admin
play

Admin Project checkpoint #2 due tonight Keep letting us know of any - PowerPoint PPT Presentation

Sep 16, 2023 •211 likes •847 views

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Project checkpoint #2 due tonight • Keep letting us know of any fuzzing issues with HW3 – Double check that you followed the instructions – Make sure to put things in C: instead of D: – It’s possible to run into issues on the MS side, so let us know and we’ll loop them in if needed (in the meantime you can relax J ) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. This Week: Mac OS X High Sierra Issue • Given physical access, if root password not set, can login (creating a root account?) without a password • Manual fix: set root password 12/1/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Back to Mobile Security: Challenges with Isolated Apps So mobile platforms isolate applications for security, but… 1. Permissions: How can applications access sensitive resources? 2. Communication: How can applications communicate with each other? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. State of the Art Prompts (time-of-use) Manifests (install-time) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. [Felt et al.] Are Manifests Usable? Do users pay attention to permissions? … but 88% of users looked at reviews. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. [Felt et al.] Are Manifests Usable? Do users understand the warnings? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. [Felt et al.] Are Manifests Usable? Do users act on permission information? “Have you ever not installed an app because of permissions?” 12/1/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Android 6.0: Prompts! • First-use prompts for sensitive permission (like iOS). • Big change! Now app developers need to check for permissions or catch exceptions. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. [Felt et al.] Over-Permissioning • Android permissions are badly documented. • Researchers have mapped APIs à permissions. www.android-permissions.org (Felt et al.), http://pscout.csl.toronto.edu (Au et al.) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. [Hornyack et al.] Improving Permissions: AppFence 12/1/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. [our work] Improving Permissions: User-Driven Access Control Let this application access my location no now . In Insigh ght: A user’s natural UI actions within an application implicitly carry permission-granting semantics. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. [our work] Improving Permissions: User-Driven Access Control Let this application access my location no now . Insigh In ght: Ou Our r study shows ws: A user’s natural UI actions within Many users already believe (52% of 186) an application implicitly carry – and/or desire (68%) – that resource access permission-granting semantics. follows the user-driven access control model. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. New OS Primitive: Access Control Gadgets (ACGs) Approach: Make resource-related UI elements first-class operating system objects (access control gadgets). • To receive resource access, applications must embed a system-provided ACG. • ACGs allow the OS to capture the user’s permission granting intent in application-agnostic way. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. (2) Inter-Process Communication • Primary mechanism in Android: Intents – Sent between application components • e.g., with startActivity(intent) – Explicit: specify component name • e.g., com.example.testApp.MainActivity – Implicit: specify action (e.g., ACTION_VIEW) and/or data (URI and MIME type) • Apps specify Intent Filters for their components. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. Unauthorized Intent Receipt Attack #1: Eavesdropping / Broadcast Theft com.example.goodapp2 com.example.goodapp1 com.example.badapp 12/1/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. Unauthorized Intent Receipt Attack #2: Service/Activity Hijacking “Caution: To ensure that your app is secure, always use an explicit intent when starting a Servier. Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts.” 12/1/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. [Chin et al.] Unauthorized Intent Receipt • Attack #1: Eavesdropping / Broadcast Thefts – Implicit intents make intra-app messages public. • Attack #2: Activity Hijacking – May not always work: • Attack #3: Service Hijacking – Android picks one at random upon conflict! 12/1/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. [Chin et al.] Intent Spoofing • Attack #1: General intent spoofing – Receiving implicit intents makes component public. – Allows data injection. • Attack #2: System intent spoofing – Can’t directly spoof, but victim apps often don’t check specific “action” in intent. com.example.goodapp2 com.example.goodapp1 com.example.badapp 12/1/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. [Felt et al.] Permission Re-Delegation • An application without a permission gains additional privileges through another application. • Demo video Demo pressButton(0) malware • Settings application is deputy: has permissions, Settings toggleWifi() and accidentally exposes APIs that use those toggleWifi() permissions. Permission System API 12/1/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. More on Android… 12/1/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Incomplete Isolation Embedded UIs and libraries always run with the host application’s permissions! (No same-origin policy here…) Ad from ad library Map from Google library Social button Like us on from Facebook Facebook! library [Shekhar et al.] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. Android Application Signing • Apps are signed – Often with self-signed certificates – Signed application certificate defines which user ID is associated with which applications – Different apps run under different UIDs • Shared UID feature – Shared Application Sandbox possible, where two or more apps signed with same developer key can declare a shared UID in their manifest 12/1/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. Shared UIDs • App 1: Requests GPS / camera access • App 2: Requests Network capabilities • Generally: – First app can’t exfiltrate information – Second app can’t exfiltrate anything interesting • With Shared UIDs (signed with same private key) – Permissions are a superset of permissions for each app – App 1 can now exfiltrate; App 2 can now access GPS / camera 12/1/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. File Permissions • Files written by one application cannot be read by other applications – Previously, this wasn’t true for files stored on the SD card (world readable!) – Android cracked down on this • It is possible to do full file system encryption – Key = Password/PIN combined with salt, hashed 12/1/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. Memory Management • Address Space Layout Randomization to randomize addresses on stack • Hardware-based No eXecute (NX) to prevent code execution on stack/heap • Stack guard derivative • Some defenses against double free bugs (based on OpenBSD’s dmalloc() function) • etc. [See http://source.android.com/tech/security/index.html] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 26

  27. Android Fragmentation • Many different variants of Android (unlike iOS) – Motorola, HTC, Samsung, … • Less secure ecosystem – Inconsistent or incorrect implementations – Slow to propagate kernel updates and new versions [https://developer.android.com/about/dashbo ards/index.html] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 27

  28. What about iOS? • Apps are sandboxed • No “sideloading” apps • Encrypted user data – Unless you jailbreak – See recent news… • App Store review process is (maybe) stricter – But not infallible: e.g., see Wang et al. “Jekyll on iOS: When Benign Apps Become Evil” (USENIX Security 2013) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 28

  29. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  30. Poor Usability Causes Problems si.ed u 12/1/17 CSE 484 / CSE M 584 - Fall 2017 30

  31. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 12/1/17 CSE 484 / CSE M 584 - Fall 2017 31

  32. Usable Security Roadmap • 2 case studies – Phishing – SSL warnings • Step back: root causes of usability problems, and how to address 12/1/17 CSE 484 / CSE M 584 - Fall 2017 32

  33. Case Study #1: Phishing • Design question: How do you help users avoid falling for phishing sites? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 33

Recommend

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Labour Administration and Inspection Programme (LAB/ADMIN) Information Session 101 st ILC, June 2012 Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to: Lead ILOs work on technical support and

396 views • 7 slides
Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development Who am I, and what do I do? Ian P. Christian (aka. pookey) Coding PHP for about 8 years Work for VoIP.co.uk Involved with symfony and

1.13k views • 51 slides
HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN RICE AGENDA > Welcome > Benefits Announcements & Open Enrollment Katy Dwyer & Amy Hawkins > Absence Lessons Learned in Workday

382 views • 36 slides
WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building, not per user Login by going to your school site /wp-admin Example: ct.central301.net/wp-admin or chs.central301.net/wp-admin Passwords

425 views • 18 slides
CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin: Check Piazza. Today: Finish Path Routing. ???? Path Routing. Given G = ( V , E ) , ( s 1 , t 1 ) ,..., ( s k , t k ) , find a set of k paths

1.82k views • 154 slides
DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S T I N A C H U M I L L A S D E S I G N E R & D R U P A L F R O N T E N D @chumillas ckrina I N D E X Initiative overview Design System

1.12k views • 60 slides
PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

407 views • 21 slides
Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

!! Working Group Meeting May 23, 2016 Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED CURRENT PROPOSED Circulation Diagrams SERVICE SERVICE KITCHEN BLUE ZONE BLUE ZONE & PARKING

285 views • 17 slides
Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M Admin Studies, PhD Director, Waubra Foundation Overview Wind farm noise damages health and well-being over a wide area Noise guidelines

245 views • 13 slides
Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Digital Communications Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital Communications Creating engaging content Digital Communications Writing up your article Digital Communications Visual appeal

683 views • 40 slides
Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team Referral Care Management Co-ordination 12 Admin Staff Manage Proxy/Integrated Co-location Primary Services Referrals Homecare

240 views • 13 slides
KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM " \ -- DISPLAY - NAME =" JOYREX 2001" \ -- ADMIN - ROLE ="O PEN S OURCE A RCHITECT " D ELIVERING SOFTWARE D EVELOPED A

695 views • 24 slides
Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Cheselbournes Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting The EYFS Questions Pre- School Admin Welcome Pack all information should be in this document. Please

472 views • 24 slides
Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives Autorun & Autoplay ADMIN$ shares 2 abc123 academia access account Admin admin admin1 admin12 admin123 adminadmin administrator

643 views • 17 slides
Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Overview Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions Basic definitions Complex Networks, Course 303A, Spring, 2009 Books Books Examples of Examples of Complex Networks Complex Networks

368 views • 14 slides
Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Overview Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks, CSYS/MATH 303, Spring, 2010 Class admin Basic definitions Basic definitions Popularity Popularity Basic definitions Examples of Examples

460 views • 16 slides
Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase Down of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee Meeting DNREC DAQ October 8, 2019 Review Committee Goal To help the Department craft/tailor the regulation ( 7 DE Admin. Code 1151

187 views • 15 slides
Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee

Requirements for the Phase- out of Hydrofluorocarbons 7 DE Admin Code 1151 Review Committee Meeting DNREC DAQ September 24, 2019 Review Committee Goal To help the Department craft/tailor the regulation ( 7 DE Admin. Code 1151

680 views • 29 slides
Admin Halfway point on our journey!

Admin Halfway point on our journey!

Admin Halfway point on our journey! https://thefreethinkingmindblog.files.wordpress.com/2016/10/sisyphusgif.gif Share/celebrate/commiserate Be sure to get your keyboard for lab 5! Today: Steps toward C mastery C Language, advanced

1.06k views • 20 slides
SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr.

SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr.

SADDLEBACK HIGH SCHOOL 2020 DISTANCE LEARNING PARENT PRESENTATION Meet The Admin Team! Mr. Bustamante Principal E-Mail Edward.Bustamante@sausd.us Mr. Bs Instagram Account @bustieclause Ms. Kassaei IB Coordinator/Site Admin Oversees 7

208 views • 20 slides
Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean to me? Solution Architect, Network Architect Hosting Provider Database Admin, System Admin, Magento Admin Developer Front-end

272 views • 13 slides
Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics 3. Create a Basic Wordpress Website 4. Using Oxygen 5. Website Design 6. Client Portal Course contents 1. Admin and Set up a. (Give

641 views • 39 slides
Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin

Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin

Welcome Treasurers Thanks for your commitment to your preschool in 2012. CPS and Admin Bandit trusts you have an enjoyable year with your preschooler and serving your community. Who am I? Nerida Gill Multi-awarding winning CPS

434 views • 6 slides
Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg

Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg

European Union | European Regional Development Fund Sharing solutions for better regional policies Web admin webinar Erwin Siweris, Petra Polaskova, Laura Uotila Communication team Interreg Europe 17 February, 2017 Web admin webinar 1.

1.05k views • 35 slides

More recommend