On 23 July 2014 15:15, <[email protected]> wrote: > Google is taking a step further towards securing Android smartphones by > introducing Android L, which is built on Samsung's Knox technologies [1]. > > The Knox enhances the security of the smartphone by resorting to the > following security technologies: > > - TPM, implementing static root of trust
Samsung phones running Knox do not have a TPM in the standard TCG meaning of the word. > However, it is still vulnerable to memory based rootkit attacks [6]: After > trusted boot of the SE-Linux (i.e. the kernel of SE-Android), memory based > rookit may still be introduced to kernel due to vulnerabilities, etc. > ... Samsung has a thing they call 'TIMA' (Trustzone Integrity Measurement) which monitors the kernel for intrusions like this, as well as making ongoing kernel measurements for attestation purposes. As you can probably guess from the name, this is done from trustzone. Cheers, Joe On 23 July 2014 15:15, <[email protected]> wrote: > Google is taking a step further towards securing Android smartphones by > introducing Android L, which is built on Samsung's Knox technologies [1]. > > The Knox enhances the security of the smartphone by resorting to the > following security technologies: > > - TPM, implementing static root of trust > > - ARM TrustZone, providing hardware mechanism in support of TPM > > - SE-Android, introducing mandatory access control for better > security > > - Linux Container or other light-weight virtualization > technologies, implementing separate domains for enterprise run-time > environment and personal run-time environment > > Without further elaborating the aforementioned technologies, it is concluded > that Knox provides a secure platform for smartphones so that they may be > used in mission-critical applications, especially in pursuit of BYOD in > enterprise environment. > > However, it is still vulnerable to memory based rootkit attacks [6]: After > trusted boot of the SE-Linux (i.e. the kernel of SE-Android), memory based > rookit may still be introduced to kernel due to vulnerabilities, etc. Such > kind of attacks is beyond the TPM’s scope. If lucky, the rootkit may inherit > the highest security label of the bugged code running in the kernel, > bypassing any security mediation. > > Simply put, it is hard to detect any security compromises if the detection > code runs within the same kernel it is intended to protect [5]. Fortunately, > academic researchers already found a way that may take advantage of > virtualization for further protection [2]. Specifically, virtual machine > introspection (VMI) technology may be leveraged to provide real-time > inspection of systems' health conditions. Moreover, such technology has > already been implemented in some use cases [3][4], sans mobile platforms. > > The suggested improvement on the security architecture of Knox and Android L > is to introduce a hypervisor (like Xen), beneath the SE-Android. > Furthermore, a light-weight agent is running in Dom0, side by side with the > SE-Android. It takes advantage of VMI (like XenAccess) to inspect the health > of SE-Android by collecting the statistics of key elements in the kernel > (like hash value of system calls table, etc.), and passing them on to the > backend MDM servers, through a secure connection. The MDM servers host the > actual analytics engine and carry out weight-lifting. > > This way, even if the kernel space of SE-Android is corrupted, the agent is > able to detect the changes due to corruption. > > References > > Android L builds on Samsung’s Knox fortifications > A Virtual Machine Introspection Based Architecture for Intrusion Detection > Insider Threat Detection on the Windows Operating System Using Virtual > Machine Introspection > Changing the Game for Anti-Virus in the Virtual Datacenter > Root Out Rootkits An inside look at McAfee Deep Defender > Security Challenges in Virtualized Environments > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
