earp principled storage sharing and protection for mobile
play

Earp: Principled Storage, Sharing, and Protection for Mobile Apps - PowerPoint PPT Presentation

Earp: Principled Storage, Sharing, and Protection for Mobile Apps Yuanzhong Xu , Tyler Hunt, Youngjin Kwon, Martin Georgiev, Vitaly Shmatikov , Emmett Witchel UT !Austin, ! Cornell !Tech Santa !Clara, !CA, !3/18/2016 Desktop


  1. 
 Earp: Principled Storage, Sharing, and Protection for Mobile Apps Yuanzhong Xu , Tyler Hunt, Youngjin Kwon, Martin Georgiev, 
 Vitaly Shmatikov † , Emmett Witchel UT !Austin, ! † Cornell !Tech 
 Santa !Clara, !CA, !3/18/2016

  2. Desktop era • Applications mostly work individually • They rely on the OS to store and exchange data, in the form of files OS Files 2

  3. Data protection in desktop era OS protects data: • File ownership and file handle permissions access control checks • App processes hold file OS handles (file descriptors) Files 3

  4. Mobile era contacts, calendar, media storage collections • Apps interact with each other as much as with user login the platform — an app “ecosystem” • “Hub” apps provide services to other apps OS (Platform) 4

  5. Data protection in mobile platforms contacts, calendar, media storage collections Check what apps have access to what data access control checks • Apps check user login interactions • Platform checks file access control checks access OS (Platform) 5

  6. No principled solution for app-level checks photo album • Different data models — contact info how data structures access control checks represent semantics calendar events • Different protection requirements Different high-level semantics: • Developers have to write not just files! ad hoc checks 6

  7. How would a developer write ad hoc checks? Example: implement a DB rows photo manager … 1. Design a data model • Organize photos with albums Photo files Thumbnails • Maintain metadata in database • Keep indexes to files 7

  8. How would a developer write ad hoc checks? Example: implement a DB rows photo manager 2. Define protection requirements public • Each app can have its own Photo files private photos and albums Thumbnails • Apps share some public photos and albums 8

  9. How would a developer write ad hoc checks? Problem: ad hoc checks are hard, Example: implement a error-prone DB rows photo manager 3. Implement the protection • Implement fine-grained permissions 
 Photo files — ACL columns in DB, append Thumbnails WHERE clauses in queries Transfer via IPC, no direct file access… • Protect files 
 • What if we want a group of — permission bits not enough for many apps apps to access photos? • How to change permissions? • How to hide location info What is the API? about a photo? 9

  10. Reality: all-or-nothing “protection” Specifications DB rows • Developers give up fine-grained protection… Photo files • Let apps have access to either all Thumbnails or none of the photos! • Violates the principle of least privilege 10

  11. Reality: apps have insufficient protection • iOS: Snapchat automatically saves photos to shared gallery • Android: Dropbox stores files in public external storage • Firefox OS: email attachments copied to public SD card when opened • Mistakes in network-based authentication protocols (OAuth): • Sun et al. CCS ’12, Viennot et al. SIGMETRICS ’14

  12. Ideally: separate specification from enforcement Specifications DB rows • App specifies data model with public protection requirement Photo files Thumbnails Enforcement access control checks • Platform enforces protection, 
 OS (Platform) no ad hoc checks in apps 12

  13. Problem: semantic gap in existing platforms Specifications DB rows Highly structured 
 public app-level data Photo files Thumbnails No visibility to structures Enforcement access control checks Unstructured byte OS (Platform) ? ? ? streams 13 13

  14. Platform needs to understand structured data Specifications DB rows Highly structured 
 public app-level data Photo files Thumbnails Enforcement access control checks Platform-level structured OS (Platform) abstraction & protection 14

  15. Earp 4. Uniform API: subset descriptor 
 1. Make relational model — capability handle, representing an access a platform-level abstraction control view (but more than just a DB view) App specify desc Relational Platform 2. Integrate protection requirements with the data model — annotated 3. Platform enforces protection for the app relational schema 15

  16. Unify storage and inter-app services No need for OAuth Service callbacks App function add () {…}; Proxy function list() {…}; … desc Relational Platform Virtual Virtual Virtual Database or table table tables 16 16

  17. Subset descriptors are flexible downgrade: add more restrictions e.g., exclude some sensitive rows/columns desc open desc transfer: desc (temporarily) delegate access to another app database/service 17

  18. Photo manager example revisited objects in different tables Operations: • View photos directly albums photos textual tags • View photos in an album • Search photos with a certain tag FILE-type column 18

  19. Photo manager example revisited objects in different tables Protection requirements: • Each app has its own private albums photos textual tags photos and albums • Apps share public photos and albums public 19

  20. Specify protection in data model #1 albums photos textual tags Per-object permissions (per-row ACLs) 20

  21. Fine-grained permissions are insufficient Problem with permissions only: sharing collections of data. albums photos textual tags Need to transitively updating ACLs of many objects! • Complicated permission management Share this • Consistency challenge album? 21

  22. Specify protection in data model #2 confers access confers access Capability relationships: Cross-table relationships can confer access albums photos textual tags rights, in one direction (red arrows). • Avoid transitively updating ACLs • Achieve flexible access control with simple ACLs 22

  23. Done! Data model is specified. Let the platform enforce protection! 23

  24. But there is an efficiency challenge confers access confers access Capability relationships make 
 albums photos textual tags access rights on one object may depend on other objects Cross-table checks for every access? 24

  25. Minimize cross-table checks with descriptors successful query proves access Solution: “ buffer ” computed access rights in descriptors • E.g., derive fine-grained descriptors based on query d1 d3 results d0 d2 Directly allow access to the photo 25

  26. Making it simpler to use • Simple high-level APIs that hide object graph details about descriptors APIs • Automates descriptor creation and management desc database 26

  27. Implementation: browser-based platform A modified Firefox OS: • Apps written purely in Web App sandbox code (HTML5, JavaScript) APP in JavaScript • Structured APIs implemented object graph library in the platform (browser) API for structured data JavaScript Engine Earp reference monitor Paper discusses ways to apply SQLite databases services Earp innovations to Android DOM Browser runtime (platform) 27

  28. List of Earp apps Local apps Proxies for remote services • Photo manager • Egg-based social service • Contacts • Google Drive • Access control based on • Per-app private folders categories and data fields • Email • Temporary, restricted access to attachments 28

  29. Expressive access control can be efficient Microbenchmarks: mostly outperforms baseline (Firefox OS) • Earp apps directly use SQLite, and access control is efficient • Firefox OS apps use IndexedDB (built on top of SQLite) 29

  30. Expressive access control can be efficient remote latecy: local latency: Macrobenchmarks for remote proxy<->remote app<->proxy services Elgg read • Local proxies add 2% - 8% Elgg write latency Google Drive read Google Drive write 30

  31. Conclusion • Inconsistent data abstractions in existing platforms • App: inter-related, structured data objects • Platform: unstructured byte streams • Earp provides structured data as a platform-level abstraction • Principled storage, sharing, and protection 31

Recommend


More recommend