Mobile Devices Control System at Kernel Level

Mobile Devices Control System at Kernel Level

Tae-Kyou Park

, Jea-Min Lim

1 _{Department of Aerospace Software Engineering, Hanseo University, South Korea}

2 _{College of Informatics, Korea University, South Korea}

1_{[email protected]}

2_{[email protected]}

Abstract

—

Index Term

—

I. INTRODUCTION

With the wide spread of mobile device, we usually take along with it no matter when, no matter where and no matter in which organization we are. The mobile device takes a positive role in the ubiquitous realization.

Many organizations have achieved the concept of BOYD (Bring Your Own Device) in both public and private for their business efficiency. With this upward trend expected to the critical obstacle, they highlight the most importance of the security [1]. It has brought the social unrest everywhere because of the leakage of the confidential information or infringement of the personal information by such things on purpose or not, like voice recording, camera shooting, data saving, loss mobile phone, virus hacking, information sharing, etc.

Many attempts are being made to solve the security problems in multilateral measures like legal, institutional, technical, physical and ethical methods. However, it is not so simple even just one range of the technical method that requires high cost budget and highly advanced technology.

In this paper, we propose the mobile device control system which can achieve the high level of security policy more flexibly at a relatively low cost by new technology to handle the visitors (including employees) to the organization. In other words, we are introducing the new methods and procedures which can control the cameras, microphone, USB of the mobile device by adopting the LSM (Linux Security Module) [2] in the embedded Linux kernel level which is operating Android OS rather than the security of a conventional, general, physical or application level.

In this paper, we are investigating the control methods and weakness of the existing security system in Section 2, and we are describing the application scenario of the mobile device control system in Section 3. In Section 4, we show the

design of mobile device control system with LSM applicative at the kernel level and in Section 5, we demonstrate the results of testing and implementation contents of this system and finally we make a conclusion in Section 6.

II. EXISTINGSECURITYCONTROLMETHODS

A. Physical and Technical Methods

There are largely three major methods of mobile device security control system in many organizations to manage the visitors in the restricted area or security zone.

First, it is a physical and procedural method not to permit carrying but to leave the mobile devices at the reception or conditionally to allow bring after putting the security sticker onto the camera lens.

The second method which is mostly adopted by relatively bigger size organizations for the resident staffs is MDM having multi-functions such as the security, surveillance, applications, contents supporting, etc. through the network level. Most of MDM are forcing the employees to install MDM agent into their individual mobile devices to the application level to arrange the integrated management by their many different type of internal regulations and policies. The requirements from the organizations for the MDM solutions are various and different but the largely common goal is to prevent the leakage of the confidential information by controlling the cameras, recording and USB. Although the users are free to use their own mobile devices outside but in the organizations the authority is not allowing the users to use the devices which can be a means of the information leakage at the security zone. As a control method of the mobile device in the organization, base link connection systems are applied between access control system and Wi-Fi base station, AP base station covering the organization at the application level.

The third method is to use a device mounted with BOYD embedded kernel level on Android mobile device.

Fig. 1. Comparison of Normal Android and KNOX

B. Weaknesses of the conventional methods

The weaknesses of the conventional method in physical and procedural control system are as follows.

Firstly, it‟s a controversial matter of the deprivation of calling right by collecting and keeping the mobile devices from the employees and visitors at the reception.

Secondly, it could be only applicable for the visitors because it would cause so much inconvenient and inefficient to employees if they are not allowed to use their mobile devices in the organization. If every visitor is forced to put the security stickers onto the camera lens, there would be a long queue or in a bustling at the reception because of many visitors at one time. Also, there could be serious risks happened if someone takes a photo of important scene after removing the stickers.

Furthermore, there remain a few problems in MDM solution as below even if they have spent so much expenditure and management cost during implementing and operating.

Firstly, it is vulnerable to the security because the mobile device can be easily escaped from the MDM control by deleting or stopping the App, as only the application level of agent App is installed by its nature of MDM. Moreover, the implementation of the application level is not fundamentally reactive to the virus code. In other words, there exists the possibility to bypass the security measures through such as rooting at a low level than the application.

Secondly, it is likely weak in the propagation shadow region which can be formed by the radio wave by using mobile device in the security zone under Wi-Fi network or AP control system [11]. If propagation shadow zone is formed in the security zone, control system might not be in working properly.

Thirdly, it is not flexible to the various cases even if the security measures in the organizations can be different to the degree of every zone, but since MDM requires just one standardized policy only, it‟s not possible to manage flexible security policy.

The fourthly, it is inept at accurate tracking investigation for the security incident due to lack of detailed log at the kernel level when someone faked the mobile device illegally. Finally, it is too expensive and very limited to the users even if KNOX device materialized with hardware and application at the kernel level may be the good choice but

limit to the particular country or organization [10] (for example, intelligence agency in USA) .

Fig. 2. Scenario of device control system

III.SCENARIOOFDEVICECONTROLSYSTEM

A. Minimum requirements of device control system

In this paper, we designated the requirements of device control system as follows based on the problem areas of the conventional methods for the employees‟ and visitors‟ mobile devices. The first requirement is to consider the reasonable cost for the implementation. The second condition is the strict capability to control the multi-functions of the mobile device i.e. cameras (for example, front and back view), microphone and USB storage device. Thirdly, it must be able to flexibly and selectively apply in response to the differentiated security policies of the organizations.

B. Scenario of mobile device control system

The visitors (including employees) who want to access the organization should follow the procedures as applied

scenario in Fig. 2. ① At the entrance, the security manager guides the visitor to install the agent App provided by the

organization for himself to his own mobile device. ② The manager approves the visitor‟s mobile device (NFC 7-byte UID password) at the entrance through NFC communication between manager‟s device and visitor‟s one. ③ The functions of mobile device will be locked with management App all or selectively of the cameras (front and back view), microphone and USB storage according to the security

policy of the place to visit in the organization. ④ The visitor is allowed to enter the appointed security zone with his own

device appropriately locked by the security measures. ⑤ The

visitor comes out to the exit after his work. ⑥ After manager‟s approval at the exit through NFC communication between manager‟s and visitor‟s, manager sends and saves the log file recorded user trace data to his mobile device. ⑦ Manager investigates the log file and takes all the necessary

actions if any violation. ⑧ Unless no violation found,

IV. DESIGNOFDEVICECONTROLSYSTEM

A. Linux Security Module

Security mechanisms that are used in the Linux kernel level has usually access control (DAC; discretionary access control, MAC; mandatory access control) and audit trail system. Particularly, the typical projects that was implemented mandatory access control so as to add as a module type in a Linux kernel are such as SELinux [4], [7] and TOMOYO Linux [5]. SELinux as an open source of security project sponsored by NSA is supporting the LSM mechanism which enables the security measures to realize at the kernel level and to operate independently [2]. Also, SEAndroid recently issued by NSA is an attempt to improve the security of Android platform by implementing SELinux into Android [6]. TOMOYO Linux, as a system analysis tool and enabling to monitor the resources, is a project to support mandatory access control by using of it. LSM makes it possible to implement the various type of access control models by using the interface defined at the Linux kernel level [2]. Finally, LSM makes it achievable to implement the security model independently from Linux kernel.

Fig. 3. Stacks of kernel, Android and LSM

B. Design of LSM structure

Fig. 3 shows the kernel and Android framework stack designed and proposed in this paper. The difference from the basically normal framework stack is added user module into the kernel space. It is possible that the mandatory access control function is working only by adding LSM security module into the kernel space without any modification of the existing framework. To send the device control information for the mandatory access control required at the application level to the LSM loaded kernel level by the manager‟s agent App via JNI (Java Native Interface) [14] and Device File, the access goes through the path as shown in Fig. 4.

Fig. 4. Path between agent App and LSM

The device file as an interface for receiving the information at the kernel is designed with the character device and the transmitted information to the kernel module is stored at the device control table as shown in Fig. 5.

Moreover, LSM device control module is responsible directly to the devices that are recorded in the device control table. For any application App to access the device, when it is requested the open system call to the device file as shown in Fig. 5, it raises the query access to the device control-LSM module whether to access or not. In this case, as shown in Fig. 6, it determines the authorization of „grant‟ or „deny‟ by monitoring the device control table based on lock / unlock information of the cameras (front and back), microphone and USB device.

Fig. 5. MAC Procedure with device control table

Fig. 6. Enforced algorithm for device control

invoke the original security_file_perm function by file_perm function in security_ops_TABLE and shows the fig. to be changed by hooking through infosec_file_perm function. Fig. 8 shows the internal structure of the kernel which is managing the device control table through the agent App.

Fig. 7. Kernel structure after LSM initialization

Fig. 8. Device control table by agent App

V. IMPLEMENTATIONANDTESTING

Mobile device control system demonstrated in this paper is now implemented as the prototype that controls the access to force at the kernel level by the module of LSM method for

the cameras and recording microphone. By using this LSM module, it is possible to set control (lock/unlock) at the kernel level for the photographing (front and back cameras control unit) and voice recording (microphone device control). To evaluate the performance overhead as to the implementation, kernel module and management agent App were implemented and tested under the environment as table 1 of Samsung Galaxy Android tablet.

TABLE I

Environment for implementation

Device Samsung Galaxy Tab 10.1 Wi-Fi

Kernel version 2.6.36

Android version 3.2 (Honeycomb)

A. Implementation of device control system

In case the cameras are controlled, the video is not input from the cameras as shown in Fig. 9, instead the black screen is popping up and the warning message (Korean text) is shown at the center of the screen as “You can’t run the camera”. In case the microphone is controlled, as shown in Fig. 10, the warning message (Korean text) displays “No response to the voice recorder” as indicating that it‟s not properly working.

Fig. 10. Warning message (Korean text) disabling voice recorder App when microphone is locked

B. Macro and Micro-Benchmarking

Although the implemented Android system is embedded Linux kernel-based but it is not enough yet to apply a performance measurement method system which is being used as general-purpose Linux. Therefore, with the tool after modifying AnTuTu [8], 12] and LMBench [9] to fit Android which are Android benchmarking tool for macro and micro respectively, we tested how much overhead can be generated by the device control method that was implemented in this paper. Benchmarking is made in two ways to compare. One way is done under the implemented module is not loaded. The other is done under the implemented module is loaded and under control of front-back cameras, microphone.

Fig. 11 shows a comparison of the relative numerical value measured by AnTuTu macro-benchmarking. The benchmark performance score under Linux security module is not loaded is seen a slightly higher. Fig. 12 to 15 measured by LMBench micro-benchmarking, they show a performance comparison of process latency, memory load bandwidth, system call latency, open/close system call latency respectively. Judging by the results of the above benchmarking, although the security module is always operating in open system call path, as shown in Fig. 15, the time spent for open/close system calling even in the security module loaded situation differs almost nothing to delay.

Finally, we can ignore the overhead incurred by time difference between before and after loading the device control security module.

Fig. 11. AnTuTu Benchmark Performance (Higher is better)

Fig. 12. LMBench Process Latency (Lower is better)

Fig. 13. Memory Load (Higher is better)

Fig. 14. System Call Latency (Lower is better)

In this paper, it‟s confirmed that the hardware devices such as the cameras, microphone, etc can be controlled flexibly through the Linux security module in the Android mobile device. That is, unlike the typical MDM solutions, it proved the possibility for the organization to control the visitor‟s mobile device at the kernel level.

This mobile device control system, as not using Wi-Fi, is efficiently free from the propagation shadow area of Wi-Fi radio waves and flexible security measures can be executed by only changing the security policy table according to the every security zone in the organization. Since the device is controlled at the lowest kernel level in the Android system, the choice that the user can bypass the security control is minimized. Also, it‟s confirmed that the overhead cost is almost nothing to the current systems performance incurred when using the proposed method in this paper.

Accordingly, this system can be introduced by small-medium organization, museums, galleries, aircraft, conference room, public space, military security zone, etc to control the visitors‟ such as cameras, microphone, USB device more flexibly and more variously depending on their own type of security measures in each organization.

However, there are still some concerns to overcome. While it is enabling the safe control at the kernel level, when rooting in Linux operating system, mandatory access control is still likely to be disabled.

For the purpose of commercialization, more additional research is necessary about NFC approval method for mobile device, automatic setting method of security measures by utilizing visitor‟s database, additional target devices to control, such as speakers, Bluetooth, Wi-Fi, and so on.

ACKNOWLEDGMENT

This study was supported by 2013 research grant from Hanseo University (Project code: 131 Hang-gong 04).

REFERENCES

[1] Dong-Khu Seon, Hunter Roh, Heoung-Keun Moon, “A Guideline to Adopt Security on Smartphone Service Environments”, Samsung SDS Journal of IT Services, Vol.7, No.2: 53-65, 2010.

[2] Chris Wrigth, Crispin Cowan, Stephen Smalley, “Linux Security Modules: General Security Support for the Linux kernel”, Proceedings of the USENIX Security Conference, 2002.

[3] Kang-Hyun Lee, Doo-Shik Yoon, “An Efficient Approach of MDM for Mobile Security”, Journal of Information Security, v.23, no.2: 29-34, 2013.

[4] Chris Runge, “SELinux: A New Approach to Secure System”, Red Hat global resource library, 2008.

[5] Toshiharu Harada et al., “Task Oriented Management Obviates Your Onus on Linux”, Linux Conference 2004, 2004.

[6] Stephen Smalley, Robert Craig, “Android: Bringing Flexible MAC to Android”, Network & Distributed System Security Symposium (NDSS‟13), 2013.

[7] National Security Agency, Security-Enhanced Linux, http://www.nsa.gov/research/selinux.

[8] AnTuTu Benchmark, http://www.antutu.com/en/Ranking.shtml. [9] LMBench-Tools for Performance Analysis, http://www.bitmover.

com/lmbench.

[10] Samsung Electronics Co., Ltd., White Paper: An Overview of Samsung KNOX, http://www.samsung.com, 2013.

[11] Sun-Kuk Noh, Jae-Sub Kim, “A Study on the Improvement of Propagation Shadow Region for Mobile Communications”, The Journal of Korea Information and Communications Society, Vol.23, No.11: 42-47, 1998.

[12] Cholmin Kim et al., “MobileBench: A Thorough Performance Evaluation Framework for Mobile Systems”, Proceedings of the 1st

[13] Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, and John F. Farrell, “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments”, In Proceedings of the 21st National Information Systems Security Conference, October 1998.