Abstract
Smartphones have rapidly become hand-held mobile devices capable of sustaining multiple applications. Some of these applications give access to healthcare, financial and online social network services, and such applications are becoming common in the smartphone environment. From a security and privacy point of view, this seismic shift is creating new challenges, as the smartphone environment is becoming a suitable platform for security- and privacy-sensitive applications. The need for a strong security architecture for this environment is becoming paramount, especially from the point of view of Secure Application Execution (SAE). In this chapter, we explore SAE for applications on smartphone platforms, to ensure that application execution is as expected by the application provider. Most SAE proposals are based on having a secure and trusted embedded chip on the smartphone. Examples include the GlobalPlatform Trusted Execution Environment, M-Shield and the Mobile Trusted Module. These additional hardware components, referred to as secure and trusted devices, provide a secure environment in which applications can execute security-critical code and/or store data. These secure and trusted devices can themselves become the target of malicious entities; therefore, they require a strong framework that will validate and guarantee secure application execution. This chapter discusses how we can provide an assurance that applications executing on such devices are secure by validating the secure and trusted hardware.
Notes
1. The memory or communication buses mentioned are those between a TPM and other components on a motherboard, rather than the on-chip memory and communication buses.
2. A list of logic gates and a textual description of their interconnections which make up an electronic circuit.
Acknowledgement
Mehari G. Msgna is sponsored by the Information Network Security Agency, Addis Ababa, Ethiopia.
© 2016 Springer-Verlag Berlin Heidelberg
Msgna, M.G., Ferradi, H., Akram, R.N., Markantonakis, K. (2016). Secure Application Execution in Mobile Devices. In: Ryan, P., Naccache, D., Quisquater, JJ. (eds) The New Codebreakers. Lecture Notes in Computer Science(), vol 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_26
DOI: https://doi.org/10.1007/978-3-662-49301-4_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49300-7
Online ISBN: 978-3-662-49301-4
eBook Packages: Computer Science; Computer Science (R0)