Security Monitor for Mobile Devices: Design and Applications
Total Page:16
File Type:pdf, Size:1020Kb
UNIVERSITY OF CALIFORNIA, IRVINE Security Monitor for Mobile Devices: Design and Applications DISSERTATION submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Computer Science by Saeed Mirzamohammadi Dissertation Committee: Professor Ardalan Amiri Sani, UCI, Chair Professor Gene Tsudik, UCI Professor Sharad Mehrotra, UCI Doctor Sharad Agarwal, MSR 2020 Portion of Chapter 1 c 2018 ACM, reprinted, with permission, from [148] Portion of Chapter 1 c 2017 ACM, reprinted, with permission, from [150] Portion of Chapter 1 c 2018 IEEE, reprinted, with permission, from [149] Portion of Chapter 1 c 2020 ACM, reprinted, with permission, from [151] Portion of Chapter 2 c 2018 ACM, reprinted, with permission, from [148] Portion of Chapter 2 c 2017 ACM, reprinted, with permission, from [150] Portion of Chapter 3 c 2018 ACM, reprinted, with permission, from [148] Portion of Chapter 4 c 2018 IEEE, reprinted, with permission, from [149] Portion of Chapter 5 c 2017 ACM, reprinted, with permission, from [150] Portion of Chapter 6 c 2020 ACM, reprinted, with permission, from [151] Portion of Chapter 7 c 2020 ACM, reprinted, with permission, from [151] Portion of Chapter 7 c 2017 ACM, reprinted, with permission, from [150] Portion of Chapter 7 c 2018 IEEE, reprinted, with permission, from [149] Portion of Chapter 7 c 2018 ACM, reprinted, with permission, from [148] All other materials c 2020 Saeed Mirzamohammadi TABLE OF CONTENTS Page LIST OF FIGURES v LIST OF TABLES vii ACKNOWLEDGMENTS viii VITA ix ABSTRACT OF THE DISSERTATION xi 1 Introduction 1 1.1 Applications of the security monitor . .3 1.1.1 Trustworthy Sensor Notifications . .3 1.1.2 Trustworthy Sensor Auditing . .4 1.1.3 Secure Legal Contracts . .5 2 Security monitor Design 6 2.1 Design Overview . .6 2.2 Virtualization-based security monitor . 10 2.2.1 Secure Memory . 13 2.2.2 Secure I/O . 14 2.2.3 Secure Boot & Cryptographic Keys . 15 3 Performance of the security monitor 17 3.1 Virtualization's Performance . 17 3.1.1 Virtualization Evaluation . 20 3.2 TrustZone's Performance . 23 4 Viola: Trustworthy Sensor Notifications for Enhanced Privacy on Mobile Systems 25 4.1 Sensor Notifications . 29 4.1.1 Indicators . 29 4.1.2 Notification Guarantees . 31 4.1.3 Customizable Sensor Notification . 32 4.2 Overview . 32 4.2.1 Threat Model . 34 ii 4.3 Runtime Monitor in Viola . 35 4.3.1 Protection Against Concurrency Attacks . 37 4.4 Verified Invariant Checks . 39 4.4.1 Viola's Invariant Language Syntax . 40 4.4.2 Verified Compiler . 41 4.5 Two-way Notification . 45 4.5.1 Straw-man Approaches . 46 4.5.2 Viola's Solution . 48 4.5.3 Atomicity on register writes . 51 4.6 Implementation . 51 4.6.1 Runtime Monitor . 51 4.6.2 Verified components . 52 4.6.3 Supported Systems and Devices . 53 4.6.4 Trusted Computing Base . 54 4.7 Evaluation . 55 4.7.1 Engineering Effort . 55 4.7.2 Performance . 56 4.7.3 Power Consumption . 59 5 Ditio: Trustworthy Auditing of Sensor Activities in Mobile & IoT Devices 61 5.1 Motivation . 64 5.2 Overview . 66 5.2.1 Design and Workflow . 66 5.2.2 Threat Model . 71 5.2.3 Trusted Computing Base . 73 5.3 Recording Sensor Activity Logs . 74 5.3.1 Untrusted Log Store . 75 5.3.2 Minimizing Recorder Latency . 75 5.3.3 Configuring the Recorder . 77 5.4 Sealing the Logs . 79 5.4.1 Authentication Protocol . 80 5.4.2 Audit Phase . 82 5.5 Formally Verified Companion Tool . 83 5.6 Implementation . 87 5.6.1 Juno Board's Specifics . 88 5.7 Evaluation . 89 5.7.1 Use Cases . 90 5.7.2 Sensor Performance . 91 5.7.3 Power Consumption . 92 5.7.4 Other Results . 93 6 Tabellion: System Support for Secure Legal Contracts 95 6.1 Background . 98 6.2 Attacks on Legal Contracts . 101 6.3 Tabellion: Principles and Design . 102 iii 6.3.1 Secure Primitives . 103 6.3.2 Contract Formation Protocol . 104 6.3.3 Self-Evident Contracts . 107 6.3.4 Contract Verification Process . 108 6.4 Secure Realization of Primitives . 109 6.4.1 Primitive I: Secure Photo . 110 6.4.2 Primitive II: Secure Timestamp . 112 6.4.3 Primitive III: Secure Screenshot . 114 6.4.4 Primitive IV: Secure Notarization . 115 6.5 Fully Functional Platform . 116 6.5.1 Readable Contracts . 116 6.5.2 Contract Submission . 117 6.5.3 Contract Negotiations . 118 6.5.4 Automatic Contract Verification . 119 6.6 Implementation . 120 6.7 Security Evaluation . 122 6.7.1 Threat Model . 122 6.7.2 Security Analysis . 122 6.7.3 Case Analysis . 125 6.8 Evaluation . 126 6.8.1 Performance Evaluation . 126 6.8.2 Energy Measurement . 128 6.8.3 User Study . 128 7 Related Work 131 7.1 TEE-based Security Systems . 131 7.2 Virtual Machine Introspection . 132 7.3 Untrusted Operating System and Drivers . 133 7.4 Other Related Work . 134 7.4.1 Performance of Virtualization . 134 7.4.2 Software Verification . 134 7.4.3 Information Flow Control . 135 7.4.4 System Verification . 136 7.4.5 Attacks on Electronic Signatures . 136 7.4.6 Delay-resistent Systems . 136 8 Conclusions 138 Bibliography 139 iv LIST OF FIGURES Page 2.1 Security monitor overview. .8 2.2 (a) TrustZone-based TEE architecture. (b) Virtualization-based TEE archi- tecture. 11 4.1 LED notification for microphone using Viola. The LED blinks even if the application is in the background or if the display is off. Malicious attempts to break this notification will be blocked. 27 4.2 Viola's design. The darker components belong to Viola. 33 4.3 (Left) The sequence of steps in handling a register write in Viola. (Right) A concurrency attack example in Viola. 38 4.4 The implementation of a microphone LED notification in Viola. For brevity, we have not shown the complete array of device variable states and the device specifications used in the code. 41 4.5 Compilation of Viola invariant code. Viola's compiler translates Viola code to Cminor code, which is then compiled to machine code using the verified CompCert compiler and an assembler. 42 4.6 Two-way invariant check design. 48 4.7 Two-way invariant check flowchart. ..