User-Driven Access Control: Rethinking Permission Granting in Modern OSes. Franziska Roesner and Tadayoshi Kohno (University of Washington); Alexander Moshchuk, Bryan Parno and Helen J. Wang (Microsoft Research); Crispin Cowan (Microsoft).

Presentation transcript:

Slide 1: Title. User-Driven Access Control: Rethinking Permission Granting in Modern OSes. Franziska Roesner, Tadayoshi Kohno (University of Washington); Alexander Moshchuk, Bryan Parno, Helen J. Wang (Microsoft Research); Crispin Cowan (Microsoft).

Slide 2: Modern Client Platforms (May 21, 2012, Franziska Roesner)
iOS, Android, WP, Win8, browsers:
- Applications are isolated from one another.
- Limited global sharing.
- Cannot access user-owned resources by default: cross-application data; devices (camera, GPS, …); resources (clipboard, autocomplete data).
Problem: How should platforms grant applications access to user-owned resources?
Challenge: Users are in the loop to grant permissions.

Slide 3: State of the Art
- Manifests (Android, Windows Phone): out of context, since permissions are checked at time of install, not time of use.
- Prompts (iOS, browsers): disruptive; in practice, the user is only prompted at first use to avoid prompt fatigue.
- Neither is least-privilege: once granted permissions, apps can use them even when not necessary for application functionality.

Slide 4: Permission Granting Goals
- In context (unlike manifests)
- Non-disruptive (unlike prompts)
- Least privilege (unlike manifests and prompts)
The permission the user means to grant: "Let this application access my location now."

Slide 5: Outline
- Motivation and Setup
- User-Driven Access Control, via Access Control Gadgets (ACGs)
- Capturing Authentic User Intent
- Implementation
- Evaluation

Slide 6: User-Driven Access Control
Observation: A user's natural UI actions in the context of an application carry permission-granting semantics. See also EWS [SVNC '04], NitPicker [FH '05], CapDesk [M '06], Qubes, Polaris [SKYCM '06], UIBAC [SE '08], BLADE [LYPL '10].
Challenge: How can the system understand generalized in-app permission-granting behaviors?

Slide 7: Access Control Gadgets (ACGs)
Approach: Let the system control these UI elements (ACGs) to capture a user's permission-granting intent.
Challenges:
- How can the system capture authentic user intent?
- How to prevent disruption of application context?
- Can this model support necessary app functionality?
- …?

Slide 8: Camera ACG example (figure)
User's view: a Photo Editor App with an embedded Camera ACG.
System's view: the Photo Editor App runs in an isolation container and embeds the gadget as <object src="rm://camera/takePicture"/>; the kernel's camera resource monitor holds the policy for which app can access the camera and in what fashion.
Flow: 1) the user clicks on the camera ACG; 2) the resource monitor takes the picture; 3) the app receives the picture.

Slide 9: Design Challenges
- What are appropriate access semantics?
- How to accurately capture user intent?
- How can we support customized access control gadgets? ACGs composing multiple resources? Shortcuts and gestures instead of visual gadgets?
- How can we generalize to application-controlled resource monitors (e.g., Facebook contacts, Flickr photos)?

Slide 10: Access Semantics (figure)
Access semantics, ordered from UI-coupled and least-privilege to UI-decoupled and permanent access: one-time, session, scheduled, permanent.
Few applications (5% of top 100 Android apps) legitimately require permanent access.

Slide 11: Outline (repeated; next section: Capturing Authentic User Intent)

Slide 12: Threats by Malicious Applications
- Manipulate the access control gadget display, directly or by strategic obstruction.
- Clickjacking (trick users into clicking on the ACG), visual or timing-based.
- Programmatically click on the ACG.
Requirements:
1. ACG → User: Authentic display of the ACG to the user.
2. User → ACG: Authentic user actions to the ACG.

ACG  User: Display Integrity (1) Display isolation: Apps can’t set ACG’s pixels. (2) Complete visibility: ACGs are active only when completely visible. (3) Sufficient display duration: ACGs activate only after a reaction delay. (4) Limited customization by applications. 13 May 21, 2012 Franziska Roesner 73% of top Android apps need only limited customization.

User  ACG: Authentic Input (1) Input event isolation: – Input events dispatched only from user input devices to ACGs. (2) The kernel controls the cursor over ACGs. (3) Handling nested applications – e.g., iGoogle embeds ad which embeds camera ACG – Must grant permissions to correct application. 14 May 21, 2012 Franziska Roesner

Slide 15: Outline (repeated; next section: Implementation)

Slide 16: Implementation
Implemented as part of the ServiceOS system with 2500 lines of C# code.
System support for:
- Access control gadgets: resources (camera, GPS, clipboard, autocomplete); access semantics (one-time, session)
- ACG composition: camera+GPS
- Input sequences: copy-and-paste, drag-and-drop
- Nested applications
- Content picking and application-specific ACGs
ACGs in applications: browser and MS Word.
Our experience shows that the implementation effort is modest for both system developers and application developers.

Slide 17: Outline (repeated; next section: Evaluation)

Slide 18: Discussion: Security Analysis
Our User → ACG and ACG → User properties do not prevent applications from gaining unauthorized access by social engineering attacks. (Figure: "Location access granted".)
- Social engineering risk: moderate (high effort/risk for the attacker)
- Usability: high
- Least-privilege guarantees: high

Slide 19: Evaluation Highlights
Vulnerability study: user-driven access control addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%) and 25 of 26 in Firefox (96%).
User expectations: based on a survey showing Android screenshots, most users already believe (52% of 186) and/or desire (68%) that resource access follows the user-driven access control model.

Slide 20: Summary
- User-driven access control captures a user's permission-granting intent from natural interactions with the system and applications.
- Access control gadgets enable user-driven permission granting: in-context, non-disruptive, and least-privilege.
- ACGs match user expectations.