This week marks the dawn of the 8th semester, the final semester in my course. We are required to do a project worth 18 credits spanning the entire duration of the semester. I've always wanted to do a project which involves digging down into the hardware level and getting my hands dirty with assembly/low level code, maybe excessive web programming in the past made me lust for a system's project. Back in my 3rd semester the course that changed my outlook towards Computer Science was the Computer Architecture course handled by Dr. Viraj Kumar. We learnt a lot in that course and by far it was my favorite course in the whole of Engineering. So I contacted Professor Viraj along with a couple of my friends(Sreya & Abhinav) and asked him for a project in the system's field. He got back to us in no time and introduced us to a contact of his who works at Microsoft Research, Dr Sriram Rajamani. In a week's time we met to discuss a potential project.
The theme of the project is Secure Computing in Android/ARM devices. Information Security in the traditional sense involves an array of crypto algorithms and secure communication over client/server protocol . In the current landscape if we want to make an app secure so that it cannot be tampered by the user or malicious software one such solution is to have all the sensitive information stored on the server, this method has its advantages but the main gripe is the application needs to be connected to the internet all the time. This has become a mainstay in the PC gaming industry to curb piracy, recently even Android applications have taken this route to achieve a secure environment. The other problem with this approach is the requirement for an application server which has to cater to all the user's queries. Dr Sriram who has pioneered in the field of Secure Computation interfaces for products such as the Azure suggested that we look into a concept known as enclave. An enclave is a part of application software/code which is isolated from the privileged software (i.e Operating System). As it turns out ARM processors the most popular choice for Android phones has a new feature known as TrustZone which is actually present in 96% of all Android Phones, TrustZone allows for a Trusted Execution Environment(TEE). From our understanding TrustZone is barely used in Android, and most of the solutions are proprietary. So we embarked to build an application which uses TrustZone for secure computing and allow for an offline solution to the classic problem.
Our choice of application was a quiz application. Traditionally questions are retrieved from the server every time and the user's answer is sent to the server and is checked with the answer key and a response is retrieved and the user's score is also maintained in the server. Our application downloads the questions and answers from the server in an encrypted format and the key is stored in the enclave. The quizzes are downloaded only when Internet Connection is available and the result is also stored in the enclave so that the user will not be able to access the answers or modify his score. The user's score will be uploaded to the server when the network is available.
We built a simple quiz application which at the moment is not secure, but works in an offline environment. In this approach we need a remote json file to hold the index for the list of quizzes, the json file will further have links to other remote files containing the quizzes.
We hope to continue our progress and to find a way to enable TrustZone on the Android emulator or QEMU by next week.
The theme of the project is Secure Computing in Android/ARM devices. Information Security in the traditional sense involves an array of crypto algorithms and secure communication over client/server protocol . In the current landscape if we want to make an app secure so that it cannot be tampered by the user or malicious software one such solution is to have all the sensitive information stored on the server, this method has its advantages but the main gripe is the application needs to be connected to the internet all the time. This has become a mainstay in the PC gaming industry to curb piracy, recently even Android applications have taken this route to achieve a secure environment. The other problem with this approach is the requirement for an application server which has to cater to all the user's queries. Dr Sriram who has pioneered in the field of Secure Computation interfaces for products such as the Azure suggested that we look into a concept known as enclave. An enclave is a part of application software/code which is isolated from the privileged software (i.e Operating System). As it turns out ARM processors the most popular choice for Android phones has a new feature known as TrustZone which is actually present in 96% of all Android Phones, TrustZone allows for a Trusted Execution Environment(TEE). From our understanding TrustZone is barely used in Android, and most of the solutions are proprietary. So we embarked to build an application which uses TrustZone for secure computing and allow for an offline solution to the classic problem.
Our choice of application was a quiz application. Traditionally questions are retrieved from the server every time and the user's answer is sent to the server and is checked with the answer key and a response is retrieved and the user's score is also maintained in the server. Our application downloads the questions and answers from the server in an encrypted format and the key is stored in the enclave. The quizzes are downloaded only when Internet Connection is available and the result is also stored in the enclave so that the user will not be able to access the answers or modify his score. The user's score will be uploaded to the server when the network is available.
We built a simple quiz application which at the moment is not secure, but works in an offline environment. In this approach we need a remote json file to hold the index for the list of quizzes, the json file will further have links to other remote files containing the quizzes.
We hope to continue our progress and to find a way to enable TrustZone on the Android emulator or QEMU by next week.
No comments:
Post a Comment