Abstract
The Android OS is currently used in a plethora of devices that play a core part of our everyday life, such as mobile phones, tablets, smart home appliances, entertainment systems and embedded devices. The majority of these devices typically process and store a vast amount of security-critical and privacy-sensitive data, including personal contacts, financial accounts and high-profile enterprise assets. The importance of these data makes these devices valuable attack targets.
In this paper we propose Andromeda, a framework that provides secure enclaves for Android OS to mitigate attacks that target sensitive or critical code, data and communication channels. Andromeda offers the first SGX interface for Android OS (to the best of our knowledge), as well as services that enhance its security and offer protection schemes for several applications that deal with sensitive or secret data. Andromeda is also able to securely execute SGX-enabled code on behalf of external devices that are not equipped with SGX-capable CPUs. Moreover, Andromeda protects cryptographic keys from memory dump attacks with less than 16% overhead on the corresponding cryptographic operations and provides secure, end-to-end encrypted, communication and computation channels for external devices paired with the Android device.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Amazon’s AWS permission managements. https://aws.amazon.com/iam/details/manage-permissions/
AMD Secure Encrypted Virtualization (SEV). https://developer.amd.com/amd-secure-memory-encryption-sme-amd-secure-encrypted-virtualization-sev/
Android Keystore. https://developer.android.com/training/articles/keystore.html
Android Sensor API. https://developer.android.com/guide/topics/sensors/sensors_overview
Android Services. https://developer.android.com/guide/components/services.html
Bosch IoT. https://www.bosch-iot-suite.com/permissions/
Crystax NDK. https://www.crystax.net/android/ndk/
Intel Software Guard Extensions (SGX). https://software.intel.com/en-us/sgx
Intel’s Skylake Processors. https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/ia-introduction-basics-paper.pdf
International Data Corporation. https://www.idc.com/promo/smartphone-market-share/os
Mobile Operating System Market Share Worldwide. https://gs.statcounter.com/os-market-share/mobile/worldwide
Samsung SmartThings. https://www.samsung.com/us/smart-home/smartthings/
Statista. https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/
ARM LIMITED: ARM Security Technology - Building a Secure System using TrustZone Technology (2009)
Arnautov, S., et al.: SCONE: secure linux containers with Intel SGX. In: OSDI (2016)
Azab, A.M., et al.: Hypervision across worlds: real-time kernel protection from the ARM TrustZone secure world. In: CCS (2014)
Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: Hypersentry: enabling stealthy in-context measurement of hypervisor integrity. In: CCS (2010)
Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. ACM Trans. Comput. Syst. 33(3), 8:1–8:26 (2015)
Boivie, R., Williams, P.: Secureblue++: CPU support for secure execution. Technical Report (2012)
Brasser, F., Gens, D., Jauernig, P., Sadeghi, A.R., Stapf, E.: Sanctuary: Arming TrustZone with user-space enclaves (2019)
Caddy Tom: Side-channel attacks (2011). https://link.springer.com/referencework/10.1007%2F0-387-23483-7
Chalkiadakis, N., Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S.: The million dollar handshake: secure and attested communications in the cloud. In: CLOUD (2020)
Colp, P., et al.: Protecting data on smartphones and tablets from memory attacks. In: ASPLOS (2015)
Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S.: An enclave assisted snapshot-based kernel integrity monitor. In: EdgeSys (2020)
Deyannis, D., Papadogiannaki, E., Kalivianakis, G., Vasiliadis, G., Ioannidis, S.: TrustAV: practical and privacy preserving malware analysis in the cloud. In: CODASPY (2020)
Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., Prakash, A.: FlowFence: practical data protection for emerging IoT application frameworks. In: Proceedings of the 25th USENIX Security Symposium. USENIX Security (2016)
Ferraiuolo, A., Baumann, A., Hawblitzel, C., Parno, B.: Komodo: using verification to disentangle secure-enclave hardware from software. In: SOSP (2017)
Kuvaiskii, D., et al.: SGXBOUNDS: memory safety for shielded execution. In: Proceedings of the Twelfth European Conference on Computer Systems. EuroSys (2017)
Li, X., Hu, H., Bai, G., Jia, Y., Liang, Z., Saxena, P.: DroidVault: a trusted data vault for android devices. In: ICECCS (2014)
Orenbach, M., Lifshits, P., Minkin, M., Silberstein, M.: Eleos: ExitLess OS services for SGX enclaves. In: EuroSys (2017)
Pirker, M., Slamanig, D.: A framework for privacy-preserving mobile payment on security enhanced ARM TrustZone platforms. In: TrustCom (2012)
Samsung: White Paper : An Overview of Samsung KNOX (2013). http://www.samsung.com/my/business-images/resource/white-paper/2013/11/Samsung_KNOX_whitepaper_An_Overview_of_Samsung_KNOX-0.pdf
Santos, N., Raj, H., Saroiu, S., Wolman, A.: Using ARM TrustZone to build a trusted language runtime for mobile applications. In: ASPLOS (2014)
Schuster, F., et al.: VC3: trustworthy data analytics in the cloud using SGX. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy. S&P (2015)
Seo, J., et al.: SGX-Shield: enabling address space layout randomization for SGX programs. In: NDSS (2017)
Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: eradicating controlled-channel attacks against enclave programs. In: NDSS (2017)
Tsai, C.C., Porter, D.E., Vij, M.: Graphene-SGX: A practical library OS for unmodified applications on SGX. In: USENIX ATC (2017)
Wang, J., Stavrou, A., Ghosh, A.: HyperCheck: a hardware-assisted integrity monitor. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 158–177. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15512-3_9
Zheng, X., Yang, L., Ma, J., Shi, G., Meng, D.: TrustPAY: trusted mobile payment on security enhanced ARM TrustZone platforms. In: ISCC (2016)
Acknowledgments
The research work was supported by the Hellenic Foundation for Research and Innovation (HFRI) and the General Secretariat for Research and Technology (GSRT), under the HFRI PhD Fellowship grant (GA. No. 2767). This work was also supported by the projects CONCORDIA, C4IIoT and COLLABS, funded by the European Commission under Grant Agreements No. 830927, No. 833828, and No. 871518. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Deyannis, D., Karnikis, D., Vasiliadis, G., Ioannidis, S. (2021). Andromeda: Enabling Secure Enclaves for the Android Ecosystem. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds) Information Security. ISC 2021. Lecture Notes in Computer Science(), vol 13118. Springer, Cham. https://doi.org/10.1007/978-3-030-91356-4_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-91356-4_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91355-7
Online ISBN: 978-3-030-91356-4
eBook Packages: Computer ScienceComputer Science (R0)