protecting mobile devices from physical memory attacks
play

Protecting Mobile Devices from Physical Memory Attacks with - PowerPoint PPT Presentation

Dec 26, 2022 •8 likes •318 views

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo Why do Physical-space Threats Concern for SmartPhones? Why do Physical-space Threats

  1. Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo

  2. Why do Physical-space Threats Concern for SmartPhones?

  3. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc. https://patriotpower.ogsd.net/2650/news/the-lost-phone-retriever/

  4. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc. https://www.theexplode.com/stolen-phone-by-imei-number/

  5. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  6. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  7. Why do Physical-space Threats Concern for SmartPhones? • Smartphones are easy to be lost or stolen • Powered-on smartphones run hundreds of background apps • Once stolen/lost, attackers physically possess the smartphones and sensitive data retain on the phone • Password, bank account, health data, etc.

  8. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  9. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  10. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  11. DRAM is a Low-hanging Fruit for Attackers Processor Core Logic Instruction Data Cache Cache Bus On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  12. DRAM is a Low-hanging Fruit for Attackers • When the smartphone is locked, Processor how can an attacker extract Core Logic sensitive data? Instruction • Modern smartphones enforce Data Cache Cache full disk encryption Bus • Off-chip DRAM is problematic! On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  13. DRAM is a Low-hanging Fruit for Attackers • When the smartphone is locked, Processor how can an attacker extract Core Logic sensitive data? Instruction • Modern smartphones enforce Data Cache Cache full disk encryption Bus • Off-chip DRAM is problematic! On-Chip External RAM Controller RAM/iRAM Off-Chip Off-Chip ROM DRAM

  14. Attacks to DRAM

  15. Attacks to DRAM

  16. Attacks to DRAM • DDR bus monitoring • Cold boot attack

  17. Attacks to DRAM • DDR bus monitoring • Cold boot attack https://www.futureplus.com

  18. Attacks to DRAM • DDR bus monitoring • Cold boot attack https://www1.informatik.uni-erlangen.de/frost

  19. MemVault – Memory Vault • Avoid using DRAM to store cleartext Processor sensitive data Core Logic Instruction Data Cache Cache Immunity to Capacity Controllability Intrusiveness Physical Attacks ✓ OCRAM ~ 128 - 256 KB Memory Not in used On-Chip External RAM /iRAM Mapped after booting RAM/iRAM Controller ✓ Cache ~ 1 MB Transparent Always in used Off-Chip Off-Chip ROM DRAM

  20. Why OCRAM/iRAM is immune to Physical Attacks? • DDR bus monitoring • No external pins • Cold boot attack • Attacker cannot remove OCRAM/iRAM and install it to another machine • SoC bootup code is mandatory for SoC to reboot • The code clears OCRAM/iRAM automatically

  21. Questions to Answer • iRAM has limited size • Encrypt data on DRAM • Leave “hot” data in cleartext in iRAM • Performance overhead • Only encrypt sensitive data • How to determine sensitive data? • Let developers tell us • Developers cannot tell if intermediate results are sensitive • Taint analysis based on TaintDroid • Developers only determine the taint source

  22. MemVault – Overview Stack Tainted Dummy Frames Object Stack Frame DRAM DRAM iRAM Vault T1 T1 S S S T2 T2 T2 Untainted Taint Encrypted Source Object Object

  23. MemVault – Stack Protection • Local variables on the 0xFFFFFFFF interpreter stack Grow Downwards Stack Frame 0 Stack Frame 1 • If a variable is tainted, the stack frame is moved to iRAM • No tainted value is ever written Stack Frame 1 to the original stack frame • New stack frame in iRAM has a Current Frame Pointer (FP) 0x00000000 pointer to track the origin stack frame for stack maintenance

  24. MemVault – Object Protection • A trampoline for each object • If pointer to trampoline is NULL, the object is never tainted • If the trampoline pointer is non- NULL, the object might be tainted and the object is encrypted • If iramObj is null, the encrypted object is decrypted to iRAM • If iramObj is non-null, the cleartext object is directly addressable • Next and previous for LRU Object in the DRAM Trampoline Object in the iRAM • iRAM has limited space • Cleartext references for GC

  25. Key Management • Key is randomly generated per app • AES in CTR mode • Virtual address of the object is used as IV • Key and key schedules are also kept in iRAM • Key is discarded when the app terminates

  26. Implementation • On top of TaintDroid (port to Android 4.4.3) • Encryption/decryption is implemented as a redirection layer of the interpreter Instruction Format Instruction Semantics Instrumentation move-op-R vA vA ← R S_DS & S_IS iget-op vA vB fC vA ← vB(fC) R & S_DS & S_IS … … … S_IS: Switch to iRAM stack, if working on DRAM stack and the resulting stack is tainted S_DS: Switch to DRAM stack, if working on iRAM stack and the resulting stack is untainted R: Redirect object access if necessary

  27. Evaluation • WordPress • Password • BankDroid private synchronized void loadAccount(Preferences preferences) { • Account Number Storage storage = preferences.getStorage(); • Password mStoreUri = Base64.decode(storage.getString(mUuid + • KeePass ".storeUri", null)); + MemVault.addTaintArray(mStoreUri); • MasterKey ... • Password } • K-9 email client Code snippet of K-9 email client • Password • Email

  28. Net CPU LCD Evaluation - Performance 600 Power Consumption (Joules/hour) 500 400 300 WordPress BankDroid KeePass K-9 200 Android 985 239 79 269 100 TaintDroid 1001 247 82 277 0 MemVault 1008 248 83 277 d d t d d t d d t d d t l l l l i i u i i u i i u i i u o o o o o o o o a a a a r r r r r r r r V V V V d D d D d D d D n n n n t m t m t m t m A n A n A n A n i e i e i e i e a a a a M M M M T T T T App Start Time (in ms) KeePass K-9 WordPress BankDroid TaintDroid + 18.8% MemVault + 37.2 % Additional Power Consumption

  29. Comparison with Existing Memory Encryption Solutions Architecture Software Granularity Code Memory Overhead Environment Modification Limitation ✓ Cryptkeeper x86 Linux 4 KB None 1.09x ∼ 9.00x ✓ RamCrypt x86 Linux 4 KB None 1.25x ∼ 2.70x ✓ Bear ARM Micro-Kernel 16B ~ 128 KB Significant 1.50x ∼ 3.40x ✓ Esorics’17 x86 Linux 16 B None/Significa 1.17x ∼ 10.00x+ nt Case ARM Slef-contained Whole app Significant 32 KB 1.03x ✓ Sentry ARM Android 4 KB None 1.48x ∼ 2.74x ✓ MemVault ARM Android Object Trivial 1.37x

  30. Conclusion • MemVault is able to minimize the exposure of sensitive data in DRAM • MemVault only needs minor modifications to the source code • MemVault selectively encrypts sensitive data to improve performance • Limitations • MemVault only protects data within Dalvik virtual machine • E.g., the buffer of the touchscreen driver cannot be protected • TaintDroid has false negative • Future direction • Chip level full memory encryption (like Intel SGX or AMD SME)

  31. Thanks! leguan@cs.uga.edu

Recommend

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical memory over a bus Devices access memory over I/O bus with DMA Devices can appear to be a region of memory 1 / 41 Realistic ~2005 PC

1.54k views • 50 slides
Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

406 views • 36 slides
Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

www.iaik.tugraz.at S C I E N C E P A S S I O N T E C H N O L O G Y Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas Unterluggauer, Mario Werner

621 views • 57 slides
A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat Scandalis Dr. Julius O. Smith III Nick Porcaro Berklee Voltage, March 10-11 2017 02/20/2017 1 Overview The story of physical modeling stretches

597 views • 58 slides
A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat

A Brief History of Physical Modeling Synthesis, Leading up to Mobile Devices and MPE Pat Scandalis Dr. Julius O. Smith III Nick Porcaro Berklee Voltage, March 10-11 2017 02/20/2017 1 Overview The story of physical modeling stretches

764 views • 59 slides
Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review:

Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review:

Protecting Mobile Agents January 22, 2003 Protecting Mobile Agents Anna Suen suen@cs.fsu.edu January 22, 2003 Preview Review: Mobile Agent System Model Types of Attacks Agent Threats Techniques for protecting agents 2

230 views • 10 slides
A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O.

A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O.

A Brief History of Physical Modeling Leading up to Mobile Devices Pat Scandalis Dr. Julius O. Smith III Nick Porcaro CCRMA Open House 4/22/2016 04/22/2016 1 Overview The story of physical modeling stretches back nearly 1000 years

839 views • 68 slides
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein Speaker: Pavel Lifshits SMART BATTERY

739 views • 39 slides
A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

759 views • 55 slides
Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische

Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische

Securing Mobile Devices & Protecting the Privacy of Users Martina Lindorfer Technische Universitt Wien martina@iseclab.org https://martina.lindorfer.in @lindorferin About Me Assistant Professor at TU Wien (Security &

319 views • 17 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW

Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW

Localization ocalization of mobile devices of mobile devices L Seminar: Mobile Computing IFW C42 Tuesday, 29th May 2001 Roger Zimmermann Overview Overview Introduction Why Technologies Absolute Positioning Relative

314 views • 30 slides
Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU Virtual Memory Operating System System Calls CS 140 Lecture Notes: Virtual Machines Slide 1 Process Abstraction Physical Hardware Instruction

60 views • 4 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick

Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick

Rock-Paper-Fibers Bringing Physical Affordance to Mobile Touch Devices Frederik Rudeck Patrick Baudisch Preview Motivation on current touch devices, every interaction feels the same Microsoft Surface Jord, S., et al. The reacTable. TEI

757 views • 54 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

599 views • 46 slides
Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting

Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting

Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting CEO) gps@moforte.com Dr. Julius O. Smith III (Founding Consultant) Nick Porcaro (Chief Scientist) moForte Inc. Acoustical Society of America

460 views • 45 slides
Physical Posters as Gateways to Context-aware Services for Mobile Devices Enrico Rukzio,

Physical Posters as Gateways to Context-aware Services for Mobile Devices Enrico Rukzio,

WMCSA 2004 December 2nd, Low Wood, Lake Windermere (UK) Physical Posters as Gateways to Context-aware Services for Mobile Devices Enrico Rukzio, Albrecht Schmidt, Heinrich Hussmann Media Informatics Group, University of Munich 1/18 Enrico

457 views • 19 slides
Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting

Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting

Physical Modeling of Musical Instruments on Handheld Mobile Devices. Pat Scandalis (CTO, acting CEO) gps@moforte.com Dr. Julius O. Smith III (Founding Consultant) Nick Porcaro (Chief Scientist) moForte Inc. moForte.coms Technical Deck

965 views • 79 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman <erik@minemu.org> Programming Languages type-safe vs. not type-safe Programming Languages type-safe vs. not type-safe Java Python Ruby Javascript

1.22k views • 111 slides
Virtual Memory Programmer can assume he/she has infinite amount of physical memory

Virtual Memory Programmer can assume he/she has infinite amount of physical memory

4/27/17 Virtual Memory Idea: Give the programmer the illusion of a large address space while having a small physical memory So that the programmer does not worry about managing physical memory Virtual Memory Programmer can assume

817 views • 12 slides
A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory

A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory

A Few Problems with Physical Addressing Main memory 0: 1: Physical address 2: Virtual Memory 3: (PA) CPU 4: 4 5: Process Abstraction, Part 2: Private Address Space 6: 7: 8: ... M-1: Motivation : why not direct physical memory

376 views • 6 slides
Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents Against DoS Mobile Agents Against DoS Biljana Cubaleska 1 , Markus Schneider 2 1 University of Hagen, Dept. Of Communication Systems, Germany 2

511 views • 21 slides

More recommend