Google is taking a step further towards securing Android smartphones by 
introducing Android L, which is built on Samsung's Knox technologies [1].

Knox enhances the security of the smartphone through the following security 
technologies:

- TPM, implementing a static root of trust

- ARM TrustZone, providing the hardware mechanism in support of the TPM

- SE-Android, introducing mandatory access control for better security

- Linux Containers or other light-weight virtualization technologies, 
implementing separate domains for the enterprise run-time environment and 
the personal run-time environment

Without elaborating further on these technologies, the conclusion is that 
Knox provides a secure platform for smartphones, so that they may be used in 
mission-critical applications, especially in pursuit of BYOD in enterprise 
environments.

However, it is still vulnerable to memory-based rootkit attacks [6]: after 
trusted boot of SE-Linux (i.e. the kernel of SE-Android), a memory-based 
rootkit may still be introduced into the kernel through vulnerabilities, 
etc. Such attacks are beyond the TPM's scope. If lucky, the rootkit may 
inherit the highest security label of the buggy code running in the kernel, 
bypassing any security mediation.

Simply put, it is hard to detect security compromises if the detection code 
runs within the same kernel it is intended to protect [5]. Fortunately, 
academic researchers have already found a way to take advantage of 
virtualization for further protection [2]. Specifically, virtual machine 
introspection (VMI) may be leveraged to provide real-time inspection of a 
system's health. Moreover, such technology has already been implemented in 
some use cases [3][4], though not yet on mobile platforms.

The suggested improvement to the security architecture of Knox and Android 
L is to introduce a hypervisor (such as Xen) beneath SE-Android. 
Furthermore, a light-weight agent runs in Dom0, side by side with 
SE-Android. It uses VMI (such as XenAccess) to inspect the health of 
SE-Android by collecting statistics on key elements of the kernel (such as 
the hash value of the system call table) and passing them on to the backend 
MDM servers over a secure connection. The MDM servers host the actual 
analytics engine and carry out the heavy lifting.

This way, even if the kernel space of SE-Android is corrupted, the agent is 
able to detect the changes caused by the corruption.
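To make the agent's job concrete, here is an added example (not code from the original post, and not part of any Knox, Xen or XenAccess project) modelling the Dom0 side of the proposal: it reads the guest kernel's system call table and text region, hashes them, flags any table entry that points outside kernel text, and packages the result as an authenticated report for the MDM backend. The guest memory, symbol addresses, table size, device id and HMAC key are all constructed for the example; a real agent would replace read_guest() with a VMI read (e.g. LibVMI's vmi_read_va) and send the report over the TLS connection the post mentions.

```python
import hashlib
import hmac
import json
import struct

PTR_SIZE = 8           # 64-bit guest
NR_SYSCALLS = 8        # toy table; a real table has several hundred entries

# Hypothetical System.map-style symbol addresses for the guest kernel
# (constructed for this example).
SYMBOLS = {
    "sys_call_table": 0x1000,
    "_stext": 0x2000,
    "_etext": 0x2400,
}
GUEST_MEM_SIZE = 0x4000


def build_guest_memory(redirect=None):
    """Constructed guest image: a tiny kernel text region and a syscall table
    whose entries point into it. `redirect=(index, addr)` points one entry
    outside kernel text, modelling a hooked table."""
    mem = bytearray(GUEST_MEM_SIZE)
    for i in range(SYMBOLS["_stext"], SYMBOLS["_etext"]):
        mem[i] = (i * 7) & 0xFF            # deterministic filler for kernel code
    handlers = [SYMBOLS["_stext"] + 0x40 * n for n in range(NR_SYSCALLS)]
    if redirect is not None:
        idx, target = redirect
        handlers[idx] = target
    struct.pack_into("<%dQ" % NR_SYSCALLS, mem, SYMBOLS["sys_call_table"], *handlers)
    return bytes(mem)


def read_guest(mem, vaddr, size):
    """Stand-in for a VMI read of guest virtual memory from Dom0."""
    return mem[vaddr:vaddr + size]


def measure(mem):
    """Collect the key-element statistics the post describes."""
    table_raw = read_guest(mem, SYMBOLS["sys_call_table"], NR_SYSCALLS * PTR_SIZE)
    text_raw = read_guest(mem, SYMBOLS["_stext"], SYMBOLS["_etext"] - SYMBOLS["_stext"])
    entries = struct.unpack("<%dQ" % NR_SYSCALLS, table_raw)
    outside = [i for i, p in enumerate(entries)
               if not SYMBOLS["_stext"] <= p < SYMBOLS["_etext"]]
    return {
        "sys_call_table_sha256": hashlib.sha256(table_raw).hexdigest(),
        "kernel_text_sha256": hashlib.sha256(text_raw).hexdigest(),
        "entries_outside_text": outside,
    }


def compare(baseline, current):
    """Findings relative to a baseline taken from a known-good boot."""
    findings = []
    for key in ("sys_call_table_sha256", "kernel_text_sha256"):
        if baseline[key] != current[key]:
            findings.append("%s changed since baseline" % key)
    if current["entries_outside_text"]:
        findings.append("syscall entries outside kernel text: %s"
                        % current["entries_outside_text"])
    return findings


def build_report(device_id, measurement, findings, key):
    """Serialize the measurement for the MDM backend and authenticate it with
    an HMAC. The key lives in Dom0, never in the inspected guest."""
    body = json.dumps({"device": device_id, "measurement": measurement,
                       "findings": findings}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_report(body, tag, key):
    """MDM-side check that the report came from the agent unmodified."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-agent-key"
    baseline = measure(build_guest_memory())
    hooked = build_guest_memory(redirect=(2, 0x3000))   # entry 2 now outside text
    current = measure(hooked)
    body, tag = build_report("device-001", current, compare(baseline, current), key)
    assert verify_report(body, tag, key)
    print(json.dumps(json.loads(body), indent=2))
```

Two points the toy glosses over: the baseline must come from a measurement of the known-good kernel right after trusted boot, and a production agent has to exclude regions the kernel legitimately rewrites at run time (alternatives patching, ftrace trampolines) from the text hash, otherwise it reports every boot as tampered.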

References

   1. Android L builds on Samsung's Knox fortifications
   2. A Virtual Machine Introspection Based Architecture for Intrusion 
   Detection
   3. Insider Threat Detection on the Windows Operating System Using 
   Virtual Machine Introspection
   4. Changing the Game for Anti-Virus in the Virtual Datacenter
   5. Root Out Rootkits: An Inside Look at McAfee Deep Defender
   6. Security Challenges in Virtualized Environments

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.