-
Shattered Trust: When Replacement Smartphone Components Attack
Authors:
Omer Shwartz,
Amir Cohen,
Asaf Shabtai,
Yossi Oren
Abstract:
Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to 'pluggable' drivers, such as USB or network drivers, the…
▽ More
Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor.
In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin. We analyze the operation of a commonly used touchscreen controller. We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations. Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware. Our results make the case for a hardware-based physical countermeasure.
△ Less
Submitted 13 May, 2018;
originally announced May 2018.
-
The Secure Machine: Efficient Secure Execution On Untrusted Platforms
Authors:
Ofir Shwartz,
Yitzhak Birk
Abstract:
In this work we present the Secure Machine, SeM for short, a CPU architecture extension for secure computing. SeM uses a small amount of in-chip additional hardware that monitors key communication channels inside the CPU chip, and only acts when required. SeM provides confidentiality and integrity for a secure program without trusting the platform software or any off-chip hardware. SeM supports ex…
▽ More
In this work we present the Secure Machine, SeM for short, a CPU architecture extension for secure computing. SeM uses a small amount of in-chip additional hardware that monitors key communication channels inside the CPU chip, and only acts when required. SeM provides confidentiality and integrity for a secure program without trusting the platform software or any off-chip hardware. SeM supports existing binaries of single- and multi-threaded applications running on single- or multi-core, multi-CPU. The performance reduction caused by it is only few percent, most of which is due to the memory encryption layer that is commonly used in many secure architectures.
We also developed SeM-Prepare, a software tool that automatically instruments existing applications (binaries) with additional instructions so they can be securely executed on our architecture without requiring any programming efforts or the availability of the desired program`s source code.
To enable secure data sharing in shared memory environments, we developed Secure Distributed Shared Memory (SDSM), an efficient (time and memory) algorithm for allowing thousands of compute nodes to share data securely while running on an untrusted computing environment. SDSM shows a negligible reduction in performance, and it requires negligible and hardware resources. We developed Distributed Memory Integrity Trees, a method for enhancing single node integrity trees for preserving the integrity of a distributed application running on an untrusted computing environment. We show that our method is applicable to existing single node integrity trees such as Merkle Tree, Bonsai Merkle Tree, and Intel`s SGX memory integrity engine. All these building blocks may be used together to form a practical secure system, and some can be used in conjunction with other secure systems.
△ Less
Submitted 11 March, 2018;
originally announced March 2018.
-
Detecting the large entries of a sparse covariance matrix in sub-quadratic time
Authors:
Ofer Shwartz,
Boaz Nadler
Abstract:
The covariance matrix of a $p$-dimensional random variable is a fundamental quantity in data analysis. Given $n$ i.i.d. observations, it is typically estimated by the sample covariance matrix, at a computational cost of $O(np^{2})$ operations. When $n,p$ are large, this computation may be prohibitively slow. Moreover, in several contemporary applications, the population matrix is approximately spa…
▽ More
The covariance matrix of a $p$-dimensional random variable is a fundamental quantity in data analysis. Given $n$ i.i.d. observations, it is typically estimated by the sample covariance matrix, at a computational cost of $O(np^{2})$ operations. When $n,p$ are large, this computation may be prohibitively slow. Moreover, in several contemporary applications, the population matrix is approximately sparse, and only its few large entries are of interest. This raises the following question, at the focus of our work: Assuming approximate sparsity of the covariance matrix, can its large entries be detected much faster, say in sub-quadratic time, without explicitly computing all its $p^{2}$ entries? In this paper, we present and theoretically analyze two randomized algorithms that detect the large entries of an approximately sparse sample covariance matrix using only $O(np\text{ poly log } p)$ operations. Furthermore, assuming sparsity of the population matrix, we derive sufficient conditions on the underlying random variable and on the number of samples $n$, for the sample covariance matrix to satisfy our approximate sparsity requirements. Finally, we illustrate the performance of our algorithms via several simulations.
△ Less
Submitted 20 December, 2015; v1 submitted 12 May, 2015;
originally announced May 2015.
-
Roy's largest root under rank-one alternatives:The complex valued case and applications
Authors:
Prathapasinghe Dharmawansa,
Boaz Nadler,
Ofer Shwartz
Abstract:
The largest eigenvalue of a Wishart matrix, known as Roy's largest root (RLR), plays an important role in a variety of applications. Most works to date derived approximations to its distribution under various asymptotic regimes, such as degrees of freedom, dimension, or both tending to infinity. However, several applications involve finite and relative small parameters, for which the above approxi…
▽ More
The largest eigenvalue of a Wishart matrix, known as Roy's largest root (RLR), plays an important role in a variety of applications. Most works to date derived approximations to its distribution under various asymptotic regimes, such as degrees of freedom, dimension, or both tending to infinity. However, several applications involve finite and relative small parameters, for which the above approximations may be inaccurate. Recently, via a small noise perturbation approach with fixed dimension and degrees of freedom, Johnstone and Nadler derived simple yet accurate stochastic approximations to the distribution of Roy's largest root in the real valued case, under a rank-one alternative. In this paper, we extend their results to the complex valued case. Furthermore, we analyze the behavior of the leading eigenvector by developing new stochastic approximations. Specifically, we derive simple stochastic approximations to the distribution of the largest eigenvalue under five common complex single-matrix and double-matrix scenarios. We then apply these results to investigate several problems in signal detection and communications. In particular, we analyze the performance of RLR detector in cognitive radio spectrum sensing and constant modulus signal detection in the high signal-to-noise ratio (SNR) regime. Moreover, we address the problem of determining the optimal transmit-receive antenna configuration (here optimality is in the sense of outage minimization) for rank-one multiple-input multiple-output Rician Fading channels at high SNR.
△ Less
Submitted 16 November, 2014;
originally announced November 2014.
