38,132 research outputs found
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect
phones, tablets, and many different types of consumer electronics. While
Android's permission model is well studied, the enforcement of the protection
policy has received relatively little attention. Much of this enforcement is
spread across system services, taking the form of hard-coded checks within
their implementations. In this paper, we propose Authorization Check Miner
(ACMiner), a framework for evaluating the correctness of Android's access
control enforcement through consistency analysis of authorization checks.
ACMiner combines program and text analysis techniques to generate a rich set of
authorization checks, mines the corresponding protection policy for each
service entry point, and uses association rule mining at a service granularity
to identify inconsistencies that may correspond to vulnerabilities. We used
ACMiner to study the AOSP version of Android 7.1.1 to identify 28
vulnerabilities relating to missing authorization checks. In doing so, we
demonstrate ACMiner's ability to help domain experts process thousands of
authorization checks scattered across millions of lines of code
What lies beneath? The role of informal and hidden networks in the management of crises
Crisis management research traditionally focuses on the role of formal communication networks in the escalation and management of organisational crises. Here, we consider instead informal and unobservable networks. The paper explores how hidden informal exchanges can impact upon organisational decision-making and performance, particularly around inter-agency working, as knowledge distributed across organisations and shared between organisations is often shared through informal means and not captured effectively through the formal decision-making processes. Early warnings and weak signals about potential risks and crises are therefore often missed. We consider the implications of these dynamics in terms of crisis avoidance and crisis management
Constraining application behaviour by generating languages
Writing a platform for reactive applications which enforces operational
constraints is difficult, and has been approached in various ways. In this
experience report, we detail an approach using an embedded DSL which can be
used to specify the structure and permissions of a program in a given
application domain. Once the developer has specified which components an
application will consist of, and which permissions each one needs, the
specification itself evaluates to a new, tailored, language. The final
implementation of the application is then written in this specialised
environment where precisely the API calls associated with the permissions which
have been granted, are made available.
Our prototype platform targets the domain of mobile computing, and is
implemented using Racket. It demonstrates resource access control (e.g.,
camera, address book, etc.) and tries to prevent leaking of private data.
Racket is shown to be an extremely effective platform for designing new
programming languages and their run-time libraries. We demonstrate that this
approach allows reuse of an inter-component communication layer, is convenient
for the application developer because it provides high-level building blocks to
structure the application, and provides increased control to the platform
owner, preventing certain classes of errors by the developer.Comment: 8 pages, 8th European Lisp Symposiu
Securing Real-Time Internet-of-Things
Modern embedded and cyber-physical systems are ubiquitous. A large number of
critical cyber-physical systems have real-time requirements (e.g., avionics,
automobiles, power grids, manufacturing systems, industrial control systems,
etc.). Recent developments and new functionality requires real-time embedded
devices to be connected to the Internet. This gives rise to the real-time
Internet-of-things (RT-IoT) that promises a better user experience through
stronger connectivity and efficient use of next-generation embedded devices.
However RT- IoT are also increasingly becoming targets for cyber-attacks which
is exacerbated by this increased connectivity. This paper gives an introduction
to RT-IoT systems, an outlook of current approaches and possible research
challenges towards secure RT- IoT frameworks
- …