Presentation is loading. Please wait.

Presentation is loading. Please wait.

Syracuse University, New York, USA

Published byDeja Girdley Modified over 9 years ago

Similar presentations

Presentation on theme: "Syracuse University, New York, USA"— Presentation transcript:

1 Syracuse University, New York, USA
A Systematic Security Evaluation of Android’s Multi-User Framework Paul Ratazzi, Yousra Aafer, Amit Ahlawat, Hao Hao, Yifei Wang, Wenliang Du EECS Syracuse University, New York, USA MoST Workshop

2 Outline Introduction & Motivation Background: Implementation
Methodology Hypotheses & Findings Conclusion -capabilities that secondary users are not supposed to have

3 Introduction and Motivation
Two new ways of sharing Android tablets Multiple Users (MU) – introduced in 4.2 Restricted Profiles (RP) – introduced in 4.3 Google's advice to share “only with people you trust” raises questions about security and privacy Our work Understand the implementation Develop a systematic evaluation methodology Generate hypothesis Test hypothesis to demonstrate specific vulnerabilities -capabilities that secondary users are not supposed to have

4 Background: Implementation (1/2)
Framework – userId uid = userId * PER_USER_RANGE + (appId % PER_USER_RANGE) e.g., app runs as uid for user 0 (Owner) and uid for user 10 Framework – Permissions MANAGE_USERS, INTERACT_ACROSS_USERS, INTERACT_ACROSS_USERS_FULL (systemOrSignature) -capabilities that secondary users are not supposed to have

5 Background: Implementation (2/2)
Framework - Package management Each userId has its own set of enabled app Filesystem User-specific package data isolated under /data/user/<userId> External storage isolated by way of Linux mount namespaces Kernel No changes necessary Run-time Concept of current user vs. inactive user(s) PM allows different users to choose different set of apps. It also allows owner to choose which apps are allowed for RPs However, the framework is actually platform centric. An app is only installed once for the whole platform but only enabled or disabled For specific users. Package list maps packages names to corresponding data directories , appIds, gids. No changes at level of kernel since linux is naturally a multi user system  userid + appId = uid

6 Methodology (1/3) Identify subjects associated with secondary user
Apps and activities Identify objects shared among users Evaluate access control path between subjects and objects Does access control exist along path? Is the subject properly identified (user, app, state, etc.)? We begin with Yaghmour’s [5] high-level architectural view shown in Fig. Various categories of system resources We rely on this diagram to identify objects and subjects that have interesting security aspects unique to multi-user Then we evaluate the suitability of the access control paths between them. subjects: apps, stock apps Objects: resources: public interfaces of other apps, services, abstracted hardware devices, kernel objects

7 Methodology (2/3) Access control paths IPC to service or provider
IPC to exported activity System call Person None Access path between subjects and objects

8 Methodology (3/3) Insights & observations... Lead to questions:
Multi-user features have introduced important new considerations for the subjects and objects identified Several access control paths have been modified to account for the presence of multiple users Lead to questions: Do Android’s access control points properly account for the new considerations regarding subjects and objects? If not, can a secondary user exploit these shortcomings, and what is the potential damage? Establish a set of working hypotheses -capabilities that secondary users are not supposed to have

9 Findings: Unprotected Activities
Hypothesis 1: “Secondary users may be able to bypass their restrictions by exploiting the unprotected public interfaces of system apps”. We systematically compared the Settings UI elements accessible to the owner with that of a secondary user. Settings app implements restrictions based on type of user by hiding certain menu items, while their corresponding activities are exported. Secondary users can launch these hidden activities directly via intents and bypass the intended restrictions ! Examples: VPN Settings, Mobile network, mobile plan settings, etc…

10 Findings: Unrestricted Administrative Functions
Hypothesis 2: “Secondary users may be able to maliciously reconfigure critical platform-wide settings that are persistent across user switches”. Secondary users possess certain administrative capabilities which are normally preserved for privileged users. Secondary users can set a malicious environment for the owner to use. Examples: Wi-Fi Settings can be changed by secondary users and are persistent across users. Attack: Connect to a malicious hotspot to control all traffic to/from device.

11 Findings: Use of Sensors and Hardware Devices:
Hypothesis 3: “Inactive users may be able to spy on active users by exploiting improper access control enforcement on shared hardware resources”. If no proper access control, a non-current user can spy on logged-in user. To ensure that a hardware resource is only bound to currently logged-in user: Identify if the user requesting the resource is logged-in. Track if the user who initiated the request is continuously logged-in during the service lifetime. dIf Android does not enforce proper access control on media/sensors resources based on user status, a non-current user can spy on logged-in user.

12 Findings: Exploiting Media Resources
Two access control points should be enforced by the MediaServer: At Request time: check if the userid is equal to current userid. At User switch time: revoke any resources accessed. We designed an app that launches the camera under two scenarios: The app schedules video recording when the victim user is logged in. The app starts video recording immediately while attacker is logged in. Success on both scenarios: There is no access control based on user status at request time, nor at user switch time! To ensure that a media resource is not accessible to a non-logged in user, We investigated the MediaServer and confirmed this observation.

13 Findings: Exploiting Media Resources
-capabilities that secondary users are not supposed to have

14 Findings: Exploiting Motion, Environmental and Position Sensors
SensorService should apply at least one of the following access controls: At Registration time/Switch time: only allow current users to register listeners, and unregister all listeners one a switch happens. At Dispatch time: deliver sensor updates only to listeners belonging to current users. We designed an app that: schedules registration to receive sensor event when the victim user is logged in. registers a listener to receive sensor events when the attacker user is logged in. In both two scenarios, the app is able to receive sensor updates about victim user!! To ensure that a non-logged in user cannot receive sensor updates, the

15 Findings: Shared Package Information
Hypothesis 4: “sharedUserId permissions may not be properly separated when sharedUserId apps are installed by different users:” Although sharedUserId app’s data is properly isolated in multi-user, this is not the case with permissions! Permissions are leaked across user boundaries between apps sharing the same UserId. Cause: Platform centric design of PackageManager. We created a pair of sharedUserId apps belonging to different users. Each one of them declares a different permissions. The effective permissions assigned is the union of all permissions.

16 Findings: Shared Package Information
Hypothesis 5: “A malicious user may exploit the shared package management to modify another user’s app bytecode or prevent them from installing apps” All users share the same package code for a specific package name. If a package has been installed for a specific user, the PackageManager will consider it an update. DoS: A malicious user can install dummy apps to prevent other users from installing new apps. -capabilities that secondary users are not supposed to have

17 Conclusion Description of the multi-user support
Systematic approach for studying if proper access control is enforced Provide insights into potential problems through a comprehensive analysis of object/subject resources Several concerns -capabilities that secondary users are not supposed to have

Download ppt "Syracuse University, New York, USA"

Similar presentations

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.

Information Security Domains Computer Operations Security By: Shafi Alassmi Instructor: Francis G. Date: Sep 22, 2010.
Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.

Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.
Operating System Security

Operating System Security
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
Internet of Things Security Architecture

Internet of Things Security Architecture
Joshua Fabian Tyler Young James C. Peyton Jones Garrett M. Clayton Integrating the Microsoft Kinect With Simulink: Real-Time Object Tracking Example (

Joshua Fabian Tyler Young James C. Peyton Jones Garrett M. Clayton Integrating the Microsoft Kinect With Simulink: Real-Time Object Tracking Example (
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
What’s new in this release? September 6, 2012. Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.

What’s new in this release? September 6, Milestone Systems Confidential Milestone’s September release 2012 XProtect ® Web Client 1 Connect instantly.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By : Versha Thakur Shravani Aishwarya

By : Versha Thakur Shravani Aishwarya
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.

Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Similar presentations

Ads by Google