Presentation is loading. Please wait.

Presentation is loading. Please wait.

AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM

Published byMadison Spencer Modified over 6 years ago

Similar presentations

Presentation on theme: "AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM"— Presentation transcript:

1 AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM
By, Talia ringer, dan grossman and Franziska roesner PRESENTED BY: Mohammad

2 Introduction AUDACIOUS:
Android User-Driven Access Control in Only User Space A secure library implementation whose primary goal is to provide a system for User-Driven access control in android applications without modifying the underlying operating system.

3 Goals of AUDACIOUS Goal 1: Goal 2: Unmodified Operating System Goal 3:
User-driven Access Control Access to sensitive resources is only granted when the user interacts with the corresponding ACG. Goal 2: Unmodified Operating System The final implementation should not make any changes to the underlying operating system. Goal 3: Regulate Resource use, not just access Design should provide guarantees about the flow of resources. Goal 4: Permission Model Flexibility Allow applications to use alternative permission models for some functionalities.

4 Goals of AUDACIOUS(cont.)

5 Techniques used to secure ACG’s
Event flow UI context Resource flow UI interaction is strictly invoked by the user UI does not trick the user into interactions Resources are accessed appropriately via ACGs Defense via taint analysis Defense via explicit Internal/External UI checking Defense via regulating Information Flow. Can be disrupted via event forgery. Can be disrupted by cover attacks. Disrupted by abusing granted permissions to perform malicious tasks.

6 Libraries ACG LIBRARY Developed in Android and is event-driven.
It works on bytecode than source code. Invalidates view if library detects a potentially malicious or “evil” event. Application code is not executed. Two ACG interfaces – one for temporary permissions and one for permanent permissions. Views are wrapped so that applications cannot modify the ACG UI after creation. We can use the library in two ways Define it in a layout Access it programically.

7

8 Libraries(cont.) SPARTA LIBRARY Information flow tool
Two stages - App store approval and Runtime approval SPARTA operates on source code. SPARTA compares the flows with allowable flows defined in a flow policy file. A human verifies the output of SPARTA in the context of the policy. SPARTA is extended by implementing an ACG type so SPARTA can distinguish ACGs from each other.

9

10 Summary of ACG applications

11 Fighting evil: Analysis
Evil application developed is made to bypass the library security features Out of 57 attacks, 55 were defended One of the missed attack was an result of Android Bug . The other was due to limitation of android OS.

12 Performance

13 Limitation We cannot modify events or interfere with the flow of events. Partially obscured toast are to be invalidated but it is not and this bug has been reported to android. OS limitations leads to flag value being never set if we construct an event by programs. SPARTA does not ensure that correct resources are used at correct time. If ACG library is updated, all the applications using it has to be updated to include the latest version of library. No way to check obscured flag during a random check.

14 Criticism Existing applications cannot be benefitted by ACG unless it is refactored by the developer again for ACG library. If the OS prevented events from being created or modified, we would not need to run a analysis. ACG does not protect against all type of attacks When randomness test are done too frequently it may affect the performance of the application.

15 THANK YOU

Download ppt "AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM"

Similar presentations

Operating System Security

Operating System Security
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Bending Binary Programs to your Will Rajeev Barua.

Bending Binary Programs to your Will Rajeev Barua.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.

Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.

1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.
APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.

APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.
Integrity Through Mediated Interfaces PI Meeting: Feb 22-23, 2000 Bob Balzer Information Sciences Institute Legend: Changes from previous.

Integrity Through Mediated Interfaces PI Meeting: Feb 22-23, 2000 Bob Balzer Information Sciences Institute Legend: Changes from previous.
1 Lecture 4: Threads Operating System Fall 2006. 2 Contents Overview: Processes & Threads Benefits of Threads Thread State and Operations User Thread.

1 Lecture 4: Threads Operating System Fall Contents Overview: Processes & Threads Benefits of Threads Thread State and Operations User Thread.
Developing Security Mobile Applications for Android Presenter, Joel Elixson Author, Jesse Burns of iSEC Partners.

Developing Security Mobile Applications for Android Presenter, Joel Elixson Author, Jesse Burns of iSEC Partners.
Lecture 7 Integrity & Veracity UFCE8K-15-M: Data Management.

Lecture 7 Integrity & Veracity UFCE8K-15-M: Data Management.
Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Similar presentations

Ads by Google