What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources Literature by S. Demetriou et al. Presented.

Slides:

Advertisements

Similar presentations

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

Advertisements

Operating System Security

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center Security.

SCRUB: Secure Computing Research for Users’ Benefit David Wagner 1.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Access Control Intro, DAC and MAC System Security.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

Security of Mobile Applications Vitaly Shmatikov CS 6431.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

Enhancing User Privacy on Android Devices Bachelor of Computer Science (Honours) Name: Quang Do Supervisor: Raymond Choo Associate Supervisor: Ben Martini.

Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.

Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

1.1 System Performance Security Module 1 Version 5.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.

© 2009 Research In Motion Limited Advanced Java Application Development for the BlackBerry Smartphone Trainer name Date.

Leave Me Alone: App-level Protection Against

USER DRIVEN ACCESS CONTROL: RETHINKING PERMISSION GRANTING IN MODERN OPERATING SYSTEM Presentation by: Manik Challana Presented at : IEEE Symposium on.

Chapter 4 Application Level Security in Cellular Networks.

, Josef NollNISnet NISnet meeting Mobile Applied Trusted Computing Josef Noll,

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

Android Security Extensions. Android Security Model Main objective is simplicity Users should not be bothered Does the user care? Most do not care…until.

Enforcing Cyber security in Mobile Applications – Public Sector Use Case SAPHINA MCHOME, VIOLA RUKIZA TANZANIA REVENUE AUTHORITY INFORMATION AND COMMUNICATION.

Vulnerability Study of the Android Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson (Group 8)

Leave Me Alone: App- level Protection Against Runtime Information Gathering on Android NAN ZHANG, KAN YUAN, MUHAMMAD NAVEED†, XIAOYONG ZHOU AND XIAOFENG.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Arpit Jain Mtech2. Outline Introduction Attacks Solution Experimental Evaluation References.

Wireless and Mobile Security

Academic Year 2014 Spring Academic Year 2014 Spring.

Trusted Operating Systems

SACRED REQUIREMENTS DOCUMENT Stephen Farrell, Baltimore Alfred Arsenault, Diversinet.

Privilege Management Chapter 22.

Cosc 4735 Primer: Marshmallow Changes and new APIs in android 6.0 (api 23)

Security API discussion Group Name: SEC Source: Shingo Fujimoto, FUJITSU Meeting Date: Agenda Item: Security API.

Security risks in a network. Remote access  When you connect a computer to a network it is visible to all other computers on the network. When you connect.

Chapter 14: Controlling and Monitoring Access. Comparing Access Control Models Comparing permissions, rights, and privileges Understanding authorization.

© 2015 IBM Corporation John Guidone Account Executive IBM Security IBM MaaS360.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

DeepDroid Dynamically Enforcing Enterprise Policy Manwoong (Andy) Choi

CMGT 430 OUTLET Teaching Effectively/ FOR MORE CLASSES VISIT

Mobile device security Practical advice on how to keep your mobile device and the data on it safe.

ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate.

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

Principles Identified - UK DfT -

chownIoT Secure Handling of Smart Home IoT Devices Ownership Change

Free for All! Assessing User Data Exposure to Advertising Libraries on Android Campbell Foskin.

Content Protection Support in

Understanding Android Security

Android Access Control

EMV® 3-D Secure - High Level Overview

Thomas Ulz, Thomas Pieber, Christian Steger1

Official levels of Computer Security

THE ORANGE BOOK Ravi Sandhu

An Overview Rick Anderson Pat Demko

OS Access Control Mauricio Sifontes.

Understanding Android Security

Chapter 10. Mobile Device Security

Android Access Control

Presentation transcript:

What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources Literature by S. Demetriou et al. Presented by Emma Hu Literature by S. Demetriou et al. Presented by Emma Hu

Motivation  Increase use in smartphone accessories such as Bluetooth earpieces, health devices, fitness bands etc.  Increase in malicious attacks  Previous studies show that external devices connected to Android are vulnerable  Increase use in smartphone accessories such as Bluetooth earpieces, health devices, fitness bands etc.  Increase in malicious attacks  Previous studies show that external devices connected to Android are vulnerable

Background  Android security model  Discretionary access control (DAC) system  SEAndroid (Security Enhanced Android)  Mandatory access control (MAC) system built on top of android  Security context  user: role: domain or type [:level] and a SID  Android security model  Discretionary access control (DAC) system  SEAndroid (Security Enhanced Android)  Mandatory access control (MAC) system built on top of android  Security context  user: role: domain or type [:level] and a SID

Problem  SEAndroid does not have the granularity for controlling external resources  Bluetooth, NFC, SMS ID, Audio port  SEAndroid does not have the granularity for controlling external resources  Bluetooth, NFC, SMS ID, Audio port

Results  SMS  SMSDispatcher broadcasts to all apps that register with the event have the RECEIVE_SMS permission  SMS and MMS fully exposed to those with READ_SMS or RECEIVE_SMS permissions  Audio  Completely unprotected when connected to the phone’s Audio jack  NFC  5/17 popular NDC apps include storage of sensitive information  No authentication and encryption protection  SMS  SMSDispatcher broadcasts to all apps that register with the event have the RECEIVE_SMS permission  SMS and MMS fully exposed to those with READ_SMS or RECEIVE_SMS permissions  Audio  Completely unprotected when connected to the phone’s Audio jack  NFC  5/17 popular NDC apps include storage of sensitive information  No authentication and encryption protection

Table 1: top apps from Google play Figure 1: example of a Bluetooth app

SEACAT  Employs a hybrid MAC & DAC approach  Extends SEAndroid’s MAC to protect resources with distinct identifier e.g. SMS, NFC  Adds in a DAC module to allow user and app developer to specify interaction rules  Focuses on protecting Bluetooth, Audio, NFC, Internet, and SMS channels  Employs a hybrid MAC & DAC approach  Extends SEAndroid’s MAC to protect resources with distinct identifier e.g. SMS, NFC  Adds in a DAC module to allow user and app developer to specify interaction rules  Focuses on protecting Bluetooth, Audio, NFC, Internet, and SMS channels

Details  Challenges  SEAndroid does not model external resources  Integration with current Android DAC and SEAndroid Mac  Design Implementation  Policy specification – new categories of types e.g. BT_type, NFC_type  App labelling – grant trusted apps permissions  External resource labelling  Challenges  SEAndroid does not model external resources  Integration with current Android DAC and SEAndroid Mac  Design Implementation  Policy specification – new categories of types e.g. BT_type, NFC_type  App labelling – grant trusted apps permissions  External resource labelling

Fig 2. Screenshot of SEACAT App labelling and Device labelling

Fig 3. SEACAT Architecture

Fig 4. SEACAT Security hook

SEACAT Results  Effectiveness  Successfully prevents unauthorised resource access  Performance  Overhead is mostly negligible  Largest overhead is 279.9ms (total time ) for Bluetooth pairing  Effectiveness  Successfully prevents unauthorised resource access  Performance  Overhead is mostly negligible  Largest overhead is 279.9ms (total time ) for Bluetooth pairing

Paper Summary  Android is not designed to handle external resources  SEACAT is introduced as a new security system to extend Android’s security model  MAC and DAC across different Android layers  Android is not designed to handle external resources  SEACAT is introduced as a new security system to extend Android’s security model  MAC and DAC across different Android layers

Issues and Improvements  The paper only looks at Bluetooth, NFC, Audio, SMS, and Internet  Doesn’t account for other channels like Wireless and Infrared  Doesn’t offer MAC protection for audio devices as it can’t distinguish between types of audio devices.  Only analysed one “Audio” device (Jawbone UP)  User / developer has to manually construct security rules / policies which decreases usability  Doesn’t protect against spoofing attacks  SEACAT assumes kernel is not compromised  The paper only looks at Bluetooth, NFC, Audio, SMS, and Internet  Doesn’t account for other channels like Wireless and Infrared  Doesn’t offer MAC protection for audio devices as it can’t distinguish between types of audio devices.  Only analysed one “Audio” device (Jawbone UP)  User / developer has to manually construct security rules / policies which decreases usability  Doesn’t protect against spoofing attacks  SEACAT assumes kernel is not compromised

References  [1] Demetriou, S., Zhou, X. Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., & Gunter, C. A. (2015). What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources. In NDSS.  [2] Demetriou, S. (2014). Android at risk: current threats stemming from unprotected local and external resources.  [1] Demetriou, S., Zhou, X. Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., & Gunter, C. A. (2015). What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources. In NDSS.  [2] Demetriou, S. (2014). Android at risk: current threats stemming from unprotected local and external resources.