Semantically Rich Application-Centric Security in Android


Machigar Ongtang, Stephen McLaughlin, William Enck and Patrick McDaniel
Annual Computer Security Applications Conference (ACSAC) '09
Speaker: Kuo
NTHU CS ISLAB (National Tsing Hua University, Institute of Computer Science, Information Security Lab)
Outline
• Introduction
• Smartphone application security
• Android Security
• Application policies
• Saint Policy
• Saint Architecture
• Conclusion
Introduction
• Android permission
  [Figure: application A (callee) declares <permission "payment" />; application B (caller) declares <uses-permission "payment" /> in its manifest]
• inter-component communication (ICC): B may call A's payment component only if B holds the "payment" permission.
  [Figure: application A declares <permission "payment" />; applications B, C and D each declare <uses-permission "payment" />. Every application that requests the permission obtains the same access to A, and A cannot tell them apart]
Smartphone application security
• Example application: PersonalShopper, which relies on payment services provided by other applications.
  – PersonalShopper should only use trusted payment services.
  – PersonalShopper may want to restrict use of the service to trusted networks under safe conditions.
  – PersonalShopper may require that certain versions of the service software be used.
  – PersonalShopper may wish to ensure that transaction information is not leaked by the phone's ledger application.
Android Security
• Component Type
  – Activity components
  – Service components
  – Content provider components
  – Broadcast receiver components
• Component Interaction
Component Type
• Activity components
  – define an application's user interface
• Service components
  – perform background processing
• Content provider components
  – store and share data using a relational database interface
• Broadcast receiver components
  – act as mailboxes for messages from other applications
Component Interaction
• Developers assign each application a collection of permission labels (declared in its manifest).
• When a component initiates ICC, Android checks whether the target component's access permission label is in the caller's collection: if it is, ICC establishment proceeds.
• If the label is not in the collection, establishment is denied.
Permission
[Figure: application A (callee) declares <permission "payment" />]
• A permission is declared in the manifest with the <permission> element:
  <permission android:description="string resource"
              android:icon="drawable resource"
              android:label="string resource"
              android:name="string"
              android:permissionGroup="string"
              android:protectionLevel=["normal" | "dangerous" | "signature" | "signatureOrSystem"] />
Permission
• Permission protection levels: four protection levels
  – normal: granted to any application that requests the permission in its manifest
  – dangerous: granted only after user confirmation
  – signature: granted only to applications signed by the same developer key as the application declaring the permission
  – signatureOrSystem: acts like a signature permission but exists for legacy compatibility with the older system permission type
[Figure: three install-time scenarios in which application B (caller) requests the "payment" permission declared by application A (callee):
 – protection level normal: B is granted the permission simply by requesting it
 – protection level dangerous: B is granted the permission only after user confirmation
 – protection level signature: B is granted the permission only if it carries A's signature]
Application policies
1. permission-granting policy (install-time)
   – regulates permission assignment
2. interaction policy (run-time)
   – regulates the runtime interaction between an application and its opponent (the other party to the ICC)
Application policies
1. permission-granting policy (install-time)
   1.1 Android's protection level-based policy
   1.2 signature-based policy
       • the policy grants (or denies) the permission by default, with an exception list that denies (or grants) it to applications signed by the listed keys
   1.3 configuration-based policy
       • controls permission assignment based on the configuration parameters of the requesting application
       • Ex: application version
[Figure: signature-based install-time policy. Application A (callee) declares <permission "payment" /> together with the signature set {2233e, 9988w}; application B (caller), signed with key 2233e, declares <uses-permission "payment" /> and is allowed the permission]
Application policies
2. interaction policy (run-time)
   2.1 permission-based access control policy
   2.2 signature-based policy
       • restricts the set of opponent applications based on their signatures
   2.3 configuration-based policy
       • the application can define the desirable configurations of the opponent applications
       • Ex: application version
   2.4 phone context-based policy
       • governs runtime interactions based on context such as location, time, etc.
SAINT policy
• Install-Time Policy Enforcement
• Run-Time Policy Enforcement
• Administrative Policy
[Figure: labelled "Use pay permission from A" and "Pay permission policy from B"]
Install-Time Policy Enforcement
a. the Saint-enhanced Android installer retrieves the requested permissions from the manifest file
b. for each permission, it queries the AppPolicy provider
c. the AppPolicy provider consults its policy database and returns a decision based on matching rules
• A Saint install-time policy consists of
  – a permission label
  – an owner
    • always the application declaring the permission
  – a set of conditions
    • a collection of checks on the properties of the application requesting the permission
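The following is an added worked example, not code from the Saint paper or this deck: a Python model of the install-time decision as the slides describe it, combining Android's four protection levels (1.1), Saint's signature-based default-with-exceptions rule (1.2), its version condition (1.3) and the installer procedure above (retrieve labels, query the AppPolicy provider, decide). The class names, the policy fields and the sample applications and key fingerprints are constructed for illustration and are not Saint's real API or data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

@dataclass(frozen=True)
class App:
    name: str
    signer: str                              # fingerprint of the developer signing key
    version: int
    requests: FrozenSet[str] = frozenset()   # labels listed in <uses-permission>
    on_system_image: bool = False

@dataclass(frozen=True)
class Permission:
    label: str
    owner: App               # the application declaring the permission
    protection_level: str    # normal | dangerous | signature | signatureOrSystem

@dataclass(frozen=True)
class InstallPolicy:
    """Saint install-time policy: permission label, owner, conditions on the requester
    (hypothetical structure modelled on the deck's description)."""
    label: str
    owner: App
    default_allow: bool = True                       # 1.2: default decision ...
    signer_exceptions: FrozenSet[str] = frozenset()  # ... flipped for these signing keys
    min_version: Optional[int] = None                # 1.3: configuration (version) checks
    max_version: Optional[int] = None

def android_grants(perm: Permission, requester: App, user_confirms: bool) -> bool:
    """Android's protection level-based decision (1.1)."""
    level = perm.protection_level
    if level == "normal":
        return True
    if level == "dangerous":
        return user_confirms
    if level == "signature":
        return requester.signer == perm.owner.signer
    if level == "signatureOrSystem":
        # Like signature; Android additionally grants it to applications shipped in
        # the system image (Android documentation semantics, not stated in the deck).
        return requester.signer == perm.owner.signer or requester.on_system_image
    raise ValueError(f"unknown protection level: {level!r}")

def saint_conditions_hold(policy: InstallPolicy, requester: App) -> bool:
    """Evaluate the Saint conditions on the requesting application."""
    allowed = policy.default_allow
    if requester.signer in policy.signer_exceptions:
        allowed = not allowed               # exception list inverts the default
    if not allowed:
        return False
    if policy.min_version is not None and requester.version < policy.min_version:
        return False
    if policy.max_version is not None and requester.version > policy.max_version:
        return False
    return True

def install(requester: App, perms: Dict[str, Permission],
            policies: Dict[str, InstallPolicy], user_confirms: bool = False) -> Dict[str, str]:
    """Saint-enhanced installer: (a) read requested labels, (b) query the AppPolicy
    provider per label, (c) apply its decision, then fall through to Android's check."""
    decisions: Dict[str, str] = {}
    for label in sorted(requester.requests):
        perm = perms.get(label)
        if perm is None:
            decisions[label] = "undeclared permission"
            continue
        policy = policies.get(label)
        if policy is not None and not saint_conditions_hold(policy, requester):
            decisions[label] = "denied by Saint policy"
        elif android_grants(perm, requester, user_confirms):
            decisions[label] = "granted"
        else:
            decisions[label] = "denied by Android"
    return decisions

def demo() -> Dict[str, Dict[str, str]]:
    # Constructed sample: SecurePayer declares two permissions.  PAY is 'normal' in
    # Android terms, so plain Android would hand it to any requester; the Saint policy
    # restricts it to two trusted signing keys and to requesters of version 2 or newer.
    a = App("SecurePayer", signer="2233e", version=1)
    perms = {
        "PAY":    Permission("PAY", a, "normal"),
        "LEDGER": Permission("LEDGER", a, "signature"),
    }
    policies = {
        "PAY": InstallPolicy("PAY", a, default_allow=False,
                             signer_exceptions=frozenset({"2233e", "9988w"}),
                             min_version=2),
    }
    requesters = [
        App("PersonalShopper", signer="9988w", version=3, requests=frozenset({"PAY"})),
        App("Companion",       signer="2233e", version=2, requests=frozenset({"PAY", "LEDGER"})),
        App("FreeGame",        signer="f00d1", version=7, requests=frozenset({"PAY", "LEDGER"})),
        App("OldShopper",      signer="9988w", version=1, requests=frozenset({"PAY"})),
    ]
    return {r.name: install(r, perms, policies) for r in requesters}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the model makes visible is the one the slides motivate: under plain Android, PAY at level normal is granted to FreeGame just as readily as to PersonalShopper; with a Saint install-time policy the declaring application decides which signing keys and versions may hold its permission, while the LEDGER permission shows Android's own signature check still applying afterwards.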
Run-Time Policy Enforcement
1. the caller initiates the IPC through the middleware framework
2. Saint queries the AppPolicy provider for policies
3. the AppPolicy provider checks whether the policy conditions are satisfied, and returns the result
[Figure: a "pay" IPC from the caller to the callee is checked against the pay permission policy from B and the pay permission policy from A]
4. if the conditions are satisfied, the IPC is directed to the existing Android permission check enforcement software
5. Android then allows the IPC to continue based on traditional Android policy
• Saint enforces two types of runtime policies:
  1) access policies
     • identify the caller's security requirements on the IPC
  2) expose policies
     • identify the callee's security requirements on the IPC
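As an added example (not the paper's or the deck's code), the following Python model walks through the run-time mediation described in steps 1 to 5 and the access/expose split above, using the PersonalShopper requirements from the earlier slide as the caller's access policy: the callee must carry a trusted signature (2.2), meet a minimum version (2.3) and be used only in a safe phone context (2.4), and the payment service's expose policy restricts who may call it. Only after both Saint checks pass is the IPC handed to the traditional Android permission check. The rule structure, the field names and the sample applications, keys and contexts are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class App:
    name: str
    signer: str
    version: int
    granted: FrozenSet[str] = frozenset()   # permission labels granted at install time

@dataclass(frozen=True)
class PhoneContext:
    location: str      # e.g. "home", "airport" (2.4 phone context)
    hour: int          # local hour, 0..23

@dataclass(frozen=True)
class RuntimeRule:
    """A hypothetical Saint runtime rule.  kind="access": the caller's requirements
    on the callee; kind="expose": the callee's requirements on the caller.  Every
    condition is optional; an unset condition places no constraint."""
    kind: str
    owner: str                                          # application that defined the rule
    label: str                                          # permission protecting the IPC
    allowed_signers: Optional[FrozenSet[str]] = None    # 2.2 signature-based
    min_version: Optional[int] = None                   # 2.3 configuration-based
    allowed_locations: Optional[FrozenSet[str]] = None  # 2.4 phone context-based
    allowed_hours: Optional[Tuple[int, int]] = None     # inclusive (start, end)

    def permits(self, opponent: App, ctx: PhoneContext) -> bool:
        if self.allowed_signers is not None and opponent.signer not in self.allowed_signers:
            return False
        if self.min_version is not None and opponent.version < self.min_version:
            return False
        if self.allowed_locations is not None and ctx.location not in self.allowed_locations:
            return False
        if self.allowed_hours is not None:
            start, end = self.allowed_hours
            if not (start <= ctx.hour <= end):
                return False
        return True

def mediate(caller: App, callee: App, label: str,
            rules: List[RuntimeRule], ctx: PhoneContext) -> str:
    """Saint mediator for one IPC protected by `label` (steps 2 to 5 of the deck)."""
    for rule in rules:
        if rule.label != label:
            continue
        # access policy: the caller's own requirements on the callee it is about to use
        if rule.kind == "access" and rule.owner == caller.name and not rule.permits(callee, ctx):
            return f"denied by {caller.name} access policy"
        # expose policy: the callee's requirements on whoever calls it
        if rule.kind == "expose" and rule.owner == callee.name and not rule.permits(caller, ctx):
            return f"denied by {callee.name} expose policy"
    # Saint conditions satisfied: hand the IPC to the existing Android permission check
    if label not in caller.granted:
        return "denied by Android permission check"
    return "allowed"

def demo() -> Dict[str, str]:
    shopper = App("PersonalShopper", signer="9988w", version=3, granted=frozenset({"PAY"}))
    secure  = App("SecurePayer",  signer="2233e", version=2)
    cheap   = App("CheapPayer",   signer="f00d1", version=5)
    malware = App("FreeGame",     signer="bad00", version=1, granted=frozenset({"PAY"}))
    stale   = App("OldShopper",   signer="9988w", version=3)   # PAY never granted

    rules = [
        # PersonalShopper: only a trusted, recent payment service, only at home or
        # in the office, and only during the day
        RuntimeRule("access", "PersonalShopper", "PAY",
                    allowed_signers=frozenset({"2233e"}), min_version=2,
                    allowed_locations=frozenset({"home", "office"}), allowed_hours=(8, 20)),
        # SecurePayer: only callers signed with the shopper vendor's key may reach its pay component
        RuntimeRule("expose", "SecurePayer", "PAY", allowed_signers=frozenset({"9988w"})),
    ]
    home = PhoneContext("home", 14)
    airport = PhoneContext("airport", 14)
    return {
        "trusted_service":   mediate(shopper, secure, "PAY", rules, home),
        "untrusted_service": mediate(shopper, cheap, "PAY", rules, home),
        "unsafe_context":    mediate(shopper, secure, "PAY", rules, airport),
        "unknown_caller":    mediate(malware, secure, "PAY", rules, home),
        "no_permission":     mediate(stale, secure, "PAY", rules, home),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

Note the ordering: the "unknown_caller" case holds the PAY permission and would pass plain Android, but SecurePayer's expose policy rejects it before Android is consulted; the "no_permission" case satisfies every Saint condition and is then stopped by the traditional permission check, exactly the fall-through of steps 4 and 5.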
Administrative Policy
• Goal: define how the policy itself can be changed
• administrative models allow the updater to modify, add, or delete policy
• if the SaintOverride compile flag is set, Saint allows the user to override application policy
• the Saint XML policy schema includes an Override flag for each policy rule defined by the application
Saint Architecture
• Saint Installer
• Saint Mediator
• AppPolicy Provider
Conclusion
• Saint addresses the current limitations of Android security through install-time permission-granting policies and runtime inter-application communication policies
Thanks!