Skip to main content

Andromeda: Enabling Secure Enclaves for the Android Ecosystem

  • Conference paper
  • First Online:
Information Security (ISC 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13118))

Included in the following conference series:

Abstract

The Android OS is currently used in a plethora of devices that play a core part of our everyday life, such as mobile phones, tablets, smart home appliances, entertainment systems and embedded devices. The majority of these devices typically process and store a vast amount of security-critical and privacy-sensitive data, including personal contacts, financial accounts and high-profile enterprise assets. The importance of these data makes these devices valuable attack targets.

In this paper we propose Andromeda, a framework that provides secure enclaves for Android OS to mitigate attacks that target sensitive or critical code, data and communication channels. Andromeda offers the first SGX interface for Android OS (to the best of our knowledge), as well as services that enhance its security and offer protection schemes for several applications that deal with sensitive or secret data. Andromeda is also able to securely execute SGX-enabled code on behalf of external devices that are not equipped with SGX-capable CPUs. Moreover, Andromeda protects cryptographic keys from memory dump attacks with less than 16% overhead on the corresponding cryptographic operations and provides secure, end-to-end encrypted, communication and computation channels for external devices paired with the Android device.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Amazon’s AWS permission managements. https://aws.amazon.com/iam/details/manage-permissions/

  2. AMD Secure Encrypted Virtualization (SEV). https://developer.amd.com/amd-secure-memory-encryption-sme-amd-secure-encrypted-virtualization-sev/

  3. Android Keystore. https://developer.android.com/training/articles/keystore.html

  4. Android Sensor API. https://developer.android.com/guide/topics/sensors/sensors_overview

  5. Android Services. https://developer.android.com/guide/components/services.html

  6. Bosch IoT. https://www.bosch-iot-suite.com/permissions/

  7. Crystax NDK. https://www.crystax.net/android/ndk/

  8. Intel Software Guard Extensions (SGX). https://software.intel.com/en-us/sgx

  9. Intel’s Skylake Processors. https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/ia-introduction-basics-paper.pdf

  10. International Data Corporation. https://www.idc.com/promo/smartphone-market-share/os

  11. Mobile Operating System Market Share Worldwide. https://gs.statcounter.com/os-market-share/mobile/worldwide

  12. Samsung SmartThings. https://www.samsung.com/us/smart-home/smartthings/

  13. Statista. https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/

  14. ARM LIMITED: ARM Security Technology - Building a Secure System using TrustZone Technology (2009)

    Google Scholar 

  15. Arnautov, S., et al.: SCONE: secure linux containers with Intel SGX. In: OSDI (2016)

    Google Scholar 

  16. Azab, A.M., et al.: Hypervision across worlds: real-time kernel protection from the ARM TrustZone secure world. In: CCS (2014)

    Google Scholar 

  17. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: CCS (2010)

    Google Scholar 

  18. Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. 33(3), 8:1–8:26 (2015)

    Google Scholar 

  19. Boivie, R., Williams, P.: Secureblue++: CPU support for secure execution. Technical Report (2012)

    Google Scholar 

  20. Brasser, F., Gens, D., Jauernig, P., Sadeghi, A.R., Stapf, E.: Sanctuary: Arming TrustZone with user-space enclaves (2019)

    Google Scholar 

  21. Caddy Tom: Side-channel attacks (2011). https://link.springer.com/referencework/10.1007%2F0-387-23483-7

  22. Chalkiadakis, N., Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S.: The million dollar handshake: secure and attested communications in the cloud. In: CLOUD (2020)

    Google Scholar 

  23. Colp, P., et al.: Protecting data on smartphones and tablets from memory attacks. In: ASPLOS (2015)

    Google Scholar 

  24. Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S.: An enclave assisted snapshot-based kernel integrity monitor. In: EdgeSys (2020)

    Google Scholar 

  25. Deyannis, D., Papadogiannaki, E., Kalivianakis, G., Vasiliadis, G., Ioannidis, S.: TrustAV: practical and privacy preserving malware analysis in the cloud. In: CODASPY (2020)

    Google Scholar 

  26. Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., Prakash, A.: FlowFence: practical data protection for emerging IoT application frameworks. In: Proceedings of the 25th USENIX Security Symposium. USENIX Security (2016)

    Google Scholar 

  27. Ferraiuolo, A., Baumann, A., Hawblitzel, C., Parno, B.: Komodo: using verification to disentangle secure-enclave hardware from software. In: SOSP (2017)

    Google Scholar 

  28. Kuvaiskii, D., et al.: SGXBOUNDS: memory safety for shielded execution. In: Proceedings of the Twelfth European Conference on Computer Systems. EuroSys (2017)

    Google Scholar 

  29. Li, X., Hu, H., Bai, G., Jia, Y., Liang, Z., Saxena, P.: DroidVault: a trusted data vault for android devices. In: ICECCS (2014)

    Google Scholar 

  30. Orenbach, M., Lifshits, P., Minkin, M., Silberstein, M.: Eleos: ExitLess OS services for SGX enclaves. In: EuroSys (2017)

    Google Scholar 

  31. Pirker, M., Slamanig, D.: A framework for privacy-preserving mobile payment on security enhanced ARM TrustZone platforms. In: TrustCom (2012)

    Google Scholar 

  32. Samsung: White Paper : An Overview of Samsung KNOX (2013). http://www.samsung.com/my/business-images/resource/white-paper/2013/11/Samsung_KNOX_whitepaper_An_Overview_of_Samsung_KNOX-0.pdf

  33. Santos, N., Raj, H., Saroiu, S., Wolman, A.: Using ARM TrustZone to build a trusted language runtime for mobile applications. In: ASPLOS (2014)

    Google Scholar 

  34. Schuster, F., et al.: VC3: trustworthy data analytics in the cloud using SGX. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy. S&P (2015)

    Google Scholar 

  35. Seo, J., et al.: SGX-Shield: enabling address space layout randomization for SGX programs. In: NDSS (2017)

    Google Scholar 

  36. Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: NDSS (2017)

    Google Scholar 

  37. Tsai, C.C., Porter, D.E., Vij, M.: Graphene-SGX: A practical library OS for unmodified applications on SGX. In: USENIX ATC (2017)

    Google Scholar 

  38. Wang, J., Stavrou, A., Ghosh, A.: HyperCheck: a hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 158–177. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_9

    Chapter  Google Scholar 

  39. Zheng, X., Yang, L., Ma, J., Shi, G., Meng, D.: TrustPAY: trusted mobile payment on security enhanced ARM TrustZone platforms. In: ISCC (2016)

    Google Scholar 

Download references

Acknowledgments

The research work was supported by the Hellenic Foundation for Research and Innovation (HFRI) and the General Secretariat for Research and Technology (GSRT), under the HFRI PhD Fellowship grant (GA. No. 2767). This work was also supported by the projects CONCORDIA, C4IIoT and COLLABS, funded by the European Commission under Grant Agreements No. 830927, No. 833828, and No. 871518. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Dimitris Deyannis .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S. (2021). Andromeda: Enabling Secure Enclaves for the Android Ecosystem. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds) Information Security. ISC 2021. Lecture Notes in Computer Science(), vol 13118. Springer, Cham. https://doi.org/10.1007/978-3-030-91356-4_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-91356-4_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91355-7

  • Online ISBN: 978-3-030-91356-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics