Abstract
SEIP is a simple and efficient but yet effective solution for the integrity protection of real-world cellular phone platforms, which is motivated by the disadvantages of applying traditional integrity models on these performance and user experience constrained devices. The major security objective of SEIP is to protect trusted services and resources (e.g., those belonging to cellular service providers and device manufacturers) from third party code. We propose a set of simple integrity protection rules based upon open mobile operating system environments and respective application behaviors. Our design leverages the unique features of mobile devices, such as service convergence and limited permissions of user installed applications, and easily identifies the borderline between trusted and untrusted domains on mobile platform. Our approach thus significantly simplifies policy specifications while still achieves a high assurance of platform integrity. SEIP is deployed within a commercially available Linux-based smartphone and demonstrates that it can effectively prevent certain malware. The security policy of our implementation is less than 20kB, and a performance study shows that it is lightweight.
Chapter PDF
References
Android, http://code.google.com/android/
Gpe phone edition, http://gpephone.linuxtogo.org/
J2ME CLDC specifications, version 1.0a, http://jcp.org/aboutjava/communityprocess/final/jsr030/index.html
Limo foundation, https://www.limofoundation.org
LMbench-tools for performance analysis, http://www.bitmover.com/lmbench
Maemo, http://www.maemo.org
Mcafee mobile security report (2008), http://www.mcafee.com/us/research/mobile_security_report_2008.html
Mcafee mobile security report (2009), http://www.mcafee.com/us/local_content/reports/mobile_security_report_2009.pdf
Motomagx security, http://ecosystem.motorola.com/get-inspired/whitepapers/security-whitepaper.pdf
OpenEZX, http://wiki.openezx.org/main_page
Pandalab report, http://pandalabs.pandasecurity.com/blogs/images/pandalabs/2008/04/01/quarterly_report_pandalabs_q1_2008.pdf
Qtopia phone edition, http://doc.trolltech.com
Security in qtopia phones, http://www.linuxjournal.com/article/9896
Setools–policy analysis tools for selinux, http://oss.tresys.com/projects/setools
Understanding the windows mobile security model, http://technet.microsoft.com/en-us/library/cc512651.aspx
Biba, K.J.: Integrity consideration for secure computer system. Technical report, Mitre Corp. Report TR-3153, Bedford, Mass. (1977)
Bose, A., Shin, K.: Proactive security for mobile messaging networks. In: Proc. of ACM Workshop on Wireless Security (2006)
Cheng, J., Wong, S., Yang, H., Lu, S.: Smartsiren: Virus detection and alert for smartphones. In: Proc. of ACM Conference on Mobile Systems, Applications (2007)
Clark, D.D., Wilson, D.R.: A comparison of commercial and military computer security policies. In: Proceedings of the IEEE Symposium on Security and Privacy (1987)
Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. IEEE Security & Privacy 7(1) (2009)
Fraser, T.: LOMAC: MAC you can live with. In: Proc. of USENIX Annual Technical Conference (2001)
Heath, C.: Symbian os platform security. Symbian press (2006)
Hu, G., Venugopal, D.: A malware signature extraction and detection method applied to mobile networks. In: Proc. of 26th IEEE International Performance, Computing, and Communications Conference (2007)
Hypponen, M.: State of cell phone malware in 2007 (2007), http://www.usenix.org/events/sec07/tech/hypponen.pdf
Jaeger, T., Sailer, R., Shankar, U.: PRIMA: Policy-reduced integrity measurement architecture. In: Proc. of ACM SACMAT (2006)
Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants. In: Proc. of the International Conference on Mobile Systems, Applications, and Services (2008)
Li, N., Mao, Z., Chen, H.: Usable mandatory integrity protections for operating systems. In: Proc. of IEEE Symposium on Security and Privacy (2007)
Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the linux operating system. In: Proceedings of USENIX Annual Technical Conference, June 25-30, pp. 29–42 (2001)
Lunt, T., Denning, D., Schell, R., Heckman, M., Shockley, M.: The seaview security model. IEEE Transactions on Software Engineering 16(6) (1990)
Mulliner, C., Vigna, G., Dagon, D., Lee, W.: Using labeling to prevent cross-service attacks against smart phones. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 91–108. Springer, Heidelberg (2006)
Muthukumaran, D., Sawani, A., Schiffman, J., Jung, B.M., Jaeger, T.: Measuring integrity on mobile phone systems. In: Proc. of ACM SACMAT (2008)
Shankar, U., Jaeger, T., Sailer, R.: Toward automated information-flow integrity verification for security-critical applications. In: Proc. of NDSS (2006)
Venugopal, D., Hu, G., Roman, N.: Intelligent virus detection on mobile devices. In: Proc. of International Conference on Privacy, Security and Trust (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zhang, X., Seifert, JP., Acıiçmez, O. (2010). SEIP: Simple and Efficient Integrity Protection for Open Mobile Platforms. In: Soriano, M., Qing, S., López, J. (eds) Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science, vol 6476. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17650-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-17650-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17649-4
Online ISBN: 978-3-642-17650-0
eBook Packages: Computer ScienceComputer Science (R0)