IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

Chen Tian, Yazhe Wang, Peng Liu, Qihui Zhou, Chengyi Zhang, Zhen Xu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Third-party IME (Input Method Editor) apps are often the preferred means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHA) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix-substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that the 'Is this touch event a sensitive keystroke?' analysis will always access user touch events prior to the execution of any IME app code. We designed an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several of the most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.

Original language: English (US)
Title of host publication: Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 145-156
Number of pages: 12
ISBN (Electronic): 9781538605417
DOIs: https://doi.org/10.1109/DSN.2017.12
State: Published - Aug 30 2017
Event: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 - Denver, United States
Duration: Jun 26 2017 → Jun 29 2017

Publication series

Name: Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

Other

Other: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
Country: United States
City: Denver
Period: 6/26/17 → 6/29/17

Fingerprint

Application programs
Substitution reactions
Defects

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this

Tian, C., Wang, Y., Liu, P., Zhou, Q., Zhang, C., & Xu, Z. (2017). IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone. In Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 (pp. 145-156). [8023118] (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2017.12
Tian, Chen ; Wang, Yazhe ; Liu, Peng ; Zhou, Qihui ; Zhang, Chengyi ; Xu, Zhen. / IM-Visor : A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone. Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 145-156 (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017).
@inproceedings{ae814be416a640c78693639f82bd8821,
title = "IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone",
abstract = "Third-party IME (Input Method Editor) apps are often the preference means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHA) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix-substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that 'Is this touch event a sensitive keystroke?' analysis will always access user touch events prior to the execution of any IME app code. We designed an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.",
author = "Chen Tian and Yazhe Wang and Peng Liu and Qihui Zhou and Chengyi Zhang and Zhen Xu",
year = "2017",
month = "8",
day = "30",
doi = "10.1109/DSN.2017.12",
language = "English (US)",
series = "Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "145--156",
booktitle = "Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017",
address = "United States",

}

Tian, C, Wang, Y, Liu, P, Zhou, Q, Zhang, C & Xu, Z 2017, IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone. in Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017., 8023118, Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017, Institute of Electrical and Electronics Engineers Inc., pp. 145-156, 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017, Denver, United States, 6/26/17. https://doi.org/10.1109/DSN.2017.12

IM-Visor : A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone. / Tian, Chen; Wang, Yazhe; Liu, Peng; Zhou, Qihui; Zhang, Chengyi; Xu, Zhen.

Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 145-156 8023118 (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017).


TY - GEN

T1 - IM-Visor

T2 - A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

AU - Tian, Chen

AU - Wang, Yazhe

AU - Liu, Peng

AU - Zhou, Qihui

AU - Zhang, Chengyi

AU - Xu, Zhen

PY - 2017/8/30

Y1 - 2017/8/30

N2 - Third-party IME (Input Method Editor) apps are often the preference means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHA) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix-substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that 'Is this touch event a sensitive keystroke?' analysis will always access user touch events prior to the execution of any IME app code. We designed an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.

UR - http://www.scopus.com/inward/record.url?scp=85031702914&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85031702914&partnerID=8YFLogxK

U2 - 10.1109/DSN.2017.12

DO - 10.1109/DSN.2017.12

M3 - Conference contribution

AN - SCOPUS:85031702914

T3 - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

SP - 145

EP - 156

BT - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Tian C, Wang Y, Liu P, Zhou Q, Zhang C, Xu Z. IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone. In Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 145-156. 8023118. (Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017). https://doi.org/10.1109/DSN.2017.12