Using ARM TrustZone to Build a Trusted Language Runtime for Mobile Apps - Embedded.com


E-wallet and e-health mobile apps have already started to revolutionize the way people make purchases, and how they handle their health records. As mobile apps start to handle security-sensitive data, smartphones become an attractive target for attacks. In particular, data such as personal photos, location trails, and online banking information have a high value to spammers and identity thieves.

As a result, mobile applications have emerged recently with questionable practices as well as outright malware. Unfortunately, protecting data on mobile devices is far from trivial. Typically, mobile apps rely on ad-hoc OS and application-level mechanisms to protect sensitive data and prevent leaks.

However, the Trusted Computing Base (TCB) code that mobile apps depend upon is very complex: popular mobile platforms based on iOS, Android, or Windows 8 comprise a full-blown OS, local services, and system libraries, consisting of millions of lines of code (LOC). Therefore, it is difficult to ensure the absence of exploitable code vulnerabilities that could be used to disable security checks and retrieve sensitive data.

While prior research has managed to explore the limits in shrinking the TCB of trusted computing systems, the functionality of these systems may be too restrictive for mobile applications. Mobile apps are typically written in high-level languages and compiled to intermediate code (e.g., Dalvik bytecode or .NET managed code). Flicker and TrustVisor can only execute small pieces of application logic written in native code; they have no built-in runtime engine and are unable to interpret intermediate code.

This paper presents the design, implementation, and evaluation of the Trusted Language Runtime (TLR), a system that protects the confidentiality and integrity of .NET mobile applications from OS security breaches.

TLR uses three techniques to keep the TCB small: (i) allow application developers to factor out the security-sensitive app logic into classes that transparently run in a trusted environment, (ii) isolate the TLR and the trusted app code from the bulk of the system software by using ARM TrustZone technology, and (iii) borrow parts of the runtime engine design from the .NET Micro Framework (NETMF), a small .NET implementation designed for embedded devices.

TLR enables separating an application’s security-sensitive logic from the rest of the application, and isolates it from the OS and other apps. TLR provides runtime support for the secure component based on a .NET implementation for embedded devices. TLR reduces the TCB of an open source .NET implementation by a factor of 78 with a tolerable performance cost.
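The partitioning that technique (i) describes is easiest to see on a small e-wallet. The sketch below is an added illustration, not code from the paper or from the TLR project: it assumes a hypothetical `[TrustedComponent]` marker (the page does not say how TLR designates trusted classes), a constructed demo key, and standard .NET `HMACSHA256`. The point is the shape of the split: the signing key and the spending-limit check live in one class that would run in the trusted environment, while the OS-side part of the app only ever handles the resulting approval tag.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical marker: how TLR actually designates trusted classes is not
// described on this page; this attribute only documents the intended boundary.
[AttributeUsage(AttributeTargets.Class)]
sealed class TrustedComponentAttribute : Attribute { }

// Security-sensitive logic: holds the wallet's signing key and enforces the
// spending policy. Only this class would run in the trusted environment; the
// OS-side code never sees the key, only the approval tag it produces.
[TrustedComponent]
sealed class WalletCore
{
    private readonly byte[] key;
    private readonly decimal dailyLimit;
    private decimal spentToday;

    public WalletCore(byte[] key, decimal dailyLimit)
    {
        this.key = key;
        this.dailyLimit = dailyLimit;
    }

    // Returns an authorisation tag for the payment, or null if policy rejects it.
    // Because the check runs inside the trusted component, a compromised OS
    // cannot bypass it by patching the app's untrusted code.
    public byte[] Authorise(string merchant, decimal amount)
    {
        if (amount <= 0 || spentToday + amount > dailyLimit)
            return null;
        spentToday += amount;
        byte[] message = Encoding.UTF8.GetBytes(merchant + "|" + amount.ToString("F2"));
        using (var mac = new HMACSHA256(key))
            return mac.ComputeHash(message);
    }
}

// Untrusted part: UI, networking and everything else. It drives the trusted
// component through a narrow interface and forwards only the tag.
static class WalletApp
{
    static void Main()
    {
        // Constructed demo key. In a real deployment the key would be provisioned
        // to the trusted side directly and never be visible to this class.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-real-use");
        var core = new WalletCore(key, dailyLimit: 100m);

        byte[] tag = core.Authorise("coffee-shop", 4.50m);
        Console.WriteLine(tag == null ? "rejected" : "approved: " + BitConverter.ToString(tag));

        tag = core.Authorise("electronics-store", 250m);
        Console.WriteLine(tag == null ? "rejected (over daily limit)" : "approved");
    }
}
```

The untrusted side can still ask for as many authorisations as it likes, so the policy in `WalletCore` is what bounds the damage if the OS is compromised; keeping that class small is what keeps the TCB small.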

The main benefit of the TLR is to bring the developer benefits of managed code to trusted computing. With the TLR, developers can build their trusted components with the productivity benefits of modern high-level languages, such as strong typing and garbage collection.

We describe our TLR prototype implementation on real TrustZone hardware, rather than in an ARM simulator. We present the challenges related to the TrustZone compatibility and portability issues of a large OS, namely Linux.

To read this external content in full, download the complete paper from the online archives at the Max Planck Institute for Software Systems.
