Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats

Portable devices, such as Personal Digital Assistants (PDAs), are particularly vulnerable to malicious code threats due to their widespread implementation and current lack of a security framework. Although well known in the security industry to be insecure, PDAs are ubiquitous in enterprise environments and are being used for such applications as one-time-password generation, storage of medical and company confidential information, and e-commerce. It is not enough to assume all users are conscious of computer security and it is crucial to understand the risks of using portable devices in a security infrastructure. Furthermore, it is not possible to employ a secure application on top of an insecure foundation. Palm operating system (OS) devices own nearly 80 percent of the global handheld computing market [11]. It is because of this that the design of the Palm OS and its supporting hardware platform were analyzed. The presented research provides detail into specific scenarios, weaknesses, and mitigation recommendations related to data protection, malicious code, virus storage, and virus propagation. Additionally, this work can be used as a model by users and developers to gain a deeper understanding of the additional security risks that these and other portable devices introduce.

[1]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[2]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.

[3]  J. B. Hoy,et al.  Computer Security: Virus Highlights Need for Improved Internet Management , 1989 .

[4]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[5]  Lawrence E. Bassham,et al.  A Guide to the Selection of Anti-Virus Tools and Techniques , 1992 .

[6]  Bruce Schneier Inside risks: the Trojan horse race , 1999, CACM.

[7]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[8]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[9]  David Chaum,et al.  Design Concepts for Tamper Responding Systems , 1983, CRYPTO.

[10]  Andrew J. Clark,et al.  Physical Protection of Cryptographic Devices , 1987, EUROCRYPT.

[11]  Peter Gutmann An Open-Source Cryptographic Coprocessor , 2000, USENIX Security Symposium.

[12]  Edward W. Felten,et al.  Hand-Held Computers Can Be Better Smart Cards , 1999, USENIX Security Symposium.

[13]  Bruce Schneier,et al.  The trojan horse race , 1999 .

[14]  Michael K. Reiter,et al.  The Design and Analysis of Graphical Passwords , 1999, USENIX Security Symposium.

[15]  Niels Provos,et al.  Encrypting Virtual Memory , 2000, USENIX Security Symposium.