NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Semantically Rich Application- Centric Security in Android Machigar Ongtang, Stephen McLaughlin, William Enck and.

Slides:

Advertisements

Similar presentations

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Advertisements

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Machigar Ongtang, Stephen McLaughlin, William Enck, Patrick McDaniel Department of Computer Science and Engineering The Pennsylvania State University ACSCA.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

CS4101 嵌入式系統概論 Design and Development 金仲達教授國立清華大學資訊工程學系 Slides from Computers as Components: Principles of Embedded Computing System Design, Wayne Wolf,

國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.

國立台灣大學資訊工程學系 Chapter 4: Threads. 資工系網媒所 NEWS 實驗室 Objectives To introduce the notion of a thread — a fundamental unit of CPU utilization that forms the.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Windows Vista Security model and vulnerabilities.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Adaptive Web Caching: Towards a New Caching Architecture Authors and Institutions: Scott Michel, Khoi Nguyen, Adam Rosenstein and Lixia Zhang UCLA Computer.

張燕光資訊工程學系 Dept. of Computer Science & Information Engineering,

Lesson 18: Configuring Application Restriction Policies

Pervasive Computing: Development and Evaluation 金仲達教授清華大學資訊工程學系.

Dr. Kalpakis CMSC 461, Database Management Systems Introduction.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

William Enck, Machigar Ongtang, and Patrick McDaniel.

FileSecure Implementation Training Patch Management Version 1.1.

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,

Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.

國立台灣大學資訊工程學系 Chapter 4: Threads. 資工系網媒所 NEWS 實驗室 Objectives To introduce the notion of a thread — a fundamental unit of CPU utilization that forms the.

APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.

Copyright © 2010, OpenFlow - Innovate in Your Network 指導教授：王國禎學生：洪維藩國立交通大學資訊科學與工程研究所行動計算與寬頻網路實驗室.

Copyright © 2011, Resource allocation for MMOG based on AFK players in the cloud 指導教授：王國禎博士學生：陳治豪國立交通大學網路工程研究所行動計算與寬頻網路實驗室.

SECURITY ISSUES. Introduction The.NET Framework includes a comprehensive set of security tools –Low-level classes and an overall framework –Managing code.

Database Management System (DBMS) an Introduction DeSiaMore 1.

Regulatory Transparency and Efficiency in the Communications Industry in Australia Jennifer Bryant Office of Regulation Review Australia.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

PORSCHA PORSCHA : POLICY ORIENTED SECURE CONTENT HANDLING IN ANDROID Machigar Ongtang, Kevin Butler, Patrick McDaniel Dhurakij Pundit University, University.

Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

INFO1408 Database Design Concepts Week 15: Introduction to Database Management Systems.

Intelligent Space 國立台灣大學資訊工程研究所智慧型空間實驗室 Service Behavior Consistency in the OSGi Platform Authors Y.Qin, H.Hao,L.Jun, G.Jidong and L.Jian Proceedings.

Mobile Application Security on Android Originally presented by Jesse Burns at Black Hat

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

The LSAM Proxy Cache - a Multicast Distributed Virtual Cache Joe Touch USC / Information Sciences Institute 元智大學資訊工程研究所系統實驗室陳桂慧

CFTP - A Caching FTP Server Mark Russell and Tim Hopkins Computing Laboratory University of Kent Canterbury, CT2 7NF Kent, UK 元智大學資訊工程研究所系統實驗室陳桂慧.

國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Optimal Provisioning for Elastic Service Oriented Virtual Network Request in Cloud.

Android Permissions Demystified

Intelligent Space 國立台灣大學資訊工程研究所智慧型空間實驗室 Managing Quality of Context in Pervasive Computing Authors Y.Bu, T.Gu, X.Tao, J.Li, S.Chen, and J.Lu Proceedings.

Understand Permissions LESSON Security Fundamentals.

Intelligent Space 國立台灣大學資訊工程研究所智慧型空間實驗室 Brainstorming Principles Reporter Chun-Feng Liao Sep 12,2005 Source D.Bellin and S.S.Simone, ”Brainstorming: A.

Intelligent Space 國立台灣大學資訊工程研究所智慧型空間實驗室 Jena: A Semantic Web Framework for Java Reporter C.F.Liao ( 廖峻鋒 ) May 17,2007.

多媒體網路安全實驗室 Anonymous Authentication Systems Based on Private Information Retrieval Date： Reporter: Chien-Wen Huang 出處: Networked Digital Technologies,

Ad insertion at proxies to improve cache hit rates Amit Gupta and Geoffrey baehr, Sun Microsystems Laboratories 901 San Antonio Road Palo Alto,CA

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 7 Module 7 Data Base Security  MModified by :Ahmad Al Ghoul  PPhiladelphia.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

Copyright © 2010, Install OpenFlow Mininet 指導教授：王國禎學生：洪維藩國立交通大學資訊科學與工程研究所行動計算與寬頻網路實驗室.

Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:

多媒體網路安全實驗室 Private Information Retrieval Scheme Combined with E- Payment in Querying Valuable Information Date： Reporter: Chien-Wen Huang 出處:

Nguyen Thi Thanh Nha HMCL by Roelof Kemp, Nicholas Palmer, Thilo Kielmann, and Henri Bal MOBICASE 2010, LNICST 2012 Cuckoo: A Computation Offloading Framework.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 SPATE: Small-group PKI-less Authenticated Trust Establishment Yue-Hsun Lin, Ahren Studer, Hsu-Chun Hsiao, Jonathan.

Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.

 Project Team: Suzana Vaserman David Fleish Moran Zafir Tzvika Stein  Academic adviser: Dr. Mayer Goldberg  Technical adviser: Mr. Guy Wiener.

ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate.

Introduction to DBMS Purpose of Database Systems View of Data

Reactive Android Development

Understanding Android Security

Android System Security

Introduction to the Linux Kernel

Security & .NET 12/1/2018.

Understanding Android Security

Access Control What’s New?

Presentation transcript:

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Semantically Rich Application- Centric Security in Android Machigar Ongtang, Stephen McLaughlin, William Enck and Patrick McDaniel Annual Computer Seurity Application Conference '09 Speaker ： Kuo

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Introduction Android permission Callee application A Caller application B

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 inter-component communication (ICC). Callee application A Caller application B

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 application A application D application B application C

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Smartphone application security

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 PersonalShopper should only use trusted payment services. PersonalShopper may only want to restrict the use of the service to only trusted networks under safe conditions. PersonalShopper may require certain versions of service software be used. PersonalShopper may wish to ensure transaction information is not leaked by the phone’s ledger application.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Android Security Component Type –Activity components –Service components –Content provider components –Broadcast receiver components Component Interaction

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Component Type Activity components –define anapplication’s user interface Service components –Perform background processing.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Component Type Content provider components –Store and share data using a relational database interface Broadcast receiver components –act as mailboxes for messages from other applications.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Component Interaction Developers assign applications collections of permission labels. if the target component’s access permission label is in that collection:allows ICC establishment to proceed. If the label isn’t in the collection, establishment is denied

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Permission <permission android:description="string resource" android:icon="drawable resource" android:label="string resource" android:name="string" android:permissionGroup="string" android:protectionLevel=["normal" | "dangerous" | "signature" | "signatureOrSystem"] /> Callee application A

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Permission Permission Protection Levels : four protection levels –Normal : are granted to any application that requests them in its manifes –Dangerous : are granted only after user confirmation –Signature : are granted only to applications signed by the same developer key –signature or system: act like signature permissions but exist for legacy compatibility with the older system permission type.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 <permission 付帳功能 Level: normal /> Callee application A <permission 付帳功能 Level: dangerous /> Callee application A <permission 付帳功能 Level: signature /> Callee application A Caller application B Caller application B Caller application B user confirmation Signature of A

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Application policies 1.permission-granting policy(install-time) –regulates permission assignment. 2.interaction policy(run-time) –regulates runtime interaction between an application and its opponent.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Application policies 1.permission-granting policy (install-time) 1.1 Android’s protection level-based policy 1.2 signature-based policy the policy grants (or denies) the permission by default with an exception list that denies (grants) the applications signed by the listed keys 1.3 configuration-based policy Control permission assignment based on the configuration parameters of the requesting application Ex: application version

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 <Set of signature : 2233e 9988w> Callee application A Caller application B 2233e allow

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Application policies 2.interaction policy (run-time) 2.1 permission-based access control policy 2.2 signature-based policy restrict the set of the opponent applications based on their signatures 2.3 configuration-based policy the applications can define the desirable configurations of the opponent applications Ex: application version 2.4 phone context-based policy governs runtime interactions based on context such as location, time…etc

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 SAINT policy Install-Time Policy Enforcement Run-Time Policy Enforcement Administrative Policy

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室

Pay permission policy from B Use pay permission from A

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Install-Time Policy Enforcement a.the Saint-enhanced Android installer retrieves the requested permissions from the manifest file b.For each permission, it queries the AppPolicy provider c.The AppPolicy provider consults its policy database,and returns a decision based on matching rules

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Saint install-time policy consists of –a permission label –an owner is always the application declaring the permission. –a set of conditions are a collection of checks on the properties of the application requesting for it.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室

Run-Time Policy Enforcement 1.The caller initiates the IPC through the middleware framework 2.Saint queries the AppPolicy provider for policies 3.The AppPolicy provider checks the policy conditions satisfied, and returns the result pay Pay permission policy from B Pay permission policy from A

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 4.the conditions are satisfied, the IPC is directed to the existing Android permission check enforcement software 5.Android will then allow the IPC to continue based on traditional Android policy.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Saint enforces two types of runtime policies: 1)access policies identify the caller’s security requirements on the IPC, and requirements on the IPC 2)expose policies identify the callee’s security requirements on the IPC.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室

Administrative Policy Goal: how policy itself can be changed administrative models allowing the updater to modify, add, or delete policy If the SaintOverride compile flag is set, Saint allows user override to application policy. Saint XML policy schema includes the Override flag for each policy rule defined by the application.

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Saint Architecture Saint Installer Saint Mediator AppPolicy Provider

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Outline Introduction Smartphone application security Android Security Application policies Saint Policy Saint Architecture Conclusion

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Conclusion Saint addresses the current limitations of Android security through install-time permission granting policies and runtime inter-application communication policies

NTHU CS ISLAB 國立清華大學資訊工程研究所資訊安全實驗室 Thanks!