On a typical mobile device today, financial and medical apps are nestled up next to everything from karaoke playlists to time-killing games like Fruit Ninja.
How to secure data that matters in this diverse digital buffet is a challenge for many researchers. For Zhihao “Zephyr” Yao, it’s a challenge that fuels his life’s work and also led to an award-winning project.
That project—which earned ACM MobiSys 2023’s Best Artifact Award—demonstrated that making systems less complex can actually enhance mobile platform security. This approach physically isolates and partitions smartphone hardware components and couples this with a minimal operating system—the open source OctopOS—to achieve verifiable security guarantees.
Yao is an assistant professor of computer science at New Jersey Institute of Technology, where he directs the Redoubt System Security Lab. He is also one of Computing’s Top 30 Early Career Professionals for 2024. In the following Q&A, Yao describes:
Why open source projects—including his Best Artifact Award-winning one—are essential to hardware and software security now and moving forward
How poor industry priorities—including favoring features over system security—drive his determination to create solutions that positively impact people’s daily lives
The role and responsibilities of researchers in discovering security vulnerabilities and disclosing them to ensure prompt patching and more secure systems for users
How his own ability to prioritize helps to fuel his service to the field, which in turn generates new insights that he integrates into his research, teaching, and mentoring work
You earned the Best Artifact Award at ACM MobiSys 2023 for your project on securing the mobile platform. Can you share the key findings of this project and its potential impact on mobile security?
Our ACM MobiSys 2023 project developed a unique hardware and software solution to minimize the Trusted Computing Base (TCB) on smartphone platforms, namely the Split-Trust hardware design and the OctopOS that manages the hardware. Our work demonstrated that reducing hardware and software complexity substantially enhances the security of mobile platforms. This is achieved by physically isolating and statically partitioning smartphone hardware components, creating an isolated execution domain at the hardware level for security- or privacy-sensitive apps and services. The hardware-level isolation, paired with a minimal operating system that we built (OctopOS), achieves security guarantees that can be formally verified.