitive information.

The first security system introduced in this thesis, named Capsule, protects locally-modified confidential files. Capsule allows a compromised machine to securely view and edit encrypted files without malware being able to steal their contents. It achieves this goal by taking a checkpoint of system state, disabling network device output, and switching into secure mode. When the user is finished editing the sensitive file, Capsule re-encrypts it with an isolated module, restores the system to its original state, and re-enables device output. For files that can be edited offline, Capsule delivers guaranteed confidentiality against malicious software.

Not all access to confidential information can be isolated from network activity. Some applications, such as online banking, necessitate interaction with both sensitive data and the Internet simultaneously. The network monitoring systems introduced in this thesis seek to maintain confidentiality in such scenarios. The specific contributions include: (1) methods for detecting and classifying web traffic generated by network applications; (2) algorithms for quantifying information leakage in outbound web traffic; and (3) an approach for identifying unwanted web traffic by excluding benign traffic with a whitelist. We evaluate these systems on live network traffic from several hundred computers to show their effectiveness in detecting real confidentiality threats with a low false-positive rate. This thesis raises the bar significantly for malicious software attempting to breach confidentiality, and limits the rate at which data can be stolen from a network.

 
Adviser: Atul Prakash
School: UNIVERSITY OF MICHIGAN
Source: DAI/B 70-10, p. , Dec 2009
Source Type: Dissertation
Subjects: Computer science
Publication Number: 3382025
  Use the link below to access a full citation record of this graduate work:
  http://gateway.proquest.com/openurl%3furl_ver=Z39.88-2004%26res_dat=xri:pqdiss%26rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation%26rft_dat=xri:pqdiss:3382025