Introduction Literature Survey Polork Conclusion
A Policy Enforcement Framework for Android
Kaustubh Keskar (10305909)
Guided by: Prof. D. B. Phatak
Department of Computer Science and Engineering
Indian Institute of Technology, Bombay
Mumbai
June 23, 2013
Outline
1 Introduction
2 Literature Survey
3 Polork
4 Conclusion
A Policy Enforcement Framework
Deals with users’ security and privacy concerns by allowing them to define policy rules
Goals
To restrict the usage of resources
To mitigate malware
To prevent privilege escalation attack
In general, to provide fine-grained access control
Users of the system: End-user or trusted third party or both
Context-aware policies
Based on environmental or system attributes like time, location, battery, etc.
Problem Statement
Goal
To have control over devices, regarding which apps can be launched (depending upon environmental attributes)
What do we need?
A Policy Enforcement Framework
What will it do?
Monitor apps which are being launched
What action will it take?
Enforce the policies against apps
Allow or Deny (kill) those apps
Motivation
A policy enforcement framework for Aakash tablet
No apps during quiz/exam time
Limited set of apps during school-time
Different set of apps for different subjects/courses
Parental control (at home)
Context Attributes (for context-aware policies)
Battery virtualization: Battery consumption information per process
Kirin [8]
Framework to mitigate malware (Protect phone from apps)
Provides protection by comparing security policies against permissions and action strings defined in app’s manifest file
User has 2 options:
Reject the application (Abort installation)
Override the result (Continue installation)
Figure: Kirin [8]
Install-time enforcement
Parameters considered for policy
Permission labels
Intents (Action strings)
Examples:
An application must not have PHONE_STATE, RECORD_AUDIO, and INTERNET permission labels.
An application must not have the SET_PREFERRED_APPLICATION permission label and receive Intents for the CALL action string.
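The two rules above can be checked mechanically against an app's manifest. The following is an added illustration, not code from Kirin or from these slides; it assumes a manifest already decoded to text XML, matches on the full Android names (READ_PHONE_STATE, SET_PREFERRED_APPLICATIONS), and the rule ids and sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration (decoded text form, not binary AXML).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Each rule forbids the *combination* of every listed permission and action.
RULES = [
    {"id": "phone-audio-internet", "actions": set(),
     "permissions": {"READ_PHONE_STATE", "RECORD_AUDIO", "INTERNET"}},
    {"id": "preferred-app-call", "actions": {"CALL"},
     "permissions": {"SET_PREFERRED_APPLICATIONS"}},
]

def manifest_labels(xml_text):
    """Return (permission labels, intent action strings) declared in a manifest."""
    root = ET.fromstring(xml_text)
    def short(el):
        # Keep only the last dotted component, e.g. "...permission.INTERNET" -> "INTERNET".
        return el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
    perms = {short(e) for e in root.iter("uses-permission")}
    actions = {short(e) for e in root.iter("action")}
    return perms, actions

def violated_rules(xml_text, rules=RULES):
    """Ids of rules whose whole forbidden combination appears in the manifest."""
    perms, actions = manifest_labels(xml_text)
    return [r["id"] for r in rules
            if r["permissions"] <= perms and r["actions"] <= actions]
```

A non-empty result is the point at which an install-time checker would offer the reject or override choice.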
Saint [10]
Framework to protect apps from other apps
Install-time enforcement: Controls permission assignment
Runtime enforcement: Governs communication access between components
Figure: Saint [10]
Example:
(com.xyz.abc) (com.xyz.loc) required-permission(ACCESS_FINE_LOCATION)
(access) (com.test.pqr, any, GET_LOC) (any, any) forbid-permissions(INTERNET)
expose: Callee’s requirements specified by caller (source)
access: Caller’s requirements specified by callee (target)
Polork
Polork: Policy Enforcement Framework
Implemented as an Android app
Policies are defined remotely and Polork can download them automatically
Context-aware policies are supported
Time, Location
Has support for disabling (freezing) the apps [2], [1]
Attributes
Tag                   Explanation
Name                  Name of the policy.
ValidFrom, ValidTill  Between this time range, a policy is considered as valid.
Priority              The lower the assigned value, higher is the priority of the policy.
SeqNumber             A secondary attribute used to decide priority of the policy.
Cmd                   Whether to allow launching of an application depends upon value assigned to ‘Cmd’.
Context               Contains logical expression (using &&, ||, !) of all the context attributes defined in the policy. A policy is considered as valid (or applicable) if the context evaluates to true. Otherwise, next policy is considered.
CA-Time               Defined as “<From-time>, <To-time>”. Time attribute evaluates to true, if the current (system) time is within this time range.
CA-Location           Defined as “<Latitude>, <Longitude>, <Range>”. If the current location is within the range of specified location, then its value is considered as true.
Pkg                   Specifies a package name.
Table: Policy Tags
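An added sketch, not Polork's code, of how a Context expression over CA-Time and CA-Location could be evaluated with a small parser rather than eval(), so that a remotely downloaded policy cannot smuggle in anything but attribute names and the three operators. The HH:MM time format, a range in metres and all function names are assumptions.

```python
import math
import re
from datetime import time

def time_attr(spec, now):  # CA-Time "<From-time>, <To-time>", HH:MM assumed
    start, end = (time.fromisoformat(s.strip()) for s in spec.split(","))
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # range wraps past midnight

def location_attr(spec, here):  # CA-Location "<Lat>, <Lon>, <Range>", metres assumed
    lat, lon, rng = (float(s) for s in spec.split(","))
    p1, p2 = math.radians(lat), math.radians(here[0])
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(here[1] - lon) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a)) <= rng  # haversine distance

def eval_context(expr, values):  # values: attribute name -> bool
    tokens = re.findall(r"&&|\|\||[!()]|[\w-]+", expr) + [None]  # None marks the end
    if "".join(tokens[:-1]) != "".join(expr.split()):
        raise ValueError("unexpected characters in context expression")
    pos = 0
    def binary(op, operand):
        nonlocal pos
        v = operand()
        while tokens[pos] == op:
            pos += 1
            rhs = operand()  # always parse the right-hand side
            v = (v or rhs) if op == "||" else (v and rhs)
        return v
    def unary():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not unary()
        if tok == "(":
            v = binary("||", lambda: binary("&&", unary))
            if tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return v
        if tok not in values:
            raise ValueError(f"unknown attribute or syntax error at {tok!r}")
        return values[tok]
    result = binary("||", lambda: binary("&&", unary))
    if tokens[pos] is not None:
        raise ValueError("trailing tokens")
    return result
```

Malformed or unexpected input raises ValueError, which an enforcement point should treat as "policy not applicable" or as a hard failure according to its own fail-open or fail-closed choice.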
Commands
Figure: ALLOW
ALLOW P1, P2, P3, P4 (and do nothing else)
Figure: DENY
DENY P1, P2, P3, P4 (and do nothing else)
System-wide impact
Figure: ALLOW EXCEPT
ALLOW EXCEPT P1, P2, P3, P4 = DENY P1, P2, P3, P4 + ALLOW remaining packages
Figure: DENY EXCEPT
DENY EXCEPT P1, P2, P3, P4 = ALLOW P1, P2, P3, P4 + DENY remaining packages
Figure: ALLOW ALL
ALLOW ALL = ALLOW all packages
Figure: DENY ALL
DENY ALL = DENY all packages
Example
Allow all packages except Elixir (com.bartat.android.elixir) and Temple Run (com.imangi.templerun) from 15:00hrs to 19:00hrs
Figure: Example of Policy
Policy Enforcement - Algorithm
Figure: isAccessAllowed(pkgName)
Figure: getValidPolicyForPkg(pkgName), getValidSpecialPolicy()
Figure: isPolicyValid()
Figure: isContextValid()
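The algorithm figures are not reproduced here. As an added example, not Polork's actual implementation, the sketch below shows one way the policy tags and commands described earlier could combine into an allow/deny decision. It assumes that lower Priority and then lower SeqNumber wins, that ALLOW and DENY leave unlisted packages to the next policy, that a package is allowed when no policy applies, and that the context is a single CA-Time range; the policies and function names are constructed.

```python
from datetime import datetime, time

# Constructed sample policies; keys follow the tag names in the Policy Tags table.
VALID = {"ValidFrom": datetime(2013, 6, 1), "ValidTill": datetime(2013, 12, 31, 23, 59)}
POLICIES = [
    {**VALID, "Name": "no-games-evening", "Priority": 2, "SeqNumber": 1,
     "CA-Time": (time(15, 0), time(19, 0)), "Cmd": "ALLOW EXCEPT",
     "Pkg": {"com.bartat.android.elixir", "com.imangi.templerun"}},
    {**VALID, "Name": "quiz-lockdown", "Priority": 1, "SeqNumber": 2,
     "CA-Time": (time(10, 0), time(11, 0)), "Cmd": "DENY ALL", "Pkg": set()},
    {**VALID, "Name": "quiz-calculator", "Priority": 1, "SeqNumber": 1,
     "CA-Time": (time(10, 0), time(11, 0)), "Cmd": "ALLOW",
     "Pkg": {"com.example.calculator"}},  # hypothetical package name
]

def verdict(policy, pkg):
    """True/False if the command settles this package, None if it says nothing."""
    cmd, listed = policy["Cmd"], pkg in policy["Pkg"]
    if cmd in ("ALLOW ALL", "DENY ALL"):
        return cmd == "ALLOW ALL"
    if cmd in ("ALLOW EXCEPT", "DENY EXCEPT"):
        # System-wide: listed packages get the opposite of the command word.
        return listed != (cmd == "ALLOW EXCEPT")
    if cmd not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown Cmd {cmd!r}")
    return (cmd == "ALLOW") if listed else None  # "and do nothing else"

def is_access_allowed(pkg, policies, now, default=True):
    """Walk policies in priority order; the first one with a verdict wins."""
    ordered = sorted(policies, key=lambda p: (p["Priority"], p["SeqNumber"]))
    for p in ordered:
        start, end = p["CA-Time"]
        applicable = (p["ValidFrom"] <= now <= p["ValidTill"]
                      and start <= now.time() <= end)
        if not applicable:
            continue  # expired or context false: consider the next policy
        result = verdict(p, pkg)
        if result is not None:
            return result
    return default  # assumption: allow when no policy applies
```

The `default` argument is the fail-open or fail-closed choice; a deployment for exams would more likely pass `default=False`.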
Context Attributes
Battery Level
Allow app YouTube, if battery level is more than 50%
Battery Consumption per App
Block app VLC Player, if battery consumed by that app is more than 10%
Application Foreground Time
Block app Angry Birds, if its foreground time is more than 75 minutes
Data Usage
Allow app Firefox, if data usage is less than 20MB
Conclusion
Conclusion:
Implemented first-of-a-kind policy framework which monitors apps being launched and enforces policies accordingly.
Schools, employers can use it to have control over the devices.
Future Work:
Integration of Context Attributes in Polork
Adding Support for Resource Level Policies
Creating a User Interface to Define Policies
Implementing Polork as a System Service
References
[1] Bloat Freezer - Root for Android. http://www.bloatfreezer.com/, 2013. [Online; accessed on 15-Jun-2013].
[2] FAQ - Link2SD. http://www.link2sd.info/faq, 2013. [Online; accessed on 15-Jun-2013].
[3] Guangdong Bai, Liang Gu, Tao Feng, Yao Guo, and Xiangqun Chen. Context-Aware Usage Control for Android. In Security and Privacy in Communication Networks, volume 50 of Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, pages 326–343. Springer Berlin Heidelberg, 2010.
[4] Hammad Banuri, Masoom Alam, Shahryar Khan, Jawad Manzoor, Bahar Ali, Yasar Khan, Mohsin Yaseen, Mir Tahir, Tamleek Ali, Quratulain Alam, and Xinwen Zhang. An Android runtime security policy enforcement framework. Personal and Ubiquitous Computing, 16:631–641, 2012. 10.1007/s00779-011-0437-6.
[5] Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, and Ahmad-Reza Sadeghi. XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks. Technical Report TR-2011-04, Technische Universität Darmstadt, Apr 2011.
[6] Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Stephan Heuser, Ahmad-Reza Sadeghi, and Bhargava Shastry. Practical and lightweight domain isolation on Android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM ’11, pages 51–62, New York, NY, USA, 2011. ACM.
[7] Mauro Conti, Vu Thien Nga Nguyen, and Bruno Crispo. CRePE: context-related policy enforcement for android. In Proceedings of the 13th international conference on Information security, ISC ’10, pages 331–345, Berlin, Heidelberg, 2011. Springer-Verlag.
[8] William Enck, Machigar Ongtang, and Patrick McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security, CCS ’09, pages 235–245, New York, NY, USA, 2009. ACM.
[9] Mohammad Nauman, Sohail Khan, and Xinwen Zhang. Apex: extending Android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’10, pages 328–332, New York, NY, USA, 2010. ACM.
[10] Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically Rich Application-Centric Security in Android. In Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC ’09, pages 340–349, Washington, DC, USA, 2009. IEEE Computer Society.
[11] G. Russello, B. Crispo, E. Fernandes, and Y. Zhauniarovich. YAASE: Yet Another Android Security Extension. In Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Conference on Social Computing (SocialCom), pages 1033–1040, Oct 2011.
Literature Survey
Outline
5 Literature Survey
Policy Frameworks
Framework       Explanation
Kirin [8]       Lightweight certification of apps at install-time
Saint [10]      Allows developer to define (context-aware) fine-grained policies
Apex [9]        Selectively grant permissions to apps; Impose run-time constraints on usage of resources
CRePE [7]       Can define fine-grained context-related security policy; Contexts are activated based on context attributes
XManDroid [5]   Monitors communication links between apps and verifies them against security rules
TrustDroid [6]  Domain isolation by preventing interdomain application communication and data access
ConUCON [3]     Can define fine-grained context-aware security policy; Context is activated based on context attributes
YAASE [11]      Performs data tagging and tracking to control the data flow through applications
SEAF [4]        Helps to identify potentially dangerous behavior of applications
Table: Policy Frameworks