Quire: Lightweight Provenance for Smart Phone Operating Systems (1102.2445v1)

Abstract: Smartphone apps often run with full privileges to access the network and sensitive local resources, making it difficult for remote systems to have any trust in the provenance of network connections they receive. Even within the phone, different apps with different privileges can communicate with one another, allowing one app to trick another into improperly exercising its privileges (a Confused Deputy attack). In Quire, we engineered two new security mechanisms into Android to address these issues. First, we track the call chain of IPCs, allowing an app the choice of operating with the diminished privileges of its callers or to act explicitly on its own behalf. Second, a lightweight signature scheme allows any app to create a signed statement that can be verified anywhere inside the phone. Both of these mechanisms are reflected in network RPCs, allowing remote systems visibility into the state of the phone when an RPC is made. We demonstrate the usefulness of Quire with two example applications. We built an advertising service, running distinctly from the app which wants to display ads, which can validate clicks passed to it from its host. We also built a payment service, allowing an app to issue a request which the payment service validates with the user. An app cannot not forge a payment request by directly connecting to the remote server, nor can the local payment service tamper with the request.

• The paper introduces a novel method for annotating IPC call chains, ensuring authenticated app interactions and mitigating permission misuse.
• It employs HMAC-based lightweight cryptography to maintain message integrity with minimal overhead in inter-process communications.
• Quire demonstrates practical applications in advertising and payment systems, reinforcing security in sensitive smartphone operations.

Quire: Lightweight Provenance for Smartphone Operating Systems

The research paper titled "Quire: Lightweight Provenance for Smartphone Operating Systems" presents a novel approach to mitigating security challenges faced by smartphone platforms, specifically Android. This work systematically addresses issues arising from the permission model applied by Android and demonstrates how mutual distrust among apps can be managed through provenance tracking and secure communications.

Overview and Techniques

Quire introduces a suite of extensions to Android operations, focusing on reinforcing the security of inter-process communication (IPC) and remote procedure call (RPC) interactions. The system primarily seeks to enable a fine-grained provenance of requests from applications, thus allowing a robust mechanism to ensure that only authorized requests are processed by sensitive system resources.

Quire's solution is built on two foundational techniques:

1. IC Tracking and Authentication: Through augmenting IPC messages with call-chain annotations, the approach allows the recipient to evaluate the complete chain of applications involved in a request. This ensures that apps are safeguarded against Confused Deputy attacks by validating permissions across the entire call chain.
2. Secure Messaging with Lightweight Cryptography: By employing HMACs (Hash-based Message Authentication Codes), Quire ensures the integrity and authenticity of messages with minimal computational overhead, offering a scalable and efficient mechanism compared to traditional digital signatures.

Key Applications

The paper explores several applications of the Quire framework that demonstrate its practical relevance:

• Advertising Systems: By isolating advertisements in separate processes and leveraging Quire for secure IPC, this design prevents click fraud by guaranteeing that interaction events are legitimate and supported by provenance data.
• Payment Services: Quire facilitates secure in-app micropayments by ensuring that only authenticated and verified requests reach the payment servers. This credibility is achieved by seamless remote attestation mechanisms between local apps and their corresponding remote services.

These exemplify how Quire's provenance and security enhancements can significantly bolster application interactions, leveraging the Os benefits rather than relying solely on user-mediated permission settings.

Performance and Security Assessments

This work carefully evaluates the performance implications of introducing these security measures. The results indicate that Quire achieves a considerable improvement in security with a tolerable overhead in response time for both IPC and RPC communications. The provenance annotation introduces a minimal constant overhead for IPC call-chain tracking. Quire’s impact on RPC is similarly limited, with an overhead that is insignificant in the context of typical network latencies.

Security analyses highlight Quire's potential to address notable challenges, including preventing unauthorized data access, verifying data integrity, and enforcing robust security policies that adapt to dynamic application states.

Theoretical Implications and Future Research

Quire stands out by integrating the theoretical constructs of logical authentication systems (inspired by Abadi et al.) with practical implementations, thus serving as a viable bridge from theory to impactful application in OS security. Its potential scalability and low overhead make it suitable for wider adoption in varied contexts, beyond just mobile platforms.

Future research can extend Quire to other environments, such as web browsers, where provenance is equally critical for ensuring secure and reliable interactions among web components and plugins. Additionally, integrating Quire with emerging hardware-level security features like TPMs could further strengthen its assurances against physical and network-based attacks.

In conclusion, Quire represents a substantial contribution to the field of mobile security, offering a scalable framework for implementing detailed provenance and trust evaluation mechanisms applicable across various application domains. This research lays the groundwork for continued advancements in secure operating system design, with a clear path forward for integrating increasingly sophisticated security paradigms.