admin
play

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, - PowerPoint PPT Presentation

Nov 08, 2023 •276 likes •764 views

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

  1. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Monday is a holiday! • Project checkpoint #2 due Wed, 5/31, 11:59pm • Lab 3 due Fri June 2, 8pm 5/24/17 CSE 484 / CSE M 584 - Spring 2017 2

  3. Challenges with Isolated Apps So mobile platforms isolate applications for security, but… 1. Permissions: How can applications access sensitive resources? 2. Communication: How can applications communicate with each other? 5/24/17 CSE 484 / CSE M 584 - Spring 2017 3

  4. (2) Inter-Process Communication • Primary mechanism in Android: Intents – Sent between application components • e.g., with startActivity(intent) – Explicit: specify component name • e.g., com.example.testApp.MainActivity – Implicit: specify action (e.g., ACTION_VIEW) and/or data (URI and MIME type) • Apps specify Intent Filters for their components. 5/24/17 CSE 484 / CSE M 584 - Spring 2017 4

  5. [Chin et al.] Unauthorized Intent Receipt • Attack #1: Eavesdropping / Broadcast Thefts – Implicit intents make intra-app messages public. • Attack #2: Activity Hijacking – May not always work: • Attack #3: Service Hijacking – Android picks one at random upon conflict! 5/24/17 CSE 484 / CSE M 584 - Spring 2017 5

  6. [Chin et al.] Intent Spoofing • Attack #1: General intent spoofing – Receiving implicit intents makes component public. – Allows data injection. • Attack #2: System intent spoofing – Can’t directly spoof, but victim apps often don’t check specific “action” in intent. 5/24/17 CSE 484 / CSE M 584 - Spring 2017 6

  7. [Felt et al.] Permission Re-Delegation • An application without a permission gains additional privileges through another application. • Demo video Demo pressButton(0) malware • Settings application is deputy: has permissions, Settings toggleWifi() and accidentally exposes APIs that use those toggleWifi() permissions. Permission System API 5/24/17 CSE 484 / CSE M 584 - Spring 2017 7

  8. More on Android… 5/24/17 CSE 484 / CSE M 584 - Spring 2017 8

  9. Aside: Incomplete Isolation Embedded UIs and libraries always run with the host application’s permissions! (No same-origin policy here…) Ad from ad library Map from Google library Social button Like us on from Facebook Facebook! library [Shekhar et al.] 5/24/17 CSE 484 / CSE M 584 - Spring 2017 9

  10. Android Application Signing • Apps are signed – Often with self-signed certificates – Signed application certificate defines which user ID is associated with which applications – Different apps run under different UIDs • Shared UID feature – Shared Application Sandbox possible, where two or more apps signed with same developer key can declare a shared UID in their manifest 5/24/17 CSE 484 / CSE M 584 - Spring 2017 10

  11. Shared UIDs • App 1: Requests GPS / camera access • App 2: Requests Network capabilities • Generally: – First app can’t exfiltrate information – Second app can’t exfiltrate anything interesting • With Shared UIDs (signed with same private key) – Permissions are a superset of permissions for each app – App 1 can now exfiltrate; App 2 can now access GPS / camera 5/24/17 CSE 484 / CSE M 584 - Spring 2017 11

  12. File Permissions • Files written by one application cannot be read by other applications – Previously, this wasn’t true for files stored on the SD card (world readable!) – Android cracked down on this • It is possible to do full file system encryption – Key = Password/PIN combined with salt, hashed 5/24/17 CSE 484 / CSE M 584 - Spring 2017 12

  13. Memory Management • Address Space Layout Randomization to randomize addresses on stack • Hardware-based No eXecute (NX) to prevent code execution on stack/heap • Stack guard derivative • Some defenses against double free bugs (based on OpenBSD’s dmalloc() function) • etc. [See http://source.android.com/tech/security/index.html] 5/24/17 CSE 484 / CSE M 584 - Spring 2017 13

  14. Android Fragmentation • Many different variants of Android (unlike iOS) – Motorola, HTC, Samsung, … • Less secure ecosystem – Inconsistent or incorrect implementations – Slow to propagate kernel updates and new versions [https://developer.android.com/about/dashbo ards/index.html] 5/24/17 CSE 484 / CSE M 584 - Spring 2017 14

  15. What about iOS? • Apps are sandboxed • No “sideloading” apps • Encrypted user data – Unless you jailbreak – See recent news… • App Store review process is (maybe) stricter – But not infallible: e.g., see Wang et al. “Jekyll on iOS: When Benign Apps Become Evil” (USENIX Security 2013) 5/24/17 CSE 484 / CSE M 584 - Spring 2017 15

  16. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  17. Poor Usability Causes Problems si.ed u 5/24/17 CSE 484 / CSE M 584 - Spring 2017 17

  18. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 5/24/17 CSE 484 / CSE M 584 - Spring 2017 18

  19. Usable Security Roadmap • 2 case studies – Phishing – SSL warnings • Step back: root causes of usability problems, and how to address 5/24/17 CSE 484 / CSE M 584 - Spring 2017 19

  20. Case Study #1: Phishing 5/24/17 CSE 484 / CSE M 584 - Spring 2017 20

  21. A Typical Phishing Page Weird URL http instead of https 5/24/17 CSE 484 / CSE M 584 - Spring 2017 21

  22. Safe to Type Your Password? 5/24/17 CSE 484 / CSE M 584 - Spring 2017 22

  23. Safe to Type Your Password? 5/24/17 CSE 484 / CSE M 584 - Spring 2017 23

  24. Safe to Type Your Password? 5/24/17 CSE 484 / CSE M 584 - Spring 2017 24

  25. Safe to Type Your Password? “Picture-in-picture attacks” Trained users are more likely to fall victim to this! 5/24/17 CSE 484 / CSE M 584 - Spring 2017 25

  26. Experiments at Indiana University • Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster • Sent 921 Indiana University students a spoofed email that appeared to come from their friend • Email redirected to a spoofed site inviting the user to enter his/her secure university credentials – Domain name clearly distinct from indiana.edu • 72% of students entered their real credentials into the spoofed site 5/24/17 CSE 484 / CSE M 584 - Spring 2017 26

  27. More Details • Control group: 15 of 94 (16%) entered personal information • Social group: 349 of 487 (72%) entered personal information • 70% of responses within first 12 hours • Adversary wins by gaining users’ trust • Also: If a site looks “professional”, people likely to believe that it is legitimate 5/24/17 CSE 484 / CSE M 584 - Spring 2017 27

  28. Phishing Warnings Active (Firefox) Passive (IE) Active (IE) 5/24/17 CSE 484 / CSE M 584 - Spring 2017 28

  29. [Egelman et al.] Are Phishing Warnings Effective? • CMU study of 60 users • Asked to make eBay and Amazon purchases • All were sent phishing messages in addition to the real purchase confirmations • Goal: compare active and passive warnings 5/24/17 CSE 484 / CSE M 584 - Spring 2017 29

  30. [Egelman et al.] Active vs. Passive Warnings • Active warnings significantly more effective – Passive (IE): 100% clicked, 90% phished – Active (IE): 95% clicked, 45% phished – Active (Firefox): 100% clicked, 0% phished Passive (IE) Active (IE) Active (Firefox) 5/24/17 CSE 484 / CSE M 584 - Spring 2017 30

  31. [Egelman et al.] User Response to Warnings • Some fail to notice warnings entirely – Passive warning takes a couple of seconds to appear; if user starts typing, his keystrokes dismiss the warning • Some saw the warning, closed the window, went back to email, clicked links again, were presented with the same warnings… repeated 4-5 times – Conclusion: “ website is not working ” – Users never bothered to read the warnings, but were still prevented from visiting the phishing site – Active warnings work! 5/24/17 CSE 484 / CSE M 584 - Spring 2017 31

  32. [Egelman et al.] Why Do Users Ignore Warnings? • Don’t trust the warning – “ Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad ” • Ignore warning because it’s familiar (IE users) – “ Oh, I always ignore those ” – “ Looked like warnings I see at work which I know to ignore ” – “ I thought that the warnings were some usual ones displayed by IE ” – “ My own PC constantly bombards me with similar messages ” 5/24/17 CSE 484 / CSE M 584 - Spring 2017 32

Recommend

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Labour Administration and Inspection Programme (LAB/ADMIN) Information Session 101 st ILC, June 2012 Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to: Lead ILOs work on technical support and

396 views • 7 slides
Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development Who am I, and what do I do? Ian P. Christian (aka. pookey) Coding PHP for about 8 years Work for VoIP.co.uk Involved with symfony and

1.13k views • 51 slides
HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN RICE AGENDA > Welcome > Benefits Announcements & Open Enrollment Katy Dwyer & Amy Hawkins > Absence Lessons Learned in Workday

382 views • 36 slides
WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building, not per user Login by going to your school site /wp-admin Example: ct.central301.net/wp-admin or chs.central301.net/wp-admin Passwords

425 views • 18 slides
CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin: Check Piazza. Today: Finish Path Routing. ???? Path Routing. Given G = ( V , E ) , ( s 1 , t 1 ) ,..., ( s k , t k ) , find a set of k paths

1.82k views • 154 slides
DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S T I N A C H U M I L L A S D E S I G N E R & D R U P A L F R O N T E N D @chumillas ckrina I N D E X Initiative overview Design System

1.12k views • 60 slides
PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

407 views • 21 slides
Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

!! Working Group Meeting May 23, 2016 Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED CURRENT PROPOSED Circulation Diagrams SERVICE SERVICE KITCHEN BLUE ZONE BLUE ZONE & PARKING

285 views • 17 slides
Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M Admin Studies, PhD Director, Waubra Foundation Overview Wind farm noise damages health and well-being over a wide area Noise guidelines

245 views • 13 slides
Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Digital Communications Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital Communications Creating engaging content Digital Communications Writing up your article Digital Communications Visual appeal

683 views • 40 slides
Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team Referral Care Management Co-ordination 12 Admin Staff Manage Proxy/Integrated Co-location Primary Services Referrals Homecare

240 views • 13 slides
KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM " \ -- DISPLAY - NAME =" JOYREX 2001" \ -- ADMIN - ROLE ="O PEN S OURCE A RCHITECT " D ELIVERING SOFTWARE D EVELOPED A

695 views • 24 slides
Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Cheselbournes Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting The EYFS Questions Pre- School Admin Welcome Pack all information should be in this document. Please

472 views • 24 slides
Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives Autorun & Autoplay ADMIN$ shares 2 abc123 academia access account Admin admin admin1 admin12 admin123 adminadmin administrator

643 views • 17 slides
Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Overview Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions Basic definitions Complex Networks, Course 303A, Spring, 2009 Books Books Examples of Examples of Complex Networks Complex Networks

368 views • 14 slides
Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Overview Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks, CSYS/MATH 303, Spring, 2010 Class admin Basic definitions Basic definitions Popularity Popularity Basic definitions Examples of Examples

460 views • 16 slides
Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee Meeting DNREC DAQ October 8, 2019 Review Committee Goal To help the Department craft/tailor the regulation ( 7 DE Admin. Code 1151

187 views • 15 slides
Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee Meeting DNREC DAQ September 24, 2019 Review Committee Goal To help the Department craft/tailor the regulation ( 7 DE Admin. Code 1151

680 views • 29 slides
Admin Halfway point on our journey!

Admin Halfway point on our journey!

Admin Halfway point on our journey! https://thefreethinkingmindblog.files.wordpress.com/2016/10/sisyphusgif.gif Share/celebrate/commiserate Be sure to get your keyboard for lab 5! Today: Steps toward C mastery C Language, advanced

1.06k views • 20 slides
SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr.

SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr.

SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr. Bustamante Principal E-Mail Edward.Bustamante@sausd.us Mr. Bs Instagram Account @bustieclause Ms. Kassaei IB Coordinator/Site Admin Oversees 7

208 views • 20 slides
Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean to me? Solution Architect, Network Architect Hosting Provider Database Admin, System Admin, Magento Admin Developer Front-end

272 views • 13 slides
Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics 3. Create a Basic Wordpress Website 4. Using Oxygen 5. Website Design 6. Client Portal Course contents 1. Admin and Set up a. (Give

641 views • 39 slides
Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin

Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin

Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin Bandit trusts you have an enjoyable year with your preschooler and serving your community. Who am I? Nerida Gill Multi-awarding winning CPS

434 views • 6 slides
Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg

Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg

European Union | European Regional Development Fund Sharing solutions for better regional policies Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg Europe 17 February, 2017 Web admin webinar 1.

1.05k views • 35 slides

More recommend