October 2, 2012
Sandia Thinking Big For Android Security Research
Lee Rannals for redOrbit.com — Your Universe Online
"Smartphones are now ubiquitous and used as general-purpose computing devices as much as desktop or laptop computers," Sandia's David Fritz said in a statement. "But even though they are easy targets, no one appears to be studying them at the scale we're attempting."
The MegaDroid project will help researchers at Sandia and other places who struggle to understand large-scale networks. Sandia said it expects to complete a sophisticated demonstration of the MegaDroid project that could be presented to potential industry or government collaborators.
John Floren, a computer scientist, said the virtual Android network at Sandia is carefully insulated from other networks at the Labs and the outside world.
He said a key element to the project is a "spoof" Global Positioning System (GPS). The researchers created simulated GPS data of smartphone users in an urban environment, which is important to the study because features on the devices are location-dependent and could easily be controlled and manipulated by attackers.
The team then fed that data into the GPS input of an Android virtual machine. The software on the virtual machine treats the location data as indistinguishable from real GPS data, which offers the scientists a more accurate emulation environment to study what hackers can do to smartphone networks.
Sandia's latest development represents a significant step for those wanting to understand and limit the damage from network disruptions due to glitches in software or protocols. These disruptions can cause economic and other losses for individual consumers, as well as companies.
"You can't defend against something you don't understand," Floren said in the statement. He said the larger the scale, the better, because more computer nodes offer more data for researchers.
The latest project builds upon the Megatux project that started in 2009, in which Sandia scientists ran a million virtual Linux machines. Sandia ran another project later on that focused on Microsoft's Windows operating system called MegaWin.
The researchers said the challenge in studying Android-based machines is the complexity of the software. Google wrote about 14 million lines of code into the software, and the system runs on top of a Linux kernel, which doubles the amount of code.
"It's possible for something to go wrong on the scale of a big wireless network because of a coding mistake in an operating system or an application, and it's very hard to diagnose and fix," Fritz said in a statement. "You can't possibly read through 15 million lines of code and understand every possible interaction between all these devices and the network."
The team believes Sandia will continue to work on tools that industry leaders and developers can use to diagnose and fix problems in computer networks.
MegaDroid will be useful as a tool to find problems that could manifest themselves when large numbers of smartphones interact.
"You could also extend the technology to other platforms besides Android," Keith Vanderveen, manager of Sandia's Scalable and Secure Systems Research department, said in a statement. "Apple's iOS, for instance, could take advantage of our body of knowledge and the toolkit we're developing." He said Sandia also plans to use MegaDroid to explore issues of data protection and data leakage, which he said concerns government agencies such as the departments of Defense and Homeland Security.