Personal smart devices provide users with powerful capabilities for communication, productivity, health, education, and entertainment. Applications often operate over sensitive data related to the user: collecting and processing input data from sensors (e.g., fingerprint scans, location updates), or rendering output data to the user (e.g., displaying financial information). This sensitive data is the target of many attacks from a variety of different attack vectors, ranging from malicious applications to compromises of the platform software (e.g., operating system (OS) and privileged services). Any OS-provided controls naturally depend on the security of the OS itself, which has a large attack surface and has proven vulnerable in practice. There have been efforts to leverage trusted hardware to isolate critical components (e.g., fingerprint authentication), but these require the user to give up control of their device. Today, users are ultimately unable to reason about or control how their sensitive data is processed, protected, or shared.
This project focuses on how to design new abstractions and minimal enforcement layers to provide more control and accountability for sensitive I/O data. We leverage recent advances in trusted hardware to isolate these critical enforcement layers such that their guarantees hold regardless of the correctness of the rest of the software on the system (including the OS). Currently, we focus on user devices, since they are a critical endpoint for the collection, processing, and display of sensitive data; however, this project also extends to processing and usage of the data off-device (e.g., in cloud environments controlled by application owners). All of this work seeks to provide end-users with full control over their devices while accommodating the needs of the many (mutually distrusting) parties in the broader ecosystem.
SeCloak focuses on addressing a single point in the policy space for giving control back to users: on/off control of peripherals (e.g., camera, microphone). SeCloak runs as a platform-agnostic layer that provides the abstraction of secure, virtual switches that the user can reliably configure.
AIO introduces a new “accountable path” abstraction, which represents the end-to-end software stack between underlying hardware devices and a local (or remote) application endpoint. Accountable paths allow for more expressive policies to be enforced over the functionality of the software stack; these policies may be used to augment the path with various assurances (e.g., confidentiality, integrity) or even track provenance of data. AIO enables principles to generate and verify attestations over (parts of) these paths, which allows them to reason about the relevant state of the system. We have implemented a number of applications that make use of accountable paths to simplify their implementations while enhancing security (e.g., mobile banking).
Assurance and Control over Sensitive Data on Personal Devices
SeCloak: ARM TrustZone-based Mobile Peripheral Control
Matthew Lentz, Rijurekha Sen, Peter Druschel, Bobby Bhattacharjee
Mobisys 2018 (Conference on Mobile Systems, Applications, and Services)
Please contact Prof. Lentz for further information.