WO2017197554A1

WO2017197554A1 - Mitigation of sensor-based covert channels in mobile devices

Info

Publication number: WO2017197554A1
Application number: PCT/CN2016/082176
Authority: WO
Inventors: Jianping Wang; Wen QI; Xinyu Wang
Original assignee: Intellectual Ventures Hong Kong Limited
Priority date: 2016-05-16
Filing date: 2016-05-16
Publication date: 2017-11-23

Abstract

Technologies are generally described to mitigate of sensor-based covert channels. In some examples, a foreground application may cause particular interactions with a device sensor to occur, where the interactions may encode potentially sensitive information. A background application may then attempt to retrieve the interactions from the device sensor and leak the encoded information. In order to address this, a sensor virtualization module may restrict background application access to the sensor, for example by preventing sensor access or by providing intentionally-degraded sensor data to background applications.

Description

MITIGATION OF SENSOR-BASED COVERT CHANNELS IN MOBILE DEVICES

BACKGROUND

Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

Modern computing systems such as mobile devices may use permission-based mechanisms to prevent unauthorized access. However, such mechanisms may be vulnerable to attacks involving colluding applications. In such attacks, two or more applications, each appearing harmless, cooperate to establish a covert channel, thereby leaking confidential information. Covert channels usually work in a way that one application may modify the status of a system component, while another application may read the status. Conventional covert channel detection schemes to fight against this type of collusion based covert channels may not be sufficient to prevent such attacks.

SUMMARY

The present disclosure generally describes techniques to mitigate sensor-based covert channels.

According to some examples, a method is provided to mitigate sensor-based covert channels on a mobile device. The method may include determining an interaction of a foreground application being executed on the mobile device and allowing the foreground application to access a sensor on the mobile device. The method may further include determining a request by a background application for original data from the sensor while the foreground application is accessing the sensor, where the background application is being executed on the mobile device, and determining whether the background application is a third-party application. The method may further include, in response to a determination that the background application is a third-party application, obtaining the original data from the sensor, degrading the original data, and providing the degraded data to the background application.

According to other examples, a mobile device configured to mitigate sensor-based covert channels is provided. The mobile device may include a sensor configured to receive external input, a processor embodied in an integrated circuit and configured to execute a foreground application and a background application, and a sensor virtualization module. The sensor virtualization module may be configured to determine an interaction of the foreground application with the sensor, allow the foreground application to access the sensor, and determine a request by a background application for original data from the sensor while the foreground application is accessing the sensor. The sensor virtualization module may be further configured to determine whether the original data is to be provided to the background application, and in response to a determination that the original data is not to be provided to the background application, obtain the original data from the sensor, generate degraded data from the original data, and provide the degraded data to the background application.

According to further examples, a sensor virtualization module configured to mitigate sensor-based covert channels is provided. The sensor virtualization module may include a sensor data processor configured to receive original sensor data from a sensor and generate degraded sensor data from the original sensor data and a processor embodied in an integrated circuit. The processor may be configured to determine that the original sensor data is associated with an interaction with a foreground application and provide the original sensor data to the foreground application. The processor may be further configured to determine a request by a background application for the original sensor data and, in response to the determination of the request by the background application for the original sensor data, provide the degraded sensor data to the background application.

The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:

FIG. 1 illustrates how covert channels may be implemented on a mobile device；

FIG. 2 illustrates how sensor virtualization may be implemented on a mobile device to mitigate sensor-based covert channels；

FIG. 3 illustrates how degraded sensor data used to mitigate sensor-based covert channels may be generated from original sensor data via noise addition and timing adjustment；

FIG. 4 illustrates how degraded sensor data used to mitigate sensor-based covert channels may be generated from original sensor data via decreased sampling rates；

FIG. 5 illustrates a general purpose computing device, which may be used to mitigate sensor-based covert channels；

FIG. 6 is a flow diagram illustrating an example method to mitigate sensor-based covert channels that may be performed by a computing device such as the computing device in FIG. 5； and

FIG. 7 illustrates a block diagram of an example computer program product,

all arranged in accordance with at least some embodiments described herein.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.

This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to mitigation of user-behavior-based covert channels.

Briefly stated, technologies are generally described to mitigate user-behavior or sensor-based covert channels. In some examples, a foreground application may cause particular interactions with a device sensor to occur, where the interactions may encode potentially sensitive information. A background application may then attempt to retrieve the interactions from the device sensor and leak the encoded information. In order to address such a collusion based covert channel attack, a sensor virtualization module may restrict background application access to the sensor, for example through prevention of sensor access or by providing intentionally degraded sensor data to background applications.

As adoption of mobile computing devices increases, concerns regarding data privacy and security correspondingly increase. For example, malicious applications may abuse data and application programming interface (API) access to surreptitiously monitor and leak sensitive data, such as identity information, authentication information, information about contacts, and/or financial information. Many computing platforms may attempt to prevent such security breaches by implementing permission-based mechanisms to make users aware of permissions given to applications at installation time. With such a mechanism, if a user notices that an application requires too many sensitive permissions, the user may cancel the application install process. Moreover, a security application may separately analyze permissions requested by particular applications in order to evaluate security risks.

However, permission-based mechanisms may be susceptible to certain forms of covert channel attack. One such attack is an application colluding attack, in which two individual applications are designed to each require a different subset of permissions but also establish a covert channel to share and leak sensitive information. This type of attack may be able to bypass permission-based analysis, because the applications may not individually seem to request sufficient permissions to enable data leakage. Once installed, the applications may establish one or more covert channels between each other via various system functions (for example, vibrations, system settings, volume settings, screen status, and/or displayed content) , system logs, file status, or any other suitable channel. For example, one application may collect sensitive data and encode the data as a sequence of changes to one or more device sensors and/or components. Another application may then monitor the sensors and other components to retrieve and decode the data.

FIG. 1 illustrates how covert channels may be implemented on a mobile device, arranged in accordance with at least some embodiments described herein.

According to a diagram 100, inter-application covert channels may be established by direct communications, as depicted in a diagram 102, or based on user behavior, as depicted in a diagram 120. According to the diagram 102, a data collector application 106 may have access to sensitive data 104 but not to an external network 112. The sensitive data 104 may include information such as a device identifier, contacts, current device location, the sensitive data described previously, and/or any other suitable data. The data collector application 106 may collect the sensitive data 104 and encode the sensitive data 104 as a sequence of changes to one or more sensors, components, system status, and system functions 108. A data leaker application 110 with access to the external network 112 but not to the sensitive data 104 may then monitor the sensors, components, system status, and system functions 108 to detect the sequence of changes, decode the sequence of changes to recover the sensitive data 104, then leak the sensitive data 104 out via the external network 112.

As an alternative, a data collector application may not directly encode sensitive data as changes to system sensors, components, status, and functions. Instead, the data collector application may cause a user to encode the sensitive data. According to the diagram 120, a data collector application 122 may have access to the sensitive data 104 but not to the external network 112, and may be configured to collect the sensitive data 104. However, instead of directly encoding the sensitive data 104 as a sequence of changes to system sensors, components, status, and/or functions, the data collector application 122 may be configured to induce a user 126 to make different motions 128 (for example, keystrokes, tapping, displacement, tilting, and/or rotation) having different frequencies and at different time points, where the pattern of the motions 128 may be used to encode the sensitive data 104. In some embodiments, the data collector application 122 may be configured as a game 124 that the user 126 expects to interact with via the motions 128. In turn, the data leaker application 110 may be configured to monitor the status of the sensors 130 to detect the motions 128, decode the motions 128 to recover the sensitive data 104, then leak the sensitive data 104 out via the external network 112.

The design of applications to implement sensor-based covert channels may involve addressing a number of challenges. For example, because different types of motion sensors may vary in accuracy and/or resolution, appropriate motions (for example, keystrokes, tapping, displacement, tilting, and/or rotation) may be selected for data encoding in order to increase channel reliability. As another example, because motion detection may require relatively high accuracy to reduce noise resulting from bit loss and/or insertion, appropriate encoding motion patterns (for example, sequences of motions) may be selected for data encoding in order to maintain accuracy. As yet another example, communications between applications may be synchronized to avoid the inclusion of extraneous sensor data, which may result in additional channel noise. Synchronization may be accomplished by any suitable method. In one embodiment, specific motions may be used to initiate and end user interaction with the data collector application 122. Once a user has made these specific motions, the data collector application 122 and the data leaker application 110 may simultaneously detect the motions via the sensors 130 and may coordinate data transmission accordingly.

In some embodiments, sensor-based covert channels may be mitigated by targeting the challenged described above. For example, a mobile device may be configured to use sensor virtualization to disrupt synchronization between different applications, which may increase channel error rate. As another example, a mobile device may be configured to insert noise into the covert channel, which may also increase channel error rate.

FIG. 2 illustrates how sensor virtualization may be implemented on a mobile device to mitigate sensor-based covert channels, arranged in accordance with at least some embodiments described herein.

According to a diagram 200, a mobile device 202 may include one or more sensors 204. The mobile device 202 may be a laptop, a smartphone, a personal digital assistant, a tablet computer, a wearable computer, or the like. The sensor 204 may include an accelerometer, a gyroscope or gyroscopic sensor, a geomagnetic sensor, a proximity sensor, an ambient light sensor, or any other suitable device sensor. The mobile device 202 may be configured to implement a sensor virtualization module 208, which may be coupled to the sensor 204 and configured to receive original sensor data 206 from the sensor 204. The sensor virtualization module 208 may be configured to serve as an intermediary between the sensor 204 and other applications executing on the mobile device 202 that may request data from the sensor 204. In some embodiments, the sensor virtualization module 208, upon receiving a request for the original sensor data 206 from an application executing on the mobile device 202, may determine whether the original sensor data 206 is to be provided to the application. The sensor virtualization module 208 may determine whether the original sensor data 206 is to be provided to the requesting application based on an aspect of the application.

In some embodiments, the sensor virtualization module 208 may be configured to only provide the original sensor data 206 to the single application that is likely to have caused and/or be associated with changes to the sensor 204. For example, the sensor virtualization module 208 may maintain or have access to a list of applications that are accessing or have recently accessed the sensor 204. Each application in the list may be prioritized or ordered by the application’s likelihood of causing and/or association with changes to the sensor 204, with the application likely to have caused or be associated with changes to the sensor 204 at the top of the list. The sensor virtualization module 208 may then be configured to only provide the original sensor data 206 to the application at the top of the list. In some embodiments, changes to the sensor 204 may occur in response to the direct interaction of a user of the mobile device 202 with a particular application 220. The application 220 may be referred to as the “foreground” application 220, and may be placed at the top of the list. Foreground applications are those executed on the mobile device 202 and with which the user may be interacting (e.g., viewing, providing input, etc. ) . A foreground application with which the user is interacting may cause or be associated with changes to the sensor 204. Thus, the foreground application may be place higher in the list of applications (e.g., top position) compared to other applications, which may cause or be associated with fewer or no changes to the sensor 204. During execution, the foreground application 220 may request access to the sensor 204 by sending a request 222 for the original sensor data 206 to the sensor virtualization module 208. The sensor virtualization module 208 may then determine whether the foreground application 220 is a foreground application and therefore at the top of the application list. Upon determining that the foreground application 220 is a foreground application and at the top of the application list, the sensor virtualization module 208 may then allow the foreground application 220 to access the sensor 204 and may provide the original sensor data 206 to the foreground application 220.

Applications being executed on the mobile device 202 other than the foreground application 220 may be referred to as “background” applications, and may be applications that a user of the mobile device 202 is not currently interacting with. For example, a background application 230 may be executed on the mobile device 202 at the same time as the foreground application 220. In some embodiments, the background application 230 may attempt to access the sensor 204 while the foreground application 220 is accessing the sensor 204, for example by sending a request 232 for the original sensor data 206 to the sensor virtualization module 208. The sensor virtualization module 208 may then determine whether the background application 230 is a foreground application. Upon determining that the background application 230 is not a foreground application and is not at the top of the application list, the sensor virtualization module 208 may then deny access to the sensor 204 and/or refrain from providing the original sensor data 206 to the background application 230. Accordingly, the sensor virtualization module 208 may disrupt any synchronization between the foreground application 220 and the background application 230 via the sensor 204, thereby reducing the effectiveness, if not defeating, potential covert channels between the applications.

In some situations, the background application 230 may actually use data from the sensor 204 for legitimate purposes, such as exercise tracking. In these situations, the sensor virtualization module 208 may be configured to provide the background application 230 limited access to sensor 204. For example, the sensor virtualization module 208 may be configured to provide degraded sensor data 234 to the background application 230 instead of the original sensor data 206. In some embodiments, the sensor virtualization module 208 includes or implements a sensor data processor 210. The sensor data processor 210 may be configured to receive the original sensor data 206 and generate the degraded sensor data 234 for transmission to the background application 230. In some embodiments, the sensor data processor 210 may be configured to generate the degraded sensor data 234 by the addition of noise to the original sensor data 206. For example, the sensor data processor 210 may add timing noise to the original sensor data 206 by delaying all or portions of the original sensor data 206 by some variable time. As another example, the sensor data processor 210 may add data noise to the original sensor data 206 by increasing and/or decreasing the amplitude of all or portions of the original sensor data 206 by some variable amount. In some embodiments, the sensor data processor 210 may be configured to generate the degraded sensor data 234 by reducing a sampling frequency associated with the original sensor data 206, thereby reducing the resolution of the original sensor data 206. In yet other embodiments, the sensor data processor 210 may be configured to generate the degraded sensor data 234 using random data. While in some situations the performance of the background application 230 may be reduced due to the degraded sensor data 234, this may be an acceptable tradeoff for mitigating sensor-based covert channels.

In some embodiments, the sensor virtualization module 208 may be configured to provide the original sensor data 206 to foreground applications and not provide the original sensor data 206 or instead provide the degraded sensor data 234 to background applications without consulting an application list. In these embodiments, each application may have an associated foreground or background identifier, and the sensor virtualization module 208 may base its determination accordingly.

In some embodiments, the sensor virtualization module 208 may also (or instead) determine whether to provide the original sensor data 206 to an application based on whether the application is a first-party application or a third-party application. A first-party application may be an application provided by the manufacturer of the mobile device 202 or the provider of the operating system of the mobile device 202, and/or preinstalled on the mobile device 202. A third-party application may be provided by an entity not necessarily associated with the manufacturer of the mobile device 202 or the provider of the operating system of the mobile device 202, and/or may be installed by the user. A first-party application may be presumed to be approved by a trusted party (in other words, the manufacturer of the mobile device 202 and/or the provider of the operating system) , whereas a third-party application may not have such assurances. Accordingly, the sensor virtualization module 208 may be configured to provide the original sensor data 206 to first-party applications but refrain from providing the original sensor data 206 or instead provide the degraded sensor data 234 to third-party applications.

In some embodiments, the sensor virtualization module 208 may be configured to combine the first-party and third-party distinction described above with the previously-described application list to determine whether the original sensor data 206 is to be provided to a particular application. For example, first-party applications may not be included in the application list, and the sensor virtualization module 208 may be configured to automatically provide the original sensor data 206 to the first-party applications not included in the application list. When an application requests the original sensor data 206, the sensor virtualization module 208 may determine whether the application appears on the application list. If not, the sensor virtualization module 208 may determine that the requesting application is a first-party application, and may provide the original sensor data 206 to the requesting application. If the sensor virtualization module 208 determines that the application does appear on the application list, then the sensor virtualization module 208 may determine whether the requesting application is at the top of the list, as described above. If the requesting application is at the top of the list, then the sensor virtualization module 208 may provide the original sensor data 206 to the application. If the requesting application is not at the top of the list, then the sensor virtualization module 208 may not provide the original sensor data 206 to the application and/or may provide the degraded sensor data 234 to the requesting application.

As described above, the sensor data processor 210 may be configured to generate the degraded sensor data 234 by the addition of noise to the original sensor data 206 and/or by reducing a sampling frequency associated with the original sensor data 206.

FIG. 3 illustrates how degraded sensor data used to mitigate sensor-based covert channels may be generated from original sensor data via noise addition and timing adjustment, arranged in accordance with at least some embodiments described herein.

According to a diagram 300, timing and/or data noise may be added to original sensor data to generate degraded sensor data for mitigating sensor-based covert channels. The original sensor data in the diagram 300, depicted in a diagram 310, is roll data from a roll sensor configured to determine the angular movement of a mobile device, represented as roll degrees as a function of sensor reading index, which may correspond to time points or time duration. Of course, in other embodiments the original sensor data may be data from other sensors, as described above. The original sensor data depicted in the diagram 310 may include a number of

features

312, 314, and 316, each of which may be characterized by duration (in terms of the sensor reading index) and height or depth (in terms of degrees) .

A sensor data processor such as the sensor data processor 210 may be configured to use the original sensor data depicted in the diagram 310 to generate degraded sensor data. For example, the sensor data processor may add timing and/or data noise. A diagram 320 depicts degraded sensor data that may be generated from the original sensor data depicted in the diagram 310 by the addition of both timing noise and data noise. The degraded sensor data includes a number of

features

322, 324, and 326 that may be based on the

features

312, 314, and 316 of the original sensor data. However, the degraded sensor data may have been generated from the original sensor data via the addition of data noise and timing noise. As a result, the features 322- 326 may have more data noise than the corresponding features 312-316, as shown by the rapid variations in the features 322-326 as compared to the features 312-316. Moreover, the addition of timing noise may cause the sensor reading index offsets between

features

322, 324 and 326 to differ from the sensor reading index offsets between the corresponding

features

312, 314, and 316 in the original sensor data. The differences in feature characteristics and feature timing caused by the addition of data and/or timing noise may then be used to mitigate sensor-based covert channels that rely on feature identification and synchronization. The exact data and/or timing noise (for example, data variation frequency and/or feature offsets) added to the original sensor data may be predetermined and/or dynamically determined by the sensor data processor or some other associated entity.

FIG. 4 illustrates how degraded sensor data used to mitigate sensor-based covert channels may be generated from original sensor data via decreased sampling rates, arranged in accordance with at least some embodiments described herein.

As described above, a sensor data processor such as the sensor data processor 210 may be configured to generated degraded sensor data from original sensor data by reducing a sampling frequency associated with the original sensor data. A diagram 400 depicts how successive reduction of sampling frequency associated with original sensor data results in data degradation. A diagram 410 depicts original sensor data recorded at a normal sampling rate or frequency. A diagram 420 depicts the original sensor data sampled at a frequency that is one-tenth the normal sampling frequency. A diagram 430 depicts the original sensor data sampled at a frequency that is one-twentieth the normal sampling frequency, and a diagram 440 depicts the original sensor data sampled at a frequency that is one-thirtieth the normal sampling frequency. As shown in the diagrams 410-440, data features and fluctuations that are relatively well-defined at the normal sampling frequency may become successively coarsened and may even disappear entirely as sampling frequency is reduced. Accordingly, sensor-based covert channels that rely on data transmission via features and fluctuations in the sensor data may be mitigated by sampling frequency reduction. In some embodiments, the exact extent of frequency reduction may be predetermined or dynamically determined by the sensor data processor and/or an associated entity.

FIG. 5 illustrates a general purpose computing device, which may be used to mitigate sensor-based covert channels, arranged in accordance with at least some embodiments described herein.

For example, the computing device 500 may be used to degrade sensor data to mitigate sensor-based covert channels as described herein. In an example basic configuration 502, the computing device 500 may include one or more processors 504 and a system memory 506. A memory bus 508 may be used to communicate between the processor 504 and the system memory 506. The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.

Depending on the desired configuration, the processor 504 may be of any type, including but not limited to a microprocessor (μP) , a microcontroller (μC) , a digital signal processor (DSP) , or any combination thereof. The processor 504 may include one more levels of caching, such as a cache memory 512, a processor core 514, and registers 516. The example processor core 514 may include an arithmetic logic unit (ALU) , a floating point unit (FPU) , a digital signal processing core (DSP core) , or any combination thereof. An example memory controller 518 may also be used with the processor 504, or in some implementations the memory controller 518 may be an internal part of the processor 504.

Depending on the desired configuration, the system memory 506 may be of any type including but not limited to volatile memory (such as RAM) , non-volatile memory (such as ROM, flash memory, etc. ) or any combination thereof. The system memory 506 may include an operating system 520, a sensor virtualization module 522, and program data 524. The sensor virtualization module 522 may include a sensor data processor 526 to degrade sensor data to mitigate sensor-based covert channels as described herein. The program data 524 may include, among other data, first-/third-party application data 528 or the like, as described herein.

The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces. For example, a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534. The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDD) , optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs) , and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.

The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs) , solid state drives, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.

The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530. Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548. One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc. ) or other peripheral devices (e.g., printer, scanner, etc. ) via one or more I/O ports 558. An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564. The one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.

The network communication link may be one example of a communication media. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF) , microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include both storage media and communication media.

The computing device 500 may be implemented as a part of a general purpose or specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.

FIG. 6 is a flow diagram illustrating an example method to mitigate sensor-based covert channels that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.

Example methods may include one or more operations, functions or actions as illustrated by one or more of

blocks

622, 624, 626, 628, and/or 630, and may in some embodiments be performed by a computing device such as the computing device 600 in FIG. 6. The operations described in the blocks 622-630 may also be stored as computer-executable instructions in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.

An example process to mitigate sensor-based covert channels may begin with block 622, “DETERMINE THAT AN INTERACTION IS OCCURRING WITH A FOREGROUND APPLICATION” , where a sensor virtualization module or similar implemented on a device may determine that an interaction is occurring with a foreground application. A foreground application may be an application with which a device user is directly and currently interacting. For example, a game application that accepts user input via user or device motions sensed via one or more sensors may be a foreground application if a user is currently or was most recently providing input to the game application via sensed motions. In some embodiments, the interaction with the foreground application may be initiated by some entity other than a device user. For example, another application executing on the device may interact with the foreground application, or some networked entity may interact with the foreground application.

Block 622 may be followed by block 624, “ALLOW THE FOREGROUND APPLICATION TO ACCESS A SENSOR” , where the sensor virtualization module provides access to one or more sensors to the foreground application. The sensors may include one or more of an accelerometer, a gyroscopic sensor, a geomagnetic sensor, a proximity sensor, an ambient light sensor, or any other suitable sensor, and in some embodiments may be particular sensors configured to sense user motion associated with the interaction with the foreground application. In some embodiments, the sensor virtualization module may be configured to determine that the foreground application is allowed to access the sensor as described above. For example, the sensor virtualization module may determine that the foreground application is a first-party application and/or appears at the top of a list of applications accessing the sensor.

Block 624 may be followed by block 626, “DETERMINE THAT A BACKGROUND APPLICATION IS REQUESTING DATA ASSOCIATED WITH THE FOREGROUND APPLICATION FROM THE SENSOR” , where the sensor virtualization module may determine that another application is requesting data from the sensor at the same or substantially similar time as the foreground application is accessing the sensor, and that the other application is a background application. For example, as described above, the foreground application and the background application may be attempting to establish a covert channel for data transmission based on interactions with the sensor. In other embodiments, the background application may be an otherwise innocuous application that operates based on data from the sensor.

Block 626 may be followed by block 628, “DETERMINE WHETHER THE BACKGROUND APPLICATION IS A THIRD-PARTY APPLICATION” , where the sensor virtualization module may determine whether the background application requesting data from the sensor is a third-party application. In some embodiments, the identification of the application as a background application may imply that the application is a third-party application, as described above. In some embodiments, the sensor virtualization module may not determine whether the background application is a third-party application, and may proceed to block 630 directly from block 626.

Finally, block 628 may be followed by block 630, “DEGRADE THE DATA AND SEND THE DEGRADED DATA TO THE BACKGROUND APPLICATION IN RESPONSE TO DETERMINATION THAT THE BACKGROUND APPLICATION IS A THIRD-PARTY APPLICATION” , where the sensor virtualization module may degrade the original sensor data via, for example, a sensor data processor to generate degraded sensor data. The original sensor data may be degraded by the addition of data and/or timing noise, and/or by reduction of sampling frequency, as described above. The sensor virtualization module may then provide the degraded sensor data to the background application. In some embodiments, the sensor virtualization module may provide the degraded sensor data to the background application in response to determination that the background application is a third-party application. In some embodiments, the sensor virtualization module may provide the degraded sensor data to the background application without determining whether the background application is a third-party application. In other embodiments, the sensor virtualization module may refrain from providing any sensor data to the background application.

FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.

In some examples, as shown in FIG. 7, a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, when executed by, for example, a processor may provide the functionality described herein. Thus, for example, referring to the processor 504 in FIG. 5, the sensor virtualization module 522 and/or the processor 504 may undertake one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the medium 702 to perform actions associated with mitigating sensor-based covert channels as described herein. Some of those instructions may include, for example, instructions to determine that an interaction is occurring with a foreground application, allow the foreground application to access a sensor, determine that a background application is requesting data associated with the foreground application from the sensor, determine whether the background application is a third-party application, and/or degrade the data and send the degraded data to the background application in response to determination that the background application is a third-party application, according to some embodiments described herein.

In some implementations, the signal bearing media 702 depicted in FIG. 7 may encompass computer-readable media 706, such as, but not limited to, a hard disk drive, a solid state drive, a compact disc (CD) , a digital versatile disk (DVD) , a digital tape, memory, etc. In some implementations, the signal bearing media 702 may encompass recordable media 707, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing media 702 may encompass communications media 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc. ) . Thus, for example, the program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing media 702 is conveyed by the wireless communications media 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard) .

According to some embodiments, the original data may include acceleration data, gyroscopic data, geomagnetic data, proximity data, and/or ambient light data. The method may further comprise determining that the background application is a first-party application and, in response to a determination that the background application is a first-party application, obtaining the original data from the sensor and providing the original data to the first-party application. Degrading the original data may include adding noise to the original data, and adding noise to the original data may include adding timing noise and/or data noise to the original data. Degrading the original data may include reducing a sampling frequency associated with the original data, and reducing the sampling frequency may include reducing the sampling frequency to remove fluctuations in the original data.

According to some embodiments, the sensor may include an accelerometer, a gyroscopic sensor, a geomagnetic sensor, a proximity sensor, and/or an ambient light sensor. The sensor virtualization module may be further configured to determine whether the original data is to be provided to the background application by a determination that the background application is a third-party application, and in response to the determination that the background application is a third-party application, a determination that the original data is not to be provided to the background application. The sensor virtualization module may be further configured to determine whether the original data is to be provided to the background application based on a determination that the background application is a first-party application and, in response, obtain the original data from the sensor and provide the original data to the background application.

According to other embodiments, the sensor virtualization module may be further configured to generate degraded data from the original data by addition of timing noise to the original data, addition of data noise to the original data, and/or reduction of a sampling frequency associated with the original data. The sensor virtualization module may be further configured to reduce the sampling frequency to remove fluctuations in the original data.

According to some embodiments, the original data may include acceleration data, gyroscopic data, geomagnetic data, proximity data, and/or ambient light data. The processor may be further configured to determine that the background application is a third-party application. The processor may be further configured to provide the original sensor to the background application upon determination that the background application is a first-party application. The sensor data processor may be configured to add timing noise and/or data noise to the original sensor data to generate the degraded sensor data. The sensor data processor may be further configured to reduce a sampling frequency associated with the original data to generate the degraded sensor data. The sensor data processor may be further configured to reduce the sampling frequency to remove fluctuations in the original data.

There is little distinction left between hardware and software implementations of aspects of systems； the use of hardware or software is generally (but not always, in that in certain contexts the choice between hardware and software may become significant) a design choice representing cost vs. efficiency tradeoffs. There are various vehicles by which processes and/or systems and/or other technologies described herein may be effected (e.g., hardware, software, and/or firmware) , and that the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for a mainly hardware and/or firmware vehicle； if flexibility is paramount, the implementer may opt for a mainly software implementation； or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.

The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via application specific integrated circuits (ASICs) , field programmable gate arrays (FPGAs) , digital signal processors (DSPs) , or other integrated formats. However, those skilled in the art will recognize that some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs executing on one or more computers (e.g., as one or more programs executing on one or more computer systems) , as one or more programs executing on one or more processors (e.g., as one or more programs executing on one or more microprocessors) , as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and/or firmware would be well within the skill of one of skill in the art in light of this disclosure.

The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope, as will be apparent to those skilled in the art. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, will be apparent to those skilled in the art from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.

In addition, those skilled in the art will appreciate that the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and that an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive, a compact disc (CD) , a digital versatile disk (DVD) , a digital tape, a computer memory, a solid state drive, etc. ； and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc. ) .

Those skilled in the art will recognize that it is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. Those having skill in the art will recognize that a data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors (e.g., feedback for sensing position and/or velocity of gantry systems； control motors to move and/or adjust components and/or quantities) .

A data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. It is to be understood that such depicted architectures are merely exemplary, and that in fact many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively "associated" such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as "associated with" each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being "operably connected" , or "operably coupled" , to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being "operably couplable" , to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.

With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.

It will be understood by those within the art that, in general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to, ” the term “having” should be interpreted as “having at least, ” the term “includes” should be interpreted as “includes but is not limited to, ” etc. ) . It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases "at least one" and "one or more" to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an" (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more” ) ； the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of "two recitations, "without other modifiers, means at least two recitations, or two or more recitations) .

Furthermore, in those instances where a convention analogous to “at least one of A, B, and C, etc. ” is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., “a system having at least one of A, B, and C” would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc. ) . It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase “A or B” will be understood to include the possibilities of “A”or “B” or “A and B. ”

As will be understood by one skilled in the art, for any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to, ” “at least, ” “greater than, ” “less than, ” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, as will be understood by one skilled in the art, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.

While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

A method to mitigate sensor-based covert channels on a mobile device, the method comprising:

determining an interaction of a foreground application being executed on the mobile device；

allowing the foreground application to access a sensor on the mobile device；

determining a request by a background application for original data from the sensor while the foreground application is accessing the sensor, the background application being executed on the mobile device；

determining whether the background application is a third-party application； and

in response to a determination that the background application is a third-party application, obtaining the original data from the sensor, degrading the original data, and providing the degraded data to the background application.
The method of claim 1, wherein the original data includes one or more of acceleration data, gyroscopic data, geomagnetic data, proximity data, and ambient light data.
The method of claim 1, further comprising:

determining that the background application is a first-party application, and

in response to a determination that the background application is a first-party application:

obtaining the original data from the sensor； and

providing the original data to the first-party application.
The method of claim 1, wherein degrading the original data comprises adding noise to the original data.
The method of claim 4, wherein adding noise to the original data comprises adding one or more of timing noise and data noise to the original data.
The method of claim 1, wherein degrading the original data comprises reducing a sampling frequency associated with the original data.
The method of claim 6, wherein reducing the sampling frequency comprises reducing the sampling frequency to remove fluctuations in the original data.
A mobile device configured to mitigate sensor-based covert channels, the system comprising:

a sensor configured to receive external input；

a processor embodied in an integrated circuit and configured to execute a foreground application and a background application； and

a sensor virtualization module configured to:

determine an interaction of the foreground application with the sensor；

allow the foreground application to access the sensor；

determine a request by a background application for original data from the sensor while the foreground application is accessing the sensor；

determine whether the original data is to be provided to the background application； and

in response to a determination that the original data is not to be provided to the background application:

obtain the original data from the sensor；

generate degraded data from the original data； and

provide the degraded data to the background application.
The mobile device of claim 8, wherein the sensor includes one or more of an accelerometer, a gyroscopic sensor, a geomagnetic sensor, a proximity sensor, and an ambient light sensor.
The mobile device of claim 8, wherein the sensor virtualization module is further configured to determine whether the original data is to be provided to the background application by:

a determination that the background application is a third-party application； and

in response to the determination that the background application is a third-party application, a determination that the original data is not to be provided to the background application.
The mobile device of claim 8, wherein the sensor virtualization module is further configured to:

determine whether the original data is to be provided to the background application based on a determination that the background application is a first-party application； and

in response to the determination that the background application is a first-party application:

obtain the original data from the sensor； and

provide the original data to the background application.
The mobile device of claim 8, wherein the sensor virtualization module is further configured to generate degraded data from the original data by addition of one or more of timing noise and data noise to the original data.
The mobile device of claim 8, wherein the sensor virtualization module is further configured to generate degraded data from the original data by reduction of a sampling frequency associated with the original data.
The mobile device of claim 13, wherein the sensor virtualization module is further configured to reduce the sampling frequency to remove fluctuations in the original data.
A sensor virtualization module configured to mitigate sensor-based covert channels, the module comprising:

a sensor data processor configured to receive original sensor data from a sensor and generate degraded sensor data from the original sensor data； and

a processor embodied in an integrated circuit and configured to:

determine that the original sensor data is associated with an interaction with a foreground application；

provide the original sensor data to the foreground application；

determine a request by a background application for the original sensor data； and

in response to the determination of the request by the background application for the original sensor data, provide the degraded sensor data to the background application.
The sensor virtualization module of claim 15, wherein the original data includes one or more of acceleration data, gyroscopic data, geomagnetic data, proximity data, and ambient light data.
The sensor virtualization module of claim 15, wherein the processor is further configured to determine that the background application is a third-party application.
The sensor virtualization module of claim 15, wherein the processor is further configured to provide the original sensor data to the background application upon determination that the background application is a first-party application.
The sensor virtualization module of claim 15, wherein the sensor data processor is configured to add one or more of timing noise and data noise to the original sensor data to generate the degraded sensor data.
The sensor virtualization module of claim 15, wherein the sensor data processor is further configured to reduce a sampling frequency associated with the original data to generate the degraded sensor data.
The sensor virtualization module of claim 20, wherein the sensor data processor is further configured to reduce the sampling frequency to remove fluctuations in the original data.