CamFlow: Managed Data-sharing for Cloud Services

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within `Internet of Things' architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner's control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners' dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. [...]Comment: 14 pages, 8 figure

ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code

Establishing mandatory access control on Android OS

Common characteristic of all mobile operating systems for smart devices is an extensive middleware that provides a feature-rich API for the onboard sensors and user’s data (e.g., contacts). To effectively protect the device’s integrity, the user’s privacy, and to ensure non-interference between mutually distrusting apps, it is imperative that the middleware enforces rigid security and privacy policies. This thesis presents a line of work that integrates mandatory access control (MAC) mechanisms into the middleware of the popular, open source Android OS. While our early work established a basic understanding for the integration of enforcement hooks and targeted very specific use-cases, such as multi-persona phones, our most recent works adopt important lessons learned and design patterns from established MAC architectures on commodity systems and intertwine them with the particular security requirements of mobile OS architectures like Android. Our most recent work also complemented the Android IPC mechanism with provisioning of better provenance information on the origins of IPC communication. Such information is a crucial building block for any access control mechanism on Android. Lastly, this dissertation outlines further directions of ongoing and future research on access control on modern mobile operating systems.Gemeinsame Charakteristik aller modernen mobilen Betriebssysteme für sog. ”smart devices” ist eine umfangreiche Diensteschicht, die funktionsreiche Programmierschnittstellen zu der Gerätehardware sowie den Endbenutzerdaten (z.B. Adressbuch) bereitstellt. Um die Systemintegrität, die Privatsphäre des Endbenutzers, sowie die Abgrenzung sich gegenseitig nicht vertrauender Apps effektiv zu gewährleisten, ist es unabdingbar, dass diese Diensteschichten rigide Sicherheitspolitiken umsetzen. Diese Dissertation präsentiert mehrere Forschungsarbeiten, die “Mandatory Access Control” (MAC) in die Diensteschicht des weit verbreiteten Android Betriebssystems integrieren. Die ersten dieser Arbeiten schufen ein grundlegendes Verständnis für die Integration von Zugriffsmechanismen in das Android Betriebssystem und waren auf sehr spezielle Anwendungsszenarien ausgerichtet. Neuere Arbeiten haben hingegen wichtige Erkenntnisse und Designprinzipien etablierter MAC Architekturen auf herkömmlichen Betriebssystemen für Android adaptiert und mit den speziellen Sicherheitsanforderungen mobiler Systeme verflochten. Die letzte Arbeit in dieser Reihe hat zudem Androids IPC Mechanismus untersucht und dahingehend ergänzt, dass er bessere Informationen über den Ursprung von IPC Nachrichten bereitstellt. Diese Informationen sind fundamental für jedwede Art von Zugriffskontrolle auf Android. Zuletzt diskutiert diese Dissertation aktuelle und zukünftige Forschungsthemen für Zugriffskontrollen auf modernen, mobilen Endgeräten

Towards Modular and Flexible Access Control on Smart Mobile Devices

Smart mobile devices, such as smartphones and tablets, have become an integral part of our daily personal and professional lives. These devices are connected to a wide variety of Internet services and host a vast amount of applications, which access, store and process security- and privacy-sensitive data. A rich set of sensors, ranging from microphones and cameras to location and acceleration sensors, allows these applications and their back end services to reason about user behavior. Further, enterprise administrators integrate smart mobile devices into their IT infrastructures to enable comfortable work on the go. Unsurprisingly, this abundance of available high-quality information has made smart mobile devices an interesting target for attackers, and the number of malicious and privacy-intrusive applications has steadily been rising. Detection and mitigation of such malicious behavior are in focus of mobile security research today. In particular, the Android operating system has received special attention by both academia and industry due to its popularity and open-source character. Related work has scrutinized its security architecture, analyzed attack vectors and vulnerabilities and proposed a wide variety of security extensions. While these extensions have diverse goals, many of them constitute modifications of the Android operating system and extend its default permission-based access control model. However, they are not generic and only address specific security and privacy concerns. The goal of this dissertation is to provide generic and extensible system-centric access control architectures, which can serve as a solid foundation for the instantiation of use-case specific security extensions. In doing so, we enable security researchers, enterprise administrators and end users to design, deploy and distribute security extensions without further modification of the underlying operating system. To achieve this goal, we first analyze the mobile device ecosystem and discuss how Android's security architecture aims to address its inherent threats. We proceed to survey related work on Android security, focusing on system-centric security extensions, and derive a set of generic requirements for extensible access control architectures targeting smart mobile devices. We then present two extensible access control architectures, which address these requirements by providing policy-based and programmable interfaces for the instantiation of use-case specific security solutions. By implementing a set of practical use-cases, ranging from context-aware access control, dynamic application behavior analysis to isolation of security domains we demonstrate the advantages of system-centric access control architectures over application-layer approaches. Finally, we conclude this dissertation by discussing an alternative approach, which is based on application-layer deputies and can be deployed whenever practical limitations prohibit the deployment of system-centric solutions

Preventing Capability Abuse through Systematic Analysis of Exposed Interface

Connectivity and interoperability are becoming more and more critical in today’s software and cyber-physical systems. Different components of the system can better collaborate, enabling new innovation opportunities. However, to support connectivity and interoperability, systems and applications have to expose certain capabilities, which inevitably expands their attack surfaces and increases the risk of being abused. Due to the complexity of software systems and the heterogeneity of cyber-physical systems, it is challenging to secure their exposed interfaces and completely prevent abuses. To address the problems in a proactive manner, in this dissertation, we demonstrate that systematic studies of exposed interfaces and their usage in the real world, leveraging techniques such as program analysis, can reveal design-level, implementation-level, as well as configuration-level security issues, which can help with the development of defense solutions that effectively prevent capability abuse. This dissertation solves four problems in this space. First, we detect inconsistent security policy enforcement, a common implementation flaw. Focusing on the Android framework, we design and build a tool that compares permissions enforced on different code paths and identifies the paths enforcing weaker permissions. Second, we propose the Application Lifecycle Graph (ALG), a novel modeling approach to describing system-wide app lifecycle, to assist the detection of diehard behaviors that abuse lifecycle interfaces. We develop a lightweight runtime framework that utilizes ALG to realize fine-grained app lifecycle control. Third, we study real-world programmable logic controller programs for identifying insecure configurations that can be abused by adversaries to cause safety violations. Lastly, we conduct the first systematic security study on the usage of Unix domain sockets on Android, which reveals both implementation flaws and configuration weaknesses.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/149960/1/yurushao_1.pd