1 / 28

Building Trusted Path on Untrusted Device Drivers for M obile Devices

Building Trusted Path on Untrusted Device Drivers for M obile Devices. Wenhao Li , Mingyang Ma, Jinchen Han, Yubin Xia, Bingyu Zang , Cheng-Kang Chu, Tieyan Li SJTU, Fudan and Huawei Technologies. Motivation. The population of mobile users grows dramatically So is the malware!.

lam
Download Presentation

Building Trusted Path on Untrusted Device Drivers for M obile Devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Building Trusted Path on Untrusted Device Drivers for Mobile Devices Wenhao Li, Mingyang Ma, Jinchen Han, Yubin Xia, BingyuZang, Cheng-Kang Chu, TieyanLi SJTU, Fudanand Huawei Technologies.

  2. Motivation • The population of mobile users grows dramatically • So is the malware!

  3. Key and Screen Logger Attack • Key and screen loggers are not rare • Especially when devices are rooted or jailed break • With root privilege, existing solutions could be easily bypassed

  4. Device Drivers are vulnerable! • Among these vulnerabilities, many are due to device drivers • Device drivers should not be trusted!

  5. The Lack of Trusted Path Problem • User Input • Key logger: steal user’s password • Screen Output • Screen logger: steal user’s credit No and tamper with data (i.e. change $1,000 to $1) • The key cause is the lack of a trusted path between • users and their devices • devices and Internet services Credit No:3412…343 Pay: $1,000 Password:

  6. Goal of TrustUI • Provides a trusted path between services and end users • from user input to screen output • from mobile device to cloud services • Properties TrustUI should have • deployable to existing mobile devices • TCB should be minimal

  7. OUTLINE • Motivation of TrustUI • Background and Design Alternatives • Design and Implementation • Evaluation • Conclusion

  8. ARM TrustZone Background • Widely deployed in mobile devices • First Introduced in ARMv6, 2002 • However, few devices utilize this technology • Technology Detail • Split CPU Mode Execution • Memory and Peripheral Protection • Interrupt Isolation

  9. SplitCPU Mode Execution • Two separated worlds: normal and secure world • secure world can access all states of normal world but not vice-versa • A new privileged mode: secure monitor mode • used to switch two worlds • handle security violation

  10. Memory and Peripheral Protection • Memory region and peripheral could be assigned to secure world accessible only, or both • DMA protection • memory-to-peripheral DMA is world sensitive, normal world DMA could not access secure memory • Interrupt isolation • Normal world, secure world and monitor mode have their own separated exception vector table • An interrupt can be configured as secure or non-secure

  11. Threat Model • In-scope: software-based attacks • Out-of-scope: physical hardware attacks • Code running in secure world and monitor mode is trusted while others are untrusted

  12. An Alternative Approach • Runs rich functionality in parallel with a closed-box secure OS • Only some necessary device drivers and core logics in secure world • Limitations • Vendors may refuse to provide device drivers source code • Device drivers are vulnerable to attacks

  13. OUTLINE • Motivation of TrustUI • Background and Design Alternatives • Design and Implementation • Evaluation • Conclusion

  14. TrustUI Design • A security-oriented split driver model • Reuse existing device drivers without trusting them

  15. TrustUI Design: Secure Display Normal World Secure World Secure Kernel Untrusted Rich OS Proxy Proxy Secure Application Display Backend Display Lib Display Frontend Display Driver Software Hardware Display Device Frame Buffer Unsecure Memory Secure Memory LED Indicator Memory

  16. TrustUI Design: Secure Input Normal World Secure World Secure Kernel Untrusted Rich OS Proxy Proxy Secure Application Touch Backend UI Element Randomization Input Frontend Touch Driver Software Hardware Unsecure Memory Secure Memory Frame Buffer LED Indicator Display Device Touch Screen Memory

  17. TrustUI Design: Network Delegation Normal World Secure World Secure Kernel Untrusted Rich OS Proxy Proxy Secure Application Network Backend SSL Library Network Frontend NIC Driver Software Hardware Unsecure Memory Secure Memory NIC Device Memory

  18. Security Challenges of TrustUI

  19. Frame Buffer Overlay Attack • Modern display device may have more than one window (frame buffer) • Screen Hijacking Attack • A malicious display driver can pass a pointer of frame buffer with low priority to the secure world, and operate on a higher layer frame buffer

  20. Dealing with FB Overlay: LED & color randomization • Two display layers in secure display • same color as LED and periodically change them • foreground font element: same color as foreground layer • foreground bitmap element: foreground layer color rendered on the edge and a watermark in random position

  21. Secure Input: UI Randomization • Soft Keyboard Randomization • information leakage: input length, touch position and interval • touch position: regenerate the keyboard layout after entering a character by adding an offset for each key • input length and touch interval: generate a random pop-up button on the screen within the keyboard area for the user to click • Other UI elements • Up to the trusted application developer to decide

  22. TrustUI Implementation • Implemented in Samsung Exynos4412 development board • with ARM Cortex-A9 processor • Run Android Ice Cream Sandwich in normal world • Linux kernel version 3.0.2. • Source Code has been merged into T6 • T6: a TrustZone based trusted kernel for mobile

  23. OUTLINE • Motivation of TrustUI • Background and Design Alternatives • Design and Implementation • Evaluation • Conclusion

  24. Security Evaluation • (left)Touch-logger analysis: touch position and length • (a)(b)(c) got by entering password ‘00000000’ • (d) (e) by entering ‘5cfc912f’ and ‘12345678’ • (f) by ‘f6b0736c3b’ • (right)Touch-logger analysis: touch interval

  25. Security Evaluation • Screen-capture attack • method: read device file in /dev/graphics/fb0 and some overlay devices like video playback and camera preview with and without invoking lock_display(). • tool: screencapprovided by AOSP • result: only get the out-of-date display content that are before switching to secure world.

  26. Reduce The Attack Surface • Small "open-box" • Small TCB • about 10K SLOC

  27. Conclusion • TrustUI: a system aiming at providing trusted path for mobile devices • built with cooperative randomization of the trust path and secure delegation of network interaction • Enables secure interaction between end users and services based on ARM TrustZone with a small TCB • excluding commodity software stack as well as drivers for user-interacting devices out of its TCB

  28. Thank You! Q&A Source code of T6 available via: http://www.liwenhaosuper.com/projects/t6

More Related