This is a joint seminar between Computer Science Theory and the ECE Computer Engineering Group
Speaker: Yevgeniy Vahlis
AT&T Security Research Center
Title: MiST: Guaranteed Secure Transactions on Compromised Mobile Devices
Our increasing reliance on smartphones and connected mobile devices presents formidable challenges to security researchers. Malware is often designed to exploit software vulnerabilities to gain and steal sensitive information, which is available in abundance on modern smartphones.
In this work we present MiST, a provably secure system for protecting user input and output on smartphone devices. Relying on basic isolation (which can be based either in hardware or in software by virtualization) software verification tools, and standard cryptographic assumptions, our system guarantees that any data entered by the user on the device and any data displayed to the user on the screen remains private and untampered, even if the user operating system is completely compromised by malware.
Our system does not rely on security expertise of application developers, and does not require the user to trust any specific application to be free of vulnerabilities. Instead, we achieve security by isolating the user interface part of each application, and formally verifying a thin cryptographic communication layer between the UI and the rest of the application.
Finally, we present an implementation of our system on the Android platform using Xen virtualization, which may be of independent interest.
Joint work with Jeffrey Bickford, Mikhail Istomin, and Aaron Tomb.