DOCSLIB.ORG

Assessing Threats to Mobile Devices & Infrastructure

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Assessing Threats to Mobile Devices & Infrastructure 1 Draft NISTIR 8144 2 Assessing Threats to 3 Mobile Devices & Infrastructure 4 The Mobile Threat Catalogue 5 Christopher Brown 6 Spike Dog 7 Joshua M Franklin 8 Neil McNab 9 Sharon Voss-Northrop 10 Michael Peck 11 Bart Stidham 12 13 14 15 16 17 18 19 Draft NISTIR 8144 20 Assessing Threats to 21 Mobile Devices & Infrastructure 22 The Mobile Threat Catalogue 23 Joshua M Franklin 24 National Cybersecurity Center of Excellence 25 National Institute of Standards and Technology 26 27 Christopher Brown 28 Spike Dog 29 Neil McNab 30 Sharon Voss-Northrop 31 Michael Peck 32 The MITRE Corporation 33 McLean, VA 34 35 Bart Stidham 36 STS Mobile 37 38 39 40 September 2016 41 42 43 44 U.S. Department of Commerce 45 Penny Pritzker, Secretary 46 47 National Institute of Standards and Technology 48 Willie May, Under Secretary of Commerce for Standards and Technology and Director 49 National Institute of Standards and Technology Interagency Report 8144 50 50 pages (September 2016) 51 52 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 53 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 54 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 55 available for the purpose. 56 There may be references in this publication to other publications currently under development by NIST in accordance 57 with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, 58 may be used by federal agencies even before the completion of such companion publications. Thus, until each 59 publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For 60 planning and transition purposes, federal agencies may wish to closely follow the development of these new 61 publications by NIST. 62 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to 63 NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at 64 http://csrc.nist.gov/publications. 65 66 Public comment period: September 12, 2016 through October 12, 2016 67 National Institute of Standards and Technology 68 Attn: Computer Security Division, Information Technology Laboratory 69 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 70 Email: [email protected] 71 All comments are subject to release under the Freedom of Information Act (FOIA). 72 NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 73 Reports on Computer Systems Technology 74 The Information Technology Laboratory (ITL) at the National Institute of Standards and 75 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 76 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 77 methods, reference data, proof of concept implementations, and technical analyses to advance the 78 development and productive use of information technology. ITL’s responsibilities include the 79 development of management, administrative, technical, and physical standards and guidelines for 80 the cost-effective security and privacy of other than national security-related information in federal 81 information systems. 82 Abstract 83 Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the 84 larger picture. In order to fully address the threats presented by mobile devices, a wider view of 85 the mobile security ecosystem is necessary. This document discusses the Mobile Threat 86 Catalogue, which describes, identifies, and structures the threats posed to mobile information 87 systems. 88 89 Keywords 90 cellular security; enterprise mobility; mobility management; mobile; mobile device; mobile 91 security; mobile device management; telecommunications 92 93 94 Acknowledgements 95 The NCCoE and NIST would like to thank Michael Ogata and Andrew Regenscheid of NIST; 96 Vincent Sritapan of the Department of Homeland Security (DHS) Science & Technology 97 Directorate; and Kori Fisk and Mary Yang of MITRE for their contributions to this document. 98 Note to Readers 99 The development of this interagency report and the Mobile Threat Catalogue supports the Study 100 on Mobile Device Security, as a part of the Cybersecurity Act of 2015 - Title IV, Section 401. 101 Mobile threats and mitigations supporting the Congressional Study on Mobile Device Security 102 and the Mobile Threat Catalogue may incorporate submissions from request for information 103 (RFI) – Mobile Threats & Defenses from FedBizOps solicitation number: QTA00NS16SDI0003. 104 Trademark Information 105 All product names are registered trademarks or trademarks of their respective companies. The 106 Bluetooth logo is property of the Bluetooth Special Interest Group (SIG). ii NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 107 Table of Contents 108 1 Introduction ............................................................................................................ 1 109 1.1 Purpose .......................................................................................................... 1 110 1.2 Scope .............................................................................................................. 1 111 1.3 Audience ......................................................................................................... 2 112 1.4 Document Structure ........................................................................................ 2 113 1.5 Document Conventions ................................................................................... 2 114 2 Mobile Device & Infrastructure Attack Surface ................................................... 3 115 2.1 Mobile Technology Stack ................................................................................ 3 116 2.2 Communication Mechanisms .......................................................................... 5 117 2.2.1 Subscriber Identity Module (SIM) ......................................................... 5 118 2.2.2 Cellular Air Interface ............................................................................. 6 119 2.2.3 WiFi ...................................................................................................... 6 120 2.2.4 Global Navigation Satellite System (GNSS) ......................................... 7 121 2.2.5 Bluetooth .............................................................................................. 7 122 2.2.6 Near Field Communication (NFC) ........................................................ 7 123 2.2.7 Secure Digital (SD) Card ...................................................................... 7 124 2.2.8 Power & Synchronization Port .............................................................. 8 125 2.3 Supply Chain .................................................................................................. 8 126 2.4 Mobile Ecosystem ........................................................................................... 8 127 2.4.1 Cellular Infrastructure ........................................................................... 9 128 2.4.2 Public Application Stores ...................................................................... 9 129 2.4.3 Private Application Stores .................................................................. 10 130 2.4.4 Device & OS Vendor Infrastructure .................................................... 10 131 2.4.5 Enterprise Mobility Management Systems ......................................... 10 132 2.4.6 Enterprise Mobile Services ................................................................. 10 133 3 Mobile Threat Catalogue ..................................................................................... 11 134 3.1 Methodology ................................................................................................. 11 135 3.2 Catalogue Structure ...................................................................................... 11 136 3.3 Category Descriptions ................................................................................... 12 137 3.3.1 Mobile Device Technology Stack ....................................................... 12 138 3.3.2 Network Protocols, Technologies, and Infrastructure ......................... 13 iii NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 139 3.3.3 Authentication ..................................................................................... 14 140 3.3.4 Supply Chain ...................................................................................... 15 141 3.3.5 Physical Access ................................................................................. 15 142 3.3.6 Ecosystem .......................................................................................... 15 143 3.3.7 Enterprise Mobility .............................................................................. 15 144 3.3.8 Payment ............................................................................................. 16 145 3.4 Next Steps .................................................................................................... 16 146 147 List of Appendices 148 Appendix A— Acronyms ............................................................................................ 17 149 Appendix B— References .........................................................................................
Load more

Recommended publications
  • A Study of Android Application Security
    A Study of Android Application Security William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri Systems and Internet Infrastructure Security Laboratory Department of Computer Science and Engineering The Pennsylvania State University enck, octeau, mcdaniel, swarat @cse.psu.edu { } Abstract ingly desire it, markets are not in a position to provide security in more than a superficial way [30]. The lack of The fluidity of application markets complicate smart- a common definition for security and the volume of ap- phone security. Although recent efforts have shed light plications ensures that some malicious, questionable, and on particular security issues, there remains little insight vulnerable applications will find their way to market. into broader security characteristics of smartphone ap- In this paper, we broadly characterize the security of plications. This paper seeks to better understand smart- applications in the Android Market. In contrast to past phone application security by studying 1,100 popular studies with narrower foci, e.g., [14, 12], we consider a free Android applications. We introduce the ded decom- breadth of concerns including both dangerous functional- piler, which recovers Android application source code ity and vulnerabilities, and apply a wide range of analysis directly from its installation image. We design and exe- techniques. In this, we make two primary contributions: cute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. We design and implement a Dalvik decompilier, • Our analysis uncovered pervasive use/misuse of person- ded. ded recovers an application’s Java source al/phone identifiers, and deep penetration of advertising solely from its installation image by inferring lost and analytics networks.
    [Show full text]
  • An Introduction to Cellular Security Joshua Franklin
    An Introduction to Cellular Security Joshua Franklin Last Changed: 20140121 Intro License Creative Commons: Attribution, Share-Alike http://creativecommons.org/licenses/by -sa/3.0/ 2 Intro Introduction • Cellular networks are a dense subject – This is not a deep dive • The standards are large, complicated documents • Involves physics, telecommunications, politics, geography, security... • We will discuss older cellular networks first and build upon this knowledge • The GSM, UMTS, and LTE standards are more or less backwards compatible – Major consideration during standards development 3 Intro Who Am I? • Joshua Franklin • I hold a Masters in Information Security and Assurance from George Mason – Graduate work focused on mobile operating systems • I work in election and mobile security 4 Intro Learning Objectives • Become familiar with the GSM, UMTS, and LTE family of cellular standards • Be introduced to spectrum allocation and antennas • Learn the security architecture of cellular networks • Be introduced to how cellular networks have been hacked in the past We will deeply explore LTE security while only touching on GSM and UMTS. LTE is the new standard moving forward (a.k.a., the new hotness). Previous cellular standards are being phased out. 5 Intro Excluded Topics This class does not cover: • Wireless physics • Ancient wireless networks (AMPS, IMS, smoke signals ) • Wired systems (PSTN/POTS/DSL) • Standards other GSM, UMTS, and LTE – CDMA2000, EV-DO, WiMax • In-depth discussion of GPRS, EDGE, and HSPA variants • SMS and MMS (text messaging) • Mobile operating systems (iOS, Android, Windows Phone) • QoS , Mobility management, and VoLTE • Internetwork connections Warning: This class is U.S.-centric but the standards are used worldwide.
    [Show full text]
  • Coleman-Coding-Freedom.Pdf
    Coding Freedom !" Coding Freedom THE ETHICS AND AESTHETICS OF HACKING !" E. GABRIELLA COLEMAN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright © 2013 by Princeton University Press Creative Commons Attribution- NonCommercial- NoDerivs CC BY- NC- ND Requests for permission to modify material from this work should be sent to Permissions, Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TW press.princeton.edu All Rights Reserved At the time of writing of this book, the references to Internet Web sites (URLs) were accurate. Neither the author nor Princeton University Press is responsible for URLs that may have expired or changed since the manuscript was prepared. Library of Congress Cataloging-in-Publication Data Coleman, E. Gabriella, 1973– Coding freedom : the ethics and aesthetics of hacking / E. Gabriella Coleman. p. cm. Includes bibliographical references and index. ISBN 978-0-691-14460-3 (hbk. : alk. paper)—ISBN 978-0-691-14461-0 (pbk. : alk. paper) 1. Computer hackers. 2. Computer programmers. 3. Computer programming—Moral and ethical aspects. 4. Computer programming—Social aspects. 5. Intellectual freedom. I. Title. HD8039.D37C65 2012 174’.90051--dc23 2012031422 British Library Cataloging- in- Publication Data is available This book has been composed in Sabon Printed on acid- free paper. ∞ Printed in the United States of America 1 3 5 7 9 10 8 6 4 2 This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE !" We must be free not because we claim freedom, but because we practice it.
    [Show full text]
  • WHO ARE COMPUTER CRIMINALS? by Kevin W. Jennings, M.S.C.J. A
    WHO ARE COMPUTER CRIMINALS? by Kevin W. Jennings, M.S.C.J. A dissertation submitted to the Graduate Council of Texas State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy with a Major in Criminal Justice August 2014 Committee Members: Brian L. Withrow, Chair Bob Edward Vásquez Jay D. Jamieson Matthew Draper Jose R. Agustina COPYRIGHT by Kevin W. Jennings 2014 FAIR USE AND AUTHOR’S PERMISSION STATEMENT Fair Use This work is protected by the Copyright Laws of the United States (Public Law 94-553, section 107). Consistent with fair use as defined in the Copyright Laws, brief quotations from this material are allowed with proper acknowledgment. Use of this material for financial gain without the author’s express written permission is not allowed. Duplication Permission As the copyright holder of this work I, Kevin Jennings, authorize duplication of this work, in whole or in part, for educational or scholarly purposes only. DEDICATION To Hal Jennings, Judy Jennings, and Matthew Draper, for showing me the path. To Sara Jennings, for joining me on the journey. ACKNOWLEDGEMENTS This dissertation never would have been possible without the support of many people who have guided me and cheered me on throughout this process. Dr. Brian Withrow was an excellent chair, and Doctors Vasquez, Jamieson, Draper, and Agustina all did their part in making this paper possible. Thank you for helping me, but even more important, thank you for putting up with me. I also need to give a big thank you to my mentor Dr. Tomas Mijares, who could not be on my committee but helped and guided me throughout the process of learning, teaching, and growing at Texas State University.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Introduction
    Introduction Toward a Radical Criminology of Hackers In the expansive Rio Hotel and Casino in Las Vegas, I stood in line for around an hour and a half to pay for my badge for admittance into DEF CON 21, one of the largest hacker conventions in the world. The wad of cash in my hand felt heavier than it should have as I approached the badge vendor. DEF CON is an extravagant affair and attendees pay for it (though, from my own readings, the conference administrators work to keep the costs reduced). The line slowly trickled down the ramp into the hotel con- vention area where the badge booths were arranged. As I laid eyes on the convention, my jaw dropped. It was packed. Attendees were already mov- ing hurriedly throughout the place, engaged in energetic conversations. Black t- shirts— a kind of hacker uniform— were everywhere. Las Vegas- and gambling- themed décor lined the walls and floors. Already, I could see a line forming at the DEF CON merchandise booth. Miles, a hacker I had gotten to know throughout my research, mentioned that if I wanted some of the “swag” or “loot” (the conference merchandise), I should go ahead and get in line, a potential three- to four-hour wait. Seemingly, everyone wanted to purchase merchandise to provide some evidence they were in attendance. Wait too long and the loot runs out. After winding through the serpentine line of conference attendees wait- ing for admittance, I approached the badge vendors and (dearly) departed with almost $200. Stepping into the convention area, I felt that loss in the pit of my stomach.
    [Show full text]
  • Detection of Rogue Devices in Wireless Networks
    Detection of rogue devices in Wireless Networks by Jeyanthi Hall A thesis submitted to the Faculty of Graduate Studies and Research in partial fulfilment of the requirements for the degree of Doctor of Philosophy Ottawa-Carleton Institute for Computer Science School of Computer Science Carleton University Ottawa, Ontario August 2006 © Copyright August 2006, Jeyanthi Hall Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Library and Bibliotheque et Archives Canada Archives Canada Published Heritage Direction du Branch Patrimoine de I'edition 395 Wellington Street 395, rue Wellington Ottawa ON K1A 0N4 Ottawa ON K1A 0N4 Canada Canada Your file Votre reference ISBN: 978-0-494-18221-5 Our file Notre reference ISBN: 978-0-494-18221-5 NOTICE: AVIS: The author has granted a non­ L'auteur a accorde une licence non exclusive exclusive license allowing Library permettant a la Bibliotheque et Archives and Archives Canada to reproduce,Canada de reproduire, publier, archiver, publish, archive, preserve, conserve,sauvegarder, conserver, transmettre au public communicate to the public by par telecommunication ou par I'lnternet, preter, telecommunication or on the Internet,distribuer et vendre des theses partout dans loan, distribute and sell theses le monde, a des fins commerciales ou autres, worldwide, for commercial or non­ sur support microforme, papier, electronique commercial purposes, in microform,et/ou autres formats. paper, electronic and/or any other formats. The author retains copyright L'auteur conserve la propriete du droit d'auteur ownership and moral rights in et des droits moraux qui protege cette these. this thesis. Neither the thesis Ni la these ni des extraits substantiels de nor substantial extracts from it celle-ci ne doivent etre imprimes ou autrement may be printed or otherwise reproduits sans son autorisation.
    [Show full text]
  • How Hackers Think: a Mixed Method Study of Mental Models and Cognitive Patterns of High-Tech Wizards
    HOW HACKERS THINK: A MIXED METHOD STUDY OF MENTAL MODELS AND COGNITIVE PATTERNS OF HIGH-TECH WIZARDS by TIMOTHY C. SUMMERS Submitted in partial fulfillment of the requirements For the degree of Doctor of Philosophy Dissertation Committee: Kalle Lyytinen, Ph.D., Case Western Reserve University (chair) Mark Turner, Ph.D., Case Western Reserve University Mikko Siponen, Ph.D., University of Jyväskylä James Gaskin, Ph.D., Brigham Young University Weatherhead School of Management Designing Sustainable Systems CASE WESTERN RESERVE UNIVESITY May, 2015 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of Timothy C. Summers candidate for the Doctor of Philosophy degree*. (signed) Kalle Lyytinen (chair of the committee) Mark Turner Mikko Siponen James Gaskin (date) February 17, 2015 *We also certify that written approval has been obtained for any proprietary material contained therein. © Copyright by Timothy C. Summers, 2014 All Rights Reserved Dedication I am honored to dedicate this thesis to my parents, Dr. Gloria D. Frelix and Dr. Timothy Summers, who introduced me to excellence by example and practice. I am especially thankful to my mother for all of her relentless support. Thanks Mom. DISCLAIMER The views expressed in this dissertation are those of the author and do not reflect the official policy or position of the Department of Defense, the United States Government, or Booz Allen Hamilton. Table of Contents List of Tables ....................................................................................................................
    [Show full text]
  • Tilburg University Breaking and Remaking Law and Technology Dizon
    Tilburg University Breaking and remaking law and technology Dizon, Michael Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link to publication in Tilburg University Research Portal Citation for published version (APA): Dizon, M. (2016). Breaking and remaking law and technology: A socio-techno-legal study of hacking. [s.n.]. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Download date: 27. sep. 2021 B REAKING AND R EMAKING L AW AND TECHNOL OGY A Socio-Techno-Legal Study of Hacking MICHAEL ANTHONY C. DIZON B REAKING AND R EMAKING L AW AND TECHNOL OGY A Socio-Techno-Legal Study of Hacking Proefschrift ter verkrijging van de graad van doctor aan Tilburg University op gezag van de rec- tor magnificus, prof.dr. E.H.L. Aarts, in het openbaar te verdedigen ten overstaan van een door het college voor promoties aangewezen commissie in de aula van de Universiteit op dinsdag 28 juni 2016 om 16.15 uur door MICHAEL ANTHONY CO DIZON geboren op 13 juni 1975 te Quezon City, Filipijnen Promotores: prof.dr.
    [Show full text]
  • Android™ Hacker's Handbook
    ffi rs.indd 01:50:14:PM 02/28/2014 Page ii Android™ Hacker’s Handbook ffi rs.indd 01:50:14:PM 02/28/2014 Page i ffi rs.indd 01:50:14:PM 02/28/2014 Page ii Android™ Hacker’s Handbook Joshua J. Drake Pau Oliva Fora Zach Lanier Collin Mulliner Stephen A. Ridley Georg Wicherski ffi rs.indd 01:50:14:PM 02/28/2014 Page iii Android™ Hacker’s Handbook Published by John Wiley & Sons, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana ISBN: 978-1-118-60864-7 ISBN: 978-1-118-60861-6 (ebk) ISBN: 978-1-118-92225-5 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or autho- rization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifi cally disclaim all warranties, including without limitation warranties of fi tness for a particular purpose.
    [Show full text]
  • Analysis and Classification of Android Malware
    Analysis and Classification of Android Malware Kimberly Kim-Chi Tam Information Security Department Royal Holloway, University of London A thesis submitted for the degree of Doctor of Philosophy 2016 Acknowledgements First I would like to acknowledge my supervisor and advisor, Dr. Lorenzo Cavallaro and Professor Cid Carlos, for the amazing opportunity to do my PhD at Royal Holloway University of London. It would not have been possible without you two. I would also like to acknowledge my fellow Royal Holloway University of London lab members and external collaborators for their partnership in collaborative work. In particular I would like to thank Salahuddin Khan for his technical expertise, his professionalism, and his friendship. Similarly, I feel much gratitude towards Professor Kevin Jones and Dr. War- rick Cooke for their extensive advice for both fine-tuning this thesis in detail and the overall story and flow. Parts of this research was funded by UK EPSRC grant EP/L022710/1. I would also like to thank Hewlett-Packard in Bristol for the internship op- portunity during my PhD as well as all of their support since then. Finally, I want to acknowledge my family and friends scattered across the globe. Organizing opportunities to connect has been a real challenge over the last few years, but we always managed it. So thank you all for the fun and help throughout the good times and bad. I could not have gotten this far without your awesomeness. “One does not discover new lands without consenting to lose sight of the shore for a very long time.” Andre Gide 2 Abstract With the integration of mobile devices into our daily lives, smartphones are privy to increasing amounts of sensitive information.
    [Show full text]
  • Paper, My Focus Was Mainly on Designing, Imple- Menting and Evaluating Securepay
    VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE PH.D. THESIS RADHESH KRISHNAN KONOTH VRIJE UNIVERSITEIT AMSTERDAM, 2020 Faculty of Science The research reported in this dissertation was conducted at the Faculty of Science — at the Department of Computer Science — of the Vrije Universiteit Amsterdam This work was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO. This thesis represents the position of the author and not that of the aforementioned consortium partners Copyright © 2020 by Radhesh Krishnan Konoth VRIJE UNIVERSITEIT VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad Doctor of Philosophy aan de Vrije Universiteit Amsterdam, op gezag van de rector magnicus prof.dr. V. Subramaniam, in het openbaar te verdedigen ten overstaan van de promotiecommissie van de Faculteit der Bètawetenschappen op maandag 7 december 2020 om 13.45 uur in de online bijeenkomst van de universiteit, De Boelelaan 1105 door Radhesh Krishnan Konoth geboren te Koorkenchery, India promotor: prof.dr.ir. H. J. Bos copromotor: dr. K. Razavi ഞാൻ ഈ പുസ്തകം എെ അനും അയ്ും സമർിുു “Those that have an attitude of service towards others are the beauty of society." - Amma Acknowledgements Let me begin by acknowledging the people who supported me during this won- derful journey. First and foremost, I am greatly indebted to my supervisor Herbert Bos for providing me the opportunity to do a Ph.D. Thank you Herbert for taking that risk and for believing in me. This journey would not have been possible without your support and guidance.
    [Show full text]