Deadbolt: Locking Down Android Disk Encryption (PowerPoint PPT Presentation)


SLIDE 1

Deadbolt: Locking Down Android Disk Encryption

Adam Skillen, David Barrera, and Paul C. van Oorschot

askillen@ccsl.carleton.ca, Carleton Computer Security Lab, Carleton University, Ottawa, Canada

SPSM 2013, Berlin, Germany

November 8, 2013

SLIDE 2

The problem with Android disk encryption

Android storage encryption uses full-disk encryption (FDE). The key stays in RAM while the screen is locked, so FDE only protects private data while the volume is unmapped (e.g., the device is shut down).

The always-on usage model of mobile devices weakens FDE: the FDE key, and the private data it protects, are exposed to cold-boot, lock-screen bypass, and hardware-based attacks.

A. Skillen. Deadbolt, November 8, 2013. Slide 2 / 22

SLIDE 3

FDE – PC model

PCs are regularly shut down or hibernated, which secures the encrypted data by removing the key from RAM. (Suspend-to-RAM does not: the key stays in memory.)

SLIDE 4

FDE – Mobile model

Mobile devices are instead screen-locked: the key remains in RAM and the volume remains mounted.

SLIDE 5

Android storage encryption

Implemented through dm-crypt: a block cipher acts on individual disk sectors, on the fly and transparently to users and apps. (On Android 4.x the mapping is aes-cbc-essiv:sha256; the volume master key is stored encrypted under a key derived from the lock-screen PIN or password and is decrypted into kernel memory at boot.)

SLIDE 6

cf. iOS storage encryption

Files are encrypted individually, and some file keys are removed from RAM when the screen is locked.

SLIDE 7

Unlocked iOS device

All keys/files available when screen is unlocked

SLIDE 8

Locked iOS device

Only some keys/files remain available when the screen is locked.

SLIDE 9

Unlocked Android device

Key and storage available when screen is unlocked

SLIDE 10

Locked Android device

Key and storage remain available when screen is locked!

SLIDE 11

Contributions

1 Software-only method to protect the FDE key and encrypted data.
  Resilient to cold-boot and lock-screen bypass while in Deadbolt mode.

2 Retains most smart-device functionality.
  (Dialer, SMS, Internet; optionally import some user data.)

3 Resuming from Deadbolt mode is faster than a full boot-up.

4 Added benefit of an optional incognito environment.
  Logs and activities can be discarded after resuming from Deadbolt.

5 Full design and implementation for use with Android 4.0+.
  Source code available from the project website.

SLIDE 12

Use Cases

Deadbolt complements the Android lock-screen, for use in high-risk situations
  E.g., travelling, commuting, border-crossing

Intended users: anybody who currently uses device encryption

Optionally, policies could be used to invoke Deadbolt
  E.g., time-of-day, GPS location

Incognito mode allows users to perform tasks deniably
  E.g., phone calls will not show up in logs

Safe mode allows users to perform potentially hazardous tasks
  E.g., visit untrusted websites

SLIDE 13

Threat model

Assume the adversary can obtain physical access to the device while it is in Deadbolt:

Software vulnerabilities: the lock-screen is routinely bypassed (e.g., recent Android Skype bug, iOS 7 bug).
Cold boot attack: keys and intermediate state are in RAM; Müller et al. recently demonstrated cold boot on Android [ACNS'13].
Hardware attacks: ARM debug interface, JTAG, etc.

SLIDE 14

Deadbolt implementation

Implemented in the Android volume mounting daemon (vold):

1. Pause the running Android framework (GUI, daemons, etc.).
2. Unmount the encrypted userdata volume and tear down its dm-crypt mapping (the kernel frees its copy of the key when the mapping is removed, not on unmount alone).
3. Zero all key material in RAM.
4. Mount an empty tmpfs (RAM filesystem) on /userdata.
5. Restart the Android framework.

cf. switching runlevel without restarting the kernel.
SLIDE 15

Deadbolt environment

Uninitialized environment: default settings, no user data/apps.

Base system apps (without user data): sufficient for phone, web, texting, maps/GPS.

tmpfs mounted on the userdata storage: private data inaccessible; all changes must be exported or are lost.

Optionally import certain data, e.g., contacts, WiFi passwords, etc.

SLIDE 16

Deadbolted Android device

Key and storage secured, core smartphone functionality retained

SLIDE 17

Deadbolt modes

Incognito mode is like a Live-CD environment: no data persists after exiting (default mode).
  Allows importing/exporting data to encrypted storage.

Safe mode allows users to perform potentially dangerous tasks without the risk of disclosing private data.
  Importing/exporting of private data is disabled.

SLIDE 18

Deadbolt UI

Enter Deadbolt (suspend full environment)
Exit Deadbolt (resume full environment)

SLIDE 19

Deadbolt performance – Locking data

Tested on a Nexus 7 tablet with AOSP 4.2.2

Power off device: 14.03 s (σ = 0.145)
Enter Deadbolt: 31.62 s (σ = 1.235)

SLIDE 20

Deadbolt performance – Unlocking data

Boot up: 42.17 s (σ = 0.638)
Exit Deadbolt: 14.00 s (σ = 0.122)

Trade increased time to lock for decreased time to unlock, while maintaining core functionality.

SLIDE 21

Limitations and usability concerns

Absence of user apps and data (e.g., games, email passwords).
App notifications must use other means (e.g., over SMS).
Minimum 256 MB RAM (Android 4.0+ devices).
Cannot be installed after market; must be implemented in the OS (could possibly be made part of the default Android OS).
Private data fragments may remain in RAM.

SLIDE 22

Summary

With FDE, data remains unlocked while the device is powered on.
Deadbolt offers the security benefits of a powered-off device while retaining most mobile functionality.
Switching to Deadbolt is faster than a reboot.
Some usability/security trade-offs.
Deadbolt project website: http://www.ccsl.carleton.ca/~askillen/deadbolt

SLIDE 23

Deadbolt overview

[State diagram; the labels recovered from the slide are listed by state.]

Device off: FDE key unavailable.
FDE mode (power on device, user enters password): all user apps+data available.
Deadbolt mode (user enables Deadbolt, FDE key cleared): FDE key unavailable, system apps available.
  Incognito mode: some user apps+data available (imported).
  Safe mode: system apps only.
Return to FDE mode: user exits Deadbolt and enters password.

Enhanced Android lock-screen. All private data encrypted and inaccessible. Temporary (empty) Android environment. Core phone functionality available.

A. Skillen. Deadbolt, November 11, 2013. Extra 1

SLIDE 24

Deadbolt comparison

[Comparison table; the check marks in the cells did not survive extraction, only the headers are recoverable.]

Columns: lock-screen bypass resilient; cold-boot resilient; software only; app notifications; incognito mode.
Rows: Apple iOS (file encryption); BlackBerry FDE; Windows Phone; Android FDE; Deadbolt.
Footnote a (Deadbolt, app notifications): e.g., over SMS.
SLIDE 25

Alternative approaches and future work

Exiting Deadbolt is fast (only requires restarting GUI/services).
  Alternative: suspend to disk (likely not an advantage given Android's memory model).

Entering Deadbolt is slower (requires creating the directory structure, unpacking system apps, restarting the framework).
  Alternative: a pre-created disk image could be used with OverlayFS (read-only base, copy-on-write).

Trusted execution implementation (key only available inside a TEE).

SLIDE 26

Data transfer between environments

Copy files and merge SQLite databases while the tmpfs and FDE storage are mounted concurrently.

Import: optionally import some data into Deadbolt; any imported data is susceptible to disclosure.
  E.g., contacts, WiFi settings/passwords, bookmarks.

Export: save some data created in Deadbolt.
  E.g., call log, SMS/MMS, photos.

SLIDE 27

Security evaluation

dm-crypt uses kzfree on key material when the device is unmapped.
We wipe vold's copy of the key/password (using memset). (Caveat: a memset on memory that is never read again is a dead store that an optimizing compiler may remove; the wipe should be done through a volatile pointer or an explicit_bzero-style call and confirmed in the built binary.)
Used LiME and AESKeyFind to examine memory in Deadbolt.
Plaintext private data fragments may exist in RAM.
When exiting Deadbolt, we wipe the tmpfs.
Data imported into Deadbolt is subject to disclosure while in Deadbolt.
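The memory check on this slide (a LiME dump scanned with AESKeyFind) and step 3 of the implementation (zero all key material in RAM) can be reproduced in miniature. The following is an added example, not code from the Deadbolt project or the paper: it builds the AES S-box from its definition, implements AES-128 key expansion, scans a constructed memory image for a key followed by its round keys (the signature aeskeyfind looks for, here as an exact match rather than tolerating decayed bits), then wipes the key through a volatile function pointer so the wipe cannot be dropped as a dead store, and rescans. The image, the key (the FIPS-197 example key) and every function name are this example's own assumptions.

```c
/* Added example (not from the Deadbolt paper/project): aeskeyfind-style scan of a
 * memory image for an AES-128 key schedule, then a wipe the optimizer cannot
 * remove, then a rescan. Names and the constructed image are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint8_t SBOX[256];

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field). */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* Build the S-box from its definition: multiplicative inverse, then the affine map. */
static void init_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gmul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv;
        for (int r = 1; r <= 4; r++) s ^= (uint8_t)((inv << r) | (inv >> (8 - r)));
        SBOX[x] = s ^ 0x63;
    }
}

static void ensure_sbox(void) { static int ready; if (!ready) { init_sbox(); ready = 1; } }

/* AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176-byte schedule. */
static void aes128_expand(const uint8_t key[16], uint8_t out[176]) {
    ensure_sbox();
    memcpy(out, key, 16);
    uint8_t rcon = 1;
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, out + i - 4, 4);
        if (i % 16 == 0) {                 /* RotWord, SubWord, Rcon once per round */
            uint8_t first = t[0];
            t[0] = SBOX[t[1]] ^ rcon; t[1] = SBOX[t[2]];
            t[2] = SBOX[t[3]];        t[3] = SBOX[first];
            rcon = gmul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) out[i + j] = out[i - 16 + j] ^ t[j];
    }
}

/* Offset of the first 16-byte window whose expansion equals the 160 bytes after it,
 * or -1. A key in use normally sits in RAM next to its round keys, which is what
 * makes it findable in a cold-boot dump. */
static long find_aes128_schedule(const uint8_t *mem, size_t len) {
    uint8_t sched[176];
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_expand(mem + off, sched);
        if (memcmp(sched + 16, mem + off + 16, 160) == 0) return (long)off;
    }
    return -1;
}

/* Wipe through a volatile function pointer: a plain memset() on memory that is never
 * read again is a dead store that an optimizing compiler is allowed to delete. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { memset_ptr(p, 0, n); }

/* Constructed image (not a real dump): deterministic filler with a schedule planted at `where`. */
static void plant_schedule(uint8_t *image, size_t len, size_t where, const uint8_t key[16]) {
    for (size_t i = 0; i < len; i++) image[i] = (uint8_t)(i * 37 + 11);
    aes128_expand(key, image + where);
}

/* Deadbolt step 3 in miniature: destroy the schedule, then confirm the scan finds nothing. */
static long wipe_and_rescan(uint8_t *image, size_t len, size_t where) {
    secure_zero(image + where, 176);
    return find_aes128_schedule(image, len);
}

/* FIPS-197 Appendix A example key, used here only as a known test vector. */
static const uint8_t FIPS_KEY[16] = { 0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                      0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };

int main(void) {
    static uint8_t image[4096];
    plant_schedule(image, sizeof image, 1000, FIPS_KEY);
    printf("before wipe: schedule at offset %ld\n", find_aes128_schedule(image, sizeof image));
    printf("after wipe:  offset %ld (-1 = none)\n", wipe_and_rescan(image, sizeof image, 1000));
    return 0;
}
```

In a real check the image would be a LiME dump of the device rather than an in-process array, and a cold-boot scan has to tolerate decayed bits, which this exact-match scan does not; the point here is the signature being searched for and the fact that a zeroed schedule no longer produces it.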

SLIDE 28

Related Work

J. Götzfried and T. Müller. ARMORED: CPU-bound encryption for Android-driven ARM devices (ARES 2013).
Key stored in CPU registers rather than RAM. (Defence against cold boot, but still susceptible to physical attack and lock-screen bypass.)
