DOI: 10.1145/2940343.2940349 (ACM conference research article)

Light-SPD: a platform to prototype secure mobile applications

Published: 05 July 2016

ABSTRACT

Securely storing sensitive personal data is critical for protecting privacy. Currently, many people use smartphones to store their private data. However, smartphones suffer from many security issues. To address this, the PCAS project is designing a secure personal storage device called the Secure Portable Device (SPD), to be attached to a smartphone for securely storing sensitive personal data. However, this device is unavailable, closed, and expensive to deploy for prototyping applications. We propose a platform that emulates the SPD and the smartphone using a board with an ARM processor that has the TrustZone security extension. This platform is open, inexpensive, and secure. A payment application is used as an example to show the platform's capabilities. As a proof of concept, we implemented this platform and provide a performance evaluation using an i.MX53 board.


Published in

PAMCO '16: Proceedings of the 1st ACM Workshop on Privacy-Aware Mobile Computing
July 2016
66 pages
ISBN: 9781450343466
DOI: 10.1145/2940343

Copyright © 2016 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States
