CRII: SaTC: Vetting and Improving the Usage of Trusted Execution Environments for Authentication in Mobile Devices

CRII：SaTC：审查和改进可信执行环境在移动设备中进行身份验证的使用

• 批准号: 1849803
• 负责人: Antonio Bianchi
• 金额: $ 17.5万
• 依托单位: University of Iowa
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2019-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1849803&HistoricalAwards=false
• 关键词: CRII; SaTC; Vetting; Improving; Usage

In mobile devices, authentication protocols are used to ensure that users' intentions are communicated untampered to the applications' backend servers. Unfortunately, traditional authentication protocols do not defend against "root-attackers," i.e., attackers able to fully compromise the main operating system of a victim's device. Trusted Execution Environments (TEEs), specific hardware components available in modern mobile devices, can be used to mitigate this threat, since they run a separate, smaller codebase than the main operating system. This project explores how it is possible to use TEEs to implement "root-resilient" authentication protocols, i.e., authentication protocols effective against root-attackers.This project is divided into three main tasks. The first task consists in performing a comprehensive study of the existing Application Programming Interfaces (APIs) that developers of mobile apps can use to interact with TEEs. This study will concentrate on understanding if and how these APIs can be used to implement root-resilient authentication protocols. The second task focuses on developing an automated analysis system that will be used to perform a large-scale study assessing the security of TEE-based authentication protocols implemented by existing applications. The third task consists of implementing an authentication framework helping developers in using TEEs for authentication purposes.The project has the potential to improve the security of millions of mobile device users by enabling root-resilient authentication in thousands of mobile application programs. By performing a large-scale analysis of such mobile "apps", this project will identify weaknesses in existing programs. Additionally, the authentication framework developed by this project could potentially allow thousands of developers to implement root-resilient authentication protocols with reduced effort. The developed software, techniques, and findings will be disseminated by releasing the source code of the implemented software, publishing academic articles, and presenting results at academic conferences.In addition, produced software and data will also be shared on a dedicated website (http://homepage.divms.uiowa.edu/~bianch/mobiletees/). After project completion, produced software and data will be available for at least three years.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在移动设备中，身份验证协议用于确保用户的意图不被篡改地传达到应用程序的后端服务器。不幸的是，传统的身份验证协议无法防御“根攻击者”，即能够完全破坏受害者设备的主操作系统的攻击者。可信执行环境 (TEE) 是现代移动设备中可用的特定硬件组件，可用于减轻这种威胁，因为它们运行一个独立的、比主操作系统更小的代码库。该项目探索如何使用 TEE 来实现“root-resilient”身份验证协议，即有效对抗 root 攻击者的身份验证协议。该项目分为三个主要任务。第一项任务包括对移动应用程序开发人员可用来与 TEE 交互的现有应用程序编程接口 (API) 进行全面研究。本研究将集中于了解是否以及如何使用这些 API 来实现 root 弹性身份验证协议。第二项任务重点是开发一个自动分析系统，该系统将用于执行大规模研究，评估现有应用程序实现的基于 TEE 的身份验证协议的安全性。第三项任务包括实现一个身份验证框架，帮助开发人员使用 TEE 进行身份验证。该项目有潜力通过在数千个移动应用程序中启用 root 弹性身份验证来提高数百万移动设备用户的安全性。通过对此类移动“应用程序”进行大规模分析，该项目将识别现有程序中的弱点。此外，该项目开发的身份验证框架可能允许数千名开发人员以更少的工作量实现根弹性身份验证协议。所开发的软件、技术和研究结果将通过发布所实现的软件的源代码、发表学术文章以及在学术会议上展示成果来传播。此外，所开发的软件和数据也将在专门的网站（http://homepage.divms.uiowa.edu/~bianch/mobiletees/）上共享。项目完成后，生成的软件和数据将至少可用三年。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。