4 research outputs found
Device-Based Isolation for Securing Cryptographic Keys
In this work, we describe an eective device-based isolation
approach for achieving data security. Device-based isolation
leverages the proliferation of personal computing devices to
provide strong run-time guarantees for the condentiality of
secrets. To demonstrate our isolation approach, we show its
use in protecting the secrecy of highly sensitive data that
is crucial to security operations, such as cryptographic keys
used for decrypting ciphertext or signing digital signatures.
Private key is usually encrypted when not used, however,
when being used, the plaintext key is loaded into the memory
of the host for access. In our threat model, the host may
be compromised by attackers, and thus the condentiality of
the host memory cannot be preserved. We present a novel
and practical solution and its prototype called DataGuard to
protect the secrecy of the highly sensitive data through the
storage isolation and secure tunneling enabled by a mobile
handheld device. DataGuard can be deployed for the key
protection of individuals or organizations
Neural-Augmented Static Analysis of Android Communication
We address the problem of discovering communication links between
applications in the popular Android mobile operating system, an important
problem for security and privacy in Android. Any scalable static analysis in
this complex setting is bound to produce an excessive amount of
false-positives, rendering it impractical. To improve precision, we propose to
augment static analysis with a trained neural-network model that estimates the
probability that a communication link truly exists. We describe a
neural-network architecture that encodes abstractions of communicating objects
in two applications and estimates the probability with which a link indeed
exists. At the heart of our architecture are type-directed encoders (TDE), a
general framework for elegantly constructing encoders of a compound data type
by recursively composing encoders for its constituent types. We evaluate our
approach on a large corpus of Android applications, and demonstrate that it
achieves very high accuracy. Further, we conduct thorough interpretability
studies to understand the internals of the learned neural networks.Comment: Appears in Proceedings of the 2018 ACM Joint European Software
Engineering Conference and Symposium on the Foundations of Software
Engineering (ESEC/FSE