aw are preventing abuse of privacy sensitive sensors via
play

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation - PowerPoint PPT Presentation

AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca Ahmad-Atamli Reineh Trent Jaeger gxp18@cse.psu.edu atamli@cs.ox.ac.uk tjaeger@cse.psu.edu The Pennsylvania State University University of


  1. AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings Giuseppe Petracca Ahmad-Atamli Reineh Trent Jaeger gxp18@cse.psu.edu atamli@cs.ox.ac.uk tjaeger@cse.psu.edu The Pennsylvania State University University of Oxford, UK The Pennsylvania State University School of Electrical Engineering and Computer Science Dept. of Electrical Engineering and Computer Science School of Electrical Engineering and Computer Science Institute for Networking and Security Research Institute for Networking and Security Research Yuqiong Sun Jens Grossklags yuqiong_sun@symantec.com jens.grossklags@in.tum.de Symantec Research Labs, US Technical University of Munich, DE 1

  2. Increasing Availability of Privacy-Sensitive Sensors Controlling when applications may use privacy-sensitive sensors (i.e., cameras, microphones, and touch screens): Entertainment Banking Screen Sharing G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 2

  3. Abuse of Privacy-Sensitive Sensors G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 3

  4. Real World Incidents G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 4

  5. Current Authorization Mechanisms Install-Time First-Use Beginning in Android 6.0 (API level 23), users grant permissions to apps while the app is running, not whey the install the app! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 5

  6. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 6

  7. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 7

  8. Shortcomings G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 8

  9. What Is The Access Control Problem? Series ISSN: XXXX-XXXX JAEGER M S YNTHESIS L ECTURES ON C & & Morgan Claypool Publishers I NFORMATION S ECURITY , P RIV ACY, AND T RUST Series Editor: Ravi Sandhu, University of Texas at San Antonio Operating System Operating System Security Security Trent Jaeger, The Pennsylvania State University Operating systems provide the fundamental mechanisms for securing computer processing. Since the 1960s, operating systems designers have explored how to build “secure” operating systems — operating systems whose OPERATING SYSTEM SECURITY mechanisms protect the system against a motivated adversary. Recently, the importance of ensuring such security has become a mainstream issue for all operating systems. In this book, we examine past research that outlines the requirements for a secure operating system and research that implements example systems that aim for such requirements. For system designs that aimed to satisfy these requirements, we see that the complexity of software systems often results in implementation challenges that we are still exploring to this day. However, if a system design does not aim for achieving the secure operating system requirements, then its security features fail to protect the system in a myriad of ways. We also study systems that have been retrofit with secure operating system features after an initial deployment. In all cases, the conflict between function on one hand and security on the other leads to difficult choices and the potential for unwise compromises. From this book, we hope that systems designers and implementers will learn the requirements for operating systems that effectively enforce Trent Jaeger security and will better understand how to manage the balance between function and security. About SYNTHESIs Morgan Claypool This volume is a printed version of a work that appears in the Synthesis Digital Library of Engineering and Computer Science. Synthesis Lectures provide concise, original presentations of important research and development topics, published quickly, in digital and print formats. For more information & visit www.morganclaypool.com S YNTHESIS L ECTURES ON ISBN: 978-1-59829-212-1 I NFORMATION S ECURITY , P RIV ACY, AND T RUST & 90000 Morgan Claypool Publishers w w w . m o r g a n c l a y p o o l . c o m 9 781598 292121 Ravi Sandhu, Series Editor G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 9

  10. Confused Deputy Problem Permission holder (Android system) may be tricked into using its permissions (sensor access) based on a misleading/malicious request (from an app) Typically related to servers being tricked into unauthorized file access E.g., web server serving a password file by mishandling malicious request Goal in this case : System only grants sensor access when system and user approve How does the Android system validate user approval? How do users know what they are approving? Good news : Android system can capture all user input events G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 10

  11. Proposed Defenses Input-Driven Access Control (IDAC) Authorize an operation request that immediately follows a user input event User inputs associated with operation authorizations Binding between the user inputs and the authorized operations still unknown to the system! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 11

  12. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets associated with particular operations Binding between the user input and the authorized operation explicit to the system Binding still not explicit to the user! G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 12

  13. Limitations of Prior Work Leverage the user as weak link to circumvent protection mechanisms! “User Interface Attacks” User may fail to: Identify the application requesting sensor access Recognize subtle changes in the Graphic User Interface (GUI) Understand the operation granted by a particular gadget G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 13

  14. User Interface Attacks (Bait-and-Switch) Window A x Interac(on #1 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 14

  15. User Interface Attacks (Bait-and-Switch) Window A x Interac(on #2 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 15

  16. User Interface Attacks (Bait-and-Switch) Window A x Interac(on #3 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 16

  17. User Interface Attacks (Bait-and-Switch) Window A x Interac(on #4 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 17

  18. User Interface Attacks (Bait-and-Switch) Window A x Interac(on #5 G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 18

  19. User Interface Attacks (Bait-and-Switch) Window A x The applica*on maintained Interac(on #4 the windowing display context but switched the widget to record audio “Bait-and-Switch A:ack” G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 19

  20. User Interface Attacks (Application Spoofing) Window A x G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 20

  21. User Interface Attacks (Application Spoofing) Window A x A click by the user allows the Legi(mate App to record audio G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 21

  22. User Interface Attacks (Application Spoofing) Window A x “Applica(on Spoofing A:ack” A click by the user allows the Spoofing App to record audio G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 22

  23. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets Compatibility Issue associated with particular operations G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 23

  24. Proposed Defenses User-Driven Access Control (UDAC) Applications must use system-defined gadgets associated with particular operations 3,000,000+ apps Need Redesign No Customization G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 24

  25. Research Objectives Prevent User Interface Attacks Maintain a low authorization effort for the user Ensure compatibility with existing applications Ensure a performance overhead not perceivable by the user G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 25

  26. Preventing Operation Switching Attacks Goal : Prevent applications from changing the mapping between a widget and the associated operation Window A x Take Photo Record Video G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 26-1

  27. Preventing Operation Switching Attacks Goal : Prevent applications from changing the mapping between a widget and the associated operation Window A x Take Photo Record Video G. Petracca et al. - AW ARE : Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings 26-2

Recommend


More recommend