Taming the Robot

Abstract

Smart phones contain a lot of private information, such as contact lists, email, SMS and the browsing history. Their operating systems are based on traditional desktop operating systems and have all the attack vectors known from desktop computers, but typically employ less means of defence. As smart phones become more and more wide spread they are increasingly targeted by attackers, setting private user data at risk [1]. A compromised smart phone may cost money if the attacker is able to send premium SMS without the user's consent. The attacker may also target the carrier with denial of service attacks through bot-nets built out of smart phones. In our research we focus on a secure smart phone architecture. Our architecture allows the reuse of existing software, and enables us to integrate components that require high security. Challenges Smart phone operating systems such as iOS and Android are based on traditional desktop operating system kernels. As such, any flaw in the kernel can allow an adversary to take control of the phone. Due to the kernels complexity, such flaws are common. A recent study found 88 exploitable bugs in the Android kernel [2]. Typical countermeasures known from desktop computers such as virus scanners and firewalls are not applicable to smart phones due to their limited performance and power envelope. Security updates are installed less frequently which increases the time until a vulnerability is fixed. Securing the phone by disabling functionality, e.g. disabling the camera or disallowing installation of custom applications, is not possible because it would severely cut down on features, which appeal to the normal user. Approach Our secure system is based on a microkernel, which provides fine grained resource access control and strict isolation between components. However, due to timing and financial constraints, creating a secure operating system and a healthy ecosystem (app store, developer community) from scratch is not feasible. Thus, we employ virtualization technology to run Android in a sand-box on top of the micro kernel. This enables us to run high-security applications such as a cryptographic key store side-by-side with Android in a secure way. A compromised Android does not allow an adversary to compromise high security applications to, for example, steal the user's private keys. An interesting scenario features two instances of Android in parallel, in different isolated partitions. One partition runs a hardened business Android that, for example, does not allow the user to install applications. The other partition runs an unrestricted Android to be used as the user's private environment.