Skip to main content
SpringerLink
Log in

A Secure Architecture for Operating System-Level Virtualization on Mobile Devices

  • Conference paper
  • First Online:
Information Security and Cryptology (Inscrypt 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9589))

Included in the following conference series:

Abstract

In this paper, we present a novel secure architecture for OS-level virtualization on mobile devices. OS-level virtualization allows to simultaneously operate multiple userland OS instances on one physical device. Compared to previous approaches, our main objective is the confidentiality of sensitive user data stored on the device. We isolate the OS instances by restricting them to a set of minimal, controlled functionality and allow communication between components exclusively through well-defined channels. With our secure architecture, we therefore go beyond the common deployment of Linux kernel mechanisms, such as namespaces or cgroups. We develop a specially tailored, stacked LSM concept using SELinux and a custom LSM, leverage Linux capabilities and the cgroups devices subsystem. Based on the architecture, we present secure device virtualization concepts allowing to dynamically assign device functionalities to different OS instances. Furthermore, we develop a mechanism for secure switching between the instances. We realize the architecture with a fully functional and performant implementation on the Samsung Galaxy S4 and Nexus 5 mobile devices, running Android 4.4.4 and 5.1.1, respectively. With a systematic security evaluation, we demonstrate that the secure isolation of OS instances provides confidentiality even when large parts of the system are compromised.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    http://article.gmane.org/gmane.linux.kernel.lsm/22729.

  2. 2.

    https://android.googlesource.com/kernel/msm.

  3. 3.

    https://github.com/google/protobuf.

References

  1. Almohri, H.M., Yao, D.D., Kafura, D.: DroidBarrier: know what is executing on your Android. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014, pp. 257–264. ACM (2014)

    Google Scholar 

  2. Andrus, J., Dall, C., Hof, A.V., Laadan, O., Nieh, J.: Cells: a virtual mobile smartphone architecture. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP 2011, pp. 173–187. ACM (2011)

    Google Scholar 

  3. Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: AppGuard – fine-grained policy enforcement for untrusted Android applications. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W.M. (eds.) DPM 2013 and SETOP 2013. LNCS, vol. 8247, pp. 213–231. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  4. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 164–177. ACM (2003)

    Google Scholar 

  5. Becher, M., Freiling, F., Hoffmann, J., Holz, T., Uellenbeck, S., Wolf, C.: Mobile security catching up? Revealing the nuts and bolts of the security of mobile devices. In: 2011 IEEE Symposium on Security and Privacy (SP), pp. 96–111 (2011)

    Google Scholar 

  6. Brakensiek, J., Dröge, A., Botteck, M., Härtig, H., Lackorzynski, A.: Virtualization as an enabler for security in mobile devices. In: Proceedings of the 1st Workshop on Isolation and Integration in Embedded Systems, IIES 2008, pp. 17–22. ACM (2008)

    Google Scholar 

  7. Bugiel, S., Davi, L., Dmitrienko, A., Heuser, S., Sadeghi, A.R., Shastry, B.: Practical and lightweight domain isolation on Android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp. 51–62. ACM (2011)

    Google Scholar 

  8. Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. In: Proceedings of the 22nd USENIX Conference on Security, SEC 2013, pp. 131–146. USENIX Association (2013)

    Google Scholar 

  9. Chen, W., Xu, L., Li, G., Xiang, Y.: A lightweight virtualization solution for Android devices. IEEE Trans. Comput. 64, 2741–2751 (2015)

    Article  MathSciNet  Google Scholar 

  10. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys 2011, pp. 239–252. ACM (2011)

    Google Scholar 

  11. Dall, C., Nieh, J.: KVM/ARM: the design and implementation of the Linux ARM hypervisor. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2014, pp. 333–348. ACM (2014)

    Google Scholar 

  12. Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society (1981)

    Google Scholar 

  13. Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones, pp. 1–6 (2010)

    Google Scholar 

  14. Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 235–245. ACM (2009)

    Google Scholar 

  15. Feizollah, A., Anuar, N.B., Salleh, R., Wahab, A.W.A.: A review on feature selection in mobile malware detection. Digit. Invest. 13, 22–37 (2015). Elsevier Science Publishers B. V

    Google Scholar 

  16. Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp. 3–14. ACM (2011)

    Google Scholar 

  17. Hwang, J.Y., bum Suh, S., Heo, S.K., Park, C.J., Ryu, J.M., Park, S.Y., Kim, C.R.: Xen on ARM: system virtualization using Xen hypervisor for ARM-based secure mobile phones. In: 5th IEEE Consumer Communications and Networking Conference, CCNC 2008, pp. 257–261 (2008)

    Google Scholar 

  18. Kamp, P.H., Watson, R.N.: Jails: confining the omnipotent root. In: Proceedings of the 2nd International SANE Conference, vol. 43 (2000)

    Google Scholar 

  19. Laadan, O., Nieh, J.: Operating system virtualization: practice and experience. In: Proceedings of the 3rd Annual Haifa Experimental Systems Conference, SYSTOR 2010, pp. 17:1–17:12. ACM (2010)

    Google Scholar 

  20. Merkel, D.: Docker: lightweight Linux containers for consistent development and deployment. Linux J. 2014(239), 2 (2014)

    Google Scholar 

  21. Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in Android. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC, pp. 340–349. IEEE Computer Society (2009)

    Google Scholar 

  22. Peng, S., Yu, S., Yang, A.: Smartphone malware and its propagation modeling: a survey. IEEE Commun. Surv. Tutorials 16, 925–941 (2014)

    Article  Google Scholar 

  23. Poeplau, S., Fratantonio, Y., Bianchi, A., Kruegel, C., Vigna, G.: Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications. In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS) (2014)

    Google Scholar 

  24. Reshetova, E., Karhunen, J., Nyman, T., Asokan, N.: Security of OS-level virtualization technologies. In: Bernsmed, K., Fischer-Hübner, S. (eds.) NordSec 2014. LNCS, vol. 8788, pp. 77–93. Springer, Heidelberg (2014)

    Google Scholar 

  25. Rossier, D.: EmbeddedXEN: a revisited architecture of the XEN hypervisor to support ARM-based embedded virtualization. White Paper, Switzerland (2012)

    Google Scholar 

  26. Russello, G., Conti, M., Crispo, B., Fernandes, E.: MOSES: supporting operation modes on smartphones. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT, pp. 3–12. ACM (2012)

    Google Scholar 

  27. Wessel, S., Huber, M., Stumpf, F., Eckert, C.: Improving mobile device security with operating system-level virtualization. Comput. Secur. (2015). http://www.sciencedirect.com/science/article/pii/S0167404815000206

  28. Wessel, S., Stumpf, F., Herdt, I., Eckert, C.: Improving mobile device security with operating system-level virtualization. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IFIP AICT, vol. 405, pp. 148–161. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  29. Wu, C., Zhou, Y., Patel, K., Liang, Z., Jiang, X.: AirBag: boosting smartphone resistance to malware infection. In: Proceedings of the Network and Distributed System Security Symposium (2014)

    Google Scholar 

  30. Xavier, M.G., Neves, M.V., Rossi, F.D., Ferreto, T.C., Lange, T., De Rose, C.A.F.: Performance evaluation of container-based virtualization for high performance computing environments. In: Proceedings of the 2013 21st Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2013, pp. 233–240. IEEE Computer Society (2013)

    Google Scholar 

  31. Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 95–109. IEEE Computer Society (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Fraunhofer AISEC, Garching Near Munich, Germany

    Manuel Huber, Julian Horsch, Michael Velten, Michael Weiss & Sascha Wessel

Authors
  1. Manuel Huber
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Julian Horsch
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Michael Velten
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Michael Weiss
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Sascha Wessel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Manuel Huber .

Editor information

Editors and Affiliations

  1. Chinese Academy of Sciences, SKLOIS Institute of Engineering, Beijing, China

    Dongdai Lin

  2. Center for Security Informatics, Indiana University at Bloomington, Indiana, USA

    XiaoFeng Wang

  3. Computer Science, Columbia University, New York, New York, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Huber, M., Horsch, J., Velten, M., Weiss, M., Wessel, S. (2016). A Secure Architecture for Operating System-Level Virtualization on Mobile Devices. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science(), vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-38898-4_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-38897-7

  • Online ISBN: 978-3-319-38898-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation