PINPOINT: Efficient and Effective Resource Isolation for Mobile Security and Privacy

by   Paul Ratazzi, et al.

Virtualization is frequently used to isolate untrusted processes and control their access to sensitive resources. However, isolation usually carries a price in terms of less resource sharing and reduced inter-process communication. In an open architecture such as Android, this price and its impact on performance, usability, and transparency must be carefully considered. Although previous efforts in developing general-purpose isolation solutions have shown that some of these negative side effects can be mitigated, doing so involves overcoming significant design challenges by incorporating numerous additional platform complexities not directly related to improved security. Thus, the general purpose solutions become inefficient and burdensome if the end-user has only specific security goals. In this paper, we present PINPOINT, a resource isolation strategy that forgoes general-purpose solutions in favor of a "building block" approach that addresses specific end-user security goals. PINPOINT embodies the concept of Linux Namespace lightweight isolation, but does so in the Android Framework by guiding the security designer towards isolation points that are contextually close to the resource(s) that need to be isolated. This strategy allows the rest of the Framework to function fully as intended, transparently. We demonstrate our strategy with a case study on Android System Services, and show four applications of PINPOINTed system services functioning with unmodified market apps. Our evaluation results show that practical security and privacy advantages can be gained using our approach, without inducing the problematic side-effects that other general-purpose designs must address.


page 1

page 6

page 8

page 9


Look Mum, no VM Exits! (Almost)

Multi-core CPUs are a standard component in many modern embedded systems...

Shining Light On Shadow Stacks

Control-Flow Hijacking attacks are the dominant attack vector to comprom...

Towards a Formal Approach for Detection of Vulnerabilities in the Android Permissions System

Android is a widely used operating system that employs a permission-base...

Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions

For parents of young children and adolescents, the digital age has intro...

A Qualitative Comparison of MPSoC Mobile and Embedded Virtualization Techniques

Virtualization is generally adopted in server and desktop environments t...

On Temporal Isolation Assessment in Virtualized Railway Signaling as a Service Systems

Railway signaling systems provide numerous critical functions at differe...

vLibOS: Babysitting OS Evolution with a Virtualized Library OS

Many applications have service requirements that are not easily met by e...

Please sign up or login with your details

Forgot password? Click here to reset