-
PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage
Authors:
Yu-Tsung Lee,
Haining Chen,
William Enck,
Hayawardh Vijayakumar,
Ninghui Li,
Zhiyun Qian,
Giuseppe Petracca,
Trent Jaeger
Abstract:
Android's filesystem access control is a crucial aspect of its system integrity. It utilizes a combination of mandatory access controls, such as SELinux, and discretionary access controls, like Unix permissions, along with specialized access controls such as Android permissions to safeguard OEM and Android services from third-party applications. However, when OEMs introduce differentiating feature…
▽ More
Android's filesystem access control is a crucial aspect of its system integrity. It utilizes a combination of mandatory access controls, such as SELinux, and discretionary access controls, like Unix permissions, along with specialized access controls such as Android permissions to safeguard OEM and Android services from third-party applications. However, when OEMs introduce differentiating features, they often create vulnerabilities due to their inability to properly reconfigure this complex policy combination. To address this, we introduce the POLYSCOPE tool, which triages Android filesystem access control policies to identify attack operations - authorized operations that may be exploited by adversaries to elevate their privileges. POLYSCOPE has three significant advantages over prior analyses: it allows for the independent extension and analysis of individual policy models, understands the flexibility untrusted parties have in modifying access control policies, and can identify attack operations that system configurations permit. We demonstrate the effectiveness of POLYSCOPE by examining the impact of Scoped Storage on Android, revealing that it reduces the number of attack operations possible on external storage resources by over 50%. However, because OEMs only partially adopt Scoped Storage, we also uncover two previously unknown vulnerabilities, demonstrating how POLYSCOPE can assess an ideal scenario where all apps comply with Scoped Storage, which can reduce the number of untrusted parties accessing attack operations by over 65% on OEM systems. POLYSCOPE thus helps Android OEMs evaluate complex access control policies to pinpoint the attack operations that require further examination.
△ Less
Submitted 27 February, 2023; v1 submitted 26 February, 2023;
originally announced February 2023.
-
PolyScope: Multi-Policy Access Control Analysis to Triage Android Systems
Authors:
Yu-Tsung Lee,
William Enck,
Haining Chen,
Hayawardh Vijayakumar,
Ninghui Li,
Daimeng Wang,
Zhiyun Qian,
Giuseppe Petracca,
Trent Jaeger
Abstract:
Android filesystem access control provides a foundation for Android system integrity. Android utilizes a combination of mandatory (e.g., SEAndroid) and discretionary (e.g., UNIX permissions) access control, both to protect the Android platform from Android/OEM services and to protect Android/OEM services from third-party apps. However, OEMs often create vulnerabilities when they introduce market-d…
▽ More
Android filesystem access control provides a foundation for Android system integrity. Android utilizes a combination of mandatory (e.g., SEAndroid) and discretionary (e.g., UNIX permissions) access control, both to protect the Android platform from Android/OEM services and to protect Android/OEM services from third-party apps. However, OEMs often create vulnerabilities when they introduce market-differentiating features because they err when re-configuring this complex combination of Android policies. In this paper, we propose the PolyScope tool to triage the combination of Android filesystem access control policies to vet releases for vulnerabilities. The PolyScope approach leverages two main insights: (1) adversaries may exploit the coarse granularity of mandatory policies and the flexibility of discretionary policies to increase the permissions available to launch attacks, which we call permission expansion, and (2) system configurations may limit the ways adversaries may use their permissions to launch attacks, motivating computation of attack operations. We apply PolyScope to three Google and five OEM Android releases to compute the attack operations accurately to vet these releases for vulnerabilities, finding that permission expansion increases the permissions available to launch attacks, sometimes by more than 10X, but a significant fraction of these permissions (about 15-20%) are not convertible into attack operations. Using PolyScope, we find two previously unknown vulnerabilities, showing how PolyScope helps OEMs triage the complex combination of access control policies down to attack operations worthy of testing.
△ Less
Submitted 8 August, 2020;
originally announced August 2020.
-
Regulating Access to System Sensors in Cooperating Programs
Authors:
Giuseppe Petracca,
Jens Grossklags,
Patrick McDaniel,
Trent Jaeger
Abstract:
Modern operating systems such as Android, iOS, Windows Phone, and Chrome OS support a cooperating program abstraction. Instead of placing all functionality into a single program, programs cooperate to complete tasks requested by users. However, untrusted programs may exploit interactions with other programs to obtain unauthorized access to system sensors either directly or through privileged servi…
▽ More
Modern operating systems such as Android, iOS, Windows Phone, and Chrome OS support a cooperating program abstraction. Instead of placing all functionality into a single program, programs cooperate to complete tasks requested by users. However, untrusted programs may exploit interactions with other programs to obtain unauthorized access to system sensors either directly or through privileged services. Researchers have proposed that programs should only be authorized to access system sensors on a user-approved input event, but these methods do not account for possible delegation done by the program receiving the user input event. Furthermore, proposed delegation methods do not enable users to control the use of their input events accurately. In this paper, we propose ENTRUST, a system that enables users to authorize sensor operations that follow their input events, even if the sensor operation is performed by a program different from the program receiving the input event. ENTRUST tracks user input as well as delegation events and restricts the execution of such events to compute unambiguous delegation paths to enable accurate and reusable authorization of sensor operations. To demonstrate this approach, we implement the ENTRUST authorization system for Android. We find, via a laboratory user study, that attacks can be prevented at a much higher rate (54-64% improvement); and via a field user study, that ENTRUST requires no more than three additional authorizations per program with respect to the first-use approach, while incurring modest performance (<1%) and memory overheads (5.5 KB per program).
△ Less
Submitted 2 August, 2018;
originally announced August 2018.
-
A Survey on Sensor-based Threats to Internet-of-Things (IoT) Devices and Applications
Authors:
Amit Kumar Sikder,
Giuseppe Petracca,
Hidayet Aksu,
Trent Jaeger,
A. Selcuk Uluagac
Abstract:
The concept of Internet of Things (IoT) has become more popular in the modern era of technology than ever before. From small household devices to large industrial machines, the vision of IoT has made it possible to connect the devices with the physical world around them. This increasing popularity has also made the IoT devices and applications in the center of attention among attackers. Already, s…
▽ More
The concept of Internet of Things (IoT) has become more popular in the modern era of technology than ever before. From small household devices to large industrial machines, the vision of IoT has made it possible to connect the devices with the physical world around them. This increasing popularity has also made the IoT devices and applications in the center of attention among attackers. Already, several types of malicious activities exist that attempt to compromise the security and privacy of the IoT devices. One interesting emerging threat vector is the attacks that abuse the use of sensors on IoT devices. IoT devices are vulnerable to sensor-based threats due to the lack of proper security measurements available to control use of sensors by apps. By exploiting the sensors (e.g., accelerometer, gyroscope, microphone, light sensor, etc.) on an IoT device, attackers can extract information from the device, transfer malware to a device, or trigger a malicious activity to compromise the device. In this survey, we explore various threats targeting IoT devices and discuss how their sensors can be abused for malicious purposes. Specifically, we present a detailed survey about existing sensor-based threats to IoT devices and countermeasures that are developed specifically to secure the sensors of IoT devices. Furthermore, we discuss security and privacy issues of IoT devices in the context of sensor-based threats and conclude with future research directions.
△ Less
Submitted 6 February, 2018;
originally announced February 2018.
-
Enabling Secure and Usable Mobile Application: Revealing the Nuts and Bolts of software TPM in todays Mobile Devices
Authors:
Ahmad-Atamli Reineh,
Giuseppe Petracca,
Janne Uusilehto,
Andrew Martin
Abstract:
The emergence of mobile applications to execute sensitive operations has brought a myriad of security threats to both enterprises and users. In order to benefit from the large potential in smartphones there is a need to manage the risks arising from threats, while maintaining an easy interface for the users. In this paper we investigate the use of Trusted Platform Model (TPM) 2.0 to develop a secu…
▽ More
The emergence of mobile applications to execute sensitive operations has brought a myriad of security threats to both enterprises and users. In order to benefit from the large potential in smartphones there is a need to manage the risks arising from threats, while maintaining an easy interface for the users. In this paper we investigate the use of Trusted Platform Model (TPM) 2.0 to develop a secure application for smartphones using Windows Phone 8.1. In particular, we suggest a framework based on remote attestation as a proxy to authenticate remote services, where the device is associated to the user and replaces the users credentials. In addition, we use the TPM 2.0 to enable secured information and data storage within the device itself. We present an implementation and performance evaluation of the suggested architecture that uses our novel attestation and authentication scheme and reveal the caveats of using software TPM in todays mobile devices.
△ Less
Submitted 9 June, 2016;
originally announced June 2016.
-
Aware: Controlling App Access to I/O Devices on Mobile Platforms
Authors:
Giuseppe Petracca,
Ahmad Atamli,
Yuqiong Sun,
Jens Grossklags,
Trent Jaeger
Abstract:
Smartphones' cameras, microphones, and device displays enable users to capture and view memorable moments of their lives. However, adversaries can trick users into authorizing malicious apps that exploit weaknesses in current mobile platforms to misuse such on-board I/O devices to stealthily capture photos, videos, and screen content without the users' consent. Contemporary mobile operating system…
▽ More
Smartphones' cameras, microphones, and device displays enable users to capture and view memorable moments of their lives. However, adversaries can trick users into authorizing malicious apps that exploit weaknesses in current mobile platforms to misuse such on-board I/O devices to stealthily capture photos, videos, and screen content without the users' consent. Contemporary mobile operating systems fail to prevent such misuse of I/O devices by authorized apps due to lack of binding between users' interactions and accesses to I/O devices performed by these apps. In this paper, we propose Aware, a security framework for authorizing app requests to perform operations using I/O devices, which binds app requests with user intentions to make all uses of certain I/O devices explicit. We evaluate our defense mechanisms through laboratory-based experimentation and a user study, involving 74 human subjects, whose ability to identify undesired operations targeting I/O devices increased significantly. Without Aware, only 18% of the participants were able to identify attacks from tested RAT apps. Aware systematically blocks all the attacks in absence of user consent and supports users in identifying 82% of social-engineering attacks tested to hijack approved requests, including some more sophisticated forms of social engineering not yet present in available RATs. Aware introduces only 4.79% maximum performance overhead over operations targeting I/O devices. Aware shows that a combination of system defenses and user interface can significantly strengthen defenses for controlling the use of on-board I/O devices.
△ Less
Submitted 7 April, 2016;
originally announced April 2016.
-
AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
Authors:
Giuseppe Petracca,
Yuqiong Sun,
Ahmad Atamli,
Trent Jaeger
Abstract:
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to co…
▽ More
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks.We design and implement AuDroid, an extension to the SELinux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
△ Less
Submitted 1 April, 2016;
originally announced April 2016.
