keynote

Old, new, borrowed, blue --: a perspective on the evolution of mobile platform security architectures

Authors:

Kari Kostiainen,

Elena Reshetova,

Jan-Erik Ekberg,

N. AsokanAuthors Info & Claims

CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy

Pages 13 - 24

https://doi.org/10.1145/1943513.1943517

Published: 21 February 2011 Publication History

Abstract

The recent dramatic increase in the popularity of "smartphones" has led to increased interest in smartphone security research. From the perspective of a security researcher the noteworthy attributes of a modern smartphone are the ability to install new applications, possibility to access Internet and presence of private or sensitive information such as messages or location. These attributes are also present in a large class of more traditional "feature phones." Mobile platform security architectures in these types of devices have seen a much larger scale of deployment compared to platform security architectures designed for PC platforms. In this paper we start by describing the business, regulatory and end-user requirements which paved the way for this widespread deployment of mobile platform security architectures. We briefly describe typical hardware-based security mechanism that provide the foundation for mobile platform security. We then describe and compare the currently most prominent open mobile platform security architectures and conclude that many features introduced recently are borrowed, or adapted with a twist, from older platform security architectures. Finally, we identify a number of open problems in designing effective mobile platform security.

References

[1]

James Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51, Electronic Systems Division, 1972.

[2]

William A. Arbaugh, David J. Farber, and Jonathan M. Smith. A secure and reliable bootstrap architecture. In IEEE Symposium on Security and Privacy, pages 65--71. IEEE Computer Society, 1997.

Digital Library

[3]

ARM. Trustzone-enabled processor. http://www.arm.com/products/processors/technologies/trustzone.php.

[4]

ARM. Building a Secure System using TrustZone#8482; Technology, 2009. Available from http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf.

[5]

David Barrera, Hilmi Günes Kayacik, Paul C. van Oorschot, and Anil Somayaji. A methodology for empirical analysis of permission-based security models and its application to android. In Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 73--84. ACM, 2010.

Digital Library

[6]

Desktop bus project page. website. http://www.freedesktop.org/wiki/Software/dbus, 2010.

[7]

Pern Hui Chia, Andreas Heiner, and N. Asokan. Use of ratings from personalized community for trustworthy application installation. In Proceedings of the the 15th Nordic Conference in Secure IT Systems, 2010.

[8]

Pern Hui Chia, Andreas Heiner, and N. Asokan. The wisdom of cliques: Use of personalized social rating for trustworthy application installation. Technical Report NRC-TR-2010-001, Nokia Research Center, July 2010. Available at http://research.nokia.com/files/tr/NRCTR2010001.pdf.

[9]

Jan-Erik Ekberg and Markku Kylänpää. Mobile trusted module. Technical Report NRC-TR-2007-015, Nokia Research Center, November 2007. Available at: http://research.nokia.com/files/NRCTR2007015.pdf.

[10]

ETSI. ETSI GSM 02.09 Security Aspects. European Telecommunication Standards Institute, April 1993. Version 3.1.0; Available from http://www.3gpp.org/ftp/Specs/html-info/0209.htm.

[11]

ETSI. ETSI GSM 02.09 Security Aspects. European Telecommunication Standards Institute, June 2001. Version 8.0.1 Release 99; Available from http://www.3gpp.org/ftp/Specs/html-info/0209.htm.

[12]

Gartner. Press release; worldwide mobile phone sales in trhid quarter 2010. http://www.gartner.com/it/page.jsp?id=1466313, 2010.

[13]

Gitorious. Mssf project source code. http://meego.gitorious.org/meego-platform-security, 2010.

[14]

Dmitry Kasatkin. Mobile simplified security framework. In Proceedings of the 12th Linux Symposium, 2010.

[15]

Butler Lampson. Protection. In Proceedings of the 5th Princeton Conference on Information Sciences and System, pages 18--24, 1971.

[16]

Steve Litchfield. Defining the smartphone. On-line article at AllAboutSymbian.com, July 2010. Available at http://www.aboutsymbian.com/features/item/Defining_the_Smartphone.ph%p.

[17]

Peter Loscocco and Stephen Smalley. Integrating flexible support for security policies into the linux operating system. In Clem Cole, editor, USENIX Annual Technical Conference, FREENIX Track, pages 29--42. USENIX, 2001.

Digital Library

[18]

Claudio Marforio and Srdjan Capkun Aurélien Francillon. Personal communication, November 2010. Paper in submission.

[19]

Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Arvind Seshadri. Minimal TCB Code Execution (Extended Abstract). In Proc. IEEE Symposium on Security and Privacy, May 2007.

Digital Library

[20]

MeeGo. Mobile simplified security framework overview. http://conference2010.meego.com/session/mobile-simplified-security-fram%ework-overview, 2010.

[21]

Sun Microsystems. Mobile information device profile for java 2 micro edition, version 2.1. http://www.oracle.com/technetwork/java/index-jsp-138820.html, 2006.

[22]

Motorola. Mobile information device profile for java micro edition, version 3.0. http://opensource.motorola.com/sf/projects/jsr271, 2009.

[23]

Oracle. Java technology. http://www.java.com/en/about/, 2010.

[24]

Hewlett Packard. Openvms guide to system security. Available from http://www.hp.com/go/openvms/doc/, June 2010.

[25]

Siani Pearson, editor. Trusted Computing Platforms: TCPA technology in context. Prentice Hall, 2003.

Digital Library

[26]

Elena Reshetova. Mobile simplified security framework overview. http://userweb.kernel.org/~jmorris/lss2010_slides/reshetovaLinuxCon_overview_v_final.pdf, 2010.

[27]

Reiner Sailer, Xiaolan Zhang, Trent Jaeger, and Leendert van Doorn. Design and implementation of a tcg-based integrity measurement architecture. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 16--16, Berkeley, CA, USA, 2004. USENIX Association.

Digital Library

[28]

Jane Sales. Symbian OS Internals. Wiley, 2005.

Digital Library

[29]

Casey Schaufler. Smack in embedded computing. In Proceedings of the 10th Linux Symposium, 2008.

[30]

Dries Schellekens, Pim Tuyls, and Bart Preneel. Embedded trusted computing with authenticated non-volatile memory. In Proc. of the 1st International conference on Trusted Computing and Trust in Information Technologies (TRUST 2008), 2008.

Digital Library

[31]

SourceForge. An overview of the linux integrity subsystem. http://heanet.dl.sourceforge.net/project/linux-ima/linux-ima/Integrity_overview.pdf, 2010.

[32]

Jay Srage and Jerome Azema. M-Shield mobile security technology, 2005. TI White paper. http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf.

[33]

Harini Sundaresan. OMAP platform security features, July 2003. TI White paper. http://focus.ti.com/pdfs/vf/wireless/platformsecuritywp.pdf.

[34]

Trusted Computing Group. https://www.trustedcomputinggroup.org/home.

[35]

TCG. Trusted Platform Module (TPM) Specifications. Available at: https://www.trustedcomputinggroup.org/specs/TPM/.

[36]

Android-DLS wiki. Howto: Unpack, edit, and re-pack boot images. http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_%and_Re-Pack_Boot_Images, 2010.

[37]

Maurice Wilkes. The Cambridge CAP computer and its operating system. North-Holland Publishing Co., Amsterdam, The Netherlands, The Netherlands, 1979.

Digital Library

Cited By

Peters TPierson TSen SCamacho JKotz DPöpper CVanhoef MBatina LMayrhofer R(2021)Recurring verification of interaction authenticity within bluetooth networksProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3448300.3468287(192-203)Online publication date: 28-Jun-2021
https://dl.acm.org/doi/10.1145/3448300.3468287
Perez AZeadally SJabeur N(2017)Investigating Security for Ubiquitous Sensor NetworksProcedia Computer Science10.1016/j.procs.2017.05.432109(737-744)Online publication date: 2017
https://doi.org/10.1016/j.procs.2017.05.432
Francillon AFanucci LTeich J(2016)Trust, but verifyProceedings of the 2016 Conference on Design, Automation & Test in Europe10.5555/2971808.2972084(1178-1182)Online publication date: 14-Mar-2016
https://dl.acm.org/doi/10.5555/2971808.2972084
Show More Cited By

Index Terms

Old, new, borrowed, blue --: a perspective on the evolution of mobile platform security architectures
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Old risks, new challenges: exploring differences in security between home computer and mobile device use

Home users are particularly vulnerable to information security threats as they must make decisions about how to protect themselves, often with little knowledge of the technology. Furthermore, information for home users tends to focus on the traditional ...
Old Wine in New Skins?: Revisiting the Software Architecture for IP Network Stacks on Constrained IoT Devices
IoT-Sys '15: Proceedings of the 2015 Workshop on IoT challenges in Mobile and Industrial Systems

In this paper, we argue that existing concepts for the design and implementation of network stacks for constrained devices do not comply with the requirements of current and upcoming Internet of Things (IoT) use cases. The IoT requires not only a ...
Internet of Things Security Research: A Rehash of Old Ideas or New Intellectual Challenges?
The Internet of Things (IoT) is a new computing paradigm that spans wearable devices, homes, hospitals, cities, transportation, and critical infrastructure. Building security into this new computing paradigm is a major technical challenge. What IoT ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy

February 2011

294 pages

ISBN:9781450304665

DOI:10.1145/1943513

General Chair:
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Elisa Bertino
Purdue University, USA

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 February 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Keynote

Conference

CODASPY '11

Sponsor:

SIGSAC

CODASPY '11: First ACM Conference on Data and Application Security and Privacy

February 21 - 23, 2011

TX, San Antonio, USA

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
1,421
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)0

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Peters TPierson TSen SCamacho JKotz DPöpper CVanhoef MBatina LMayrhofer R(2021)Recurring verification of interaction authenticity within bluetooth networksProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3448300.3468287(192-203)Online publication date: 28-Jun-2021
https://dl.acm.org/doi/10.1145/3448300.3468287
Perez AZeadally SJabeur N(2017)Investigating Security for Ubiquitous Sensor NetworksProcedia Computer Science10.1016/j.procs.2017.05.432109(737-744)Online publication date: 2017
https://doi.org/10.1016/j.procs.2017.05.432
Francillon AFanucci LTeich J(2016)Trust, but verifyProceedings of the 2016 Conference on Design, Automation & Test in Europe10.5555/2971808.2972084(1178-1182)Online publication date: 14-Mar-2016
https://dl.acm.org/doi/10.5555/2971808.2972084
Johnstone MBaig ZHannay PCarpene CFeroze M(2016)Controlled Android Application Execution for the IoT InfrastructureInternet of Things. IoT Infrastructures10.1007/978-3-319-47063-4_2(16-26)Online publication date: 18-Nov-2016
https://doi.org/10.1007/978-3-319-47063-4_2
Moriyama DYung M(2015)The bright side arguments for the coming smartphones crypto war: The added value of device encryption2015 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS.2015.7346812(65-73)Online publication date: Sep-2015
https://doi.org/10.1109/CNS.2015.7346812
Dmitrienko AHeuser SNguyen Tda Silva Ramos MRein ASadeghi A(2015)Market-Driven Code Provisioning to Mobile Secure HardwareFinancial Cryptography and Data Security10.1007/978-3-662-47854-7_23(387-404)Online publication date: 16-Jul-2015
https://doi.org/10.1007/978-3-662-47854-7_23
Roland MRoland M(2015)Related WorkSecurity Issues in Mobile NFC Devices10.1007/978-3-319-15488-6_4(47-67)Online publication date: 12-Feb-2015
https://doi.org/10.1007/978-3-319-15488-6_4
Truong HLagerspetz ENurmi POliner ATarkoma SAsokan NBhattacharya SChung CBroder AShim KSuel T(2014)The company you keepProceedings of the 23rd international conference on World wide web10.1145/2566486.2568046(39-50)Online publication date: 7-Apr-2014
https://dl.acm.org/doi/10.1145/2566486.2568046
Suarez-Tangil GTapiador JPeris-Lopez PRibagorda A(2014)Evolution, Detection and Analysis of Malware for Smart DevicesIEEE Communications Surveys & Tutorials10.1109/SURV.2013.101613.0007716:2(961-987)Online publication date: Oct-2015
https://doi.org/10.1109/SURV.2013.101613.00077
Ekberg JKostiainen KAsokan N(2014)The Untapped Potential of Trusted Execution Environments on Mobile DevicesIEEE Security & Privacy10.1109/MSP.2014.3812:4(29-37)Online publication date: Jul-2014
https://doi.org/10.1109/MSP.2014.38
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents