IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

Volumn , Issue , 2017, Pages 145-156

  Tian, Chen ^a   Wang, Yazhe ^a,b   Liu, Peng ^c   Zhou, Qihui ^a   Zhang, Chengyi ^a,b   Xu, Zhen ^a,b  

^a University of Chinese Academy of Sciences   (China)

^b UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

^c PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INFORMATION SYSTEMS;

COLLUDING ATTACK; DEFENSE SYSTEM; INPUT METHOD EDITORS; RUNTIME OVERHEADS; SOFT KEYBOARD; SUBSTITUTION ATTACK; THIRD PARTIES; TOUCH INPUTS;

COMPUTER NETWORKS;

EID: 85031702914     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/DSN.2017.12     Document Type: Conference Paper

References (36)

1. Bigdata-research. market research report on china's third party ime market on smart phone in the third quarter of 2016. http://www. bigdata-research.cn/content/201611/365.html. Accessed on November 2016.
2. Caffeinemark 3.0. http://www.benchmarkhq.ru/cm30/info.html. Accessed on November 2016.
3. random common sentences. http://www.englishinuse.net/. Accessed on August 2016.
4. The reference of android developer. inputmethodmanger. https://developer.android.com/reference/android/view/inputmethod/ InputMethodManager.html. Accessed on November 2016.
5. Trustzone, tee and trusted video path implementation. http://www.arm.com/files/event/Developer Track 6 TrustZone TEEs and Trusted Video Path implementation considerations.pdf. Accessed on November 2016.
6. Alfred V Aho and Margaret J Corasick. Efficient string matching: an aid to bibliographic search. Communications of the ACM, 18(6):333-340, 1975.
7. Devdatta Akhawe, Warren He, Zhiwei Li, Reza Moazzezi, and Dawn Song. Clickjacking revisited: A perceptual view of ui security. 2014.
8. Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith. Practicality of accelerometer side channels on smartphones. In Computer Security Applications Conference, pages 41-50, 2012.
9. Ahmed M. Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. Hypervision across worlds: Real-time kernel protection from the arm trustzone secure world. In ACM Sigsac Conference on Computer and Communications Security, pages 1028-1031, 2014.
10. Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel, and Giovanni Vigna. What the app is that? deception and countermeasures in the android user interface. pages 931-948, 2015.
11. Ferdinand Brasser, Daeyoung Kim, Christopher Liebchen, Vinod Ganapathy, Liviu Iftode, and Ahmad-Reza Sadeghi. Regulating arm trustzone devices in restricted spaces. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services, pages 413-425. ACM, 2016.
12. Jin Chen, Haibo Chen, Erick Bauman, Zhiqiang Lin, Binyu Zang, and Haibing Guan. You shouldn't collect my secrets: thwarting sensitive keystroke leakage in mobile ime apps. In Usenix Conference on Security Symposium, 2015.
13. Landon P. Cox, Peter Gilbert, Geoffrey Lawler, Valentin Pistol, Ali Razeen, Bi Wu, and Sai Cheemalapati. Spandex: Secure password tracking for android. 2014.
14. Android Developer. Inputconnection. https://developer.android.com/ reference/android/view/inputmethod/InputConnection.html/.
15. Android Developer. Windowmanager. https://developer.android.com/ reference/android/view/WindowManager.html/.
16. William Enck, Peter Gilbert, Byung Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick Mcdaniel, and Anmol N. Sheth. Taintdroid: an information flow tracking system for real-time privacy monitoring on smartphones. In Usenix Conference on Operating Systems Design & Implementation, pages 393-407, 2015.
17. Jann Horn. Cve-2014-7911: Privilege escalation using objectinputstream. https://www.reddit.com/r/netsec/comments/2mr9cz/ cve20147911 android 50 privilege escalation using/. Accessed on Novvember 2014.
18. Heqing Huang, Sencun Zhu, Kai Chen, and Peng Liu. From system services freezing to system server shutdown in android: All you need is a loop in an app. In The ACM Sigsac Conference, pages 1236-1247, 2015.
19. Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang. Supor: Precise and scalable sensitive user input detection for android apps. In 24th USENIX Security Symposium (USENIX Security 15), pages 977-992, 2015.
20. Jinsoo Jang, Sunjune Kong, Minsu Kim, Daegyeong Kim, and Brent Byunghoon Kang. Secret: Secure channel between rich execution environment and trusted execution environment. In Network and Distributed System Security Symposium, 2015.
21. Min Gyung Kang, Stephen Mccamant, Pongsin Poosankam, and Dawn Song. Dta++: Dynamic taint analysis with targeted control-flow propagation. In Network and Distributed System Security Symposium, NDSS 2011, San Diego, California, Usa, February-February, 2011.
22. K.Subramanyam, C.E.Frank, and D.F.Galli. Keyloggers: The overlooked threat to computer security. http://www.keylogger.org/articles/kishoresubramanyam/ keyloggers-the-overlooked-threat-to-computersecurity-7.html./.
23. Wenhao Li, Haibo Li, Haibo Chen, and Yubin Xia. Adattester: Secure online mobile advertisement attestation using trustzone. In The International Conference on Mobile Systems, Applications, and Services, pages 15-26, 2015.
24. Chia-Chi Lin, Hongyang Li, Xiao-yong Zhou, and XiaoFeng Wang. Screenmilker: How to milk your android screen for secrets. In NDSS, 2014.
25. Dongtao Liu, Eduardo Cuervo, Valentin Pistol, Ryan Scudellari, and Landon P. Cox. Screenpass: secure password entry on touchscreen devices. In Proceeding of the International Conference on Mobile Systems, Applications, and Services, pages 291-304, 2013.
26. Claudio Marforio, Nikolaos Karapanos, Claudio Soriente, Kari Kostiainen, and Srdjan apkun. Smartphones as practical and secure location verification tokens for payments. In Network and Distributed System Security Symposium, 2014.
27. Ani Nahapetian. Side-channel attacks on mobile and wearable systems. In IEEE Consumer Communications & NETWORKING Conference, 2016.
28. Chuangang Ren, Yulong Zhang, Hui Xue, Tao Wei, and Peng Liu. Towards discovering and understanding task hijacking in android. In Usenix Conference on Security Symposium, 2015.
29. Yuru Shao, Jason Ott, Qi Alfred Chen, Zhiyun Qian, and Z Morley Mao. Kratos: Discovering inconsistent security policy enforcement in the android framework. In Proc. 23rd Annual Network and Distributed System Security Symposium (NDSS16). ISOC, 2016.
30. Guillermo Suarez-Tangil, Juan E. Tapiador, Pedro Peris-Lopez, and Arturo Ribagorda. Evolution, detection and analysis of malware for smart devices. IEEE Communications Surveys & Tutorials, 16(2):961-987, 2013.
31. He Sun, Kun Sun, Yuewu Wang, and Jiwu Jing. Trustotp: Transforming smartphones into secure one-time password tokens. In ACM Sigsac Conference on Computer and Communications Security, pages 976-988, 2015.
32. He Sun, Kun Sun, Yuewu Wang, Jiwu Jing, and Sushil Jajodia. TrustDump: Reliable Memory Acquisition on Smartphones. 2014.
33. He Sun, Kun Sun, Yuewu Wang, Jiwu Jing, and Haining Wang. Trustice: Hardware-assisted isolated computing environments on mobile devices. In Ieee/ifip International Conference on Dependable Systems and Networks, pages 367-378, 2015.
34. Nan Zhang, Kan Yuan, Muhammad Naveed, Xiaoyong Zhou, and XiaoFeng Wang. Leave me alone: App-level protection against runtime information gathering on android. In 2015 IEEE Symposium on Security and Privacy, pages 915-930. IEEE, 2015.
35. Yajin Zhou and Xuxian Jiang. Dissecting android malware: Characterization and evolution. In IEEE Symposium on Security & Privacy, pages 95-109, 2012.
36. Zongwei Zhou, Virgil D Gligor, James Newsome, and Jonathan M McCune. Building verifiable trusted path on commodity x86 computers. In 2012 IEEE Symposium on Security and Privacy, pages 616-630. IEEE, 2012.