the betrayal at cloud city
play

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based - PowerPoint PPT Presentation

Nov 12, 2022 •320 likes •1.33k views

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends Omar Alrawi* , Chaoshun Zuo * , Ruian Duan, Ranjita Pai Kasturi, Zhiqiang Lin, Brendan Saltaformaggio *First Co-Authors Conference Conference Conference More

  1. The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends Omar Alrawi* , Chaoshun Zuo * , Ruian Duan, Ranjita Pai Kasturi, Zhiqiang Lin, Brendan Saltaformaggio *First Co-Authors

  2. Conference

  3. Conference

  4. Conference

  5. More Than What’s on The Surface

  6. Mobile App More Than What’s on The Surface

  7. Mobile App More Than What’s on The Surface Cloud Backend

  8. Mobile App More Than What’s on The Surface Web App Cloud Backend

  9. Mobile App More Than What’s on The Surface Web App Software Services Cloud Backend

  10. Mobile App More Than What’s on The Surface Web App Software Services Operating System Cloud Backend

  11. Mobile App More Than What’s on The Surface Web App Software Services Operating System Cloud Backend (v)Hardware

  12. Mobile Backends All Over the News

  13. Mobile Backends All Over the News

  14. Mobile Backends All Over the News

  15. Prior Work • The rise of backends • Acar et al. "SoK: Lessons learned from android security research for appified software platforms." IEEE S&P , 2016.

  16. Prior Work • The rise of backends • Acar et al. "SoK: Lessons learned from android security research for appified software platforms." IEEE S&P , 2016. • Evolution of backends

  17. Prior Work • The rise of backends • Acar et al. "SoK: Lessons learned from android security research for appified software platforms." IEEE S&P , 2016. • Evolution of backends • App Thinning 1 [1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019

  18. Prior Work • The rise of backends • Acar et al. "SoK: Lessons learned from android security research for appified software platforms." IEEE S&P , 2016. • Evolution of backends • App Thinning 1 • Security of Backends [1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019

  19. Prior Work • The rise of backends • Acar et al. "SoK: Lessons learned from android security research for appified software platforms." IEEE S&P , 2016. • Evolution of backends • App Thinning 1 • Security of Backends • Zuo et al. "Authscope: Towards automatic discovery of vulnerable authorizations in online services." ACM CCS ., 2017 • Zuo et al. "Why does your data leak? uncovering the data leakage in cloud from mobile apps.” IEEE S&P . 2019 • Appthority 2 [1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019 [2] K. Watkins, “HospitalGown: The Backend Exposure Putting Enterprise Data at Risk,” Appthority, Tech. Rep., 2017.

  20. Mel is an app developer. Mel just wants to ship his killer app.

  21. Mobile App Web App Software Services Mel is an app Operating System developer. (v)Hardware Mel just wants to ship his killer app.

  22. Let’s Help Mel

  23. Challenges for Mel Let’s Help Mel

  24. Challenges for Mel • What backends does my app use? Let’s Help Mel

  25. Challenges for Mel • What backends does my app use? • How do I check if they are secure? Let’s Help Mel

  26. Challenges for Mel • What backends does my app use? • How do I check if they are secure? Let’s Help Mel • How do I fix them?

  27. Challenges for Mel • What backends does my app use? • How do I check if they are secure? Let’s Help Mel • How do I fix them? • Can I fix them (attribution)?

  28. Challenges for Mel • What backends does my app use? • How do I check if they are secure? Let’s Help Mel • How do I fix them? • Can I fix them (attribution)?

  29. Challenges for Mel • What backends does my app use? • How do I check if they are secure? Let’s Help Mel • How do I fix them? • Can I fix them (attribution)? Mel’s Dream: Upload APK and vet all backends!

  30. What Backends My App Uses?

  31. What Backends My App Uses?

  32. What Backends My App Uses?

  33. What Backends My App Uses?

  34. What Backends My App Uses?

  35. What Backends My App Uses?

  36. How Many Backends?

  37. How Many Backends? 10 or More Unique Backends on Average

  38. How Many Backends? 10 or More Unique Backends on Average

  39. How Do I Check If They Are Secure?

  40. How Do I Check If They Are Secure?

  41. First: Bug finding via input perturbation How Do I Check If They Are Secure?

  42. First: Bug finding via input perturbation How Do I Check If They Are Secure?

  43. First: Bug finding via input perturbation How Do I Check If They Are Secure?

  44. First: Bug finding via input perturbation How Do I Check If They Are Secure?

  45. First: Bug finding via input perturbation How Do I Check If They Are Secure? SQLi, XSS, XXE

  46. How Do I Check If They Are Secure?

  47. Second: Scan services for known vulnerabilities How Do I Check If They Are Secure?

  48. Second: Scan services for known vulnerabilities 65K Ports How Do I Check If They Are Secure?

  49. Second: Scan services for known vulnerabilities 65K Ports How Do I Check If They Are Secure?

  50. Second: Scan services for known vulnerabilities 65K Ports How Do I Check If They Are Secure?

  51. Second: Scan services for known vulnerabilities 65K Ports How Do I Check If They Are Secure?

  52. Second: Scan services for known vulnerabilities 65K Ports How Do I Check If They Are Secure?

  53. Can I Fix Them?

  54. Mobile App Web App Software Services Can I Fix Them? Operating System (v)Hardware

  55. First-Party: If Mel owns the whole stack Mobile App Web App Software Services Can I Fix Them? Operating System (v)Hardware

  56. First-Party: If Mel owns the whole stack Mobile App Mel is responsible for this portion Web App Software Services Can I Fix Them? Operating System (v)Hardware

  57. Mobile App Web App Software Services Can I Fix Them? Operating System (v)Hardware

  58. Third-Party: If Mel uses an SDK Mobile App SDK Access Web App Software Services Can I Fix Them? Operating System No Access! (v)Hardware

  59. Mobile App Web App Software Services Can I Fix Them? Operating System (v)Hardware

  60. Hybrid: If Mel uses a rented platform Mobile App Mel is responsible for this portion Web App Software Services Can I Fix Them? Operating System (v)Hardware

  61. Hybrid: If Mel uses a rented platform Mobile App Mel is responsible for this portion Web App Software Services Can I Fix Them? Operating System Platform Provider is responsible Rented! for this portion (v)Hardware

  62. How Do I Fix Them?

  63. How Do I Fix Them?

  64. How Do I Fix Them? Data Aggregation and Consolidation

  65. How Do I Fix Them? Data Aggregation and Consolidation

  66. How Do I Fix Them? Data Aggregation and Consolidation

  67. How Do I Fix Them? Data Aggregation and Consolidation

  68. Geo and Net Distribution How can Mel be expected to solve everything?

  69. Google Play Store

  70. Google Play Store • Top 5,000 apps from August 2018

  71. Google Play Store • Top 5,000 apps from August 2018 • We found • Over 600 0-DAY • Over 900 N-DAY

  72. Google Play Store Mobile App • Top 5,000 apps from August 2018 Web App • We found Software Services • Over 600 0-DAY • Over 900 N-DAY Operating System (v)Hardware

  73. Google Play Store Mobile App • Top 5,000 apps from August 2018 Web App • We found Software Services • Over 600 0-DAY • Over 900 N-DAY • 0-day vulnerabilities affect web Operating System apps (v)Hardware

  74. Google Play Store Mobile App • Top 5,000 apps from August 2018 Web App • We found Software Services • Over 600 0-DAY • Over 900 N-DAY • 0-day vulnerabilities affect web Operating System apps • N-day affects software below the (v)Hardware web apps

  75. Overall Vulnerabilities

  76. Overall Vulnerabilities Over 1,600 Vulnerability Instances

  77. Overall Vulnerabilities

  78. Overall Vulnerabilities Over 600 ZERO-DAYS!

  79. Overall Vulnerabilities

  80. Overall Vulnerabilities Audited over 9,000 backends

  81. Overall Vulnerabilities

  82. Overall Vulnerabilities Over 1,000 third-party backends. Used by multiple mobile apps!

  83. Top Vulnerabilities

  84. Top Vulnerabilities

  85. Top Vulnerabilities

  86. Top Vulnerabilities

  87. Top Vulnerabilities

  88. Top Vulnerabilities

  89. Top Vulnerabilities BEWARE: Can Install Malicious Apps Through Redirection

  90. Top Vulnerabilities

  91. Top Vulnerabilities

  92. Top Zero-Day Vulnerabilities

  93. Top Zero-Day Vulnerabilities

  94. Top Zero-Day Vulnerabilities

  95. http tps: s://Mobil bileBackend.vet

  96. What’s Next? WORKING WITH 3 RD NOTIFICATION IMPACT ON APP USERS PARTY LIBRARIES

Recommend

A cloud robotics architecture for an emergency management and monitoring service in a smart city

A cloud robotics architecture for an emergency management and monitoring service in a smart city

A cloud robotics architecture for an emergency management and monitoring service in a smart city environment G. Ermacora, A. Toma, B. Bona, M. Chiaberge, M. Silvagni, M. Gaspardone, R. Antonini Fly4smartcity Cloud computing + UAV (Smart) city

511 views • 14 slides
Linguistic Harbingers of Betrayal me, Vlad Niculae , Cornell University with

Linguistic Harbingers of Betrayal me, Vlad Niculae , Cornell University with

Linguistic Harbingers of Betrayal me, Vlad Niculae , Cornell University with Srijan Kumar , University of Maryland College Park Jordan Boyd-Graber , University of Colorado Boulder and Cristian Danescu-Niculescu-Mizil

1.05k views • 79 slides
Tmeless Dz CHANNEL tdc tdc Love, family, betrayal, intrigue... Emotions have no

Tmeless Dz CHANNEL tdc tdc Love, family, betrayal, intrigue... Emotions have no

Tmeless Dz CHANNEL tdc tdc Love, family, betrayal, intrigue... Emotions have no geographical boundaries. Turkey has produced the highest number of fjctions ranked among the best-performing drama series outside its home country.* Turkey

517 views • 20 slides
Video Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Video Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Video Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation & salvation Acceptance Provision Occupation ! drive us to be the Hands, Feet & Voice of Jesus Jacob - deceiver/schemer Israel - Prince of God

326 views • 20 slides
Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation & salvation Lisa Jennings Racine Rens 1 Now Joseph had been taken down to Egypt. Potiphar, an Egyptian who was one of Pharaohs officials, the

568 views • 20 slides
Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation &

Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation & salvation 25 So they went up out of Egypt and came to their father Jacob in the land of Canaan. 26 They told him, Joseph is still alive! In fact, he is

486 views • 13 slides
Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come from? Why Cloud? Cloud for small, medium, enterprise, and government Barriers to adoption Embracing Cloud Social Mobile Cloud

972 views • 45 slides
Gangs of New York Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal,

Gangs of New York Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal,

Gangs of New York Joseph April 20th - Sept 21st a new sermon series - jealousy, betrayal, temptation & salvation Then Joseph could not control himself before all those who stood by him. He cried, Make everyone go out from me. So no

618 views • 25 slides
SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud Tour of the buzzwords, myths and realities Whats in store for me, the boss, the company, the industry? Your cloud, our cloud their

224 views • 19 slides
CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

Cornell CS5412 Cloud Computing (Spring 2015) 1 CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is cheaper! The cloud business model is growing at an unparalleled pace without any limit in sight

632 views • 45 slides
CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

1 CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is cheaper The cloud business model is growing at an unparalleled pace without any limit in sight In the future everything will be on the cloud

945 views • 65 slides
The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2% of total US energy

The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2% of total US energy

The Data Furnace: Heating Up with Cloud Computing Jie Liu , Michel Goraczko, Jiakang Lu Sean James, Christian Belady Kamin Whitehouse Microsoft University of Virginia The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2%

551 views • 16 slides
THE KISS OF BETRAYAL Mark 14:43-52 EVENTS OF PASSOVER WEEK: 1. Jesus has a coronation as King.

THE KISS OF BETRAYAL Mark 14:43-52 EVENTS OF PASSOVER WEEK: 1. Jesus has a coronation as King.

THE KISS OF BETRAYAL Mark 14:43-52 EVENTS OF PASSOVER WEEK: 1. Jesus has a coronation as King. 2. Jesus goes into the temple and clears the money changers. (Mark 11:18) 3. Jesus authority is in question. EVENTS OF PASSOVER WEEK: 4. Jesus

482 views • 32 slides
Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing Understanding: Distributed Application Design Resource Management Automation Virtualized Computing Environments High-performance Computing

1.02k views • 49 slides
NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises Connecting clouds New workloads Components to disrupt SOFTLAYER CAPABILITIES OVERVIEW 5 GLOBAL CLOUD PLATFORM Unified architecture enabled by

390 views • 17 slides
github.com/18F/cg-workshop I Want You to use cloud.gov : Focus on mission " :

github.com/18F/cg-workshop I Want You to use cloud.gov : Focus on mission " :

09:00 Welcome Shashank Khandelwal 09:10 cloud.gov Overview 09:40 cloud.gov Hands-on I 10:20 Break 10:30 Federalist Will Slack 10:40 cloud.gov Hands-on II 11:30 Q & A github.com/18F/cg-workshop I Want You to use cloud.gov

461 views • 34 slides
Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core

Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core

Banking in the Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core most banking initiatives will be in the cloud John Schlesinger Changing Cloud Adoption in Financial Services Over 100

561 views • 20 slides
Optimizing Energy Efficiency at City of Saint Cloud Wastewater Treatment Plant Emily Campion

Optimizing Energy Efficiency at City of Saint Cloud Wastewater Treatment Plant Emily Campion

Optimizing Energy Efficiency at City of Saint Cloud Wastewater Treatment Plant Emily Campion Advisor: AJ Van den Berghe Company Overview Treats industrial, commercial, and residential wastewater prior to discharge into the Mississippi

632 views • 16 slides
A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is highly scalable, and managed infrastructure capable of hosting end- customer applications and billed by consumption. - Forrester Virtual

399 views • 6 slides
Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland, Marketing Director, Elastifile Agenda Why Cloud? How Cloud? Real-World Example Why Cloud? IC Design Complexity is Steadily Increasing Process

604 views • 31 slides
Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ

Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ

Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ Platform is Crayons Cloud Service Scaling Engine. Offering best in class self- provisioning, billing and reporting capabilities to

346 views • 12 slides
Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON

Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON

Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON 2010 Building a Private Cloud with Ubuntu Server 10.04 Enterprise Cloud (Eucalyptus) OSCON 2010 (Note: Special thanks to Jim Beasley, my lead Cloud

604 views • 37 slides
SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right?

SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right?

SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right? Maybe you use AWS or Azure? Allowing pay-as-you-go model for IT infrastructure and toward dynamic software-defined service delivery.

168 views • 16 slides
Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud

Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud

Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud Infrastructure CERN Cloud Team Who am I? Outlines Introduction CERN Cloud service Automation status Upcoming challenges Improvement

799 views • 34 slides

More recommend