964 research outputs found
SGXIO: Generic Trusted I/O Path for Intel SGX
Application security traditionally strongly relies upon security of the
underlying operating system. However, operating systems often fall victim to
software attacks, compromising security of applications as well. To overcome
this dependency, Intel introduced SGX, which allows to protect application code
against a subverted or malicious OS by running it in a hardware-protected
enclave. However, SGX lacks support for generic trusted I/O paths to protect
user input and output between enclaves and I/O devices.
This work presents SGXIO, a generic trusted path architecture for SGX,
allowing user applications to run securely on top of an untrusted OS, while at
the same time supporting trusted paths to generic I/O devices. To achieve this,
SGXIO combines the benefits of SGX's easy programming model with traditional
hypervisor-based trusted path architectures. Moreover, SGXIO can tweak insecure
debug enclaves to behave like secure production enclaves. SGXIO surpasses
traditional use cases in cloud computing and makes SGX technology usable for
protecting user-centric, local applications against kernel-level keyloggers and
likewise. It is compatible to unmodified operating systems and works on a
modern commodity notebook out of the box. Hence, SGXIO is particularly
promising for the broad x86 community to which SGX is readily available.Comment: To appear in CODASPY'1
IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT
With the rapid growth of the Internet-of-Things (IoT), concerns about the
security of IoT devices have become prominent. Several vendors are producing
IP-connected devices for home and small office networks that often suffer from
flawed security designs and implementations. They also tend to lack mechanisms
for firmware updates or patches that can help eliminate security
vulnerabilities. Securing networks where the presence of such vulnerable
devices is given, requires a brownfield approach: applying necessary protection
measures within the network so that potentially vulnerable devices can coexist
without endangering the security of other devices in the same network. In this
paper, we present IOT SENTINEL, a system capable of automatically identifying
the types of devices being connected to an IoT network and enabling enforcement
of rules for constraining the communications of vulnerable devices so as to
minimize damage resulting from their compromise. We show that IOT SENTINEL is
effective in identifying device types and has minimal performance overhead
Glider: A GPU Library Driver for Improved System Security
Legacy device drivers implement both device resource management and
isolation. This results in a large code base with a wide high-level interface
making the driver vulnerable to security attacks. This is particularly
problematic for increasingly popular accelerators like GPUs that have large,
complex drivers. We solve this problem with library drivers, a new driver
architecture. A library driver implements resource management as an untrusted
library in the application process address space, and implements isolation as a
kernel module that is smaller and has a narrower lower-level interface (i.e.,
closer to hardware) than a legacy driver. We articulate a set of device and
platform hardware properties that are required to retrofit a legacy driver into
a library driver. To demonstrate the feasibility and superiority of library
drivers, we present Glider, a library driver implementation for two GPUs of
popular brands, Radeon and Intel. Glider reduces the TCB size and attack
surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about
38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no
performance cost. Indeed, Glider outperforms a legacy driver for applications
requiring intensive interactions with the device driver, such as applications
using the OpenGL immediate mode API
Integrating TrustZone Protection with Communication Paths for Mobile Operating System
Nowadays, users perform various essential activities through their smartphones, including mobile payment and financial transaction. Therefore, users’ sensitive data processed by smartphones will be at risk if underlying mobile OSes are compromised. A technology called Trusted Execution Environment (TEE) has been introduced to protect sensitive data in the event of compromised OS and hypervisor.
This dissertation points out the limitations of the current design model of mobile TEE, which has a low adoption rate among application developers and has a large size of Trusted Computing Base (TCB). It proposes a new design model for mobile TEE to increase the TEE adoption rate and to decrease the size of TCB. This dissertation applies a new model to protect mobile communication paths in the Android platform. Evaluations are performed to demonstrate the effectiveness of the proposed design model
The Android Platform Security Model
Android is the most widely deployed end-user focused operating system. With
its growing set of use cases encompassing communication, navigation, media
consumption, entertainment, finance, health, and access to sensors, actuators,
cameras, or microphones, its underlying security model needs to address a host
of practical threats in a wide variety of scenarios while being useful to
non-security experts. The model needs to strike a difficult balance between
security, privacy, and usability for end users, assurances for app developers,
and system performance under tight hardware constraints. While many of the
underlying design principles have implicitly informed the overall system
architecture, access control mechanisms, and mitigation techniques, the Android
security model has previously not been formally published. This paper aims to
both document the abstract model and discuss its implications. Based on a
definition of the threat model and Android ecosystem context in which it
operates, we analyze how the different security measures in past and current
Android implementations work together to mitigate these threats. There are some
special cases in applying the security model, and we discuss such deliberate
deviations from the abstract model
- …