An Example of an Android Security Extension YAASE - Yet Another Android Security Extension.

Slides:

Advertisements

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu

Advertisements

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

ECOS: Leveraging Software-Defined Networks to Support Mobile Application Offloading Aaron Gember, Christopher Dragga, Aditya Akella University of Wisconsin-Madison.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID David Barrera, H. Güne¸s Kayacık, P.C. van Oorschot,

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Authz work in GGF David Chadwick

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

Enhancing User Privacy on Android Devices Bachelor of Computer Science (Honours) Name: Quang Do Supervisor: Raymond Choo Associate Supervisor: Ben Martini.

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.

 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.

Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영

Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.

United States Department of Justice Implementing Privacy Policy in Justice Information Sharing: A Technical Framework John Ruegg,

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

Android Security Extensions. Android Security Model Main objective is simplicity Users should not be bothered Does the user care? Most do not care…until.

Self-service Cloud Computing Presented by: Yu Bai (ybai181) Butt, S., Lagar-Cavilla, H. A., Srivastava, A., & Ganapathy, V. (2012, October). Self-service.

1 Policy-based architecture. 2 Policy management view of the architecture IP MMed domain is a converged services domain where voice, video, data are provided.

XML Meta Documents Security Based on Extended Provisional Authorization.

Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.

Comparing Java and.Net Security: Lessons Learned and Missed - Nathanael Paul, David Evans Presented by Dan Frohlich.

FireDroid: Hardening Security in Almost-Stock Android Presented By: Kenneth Siu.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Arpit Jain Mtech2. Outline Introduction Attacks Solution Experimental Evaluation References.

Android - Location Based Services. Google Play services facilitates adding location awareness to your app with automated location tracking Geo fencing.

Authorization GGF-6 Grid Authorization Concepts Proposed work item of Authorization WG Chicago, IL - Oct 15 th 2002 Leon Gommans Advanced Internet.

Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:

Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:

Preserving User Privacy from Third-party Applications in Online Social Networks Yuan Cheng, Jaehong Park and Ravi Sandhu Institute for Cyber Security University.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

Dynamic Vetting Android Applications for Privilege-escalation Risks Jiaojiao Fu 1.

Policy-Based Dynamic Negotiation for Grid Services Authorization Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl Semantic Web Policy Workshop, ISWC’05.

XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.

Authorization PDP GE Course (R4) FIWARE Chapter: Security FIWARE GE: Authorization PDP FIWARE GEri: AuthZForce Authorization PDP Owner: Cyril Dangerville,

DeepDroid Dynamically Enforcing Enterprise Policy Manwoong (Andy) Choi

The eCSG Mobile App Mario Torrisi INFN – Division of Catania 24 June 2013 Webinar on the eCSG 1.

Privacy in Mobile Systems Karthik Dantu and Steve Ko.

Introduction to Android Programming. Features of Android.

Argus EMI Authorization Integration

REDCap Mobile Application

More Security and Programming Language Work on SmartPhones

Institute for Cyber Security

Presented by: Saurav Kumar Bengani

Boxify: Full-fledged App Sandboxing for Stock Android

Institute for Cyber Security

HARDENING CLIENT COMPUTERS

O. Otenko PERMIS Project Salford University © 2002

Key concepts of authorization, QoS, and policy control

AAA: A Survey and a Policy- Based Architecture and Framework

Chapter 8: Security Policy

Chapter 10. Mobile Device Security

Presentation transcript:

An Example of an Android Security Extension YAASE - Yet Another Android Security Extension

YAASE Main Features A Policy-based System for Controlling Information Flow Fine-grained Data Filtering No modifications to Android API No trust on apps Control over IPC and system-level calls (internet) Data filtering capabilities Tuneable

YAASE Architecture Grey = New components added Dashed = Modified Android components

Policy-based AC Terms A policy is a rule that governs the behaviour of a system PEP stands for Policy Enforcement Point It is responsible for intercepting the requests and enforcing the access control decisions PDP stands for Policy Decision Point It is responsible for evaluating policies and coming up with a decision Policy Provider is the repository where policies are stored

YAASE Policy Language PolicyName: Requester can do operation on Resource [have to perform action] handle dataLabelExpression By default, if no policy is specified no action is granted!

Example of a Privilege Escalation FeedMe: A news feed app requiring access to internet NavApp: A navigation app requiring access to GPS

Policies for Apps PolFeedMe: FeedME can do send on Internet handle “NoLabels” PolNavApp: NavApp can do access on GPS handle “FineLocation”

Restrict Approach Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP Access to NavApp PEP

Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP PEP Restrict Approach

Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP PEP

Restrict Approach Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA NO ACCESS Policy Provider YAASE PDP PEP

Relaxed Approach Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP PEP

Relaxed Approach Sandbox System Sandbox P2P1 FeedMe D:FL NavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP PEP

Relaxed Approach Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP INTERNET D:FL PEP

Enforced Policy PolFeedMe: FeedME can do send on Internet handle “NoLabels”

Relaxed Approach Sandbox System Sandbox P2P1 FeedMeNavAppAndroid Apps C P1 GPS P2 NET SS AA Policy Provider YAASE PDP INTERNET D:FL PEP

Final Thoughts Standard Android Security framework is insufficient Plethora of security extensions have been presented Now it is time that Google starts to take some actions

Readings Russello, Giovanni, et al. "Yaase: Yet another android security extension." Privacy, security, risk and trust (passat), 2011 ieee third international conference on and 2011 ieee third international conference on social computing (socialcom). IEEE, 2011.

Questions?