Issue No.01 - Jan. (2014 vol.13)
pp: 188-201
Xinwen Zhang, Huawei Res. Center, Santa Clara, CA, USA
Jean-Pierre Seifert, Inst. Deutsche Telekom Labs., Tech. Univ. Berlin, Berlin, Germany
Onur Aciicmez, Samsung Inf. Syst. America, San Jose, CA, USA
ABSTRACT
The security of mobile devices such as cellular phones and smartphones has gained extensive attention due to their increasing usage in people's daily life. The problem is challenging because the computing environments of these devices have become more open and general-purpose, while at the same time they are constrained by performance and user experience. We propose and implement SEIP, a simple, efficient, and yet effective solution for the integrity protection of real-world cellular phone platforms, which is motivated by the disadvantages of applying traditional integrity models on these performance- and user-experience-constrained devices. The major security objective of SEIP is to protect trusted services and resources (e.g., those belonging to cellular service providers and device manufacturers) from third-party code. We propose a set of simple integrity protection rules based upon open mobile operating system environments and application behaviors. Our design leverages the unique features of mobile devices, such as service convergence and limited permissions of user-installed applications, and easily identifies the borderline between trusted and untrusted domains on mobile platforms. Our approach thus significantly simplifies policy specifications while still achieving a high assurance of platform integrity. SEIP is deployed within a commercially available Linux-based smartphone and demonstrates that it can effectively prevent certain malware. The security policy of our implementation is less than 20 kB, and a performance study shows that it is lightweight.
INDEX TERMS
Mobile communication, Malware, Bluetooth, Mobile computing, Smart phones, open mobile platforms, smartphone security, Integrity protection
CITATION
Xinwen Zhang, Jean-Pierre Seifert, Onur Aciicmez, "Design and Implementation of Efficient Integrity Protection for Open Mobile Platforms", IEEE Transactions on Mobile Computing, vol. 13, no. 1, pp. 188-201, Jan. 2014, doi:10.1109/TMC.2012.232