He Liu, Stefan Saroiu, Alec Wolman, Himanshu Raj
With the proliferation of e-commerce, e-wallet, and e-health smart-phone applications, the need for trusted mobile applications is greater than ever. Unlike their desktop counterparts, many mobile applications rely heavily on sensor inputs. As a result, trust often requires authenticity and integrity of sensor readings. For example, applications may need trusted readings from sensors such as a GPS, camera, or microphone. Recent research has started to recognize the need for “trusted sensors”, yet providing the right programming abstractions and system support for building mobile trusted applications is an open problem.
This paper proposes two software abstractions for offering trusted sensors to mobile applications. We present the design and implementation of these abstractions on both x86 and ARM platforms. We implement a trusted GPS sensor on both platforms, and we provide a privacy control for trusted location using differential privacy. Our evaluation shows that implementing these abstractions comes with moderate overhead on both x86 and ARM platforms. We find these software abstractions to be versatile and practical – using them we implement one novel enterprise mobile application.
Link to full paper: http://cseweb.ucsd.edu/~h8liu/tenor.pdf
Public Review prepared by Lakshmi Subramanian
This paper tackles the important problem of building a software abstraction layer that offers a trusted sensor abstraction for mobile applications. With the rapid adoption of a wide range of sensors in existing smartphones, this abstraction is critical for mobile applications and end-users from both a security and a privacy perspective. The paper proposes two abstractions: the sensor attestation and the sensor seal abstractions. I found the sensor seal abstraction to be richer, more flexible and more useful: it "seals" sensor information and binds it to a sensor policy.
This paper is a great engineering effort that shows how to combine the various pieces of mainly existing software into a useful system that is relevant to mobile sensing, covering both high-level concepts and low-level implementation challenges, such as the proper handling of interrupts by hypervisors. While the techniques used in the paper are well established in the trusted computing community, the value of this paper really lies in the details of the design and the implementation of the system. The authors have implemented the trusted sensor abstraction for both the x86 and ARM platforms, which is a fairly substantial amount of systems development work. Showing how these abstractions can be used in the context of different applications is also a highly valuable contribution. While a good portion of the paper is reserved for implementation details, it comes across a little weak in terms of the lessons learnt from the implementation. For a security-centric paper, the threat model and the trust model could be better articulated. The differential privacy specification in the paper is still a little vague and can potentially be improved in future work.
Overall, this paper is a great first step towards providing a trusted sensor abstraction for mobile devices, a clear necessity for future-generation mobile devices and applications. Given the rate at which new applications and services are being rolled out, this paper provides a key missing piece required for enhancing the security and privacy of mobile devices. With such an abstraction, one can begin to reason about much stronger security guarantees for distributed and crowd-sourced mobile applications and services that rely on sensing data gathered from several smartphones. There are several avenues to build on top of this work, including leveraging this abstraction for higher-level security properties, enhancing the differential privacy story, crowd-sourced mobile services, and studying the same problem under different trust models and threat models.
We thank the MobiSys reviewers and our shepherd for their thoughtful comments. We are pleased to see the reviewers recognize the importance of this research area, and the need for infrastructure to enable a new class of applications – those that rely on trusted sensors. We find the public review fair, but we would like to note two additional points.
First, we think the paper’s threat model clearly states which attacks our system is designed to handle and which it cannot. If readers have additional questions about threats, we would be happy to answer them here.
Second, much previous work on trusted computing has focused on building low-level primitives. In contrast, we think it has been less successful in exposing trusted computing abstractions to developers. This is one reason why there has not been a proliferation of applications that use TPMs, beyond encrypted file systems. One of the important contributions of this paper is the development of abstractions that solve an end-to-end application scenario, that are easy to use, and that enable developers to directly leverage trusted computing in their applications.