mobile applications and
play

Mobile Applications and Cloud Computing Mobile Applications and - PowerPoint PPT Presentation

Security aspects in Mobile Applications and Cloud Computing Mobile Applications and Cloud Computing 2015 Leonardo Aniello, Ph.D. aniello@dis.uniroma1.it Outline Security aspects in mobile applications Current situation Security


  1. Security aspects in Mobile Applications and Cloud Computing Mobile Applications and Cloud Computing 2015 Leonardo Aniello, Ph.D. aniello@dis.uniroma1.it

  2. Outline • Security aspects in mobile applications • Current situation • Security measures • Security weaknesses • Ongoing theses • Security aspects in cloud computing • Security categories • Some known attacks • Case study: SUNFISH • Topics for theses

  3. Outline • Security aspects in mobile applications • Current situation • Security measures • Security weaknesses • Ongoing theses Sufatrio, Darell J. J. Tan, Tong-Wei Chua, Vrizlynn L. L. Thing “ Securing Android: A Survey, Taxonomy, and Challenges ” ACM Comput. Surv. 47(4): 58 (2015)

  4. Security aspects in mobile applications Current situation • Pervasive spread of smart mobile devices (i.e., smartphones and tablets) • Still growing, 5.6 billion devices expected in 2019 • Android holds about 80% of global market share • This is why Android became the best target of malware attacks • High convenience for attackers • ROI

  5. Security aspects in mobile applications Current situation Symantec, Internet Security Threat Report, April 2015

  6. Security aspects in mobile applications Current situation Symantec, Internet Security Threat Report, April 2015

  7. Security aspects in mobile applications Current situation Symantec, Internet Security Threat Report, April 2015

  8. Security aspects in mobile applications Current situation Programs and files that are created to do harm Programs not obviously malicious but can be annoying or even harmful Aggressive techniques to place advertising in your device Symantec, Internet Security Threat Report, April 2015

  9. Security aspects in mobile applications Android Security Measures • Sandboxing • Provides app isolation and containment • Each app runs in its own VM and is assigned a unique Linux user ID – Permissions for all the files of the app are set so that only the user ID assigned to that app can access them – Principle of least privilege : each app has access only to the components it actually requires • Anyway it is possible to share data and services with other apps – Linux user ID sharing – Permissions

  10. Security aspects in mobile applications Android Security Measures • Permission model • Regulate sensitive API calls that access protected resources (i.e., camera, SD card, ...) • Each app requests a set of permissions at install time • The user has to grant either all or none of such permissions • App signing to verify and certify the developer • Component encapsulation to restrict access to it

  11. Security aspects in mobile applications Android Security Measures • Permission model - improved in Marshmallow • Permissions granted at runtime immediately before an app needs it http://www.phonearena.com/ http://www.androidcentral.com/

  12. Security aspects in mobile applications Security Weaknesses • Open market model • Apps easy to reverse-engineer • facilitate repackaging for malware injection • Lack of isolation for third-party libraries, such as advertisement and analytics (A&A) • Such libs may abuse granted permissions • Conversely host apps may tamper with them

  13. Security aspects in mobile applications Security Weaknesses • Vulnerabilities of Inter component communication • Apps may unintentionally expose sensitive interfaces • Malware may intercept broadcasts to stop their propagation or to steal sensitive info • Malicious apps may invoke native code through JNI to leverage memory corruption bugs

  14. Security aspects in mobile applications Ongoing Theses • Malware detection by searching for inconsistencies between distinct features • WHYPER: towards automating risk assessment of mobile applications R. Pandita, X. Xiao, W. Yang, W. Enck, T. Xie, USENIX conference on Security 2013 – Inconsistencies between app description and requested permissions • Work in progress… – Monitor consistency between correlated metrics (i.e., battery consumption and CPU usage) - invariants – When such invariants break, an anomaly occurs - malware? – Detection based on machine learning techniques – Adaptive monitoring : vary frequency and granularity of the monitoring with the aim of saving battery

  15. Security aspects in mobile applications Ongoing Theses • Obfuscation techniques for Android malware • Used by malware developers to evade detection • Trivial techniques (repackaging, disassembly & reassembly, changing package name) • Identifier renaming, Call indirection, Code reordering, Junk code insertion • Reflection, Encryption of bytecode, strings, classes • Experimental evaluation – Apply combinations of obfuscation techniques to known malware – Verify detection accuracy of main antivirus (i.e., VirusTotal)

  16. Outline • Security aspects in mobile applications • Current situation I. M. Khalil, A. Khreishah, M. Azeem • Security measures “ Cloud Computing Security: A Survey ” • Security weaknesses Computers journal 2014, 3, 1-35 • Ongoing theses • Security aspects in cloud computing • Security categories • Some known attacks • Case study: SUNFISH • Topics for theses

  17. Security aspects in cloud computing Security categories Category Description Describes the standards required to take precaution measures in cloud computing in order to prevent attacks. It governs the policies of cloud Security Standards computing for security without compromising reliability and performance. Involves network attacks such as Connection Availability, Denial of Network Service, DDoS, flooding attack, internet protocol vulnerabilities, etc. Covers authentication and access control. It captures issues that affect Access Control privacy of user information and data storage. Covers attacks that are specific to the cloud infrastructure (IaaS, PaaS Cloud Infrastructure and SaaS) such tampered binaries and privileged insiders. Covers data related security issues including data migration, integrity, Data confidentiality, and data warehousing. Table 1 in I. M. Khalil, A. Khreishah, M. Azeem : “Cloud Computing Security: A Survey”, Computers journal 2014, 3, 1 -35

  18. Security aspects in mobile applications Some known attacks • Theft of service • Denial of service • Cloud malware • Targeted shared memory • Phishing • Botnets • …

  19. Security aspects in mobile applications Case Study: SUNFISH • SecUre iNFormatIon SHaring in federated heterogeneous private clouds • Horizon2020 EU Project http://www.sunfishproject.eu/ • Problem addressed: lack of infrastructure and technology allowing Public Sector Players to federate their private clouds

  20. Security aspects in mobile applications Case Study: SUNFISH • Cloud Federation • Interconnection of more private/public clouds • On-demand resource provisioning – Face load spikes – Monetize unused resources • Data sharing among clouds – Information sharing allows to have richer datasets • Federated identity management – Single-sign-on

  21. Security aspects in mobile applications Case Study: SUNFISH Information Sharing Governance Model Policy evaluation flows Each piece of data is attached to an access policy which defines who can access it and how sensitive data PRP: Policy Retrieval Point PDP: Policy Decision Point PEP: Policy Enforcement Point PIP: Policy Information Point data requester data transformation service

  22. Security aspects in mobile applications Case Study: SUNFISH Threat Model • Altering of deployed computational logic • Altering of policy evaluation • Alter policy enforcement infrastructure

  23. Security aspects in mobile applications Case Study: SUNFISH Threat Model • Altering of deployed computational logic • Altering of policy evaluation • Alter policy enforcement infrastructure The PEP may retrieve data without enforcing access policies

  24. Security aspects in mobile applications Case Study: SUNFISH Runtime Monitoring Infrastructure

  25. Security aspects in mobile applications Case Study: SUNFISH • Other threat: data manipulation by privileged user • What if stored logs get compromised? How to secure Log DB? • An attacker could remove some entries from log DB to hide a certain data access • Need to guarantee consensus among participants about what happened so far for what concerns data accesses – What interactions took place? – In which order? • Viable solutions (impact on the deployment) – Replicated log DB, vulnerable to collusion – Also store hashes of log entries to a blockchain to overcome collusion » interesting research direction...

  26. Security aspects in mobile applications Case Study: SUNFISH The blockchain is a distributed public record of transaction, available to everyone to view and verify • A chain of blocks, where each block • consists of a header, hash of the previous block and transactions • generated every 10 minute • Once a block is part of the chain, transactions inside it are practically irreversible • One of the most popular disruptive technologies • Bitcoin is a protocol that https://bitcoin.org relies on blockchain

  27. Security aspects in mobile applications Case Study: SUNFISH Very promising technology, but… …today Bitcoin can handle a transaction rate of 7 tps … http://www.economist.com/

Recommend


More recommend