Trustworthy Secure Middleware Architecture for Mobile Devices
We are currently in a smart-phone era. Mobile devices are gaining more popular than the exis- ting traditional computers. As the growth of technology increases, the possibility of increasing risks are higher. The risk of possible attacks for a mobile device are increasing and could be with physical access and remote access. Even though we do not have a major attack on mobile devices in past, there are some attacks which happened such as by sharing the non-signed and non-verified downloaded executable files to one another [MSCU2011]. Mobile security is one of the most important and key element in today’s world. Security and privacy-related are most important topics in such mobile devices scenarios. The possible factors of mobile attacks are less, because of less heterogeneity. To understand the heterogeneity and homogeneity with re- spect to mobile devices, consider a smart device which is manufactured by different companies with different operating system (handset manufacturers). For example, if we consider a black- berry or an apple which manufactures its own hardware and software (Operating System). In this scenario, the security features of the hardware is tightly coupled with the software they designed. So, the overall security outcome of such scenario is much better. The smart phone OS makers reluctant to give access to such hardware security features. But, even if the OS makers are willing to share such information via their customised APIs, the application developers or other parties are forced to fully trust the smart phone OS makers hardware based security API functions. Also, the companies such as apple are not sharing the information or APIs to access secure isolated environments. When comes to homogeneity, Even though the companies such as Motorola, LG, Samsung are bound in using the standard open platform Android, they are en- ding up manufacturing their own custom hardware specifications and custom software designs. This leads in implementing custom and buggy security properties as there is no standardization. Again in this case, application developers are forced to trust the modified OS and to fully trust the security based API functions if available.
To strengthen the security and the trust of a mobile device, we need to have a more security mechanisms in order to have a trustworthy mobile devices, access to security features for apps and more transparent trust assessment of security features, and a better APIs and uniform me- chanisms integrated with a trust or a reputation framework. Such security mechanisms can be achieved by designing a generic secure middleware architecture. The architecture could poten- tially improve the security levels of all components.
The current smart phones middleware already have a secure isolation execution environment with a secure storage attached to it. So that the secure storage can have possibility to store keys, encrypt data or keys and authentication/access controls. The advantage of having a trusted middleware is to have a safe and secure storage environment to store the user settings of a device. For example, if a user needs to migrate the user settings from one device (if any stored in our middleware based secure storage) to another device. The defined middleware components are:
- Secure API functions.
- Normal component where register and un-register of a secure access.
- Secure storage component.
- Hybrid isolation execution.
Often security researchers evaluate the effectiveness of the system by their ability to resist attack [LFC2006]. For mobile devices, android/iOS/Symbian/etc can be tested in similar way. But testing a hardware based security features are usually hard as there are no standardization and the details of internal hardware security properties.
Based on this current scenario, we want to define a standard middleware security architecture which has a secure storage and execution on a device. This will boost the security and privacy of a mobile device. To create such a trust, we need to have a generic middleware security architecture and must be capable of handling security properties. These security properties can therefore helpful application developers, end users and manufacturers.
- Jörg Daubert
Forschungsgebiete: CYSEC, privacy-trust, Telecooperation , – SPIN: Smart Protection in Infrastructures and Networks