SmartPhones and Security: New Capabilities and New Challenges - DLS Talk by David Lie, U. of T.

Hugh Dempster Building (6245 Agronomy Rd.), Room 110

Speaker:  David Lie, Associate Professor, University of Toronto

Title:  SmartPhones and Security: New Capabilities and New Challenges

Abstract:

The growth in smartphone usage presents both new capabilities and challenges for security practitioners.  On one hand, smartphones represent a computing device that is always with the user, is always on, and generally has an Internet connection, making them useful devices for monitoring and securing user data.  On the other hand, these same properties mean that smartphones tend to contain a great deal of private information, making them a serious threat against the personal privacy and security of users. In this talk I will present some of the systems we have built that demonstrate ways that smartphones can improve user security.  The first, called Caelus, uses a smartphone to monitor the integrity of data stored in the cloud.  Caelus exploits the property that smartphones are rarely switched off to enable low-cost, near real-time monitoring of the integrity and consistency of personal data stored in the cloud.  The second, called Unicorn, explores ways that smartphones can be used to solve one of the oldest security problems -- securely accessing a remote system.  Unicorn implements a scheme called 'two-factor attestation', which uses a smartphone to both protect authentication secrets and verify the attestation, thus freeing the user from both of these security critical and often error-prone tasks. We have also built systems that aim to improve smartphone security.  In this instance, I will discuss our PScout tool, which enables us to analyze the permission system of Android. PScout uses static analysis of the Android source code to extract a mapping of Android APIs to permissions and we have confirmed that PScout runs unmodified across Android versions 2.2 up to 4.1 (others have reported using it on more recent versions).  Our analysis of the data reveals several interesting properties of the Android permissions system.

Bio:

David Lie received his B.S. from the University of Toronto in 1998, and his M.S. and Ph.D from Stanford University in 2001 and 2004 respectively. He is currently an Associate Professor in the Department of Electrical and Computer Engineering at the University of Toronto and the Canada Research Chair in Secure and Reliable Computer Systems.  David is also a recipient of the MRI Early Researcher Award.  While at Stanford, David founded and led the XOM (eXecute Only Memory) Processor Project, which supports the execution of tamper and copy-resistant software. He was the recipient of a best paper award at SOSP for this work.  More recently, he and his students have developed the PScout Android Permission mapping tool, whose datasets have been downloaded over 10,000 times and used in dozens of subsequent papers.  David has served on various  program committees including OSDI, ASPLOS, Usenix Security and IEEE Security & Privacy.  Currently, his interests are focused on securing mobile platforms, cloud computing security and increasing the reliability of software.