Jaeho Lee (Rice University), Ang Chen (Rice University), Dan S. Wallach (Rice University)

A good security practice for handling sensitive data, such as passwords, is to overwrite the data buffers with zeros once the data is no longer in use. This protects against attackers who gain a snapshot of a device’s physical memory, whether by in- person physical attacks, or by remote attacks like Meltdown and Spectre. This paper looks at unnecessary password retention in Android phones by popular apps, secure password management apps, and even the lockscreen system process. We have performed a comprehensive analysis of the Android framework and a variety of apps, and discovered that passwords can survive in a variety of locations, including UI widgets where users enter their passwords, apps that retain passwords rather than exchange them for tokens, old copies not yet reused by garbage collectors, and buffers in keyboard apps. We have developed solutions that successfully fix these problems with modest code changes.

View More Papers

Anonymous Multi-Hop Locks for Blockchain Scalability and Interoperability

Giulio Malavolta (Friedrich-Alexander University Erlangen-Nürnberg), Pedro Moreno Sanchez (TU Wien), Clara Schneidewind (TU Wien), Aniket Kate (Purdue University), Matteo Maffei (TU Wien)

Read More

Data Oblivious ISA Extensions for Side Channel-Resistant and High...

Jiyong Yu (UIUC), Lucas Hsiung (UIUC), Mohamad El'Hajj (UIUC), Christopher W. Fletcher (UIUC)

Read More

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to...

Alberto Sonnino (University College London (UCL)), Mustafa Al-Bassam (University College London (UCL)), Shehar Bano (University College London (UCL)), Sarah Meiklejohn (University College London (UCL)), George Danezis (University College London (UCL))

Read More

Profit: Detecting and Quantifying Side Channels in Networked Applications

Nicolás Rosner (University of California, Santa Barbara), Ismet Burak Kadron (University of California, Santa Barbara), Lucas Bang (Harvey Mudd College), Tevfik Bultan (University of California, Santa Barbara)

Read More