
Using Labeling to Prevent Cross-Service Attacks Against Smart Phones

  • Conference paper
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4064)

Abstract

Wireless devices that integrate the functionality of PDAs and cell phones are becoming commonplace, making different types of network services available to mobile applications. However, the integration of different services allows an attacker to cross service boundaries. For example, an attack carried out through the wireless network interface may eventually provide access to the phone functionality. This type of attack can cause considerable damage because some of the services (e.g., the GSM-based services) charge the user based on the traffic or time of use. In this paper, we demonstrate the feasibility of these attacks by developing a proof-of-concept exploit that crosses service boundaries. To address these security issues, we developed a solution based on resource labeling. We modified the kernel of an integrated wireless device so that processes and files are marked in a way that allows one to regulate the access to different system resources. Labels are set when certain network services are accessed. The labeling is then transferred between processes and system resources as a result of either access or execution. We also defined a language for creating labeling rules, and demonstrated how the system can be used to prevent attacks that attempt to cross service boundaries. Experimental evaluation shows that the implementation introduces little overhead. Our security solution is orthogonal to other protection schemes and provides a critical defense for the growing problem of cell phone viruses and worms.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mulliner, C., Vigna, G., Dagon, D., Lee, W. (2006). Using Labeling to Prevent Cross-Service Attacks Against Smart Phones. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_6


  • DOI: https://doi.org/10.1007/11790754_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36014-8

  • Online ISBN: 978-3-540-36017-9

  • eBook Packages: Computer Science, Computer Science (R0)
