Towards a Usable Framework for Modelling Security and Privacy Risks in the Smart Home

The Internet-of-Things (IoT) ushers in a new age where the variety and amount of connected, smart devices present in the home is set to increase substantially. While these bring several advantages in terms of convenience and assisted living, security and privacy risks are also a concern. In this article, we consider this risk problem from the perspective of technology users in the smart home, and set out to provide a usable framework for modelling security and privacy risks. The novelty of this work is in its emphasis on supplying a simplified risk assessment approach, complete with typical smart home use cases, home devices, IoT threat and attack models, and potential security controls. The intention is for this framework and the supporting tool interface to be used by actual home users interested in understanding and managing the risks in their smart home environments

Partitioning the Trusted Computing Baseof Applications on Commodity Systems

Secure containers implemented in both software and hardware are being used to isolate and reduce attack vectors on executing software. The isolation of software partitions protects the data and the execution from external software (e.g. the OS, other applications, other software partitions within the same application). Despite the existence of many hardware isolation technologies such as ARM TrustZone, Intel Software Guard Extension (SGX), and others, it is still not clear how to efficiently use isolation to secure applications data. This is particularly the case when considering vulnerabilities within the application, strong adversaries who have control over the OS, and performance requirements of the application. Previous work demonstrated the efficiency of SGX in protecting against memory leakage vulnerabilities. However, since SGX allows separation of privileges through partitioning monolithic applications into compartments, using it in mitigating faulty API vulnerabilities or Buffer over-writes is far from being straightforward. To illustrate, we found that many systems with ”secure containers” capabilities do not deliver the security expected from containers, which indicates an absence of a methodology for using Trusted Execution Environment (TEE) systems. For example, our analysis of Samsung KNOX architecture revealed that such systems cannot protect against memory leakage, buffer over-reads, buffer over-writes, and others. In this thesis two research hypotheses are investigated. First, privilege separation through application partitioning enhanced TEE can be used to mitigate software vulnerabilities, protect containers from privileged kernel, while maintaining the reasonable performance of an application . Second, partitioning patterns can be used to mitigate different threats. We demonstrate how vulnerabilities can be mitigated with secure containers and how the specific design of the secure containers determines the success of the desired protection from such a paradigm. This research uncovers the potential of TEE in separating privileges in applications using hardware based technologies instead of access control enforced in several layers by software. The realisation of the potential of secure containers will help corporations and enterprises design better secure systems and devices that protect end-users data from application and system vulnerabilities and attacks performed by software.</p

Partitioning the Trusted Computing Baseof Applications on Commodity Systems

Secure containers implemented in both software and hardware are being used to isolate and reduce attack vectors on executing software. The isolation of software partitions protects the data and the execution from external software (e.g. the OS, other applications, other software partitions within the same application). Despite the existence of many hardware isolation technologies such as ARM TrustZone, Intel Software Guard Extension (SGX), and others, it is still not clear how to efficiently use isolation to secure applications data. This is particularly the case when considering vulnerabilities within the application, strong adversaries who have control over the OS, and performance requirements of the application. Previous work demonstrated the efficiency of SGX in protecting against memory leakage vulnerabilities. However, since SGX allows separation of privileges through partitioning monolithic applications into compartments, using it in mitigating faulty API vulnerabilities or Buffer over-writes is far from being straightforward. To illustrate, we found that many systems with âsecure containersâ capabilities do not deliver the security expected from containers, which indicates an absence of a methodology for using Trusted Execution Environment (TEE) systems. For example, our analysis of Samsung KNOX architecture revealed that such systems cannot protect against memory leakage, buffer over-reads, buffer over-writes, and others. In this thesis two research hypotheses are investigated. First, privilege separation through application partitioning enhanced TEE can be used to mitigate software vulnerabilities, protect containers from privileged kernel, while maintaining the reasonable performance of an application . Second, partitioning patterns can be used to mitigate different threats. We demonstrate how vulnerabilities can be mitigated with secure containers and how the specific design of the secure containers determines the success of the desired protection from such a paradigm. This research uncovers the potential of TEE in separating privileges in applications using hardware based technologies instead of access control enforced in several layers by software. The realisation of the potential of secure containers will help corporations and enterprises design better secure systems and devices that protect end-users data from application and system vulnerabilities and attacks performed by software.</p

AuDroid: preventing attacks on audio channel sin mobile devices

Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead