
Measuring integrity on mobile phone systems

Published: 11 June 2008

Abstract

Mobile phone security is a relatively new field that is gathering momentum in the wake of rapid advancements in phone system technology. Mobile phones are now becoming sophisticated smart phones that provide services beyond basic telephony, such as supporting third-party applications. Such third-party applications may be security-critical, such as mobile banking, or may be untrusted applications, such as downloaded games. Our goal is to protect the integrity of such critical applications from potentially untrusted functionality, but we find that existing mandatory access control approaches are too complex and do not provide formal integrity guarantees. In this work, we leverage the simplicity inherent to phone system environments to develop a compact SELinux policy that can be used to justify the integrity of a phone system using the Policy Reduced Integrity Measurement Architecture (PRIMA) approach. We show that the resultant policy enables systems to be proven secure to remote parties, enables the desired functionality for installing and running trusted programs, and the resultant SELinux policy is over 90% smaller in size. We envision that this approach can provide an outline for how to build high integrity phone systems.

    Published In

    SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologies
    June 2008
    214 pages
    ISBN:9781605581293
    DOI:10.1145/1377836
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. SELinux
    2. integrity measurement
    3. mobile phones

    Qualifiers

    • Research-article

    Conference

    SACMAT08
    Acceptance Rates

    Overall Acceptance Rate 177 of 597 submissions, 30%

    Cited By

    • (2024) Other Operating Systems. Understanding Cybersecurity on Smartphones. 10.1007/978-3-031-48865-8_5 (71-87). Online publication date: 23-Jan-2024
    • (2023) XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies. Applied Sciences. 10.3390/app13106046, 13:10 (6046). Online publication date: 15-May-2023
    • (2023) Bolstering the Mobile Cloud: Addressing Emerging Threats and Strengthening Multi-Layered Defenses for Robust Mobile Security. 2023 10th International Conference on Internet of Things: Systems, Management and Security (IOTSMS). 10.1109/IOTSMS59855.2023.10325824 (1-7). Online publication date: 23-Oct-2023
    • (2021) Security Protection Scheme of Embedded System Running Environment based on TCM. 2021 2nd International Seminar on Artificial Intelligence, Networking and Information Technology (AINIT). 10.1109/AINIT54228.2021.00128 (636-641). Online publication date: Oct-2021
    • (2021) Malicious Traffic Classifier in android using Neural Networks. Journal of Physics: Conference Series. 10.1088/1742-6596/1732/1/012038, 1732 (012038). Online publication date: 9-Jan-2021
    • (2017) ASLR: How Robust Is the Randomness? 2017 IEEE Cybersecurity Development (SecDev). 10.1109/SecDev.2017.19 (34-41). Online publication date: Sep-2017
    • (2016) Causality-based Sensemaking of Network Traffic for Android Application Security. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. 10.1145/2996758.2996760 (47-58). Online publication date: 28-Oct-2016
    • (2016) Hybrid MQ Signature for Embedded Device. Proceedings, Part I, of the 21st Australasian Conference on Information Security and Privacy - Volume 9722. 10.1007/978-3-319-40253-6_17 (281-290). Online publication date: 4-Jul-2016
    • (2015) Behavior based authentication mechanism to prevent malicious code attacks in windows. 2015 International Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS). 10.1109/ICIIECS.2015.7193071 (1-5). Online publication date: Mar-2015
    • (2015) A review of mobile pervasive learning. Computers in Human Behavior. 10.1016/j.chb.2015.01.002, 46:C (239-244). Online publication date: 1-May-2015
