CAREER: Rethinking Mobile Security in the New Age of App-As-A-Platform

职业：重新思考应用程序即平台新时代的移动安全

• 批准号: 1748334
• 负责人: Long Lu
• 金额: $ 50.05万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-01 至 2023-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1748334&HistoricalAwards=false
• 关键词: CAREER; Rethinking; Mobile; Security; New

An ongoing evolution in the design of mobile applications (apps) and services, called "app-as-a-platform", is posing fundamental challenges to mobile security and privacy, exposing consumers, enterprises, and governments to new threats. Existing security technologies were not designed to address apps' emerging role as micro-platforms and are, therefore, incapable of providing sufficient protections. This research project is developing security foundations in three dimensions of app-as-a-platform architectures: (1) In-app Dimension, where modules within the same app can adversely affect or manipulate one another, (2) App-cloud Dimension, where apps may spy on or abuse integrated cloud services, and vice versa, and (3) App-IoT Dimension, where unauthorized apps can manipulate IoT (Internet-of-Things)-connected devices. This research project is investigating approaches to safeguard mobile apps' integration with third-party modules, cloud services, and IoT devices that are organized by app-as-a-platform architectures. The project is developing security foundations for these architectures by retrofitting mobile middleware and operating systems (OS) with new isolation, mediation, and attestation primitives and mechanisms. To establish a principled defense against threats to app-as-a-platform systems, the researchers are designing new OS abstractions for in-process memory isolation, language constructs for module-level security enforcement, trustworthy web integration mechanisms, remote attestation of mobile agents, and an IoT authorization and interoperation framework. The project also provides unique education and training opportunities for both graduate and undergraduate students.

移动应用程序（app）和服务的设计正在不断演变，被称为“应用程序即平台”（app-as-a-platform），这对移动安全和隐私构成了根本性的挑战，使消费者、企业和政府面临新的威胁。现有的安全技术并不是为了解决应用程序作为微平台的新兴角色而设计的，因此无法提供足够的保护。本研究项目在应用即平台架构的三个维度上开发安全基础：(1)应用内维度，同一应用内的模块可能会对彼此产生不利影响或操纵；(2)应用云维度，应用可能会监视或滥用集成的云服务，反之亦然；(3)应用物联网维度，未经授权的应用可以操纵物联网连接的设备。该研究项目旨在研究保护移动应用与第三方模块、云服务和物联网设备集成的方法，这些设备由应用即平台架构组织。该项目通过使用新的隔离、中介和认证原语和机制改造移动中间件和操作系统（OS），为这些体系结构开发安全基础。为了建立针对应用即平台系统威胁的原则性防御，研究人员正在设计新的操作系统抽象，用于进程内内存隔离，用于模块级安全执行的语言结构，可信赖的web集成机制，移动代理的远程认证以及物联网授权和互操作框架。该项目还为研究生和本科生提供了独特的教育和培训机会。

项目成果

P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling

P2IM：通过自动外设接口建模进行可扩展且独立于硬件的固件测试

• 发表时间: 2020
• 期刊: 29th USENIX Security Symposium
• 作者: Feng, Bo;Mera, Alejandro;Lu, Long
• 通讯作者: Lu, Long

OAT: Attesting Operation Integrity of Embedded Devices

• DOI: 10.1109/sp40000.2020.00042
• 发表时间: 2018-02
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: Zhichuang Sun;Bo Feng;Long Lu;S. Jha

SoK: Attacks on Industrial Control Logic and Formal Verification-Based Defenses

• DOI: 10.1109/eurosp51992.2021.00034
• 发表时间: 2020-06
• 期刊: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
• 作者: Ruimin Sun;Alejandro Mera;Long Lu;D. Choffnes

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

• DOI: 10.1145/3052973.3052998
• 发表时间: 2017-04
• 期刊: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
• 作者: Drew Davidson;Yaohui Chen;F. George;Long Lu;S. Jha

D-Box: DMA-enabled Compartmentalization for Embedded Applications

• DOI: 10.14722/ndss.2022.24053
• 发表时间: 2022-01
• 期刊: ArXiv
• 作者: Alejandro Mera;Yi Hui Chen;Ruimin Sun;E. Kirda;Long Lu