-
TALUS: Reinforcing TEE Confidentiality with Cryptographic Coprocessors (Technical Report)
Authors:
Dhiman Chakraborty,
Michael Schwarz,
Sven Bugiel
Abstract:
Platforms are nowadays typically equipped with trusted execution environments (TEEs), such as Intel SGX and ARM TrustZone. However, recent microarchitectural attacks on TEEs repeatedly broke their confidentiality guarantees, including the leakage of long-term cryptographic secrets. These systems are typically also equipped with a cryptographic coprocessor, such as a TPM or Google Titan. These coprocessors offer a unique set of security features focused on safeguarding cryptographic secrets. Still, despite their simultaneous availability, the integration between these technologies is practically nonexistent, which prevents them from benefitting from each other's strengths. In this paper, we propose TALUS, a general design and a set of three main requirements for a secure symbiosis between TEEs and cryptographic coprocessors. We implement a proof-of-concept of TALUS based on Intel SGX and a hardware TPM. We show that with TALUS, the long-term secrets used in the SGX life cycle can be moved to the TPM. We demonstrate that our design is robust even in the presence of transient execution attacks, preventing an entire class of attacks due to the reduced attack surface on the shared hardware.
Submitted 6 June, 2023;
originally announced June 2023.
-
A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites (Extended Version)
Authors:
Sanam Ghorbani Lyastani,
Michael Backes,
Sven Bugiel
Abstract:
Heuristics for user experience state that users will transfer their expectations from one product to another. A lack of consistency between products can increase users' cognitive friction, leading to frustration and rejection. This paper presents the first systematic study of the external, functional consistency of two-factor authentication user journeys on top-ranked websites. We find that these websites implement only a minimal number of design aspects consistently (e.g., naming and location of settings) but exhibit mixed design patterns for setup and usage of a second factor. Moreover, we find that some of the more consistently realized aspects, such as descriptions of two-factor authentication, have been described in the literature as problematic and adverse to user experience. Our results advocate for more general UX guidelines for 2FA implementers and raise new research questions about the 2FA user journeys.
Submitted 17 October, 2022;
originally announced October 2022.
-
Towards a Principled Approach for Dynamic Analysis of Android's Middleware
Authors:
Oliver Schranz,
Sebastian Weisgerber,
Erik Derr,
Michael Backes,
Sven Bugiel
Abstract:
The Android middleware, in particular the so-called systemserver, is a crucial and central component to Android's security and robustness. To understand whether the systemserver provides the demanded security properties, it has to be thoroughly tested and analyzed. A dedicated line of research focuses exclusively on this task. While static analysis builds on established tools, dynamic testing approaches lack a common foundation, which prevents the community from comparing, reproducing, or even re-using existing results from related work. This raises questions about whether the underlying approach of any proposed solution is the only possible or optimal one, if it can be re-used as a building block for future analyses, or whether results generalize. In this work, we argue that in order to steer away from incompatible custom toolchains and towards having comparable analyses with reproducible results, a more principled approach to dynamically analyzing the Android system is required. As an important first step in this direction, we propose a unified dynamic analysis platform that provides re-usable solutions for common challenges as the building blocks for future analyses and allows to compare different approaches under the same assumptions.
Submitted 11 October, 2021;
originally announced October 2021.
-
simTPM: User-centric TPM for Mobile Devices (Technical Report)
Authors:
Dhiman Chakraborty,
Lucjan Hanzlik,
Sven Bugiel
Abstract:
Trusted Platform Modules are valuable building blocks for security solutions and have also been recognized as beneficial for security on mobile platforms, like smartphones and tablets. However, strict space, cost, and power constraints of mobile devices prohibit an implementation as dedicated on-board chip and the incumbent implementations are software TPMs protected by Trusted Execution Environments. In this paper, we present simTPM, an alternative implementation of a mobile TPM based on the SIM card available in mobile platforms. We solve the technical challenge of implementing a TPM2.0 in the resource-constrained SIM card environment and integrate our simTPM into the secure boot chain of the ARM Trusted Firmware on a HiKey960 reference board. Most notably, we address the challenge of how a removable TPM can be bound to the host device's root of trust for measurement. As such, our solution not only provides a mobile TPM that avoids additional hardware while using a dedicated, strongly protected environment, but also offers promising synergies with co-existing TEE-based TPMs. In particular, simTPM offers a user-centric trusted module. Using performance benchmarks, we show that our simTPM has competitive speed with a reported TEE-based TPM and a hardware-based TPM.
Submitted 20 May, 2019;
originally announced May 2019.
-
Studying the Impact of Managers on Password Strength and Reuse
Authors:
Sanam Ghorbani Lyastani,
Michael Schilling,
Sascha Fahl,
Sven Bugiel,
Michael Backes
Abstract:
Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically.
In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.
Submitted 24 December, 2017;
originally announced December 2017.
-
ARTist: The Android Runtime Instrumentation and Security Toolkit
Authors:
Michael Backes,
Sven Bugiel,
Oliver Schranz,
Philipp von Styp-Rekowsky,
Sebastian Weisgerber
Abstract:
We present ARTist, a compiler-based application instrumentation solution for Android. ARTist is based on the new ART runtime and the on-device dex2oat compiler of Android, which replaced the interpreter-based managed runtime (DVM) from Android version 5 onwards. Since dex2oat is yet uncharted, our approach required first and foremost a thorough study of the compiler suite's internals and in particular of the new default compiler backend Optimizing. We document the results of this study in this paper to facilitate independent research on this topic and exemplify the viability of ARTist by realizing two use cases. Moreover, given that seminal works like TaintDroid hitherto depend on the now abandoned DVM, we conduct a case study on whether taint tracking can be re-instantiated using a compiler-based instrumentation framework. Overall, our results provide compelling arguments for preferring compiler-based instrumentation over alternative bytecode or binary rewriting approaches.
Submitted 22 July, 2016;
originally announced July 2016.
-
Android Security Framework: Enabling Generic and Extensible Access Control on Android
Authors:
Michael Backes,
Sven Bugiel,
Sebastian Gerling,
Philipp von Styp-Rekowsky
Abstract:
We introduce the Android Security Framework (ASF), a generic, extensible security framework for Android that enables the development and integration of a wide spectrum of security models in form of code-based security modules. The design of ASF reflects lessons learned from the literature on established security frameworks (such as Linux Security Modules or the BSD MAC Framework) and intertwines them with the particular requirements and challenges from the design of Android's software stack. ASF provides a novel security API that supports authors of Android security extensions in developing their modules. This overcomes the current unsatisfactory situation to provide security solutions as separate patches to the Android software stack or to embed them into Android's mainline codebase. As a result, ASF provides different practical benefits such as a higher degree of acceptance, adaptation, and maintenance of security solutions than previously possible on Android. We present a prototypical implementation of ASF and demonstrate its effectiveness and efficiency by modularizing different security models from related work, such as context-aware access control, inlined reference monitoring, and type enforcement.
Submitted 4 April, 2014;
originally announced April 2014.