protecting mobile devices from physical memory attacks
play

Protecting Mobile Devices from Physical Memory Attacks with - PowerPoint PPT Presentation

Dec 26, 2022 •8 likes •318 views

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo Why do Physical-space Threats Concern for SmartPhones? Why do Physical-space Threats

  1. Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo

  2. Why do Physical-space Threats Concern for SmartPhones?

  3. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc. https://patriotpower.ogsd.net/2650/news/the-lost-phone-retriever/

  4. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc. https://www.theexplode.com/stolen-phone-by-imei-number/

  5. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  6. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  7. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  8. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  9. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  10. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  11. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  12. DRAM is a Low-hanging Fruit for Attackers • When the smartphone is locked, Processor how can an attacker extract Core Logic sensitive data? Instruction • Modern smartphones enforce Data Cache Cache full disk encryption Bus • Off-chip DRAM is problematic! On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  13. DRAM is a Low-hanging Fruit for Attackers • When the smartphone is locked, Processor how can an attacker extract Core Logic sensitive data? Instruction • Modern smartphones enforce Data Cache Cache full disk encryption Bus • Off-chip DRAM is problematic! On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  14. Attacks to DRAM

  15. Attacks to DRAM

  16. Attacks to DRAM • DDR bus monitoring • Cold boot attack

  17. Attacks to DRAM • DDR bus monitoring • Cold boot attack https://www.futureplus.com

  18. Attacks to DRAM • DDR bus monitoring • Cold boot attack https://www1.informatik.uni-erlangen.de/frost

  19. MemVault – Memory Vault • Avoid using DRAM to store cleartext Processor sensitive data Core Logic Instruction Data Cache Cache Immunity to Capacity Controllability Intrusiveness Physical Attacks ✓ OCRAM ~ 128 - 256 KB Memory Not in used On-Chip External RAM /iRAM Mapped after booting RAM/iRAM Controller ✓ Cache ~ 1 MB Transparent Always in used Off-Chip Off-Chip ROM DRAM

  20. Why OCRAM/iRAM is immune to Physical Attacks? • DDR bus monitoring • No external pins • Cold boot attack • Attacker cannot remove OCRAM/iRAM and install it to another machine • SoC bootup code is mandatory for SoC to reboot • The code clears OCRAM/iRAM automatically

  21. Questions to Answer • iRAM has limited size • Encrypt data on DRAM • Leave “hot” data in cleartext in iRAM • Performance overhead • Only encrypt sensitive data • How to determine sensitive data? • Let developers tell us • Developers cannot tell if intermediate results are sensitive • Taint analysis based on TaintDroid • Developers only determine the taint source

  22. MemVault – Overview Stack Tainted Dummy Frames Object Stack Frame DRAM DRAM iRAM Vault T1 T1 S S S T2 T2 T2 Untainted Taint Encrypted Source Object Object

  23. MemVault – Stack Protection • Local variables on the 0xFFFFFFFF interpreter stack Grow Downwards Stack Frame 0 Stack Frame 1 • If a variable is tainted, the stack frame is moved to iRAM • No tainted value is ever written Stack Frame 1 to the original stack frame • New stack frame in iRAM has a Current Frame Pointer (FP) 0x00000000 pointer to track the origin stack frame for stack maintenance

  24. MemVault – Object Protection • A trampoline for each object • If pointer to trampoline is NULL, the object is never tainted • If the trampoline pointer is non- NULL, the object might be tainted and the object is encrypted • If iramObj is null, the encrypted object is decrypted to iRAM • If iramObj is non-null, the cleartext object is directly addressable • Next and previous for LRU Object in the DRAM Trampoline Object in the iRAM • iRAM has limited space • Cleartext references for GC

  25. Key Management • Key is randomly generated per app • AES in CTR mode • Virtual address of the object is used as IV • Key and key schedules are also kept in iRAM • Key is discarded when the app terminates

  26. Implementation • On top of TaintDroid (port to Android 4.4.3) • Encryption/decryption is implemented as a redirection layer of the interpreter Instruction Format Instruction Semantics Instrumentation move-op-R vA vA ← R S_DS & S_IS iget-op vA vB fC vA ← vB(fC) R & S_DS & S_IS … … … S_IS: Switch to iRAM stack, if working on DRAM stack and the resulting stack is tainted S_DS: Switch to DRAM stack, if working on iRAM stack and the resulting stack is untainted R: Redirect object access if necessary

  27. Evaluation • WordPress • Password • BankDroid private synchronized void loadAccount(Preferences preferences) { • Account Number Storage storage = preferences.getStorage(); • Password mStoreUri = Base64.decode(storage.getString(mUuid + • KeePass ".storeUri", null)); + MemVault.addTaintArray(mStoreUri); • MasterKey ... • Password } • K-9 email client Code snippet of K-9 email client • Password • Email

  28. Net CPU LCD Evaluation - Performance 600 Power Consumption (Joules/hour) 500 400 300 WordPress BankDroid KeePass K-9 200 Android 985 239 79 269 100 TaintDroid 1001 247 82 277 0 MemVault 1008 248 83 277 d d t d d t d d t d d t l l l l i i u i i u i i u i i u o o o o o o o o a a a a r r r r r r r r V V V V d D d D d D d D n n n n t m t m t m t m A n A n A n A n i e i e i e i e a a a a M M M M T T T T App Start Time (in ms) KeePass K-9 WordPress BankDroid TaintDroid + 18.8% MemVault + 37.2 % Additional Power Consumption

  29. Comparison with Existing Memory Encryption Solutions Architecture Software Granularity Code Memory Overhead Environment Modification Limitation ✓ Cryptkeeper x86 Linux 4 KB None 1.09x ∼ 9.00x ✓ RamCrypt x86 Linux 4 KB None 1.25x ∼ 2.70x ✓ Bear ARM Micro-Kernel 16B ~ 128 KB Significant 1.50x ∼ 3.40x ✓ Esorics’17 x86 Linux 16 B None/Significa 1.17x ∼ 10.00x+ nt Case ARM Slef-contained Whole app Significant 32 KB 1.03x ✓ Sentry ARM Android 4 KB None 1.48x ∼ 2.74x ✓ MemVault ARM Android Object Trivial 1.37x

  30. Conclusion • MemVault is able to minimize the exposure of sensitive data in DRAM • MemVault only needs minor modifications to the source code • MemVault selectively encrypts sensitive data to improve performance • Limitations • MemVault only protects data within Dalvik virtual machine • E.g., the buffer of the touchscreen driver cannot be protected • TaintDroid has false negative • Future direction • Chip level full memory encryption (like Intel SGX or AMD SME)

  31. Thanks! leguan@cs.uga.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical memory over a bus Devices access memory over I/O bus with DMA Devices can appear to be a region of memory 1 / 41 Realistic ~2005 PC

1.54k views • 50 slides
Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

406 views • 36 slides
Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

www.iaik.tugraz.at S C I E N C E P A S S I O N T E C H N O L O G Y Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas Unterluggauer, Mario Werner

621 views • 57 slides
A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat Scandalis Dr. Julius O. Smith III Nick Porcaro Berklee Voltage, March 10-11 2017 02/20/2017 1 Overview The story of physical modeling stretches

597 views • 58 slides
A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat Scandalis Dr. Julius O. Smith III Nick Porcaro Berklee Voltage, March 10-11 2017 02/20/2017 1 Overview The story of physical modeling stretches

764 views • 59 slides
Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review:

Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review:

Protecting Mobile Agents January 22, 2003 Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review: Mobile Agent System Model Types of Attacks Agent Threats Techniques for protecting agents 2

230 views • 10 slides
A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O.

A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O.

A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O. Smith III Nick Porcaro CCRMA Open House 4/22/2016 04/22/2016 1 Overview The story of physical modeling stretches back nearly 1000 years

839 views • 68 slides
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein Speaker: Pavel Lifshits SMART BATTERY

739 views • 39 slides
A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

759 views • 55 slides
Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische

Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische

Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische Universitt Wien martina@iseclab.org https://martina.lindorfer.in @lindorferin About Me Assistant Professor at TU Wien (Security &

319 views • 17 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW

Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW

Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW C42 Tuesday, 29th May 2001 Roger Zimmermann Overview Overview Introduction Why Technologies Absolute Positioning Relative

314 views • 30 slides
Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU Virtual Memory Operating System System Calls CS 140 Lecture Notes: Virtual Machines Slide 1 Process Abstraction Physical Hardware Instruction

60 views • 4 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick

Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick

Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick Baudisch Preview Motivation on current touch devices, every interaction feels the same Microsoft Surface Jord, S., et al. The reacTable. TEI

757 views • 54 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

599 views • 46 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes,

FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes,

FlowFence: Prac-cal Data Protec-on for Emerging IoT Applica-on Frameworks Earlence Fernandes, Jus/n Paupore, Amir Rahma/, Daniel Simionato, Mauro Con/, Atul Prakash University of Michigan, University of Padova Published at USENIX Security 2016

468 views • 22 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Securing web applications is not nearly as easy! 3 4 5 6

Securing web applications is not nearly as easy! 3 4 5 6

GuardRails GuardRails Web applications are easier to create A Data-Centric Web Application Security Framework than ever! Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia

113 views • 8 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

803 views • 35 slides
Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security & Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides
An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se) Visiting Associate Professor, Stanford, CA, U.S.A. Chalmers, Gteborg, Sweden Work-in-progress with Pablo Buiras (Chalmers), Deian Stefan (Stanford),

328 views • 20 slides

More recommend