Abstract

Mobile and IoT devices are being rapidly deployed in our homes, factories, and infrastructure. As they become more connected and more mission-critical, these omnipresent devices raise growing security and privacy concerns. For example, attacks on IoT devices are becoming increasingly complex and destructive. With the wide deployment of machine learning (ML) technology on mobile devices, the privacy of on-device ML models is also endangered. In this thesis, I aim to improve the security of mobile and IoT devices through a large-scale study that characterizes the security threats and through novel systems that detect and defend against advanced attacks.

For IoT devices, I present OAT, an attestation system that captures the integrity of both control flow and critical data in order to detect advanced attacks on IoT devices. Our design of OAT strikes a balance between the prover's constraints (the limited computing power and storage of embedded devices) and the verifier's requirements (complete verifiability and forensic assistance). OAT advances the state of the art in attestation for IoT devices by providing strong control-flow verification together with a lightweight integrity check on critical data. Our evaluation on real embedded programs shows that OAT incurs a mild runtime overhead of 2.7%.

For mobile devices, I first present a large-scale study of insufficient protection of ML models in mobile apps. Based on 46,753 trending Android apps collected from the US and Chinese app markets, the study shows, alarmingly, that 41% of ML apps do not protect their models at all. Among the apps that do use model protection or encryption, we were able to extract the models from 66% via unsophisticated dynamic analysis techniques. Our analysis of the financial and security impact of (stolen) models indicates that the consequences can be severe for both the model vendors and the app owners.

To protect on-device ML models, I then present ShadowNet, a novel on-device model inference system. ShadowNet protects model privacy with a Trusted Execution Environment (TEE) while securely outsourcing the heavy linear layers of the model to untrusted hardware accelerators. It achieves this by transforming the weights of the linear layers before outsourcing them and restoring the results inside the TEE; the non-linear layers are kept inside the TEE as well. The weight transformation and the result restoration are designed so that they can be implemented efficiently. We have built a ShadowNet prototype based on TensorFlow Lite and applied it to four popular CNNs, namely MobileNets, ResNet-44, AlexNet and MiniVGG. Our evaluation shows that ShadowNet achieves strong security guarantees with reasonable performance, offering a practical solution for secure on-device model inference.

--Author's abstract
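
The transform-outsource-restore pattern the abstract describes for ShadowNet's linear layers, as an added illustration that is not code from the thesis or its TensorFlow Lite prototype. The mask used here (a secret row permutation plus per-row positive scaling, applied inside the TEE before the weights leave it) is an assumption chosen to keep the example small; the thesis's actual transformation is not reproduced. The 4x3 layer and input vector are constructed sample data, and the linear algebra is pure Python so the example runs without NumPy.

```python
"""Added illustration of the ShadowNet pattern from the abstract: the TEE
never releases a linear layer's real weights. It hands the untrusted
accelerator a transformed copy W', lets the accelerator do the heavy
multiply, and restores the true output from W'x inside the TEE.

The mask (secret row permutation P and positive diagonal scaling D, so that
W' = D P W) is an assumption for illustration, not the thesis's scheme.
"""
import random
from typing import List

Matrix = List[List[float]]
Vector = List[float]


def matvec(w: Matrix, x: Vector) -> Vector:
    """y = W x for a dense layer whose weight rows are w."""
    return [sum(wi * xi for wi, xi in zip(row, x)) for row in w]


class TEELinearLayer:
    """State that stays inside the TEE: the real weights and the secret mask."""

    def __init__(self, weights: Matrix, rng: random.Random) -> None:
        self.weights = weights
        n = len(weights)
        # perm[i]: which real row is placed at outsourced position i.
        self.perm = list(range(n))
        rng.shuffle(self.perm)
        # scale[i]: positive factor applied to that row (keeps it invertible).
        self.scale = [rng.uniform(0.5, 2.0) for _ in range(n)]

    def transformed_weights(self) -> Matrix:
        """W' = D P W; row i of W' is scale[i] * (row perm[i] of W).
        This is the only weight material that leaves the TEE."""
        return [[self.scale[i] * v for v in self.weights[self.perm[i]]]
                for i in range(len(self.weights))]

    def restore(self, y_prime: Vector) -> Vector:
        """Undo the mask on the accelerator's output: y = P^-1 D^-1 y'."""
        y = [0.0] * len(y_prime)
        for i, yp in enumerate(y_prime):
            y[self.perm[i]] = yp / self.scale[i]
        return y


def untrusted_accelerator(w_prime: Matrix, x: Vector) -> Vector:
    """Models the GPU/NPU: it sees only W' and x and does the heavy multiply."""
    return matvec(w_prime, x)


def outsourced_linear(layer: TEELinearLayer, x: Vector) -> Vector:
    """Round trip: transform in TEE -> multiply outside -> restore in TEE."""
    y_prime = untrusted_accelerator(layer.transformed_weights(), x)
    return layer.restore(y_prime)


def max_abs_diff(a: Vector, b: Vector) -> float:
    return max(abs(u - v) for u, v in zip(a, b))


def demo() -> float:
    """Builds a constructed 4x3 layer, evaluates it directly and via the
    outsourced path, and returns the largest deviation between the two."""
    rng = random.Random(7)
    weights = [[rng.uniform(-1, 1) for _ in range(3)] for _ in range(4)]
    x = [0.25, -1.5, 2.0]  # constructed input activations
    layer = TEELinearLayer(weights, rng)
    direct = matvec(weights, x)
    outsourced = outsourced_linear(layer, x)
    # What the accelerator holds is not the real weight matrix.
    assert layer.transformed_weights() != weights
    return max_abs_diff(direct, outsourced)


if __name__ == "__main__":
    print(f"max deviation after restore: {demo():.2e}")
```

The point of the round trip is that the restored output matches the direct computation to floating-point precision while the accelerator only ever handles W' and the inputs; the mask itself, and therefore the real weights, never leave the TEE. How much a given mask reveals about W is the security question the thesis addresses, and the simple permutation-plus-scaling above is only meant to show the mechanics.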