Total Recall

This repository contains code for the following research.

Publication

"Total Recall: Persistence of Passwords in Android," Jaeho Lee, Ang Chen and Dan S. Wallach, The 26th Network and Distributed System Security Symposium (NDSS '19), San Diego, CA, USA, February 2019 [PDF] [Slides] [Slides_pptx] [BibTex]

Motivation

In memory disclosure attacks, an unprivileged attacker can steal sensitive data from device memory. A good security practice for handling sensitive data, such as passwords, is to overwrite the data buffers with zeros once the data is no longer in use. This protects against attackers who gain a snapshot of a device’s physical memory. For instance, the recent memory dumping vulnerability in the Nexus 5X phone allows an attacker to obtain the full memory dump of the device even if the phone is locked.

e.g., Google Nexus 5X Bootloader Unauthorized Memory Dumping via USB

Problem

However, password retention in memory is widespread in Android, and password strings are easily recognizable in a memory dump. Two things cause this retention problem: the lack of support in the Android framework, and developers' various mistakes.

Solutions

We offer two solutions:

  • SecureTextView: a secure version of Android TextView that can eliminate password retention in the Android framework.
  • KeyExporter: a simple abstraction for accessing passwords that helps developers follow stronger cryptographic practices to prevent password misuse.
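
The zero-after-use practice from the Motivation section, shown as an added example in plain Java (it is not code from this repository and does not use the KeyExporter API). The class name, the PBKDF2 parameters and the sample password are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHygiene {
    // Constructed parameters for illustration only.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** Derives a key from the password, then zeroes every copy this method controls. */
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec clones the password internally, so there are now two copies in memory.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // wipe the spec's internal clone
            Arrays.fill(password, '\0');  // wipe the caller's buffer, even on failure
        }
    }

    static boolean allZero(char[] buf) {
        for (char c : buf) {
            if (c != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input. A char[] is used because a String is immutable
        // and cannot be overwritten; it stays in memory until garbage collected.
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveAndWipe(password, salt);
        System.out.println("derived key bytes: " + key.length);
        System.out.println("password buffer zeroed: " + allZero(password));

        Arrays.fill(key, (byte) 0);       // wipe the derived key once it is no longer needed
    }
}
```

This only clears the buffers the application itself holds; copies made by UI widgets or the framework are outside its reach, which is the gap the SecureTextView patch targets.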

Contents

  • apps: list of analyzed password authentication apps
  • pmdump: process memory acquisition tool on Linux or Android
  • keyexporter: Standalone KeyExporter APIs
  • SecureTextView: Android framework patch for SecureTextView
  • lockscreen_patch: Android framework patch for lockscreen process
  • evaluation: apps after applying KeyExporter APIs

People
