Protecting Data on Smartphones & Tablets from Memory Attacks Patrick ColpJiawen Zhang James Gleeson Sahil Suneja Eyal de Lara Himanshu Raj Stefan Saroiu.

Slides:

Advertisements

Similar presentations

Virtual Memory Basics.

Advertisements

Paging: Design Issues. Readings r Silbershatz et al: ,

More on File Management

Implementing an Untrusted Operating System on Trusted Hardware.

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Zero-Interaction Authentication April 15, 2003 Mark D.Corner, Brian D. Noble Presented by Seong Oun Hwang CS744 Special Topics in System Architecture:

SCRUB: Secure Computing Research for Users’ Benefit David Wagner 1.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Chung Man Ho Willims Chow Man Kei Gary Kwok Pak Wai Lion.

Team Wolf Distributed, Consistent and Secure USB Storage Final Project Review Eddie Lai Matt Dube Sean Busch Zhou Zheng.

Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006.

OS Spring’03 Introduction Operating Systems Spring 2003.

Lest We Remember Cold-Boot Attacks Against Disk Encryption J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

0x1A Great Papers in Computer Security

I/O Tanenbaum, ch. 5 p. 329 – 427 Silberschatz, ch. 13 p

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

New Data Regulation Law 201 CMR TJX Video.

Slide 1 Windows PC Accelerators Reporter ：吳柏良. Slide 2 Outline l Introduction l Windows SuperFetch l Windows ReadyBoost l Windows ReadyDrive l Conclusion.

How to discover ephemeral evidence with Live RAM analysis.

Mobile Operating System Security A PRESENTATION BY DANIEL ADAMS CSC 345 DR. BOX.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,

Computing hardware CPU.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

1 CS503: Operating Systems Spring 2014 Dongyan Xu Department of Computer Science Purdue University.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Protecting Data on Smartphones and Tablets from Memory Attacks

TrustOTP: Smartphone as One-Time Password Token

Processes and OS basics. RHS – SOC 2 OS Basics An Operating System (OS) is essentially an abstraction of a computer As a user or programmer, I do not.

Chapter 1: Introduction. 1.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 1: Introduction What Operating Systems Do (previous.

3 Computing System Fundamentals

Chapter 3.2: Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Enforcing Cyber security in Mobile Applications – Public Sector Use Case SAPHINA MCHOME, VIOLA RUKIZA TANZANIA REVENUE AUTHORITY INFORMATION AND COMMUNICATION.

Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.

1 Memory Management. 2 Fixed Partitions Legend Free Space 0k 4k 16k 64k 128k Internal fragmentation (cannot be reallocated) Divide memory into n (possible.

Operating Systems Security

LINUX 15 : Memory Management

Review of Computer System Organization. Computer Startup For a computer to start running when it is first powered up, it needs to execute an initial program.

Windows XP Memory Management Aaron Lanoy and Jason Farnsworth.

LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.

OSes: 2. Structs 1 Operating Systems v Objective –to give a (selective) overview of computer system architectures Certificate Program in Software Development.

Chapter 2. Computer-System Structure Device controllers: synchronize and manage access to devices.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

The Memory Hierarchy Lecture 31 20/07/2009Lecture 31_CA&O_Engr. Umbreen Sabir.

By: Collin Molnar. Overview  Intro to Android  Security basics  Android architecture  Application isolation  Application permissions  Physical access.

BareDroid Presenter: Callan Christophersen. What is BareDroid BareDroid is a system to analyse Android apps on real devices with no emulation. It uses.

DeepDroid Dynamically Enforcing Enterprise Policy Manwoong (Andy) Choi

Architecture Support for Secure Computing Mikel Bezdek Chun Yee Yu CprE 585 Survey Project 12/10/04.

BY S.S.SUDHEER VARMA (13NT1D5816)

Presented by Kartik Patel

Trusted Computing and the Trusted Platform Module

EnGarde: Mutually Trusted Inspection of SGX Enclaves

Outline What does the OS protect? Authentication for operating systems

Security of Mobile Operating Systems

Computer System Structures

Outline What does the OS protect? Authentication for operating systems

Hardware Support for Embedded Operating System Security

Secure In-Cache Execution

I'm Kenichi Kourai from Kyushu Institute of Technology.

Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-

Meltdown / Spectre issue?

NEW PRODUCT INTRODUCTION CONEKT™ Mobile Smartphone Access Control Identification Solution June 2018.

2.C Memory GCSE Computing Langley Park School for Boys.

What is an operating system An operating system is the most important software that runs on a computer. It manages the computer's memory and processes,

Presentation transcript:

Protecting Data on Smartphones & Tablets from Memory Attacks Patrick ColpJiawen Zhang James Gleeson Sahil Suneja Eyal de Lara Himanshu Raj Stefan Saroiu Alec Wolman University of British Columbia University of TorontoMicrosoft Research

Smartphones and Tablets Are Easily Lost or Stolen

Lost Data on Mobile Devices is at Risk

Industry Solution #1: Disk encryption Disk encryption: Protect data-at-rest Adequate for laptops: Laptops often shutdown/hibernating Inadequate for smartphones & tablets: These devices are always on

Industry Solution #2: PIN-unlock Problem: Unencrypted data still resides in RAM!

Imagine an attacker has possession of a stolen device and can’t guess the PIN What can she do?

Memory Attacks Memory attacks allow attacker to gain access to sensitive data stored in memory Three classes of memory attacks: – Cold boot attacks – Bus monitoring attacks – DMA attacks Common aspect of attacks: – Physical possession of the device is required

Sentry: Store Code & Data On SoC With Sentry, memory pages are stored: – Encrypted in DRAM – Decrypted on the ARM SoC (System-on-Chip) encrypt sensitive apps sensitive apps run on-SoC decrypt-on-demand Sentry’s Lifecycle Device Unlocked Device PIN-locked

Outline Introduction Memory (RAM) attacks Threat model Sentry’s system design Performance evaluation Related work & conclusions

Memory Attacks Three classes of memory attacks: – Cold boot attacks – Bus monitoring attacks – DMA attacks

Cold Boot Attacks DRAM contents don’t instantly disappear after power cut – This is known as the data remanence effect – Cooling memory extends remanence effects Two types of cold boot attacks – Yank DRAM from device and stick it in a reader – Reflash device with malicious firmware that reads (preserved) contents of DRAM Recently demonstrated on Android [ACNS’13] Data remanence effect

Modern Tegra3 NVidia Tablet 2 GB of DRAM, room temperature Three steps: 1.Write unique bit pattern in device’s DRAM 2.Mount various cold-boot attacks 3.Measure fraction of bit pattern still preserved Type of AttackDRAM Preserved OS Reboot (no power loss)96.4% Device Reflash (short power loss)97.5% 2 Second Reset (long power loss)0.1%

Bus Monitoring Attacks Place monitoring device on memory bus to record communication Cannot directly access memory contents, but can copy all data travelling in-and-out of memory

DMA Attacks Attach malicious DMA-based peripheral to stolen tablet – Dump entire DRAM Today less prevalent because most smartphones and tablets lack DMA ports – This could change with adoption of Thunderbolt

Outline Introduction Memory (RAM) attacks Threat model High-level system design Performance evaluation Related work & conclusions

Threat Model In-scope: – Cold boot, bus monitoring, DMA attacks Out-of-scope: – Software attacks/malware – Physical side-channel attacks – Code-injection attacks – JTAG attacks – Sophisticated physical attacks

Outline Introduction Memory (RAM) attacks Threat model Sentry’s system design Performance evaluation Related work & conclusions

DRAM Sentry in Action: Upon Device Lock Page Table SoC Limited On-SoC Memory Encrypted pages Unencrypted pages Sensitive app

Sentry in Action: Sensitive Apps Running in Background (Locked Device) DRAM Page Table SoC Limited On-SoC Memory Encrypted pages Unencrypted pages Sensitive app

DRAM Sentry in Action: Upon Device Unlock Page Table SoC Limited On-SoC Memory Encrypted pages Unencrypted pages Sensitive app

Sentry’s Challenges 1.Where on SoC can code and data be kept? 2.How can crypto be done in-place on the SoC? 3.How do we guarantee no data “leaks” to DRAM? 4.How do we secure freed memory pages? 5.How do we bootstrap? 6.What are minimum on SoC requirements?

Sentry’s Challenges 1.Where on SoC can code and data be kept? 2.How can crypto be done in-place on the SoC? 3.How do we guarantee no data “leaks” to DRAM? 4.How do we secure freed memory page? 5.How do we bootstrap? 6.What are minimum on SoC requirements?

On-SoC Storage Internal RAM (iRAM) – Some devices ship with small iRAM (e.g., 256 KB) Locked L2 cache – ARM cache controllers offer cache locking Aimed at embedded systems for performance predictability Safe against cold-boot attacks – Unflashable firmware erases iRAM Safe against bus monitoring attacks Safe against DMA attacks – iRAM is DMA-able; need TrustZone-based DMA protections

In-place (on SoC) Crypto Can’t encrypt kernel stack – Too much of a performance hit AES_on_SoC: in-place AES for ARM

Two Issues Context switching AES places sensitive state in DRAM (on stack) – Solution: disable interrupts on encrypt/decrypt Stack variables (e.g., arguments to function calls) – Solution: Rewrite AES code to ensure all sensitive state resides in registers only

Outline Introduction Memory (RAM) attacks Threat model Sentry’s system design Performance evaluation Related work & conclusions

Methodology Two Sentry prototypes: – NVidia Tegra3 tablet running Ubuntu Linux Quad-core Cortex A9 running at 1.2GHz + 1GB of RAM – Google Nexus 4 smartphone running Android Quad-core SnapdragonS4 running at 1.5GHz + 2GB of RAM Apps: Contacts, Google Maps, Twitter, MP3 All experiments: – Repeated 10 times – Performed L2 cache locking on NVidia only – Measured energy performance on Nexus only

Performance & Energy Questions What is Sentry’s overhead? – Upon locking and unlocking a device – While decrypting on-demand on running apps – When running sensitive app in background – For protecting OS subsystem (dm-crypt) What is Sentry’s impact to the rest of system? – Portion of L2 cache allocated to Sentry

Performance & Energy Questions What is Sentry’s overhead? – Upon locking and unlocking a device – While decrypting on-demand on running apps – When running sensitive app in background – For protecting OS subsystem (dm-crypt) What is Sentry’s impact to the rest of system? – Portion of L2 cache allocated to Sentry

Performance Overhead on Lock seconds overhead per application

Performance Overhead on Unlock seconds overhead per application Minimum state required for apps to operate

Overhead of Decrypt On-Demand Less than 5% performance overhead per application

Outline Introduction Memory (RAM) attacks Threat model Sentry’s system design Performance evaluation Related work & conclusions

Related Work On-chip AES schemes for x86: – AESSE [Eurosec’10] – TRESOR [Sec’11] Encrypted RAM – Cryptkeeper [ICTHS’10] – Encrypt-on-cache-evict [DATE’08] Cloud-backed encrypt-on-lock – ZIA [Mobicom’02] – Transient Authentication [Mobisys’03] – Clean OS [OSDI’12]

Conclusions Smartphones/tablets are vulnerable to memory attacks Sentry protects these devices by keeping sensitive data encrypted in DRAM ARM is amenable to on-SoC storage of sensitive apps’ data & code

Questions?

Two Treat Models Our model: – Attacker has possession of device Not our model: – Malicious OS or software running on the device