by Lachlan J. Gunn, N. Asokan, Jan-Erik Ekberg, Hans Liljestrand, Vijayanand Nayani, Thomas Nyman
Hardware Platform Security for Mobile Devices is a new book, published in Now’s Foundations and Trends in Privacy and Security series. A preprint is available here.
See here for more of our research in the area of platform security.
Today, personal mobile devices like smartphones and tablets are ubiquitous. People use mobile devices for fun, for work, and for organizing and managing their lives, including their finances. This became possible because over the last two decades, mobile phones evolved from closed platforms intended for voice calls and messaging to open platforms whose functionality can be extended in myriad ways by third-party developers. Such a wide-ranging scope of use also means widely different security and privacy requirements for those uses. The mobile device ecosystem involved multiple different stakeholders such as mobile network operators, regulators, enterprise information technology administrators, and of course ordinary users. So, as mobile platforms gradually became open, platform security mechanisms were incorporated into their architectures so that the security and privacy requirements of all stakeholders could be met. Platform security mechanisms help to isolate applications from one another, protect persistent data and other on-device resources (like access to location or peripherals), and help strengthen software against a variety of attack vectors. All major mobile platforms incorporate comprehensive software and hardware platform security architectures, including mechanisms like trusted execution environments (TEEs).
Over the past decade, mobile devices have been undergoing convergences in multiple dimensions. The distinction between “mobile” and “fixed” devices has blurred. Similar security mechanisms and concepts are being used across different platforms, leading to similar security architectures. Hardware enablers used to support platform security have gradually matured. At the same time, there have also been novel types of attacks, ranging from software attacks like return- and data-oriented programming to hardware attacks like side channels that exploit micro-architectural phenomena. It is no longer tenable to assume that the current hardware security mechanisms underpinning mobile platform security are inviolable.
The time is therefore right to take a new look at mobile platform security, which brings us to this book. We focus on hardware platform security. The book is divided into four parts: we begin by looking at the why and how of mobile platform security, followed by a discussion on vulnerabilities and attacks; we conclude by looking forward, discussing emerging research that explores ways of dealing with hardware compromise, and building blocks for the next generation of hardware platform security.
Our intent is to provide a broad overview of the current state of practice and a glimpse of possible research directions that can be of use to practitioners, decision makers, and researchers.