CSE 484 / CSEM 584: Computer Security and Privacy
Mobile Platform Security (finish)
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Security Mindset: Customs
• Exchange on Reddit comment thread
• Started with an observation about the world:
– “I tried to ship something to Venezuela, but it would have cost $80 shipping and $1420 in taxes and duty import fees!”
11/30/16 CSE484/CSEM584-Fall2016 2
Security Mindset: Customs
• Problem: Extremely high customs fees.
• Solution?

Lie about the value of the item, or, better, claim it’s broken!

“That won’t make it past the customs inspection. They snatch it up in a heartbeat then throw the recipient in jail for fraud.”

“That can’t be right. Otherwise I could just send packages to people I don’t like in other countries with fake packing slips to have them arrested.”
Mobile Malware Attack Vectors
• Unique to phones:
– Premium SMS messages
– Identify location
– Record phone calls
– Log SMS
• Similar to desktop/PCs:
– Connects to botmasters
– Steal data
– Phishing
– Malvertising

Mobile Malware Examples
“ikee is never going to give you up”
(Android) Malware in the Wild [Zhou et al.]

What does it do?   Root     Remote Control  Financial Charges              Information Stealing
                   Exploit  Net     SMS     Phone Call  SMS    Block SMS   SMS    Phone #  User Account
# Families         20       27      1       4           28     17          13     15       3
# Samples          1204     1171    1       256         571    315         138    563      43
What’s Different about Mobile Platforms?
• Applications are isolated
– Each runs in a separate execution context
– No default access to file system, devices, etc.
– Different than traditional OSes where multiple applications run with the same user permissions!
• App Store: approval process for applications
– Market: Vendor controlled / Open
– App signing: Vendor-issued / self-signed
– User approval of permissions

Two Types of App We Want to Defend Against
• Malware
• Legit, but privacy invasive

(1) Permission Granting Problem
Smartphones (and other modern OSes) try to prevent such attacks by limiting applications’ access to:
– System Resources (clipboard, file system).
– Devices (camera, GPS, phone, …).
How should operating system grant permissions to applications?
State of the Art
• Prompts (time-of-use): Disruptive, which leads to prompt-fatigue.
• Manifests (install-time): Out of context; not understood by users.
In practice, both are overly permissive: Once granted permissions, apps can misuse them.
Are Manifests Usable? [Felt et al.]
Do users pay attention to permissions?
…but 88% of users looked at reviews.

Are Manifests Usable? [Felt et al.]
Do users understand the warnings?

Are Manifests Usable? [Felt et al.]
Do users act on permission information?
“Have you ever not installed an app because of permissions?”
Over-Permissioning [Felt et al.]
• Android permissions are badly documented.
• Researchers have mapped APIs → permissions: www.android-permissions.org (Felt et al.), http://pscout.csl.toronto.edu (Au et al.)

Why is Over-Permissioning Bad?
• Over-permissioning: app has permission to access resources but never accesses them.
• If the app never uses the extra permissions, why is it bad that it has them?

Manifests rely on the user to make good choices at install time
• It’s not clear that users know how to make the right choice – or that there IS a right choice.
• I don’t want ANY app to access my camera at all times. I just want apps to access my camera when they need to for legitimate purposes!

Android 6.0: Prompts!
• First-use prompts for sensitive permission (like iOS).
• Big change! Now app developers need to check for permissions or catch exceptions.

Prompts rely on the user to make good choices at use time
• It’s not clear that users know how to make the right choice at use time either.
• Still only checks on first use – the app can still use the resource for any reason it wants, at any time now or in the future.
Improving Permissions: AppFence [Hornyack et al.]

Improving Permissions: User-Driven Access Control [Roesner et al.]
“Let this application access my location now.”
Insight: A user’s natural UI actions within an application implicitly carry permission-granting semantics.
Study shows: Many users already believe (52% of 186) – and/or desire (68%) – that resource access follows the user-driven access control model.

New OS Primitive: Access Control Gadgets (ACGs)
Approach: Make resource-related UI elements first-class operating system objects (access control gadgets).
• To receive resource access, applications must embed a system-provided ACG.
• ACGs allow the OS to capture the user’s permission granting intent in application-agnostic way.
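A small Python simulation of the ACG model above, added here as an illustration (it is not code from Roesner et al.; the class and method names are hypothetical). It contrasts a manifest-style grant, which stays valid for every later access, with an OS-owned gadget whose click yields exactly one access; `compare` returns the number of successful accesses under each model after a single user action.

```python
# Simulation of user-driven access control (added example, not code from
# Roesner et al.; class and method names are hypothetical).
class ManifestOS:
    """Baseline: an install-time (or first-use) grant that never expires."""
    def __init__(self):
        self.grants = set()                # (app, resource) pairs
    def grant(self, app, resource):
        self.grants.add((app, resource))
    def access(self, app, resource):
        if (app, resource) not in self.grants:
            raise PermissionError(f"{app}: no grant for {resource}")
        return f"{resource} data for {app}"  # valid at any later time, any reason

class ACGOS:
    """User-driven: each click on an OS-owned gadget yields exactly one access."""
    def __init__(self):
        self._gadgets = {}                 # gadget id -> (app, resource)
        self._pending = []                 # one-shot grants captured from clicks
    def create_acg(self, app, resource):
        """Apps embed gadgets the OS mints; they cannot draw their own."""
        gid = len(self._gadgets) + 1
        self._gadgets[gid] = (app, resource)
        return gid
    def user_clicks(self, gid):
        """Called by the trusted UI layer on a real click (simulation trust
        assumption: apps cannot invoke this); the click is the grant intent."""
        self._pending.append(self._gadgets[gid])
    def access(self, app, resource):
        if (app, resource) not in self._pending:
            raise PermissionError(f"{app}: no user-granted access to {resource}")
        self._pending.remove((app, resource))   # consumed: no standing permission
        return f"{resource} data for {app}"

def count_allowed(os_, app, resource, attempts):
    ok = 0
    for _ in range(attempts):
        try:
            os_.access(app, resource)
            ok += 1
        except PermissionError:
            pass
    return ok

def compare(app="photo-app", resource="camera", attempts=3):
    manifest = ManifestOS()
    manifest.grant(app, resource)          # user approved once at install
    acg = ACGOS()
    acg.user_clicks(acg.create_acg(app, resource))   # user pressed the gadget once
    return (count_allowed(manifest, app, resource, attempts),
            count_allowed(acg, app, resource, attempts))
```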
Misc Thoughts From Mobile Security

Permission Re-Delegation [Felt et al.]
• An application without a permission gains additional privileges through another application.
• Settings application is deputy: has permissions, and accidentally exposes APIs that use those permissions.
[Figure: Demo malware calls pressButton(0) on the Settings API; Settings in turn calls toggleWifi() on the Permission System.]
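A Python simulation of the deputy situation in the figure, added here as an illustration (it is not code from Felt et al.; the class and method names are hypothetical). The OS check denies the permission-less app when it calls toggleWifi() directly, but the vulnerable Settings deputy toggles WiFi on its behalf through pressButton(0); the hardened variant first checks whether the caller itself holds the permission, the IPC-inspection idea, before acting for it.

```python
# Simulation of permission re-delegation through a privileged deputy
# (added example, not Felt et al.'s code; names are hypothetical).
CHANGE_WIFI = "CHANGE_WIFI_STATE"

class PermissionSystem:
    """Stand-in for the OS permission check; grants are fixed per app."""
    def __init__(self, grants):
        self.grants = grants               # app name -> set of permissions
        self.wifi_on = False
    def has(self, app, perm):
        return perm in self.grants.get(app, set())
    def toggle_wifi(self, app):
        """Checks only the identity of the app that makes the call."""
        if not self.has(app, CHANGE_WIFI):
            raise PermissionError(f"{app} lacks {CHANGE_WIFI}")
        self.wifi_on = not self.wifi_on
        return self.wifi_on

class Settings:
    """The deputy: holds CHANGE_WIFI_STATE and exposes pressButton() to other
    apps. inspect_caller=False is the confused deputy from the slide; True
    refuses callers that could not have toggled WiFi themselves."""
    NAME = "Settings"
    def __init__(self, perms, inspect_caller):
        self.perms = perms
        self.inspect_caller = inspect_caller
    def press_button(self, caller, index):
        if self.inspect_caller and not self.perms.has(caller, CHANGE_WIFI):
            raise PermissionError(f"will not re-delegate {CHANGE_WIFI} to {caller}")
        if index != 0:
            raise ValueError("unknown button")
        # The toggle runs under Settings' own identity, so the OS check passes.
        return self.perms.toggle_wifi(self.NAME)

def run(inspect_caller):
    """(direct call outcome, call via Settings outcome, wifi state) for a
    permission-less 'Demo malware' app."""
    perms = PermissionSystem({Settings.NAME: {CHANGE_WIFI}, "Demo malware": set()})
    try:
        perms.toggle_wifi("Demo malware")
        direct = "allowed"
    except PermissionError:
        direct = "denied"                  # the OS check works as intended
    settings = Settings(perms, inspect_caller)
    try:
        settings.press_button("Demo malware", 0)
        via_deputy = "re-delegated"
    except PermissionError:
        via_deputy = "denied"
    return direct, via_deputy, perms.wifi_on
```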
Android Fragmentation
• Many different variants of Android (unlike iOS)
– Motorola, HTC, Samsung, …
• Less secure ecosystem
– Inconsistent or incorrect implementations
– Slow to propagate kernel updates and new versions
[https://developer.android.com/about/dashboards/index.html]

USABLE SECURITY

Poor Usability Causes Problems
[image: si.edu]
Importance in Security
• Why is usability important?
– People are the critical element of any computer system
• People are the real reason computers exist in the first place
– Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways

Today
• 3 case studies
– Phishing
– SSL warnings
– Password managers
• Step back: root causes of usability problems, and how to address

Case Study #1: Phishing
A Typical Phishing Page
(Weird URL; http instead of https)

Safe to Type Your Password?
“Picture-in-picture attacks”: Trained users are more likely to fall victim to this!
Experiments at Indiana University
• Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster
• Sent 921 Indiana University students a spoofed email that appeared to come from their friend
• Email redirected to a spoofed site inviting the user to enter his/her secure university credentials
– Domain name clearly distinct from indiana.edu
• 72% of students entered their real credentials into the spoofed site

More Details
• Control group: 15 of 94 (16%) entered personal information
• Social group: 349 of 487 (72%) entered personal information
• 70% of responses within first 12 hours
• Adversary wins by gaining users’ trust
• Also: If a site looks “professional”, people likely to believe that it is legitimate
Phishing Warnings
(Screenshots: Passive (IE), Active (IE), Active (Firefox))

Are Phishing Warnings Effective? [Egelman et al.]
• CMU study of 60 users
• Asked to make eBay and Amazon purchases
• All were sent phishing messages in addition to the real purchase confirmations
• Goal: compare active and passive warnings

Active vs. Passive Warnings [Egelman et al.]
• Active warnings significantly more effective
– Passive (IE): 100% clicked, 90% phished
– Active (IE): 95% clicked, 45% phished
– Active (Firefox): 100% clicked, 0% phished

User Response to Warnings [Egelman et al.]
• Some fail to notice warnings entirely
– Passive warning takes a couple of seconds to appear; if user starts typing, his keystrokes dismiss the warning
• Some saw the warning, closed the window, went back to email, clicked links again, were presented with the same warnings… repeated 4-5 times
– Conclusion: “website is not working”
– Users never bothered to read the warnings, but were still prevented from visiting the phishing site
– Active warnings work!

Why Do Users Ignore Warnings? [Egelman et al.]
• Don’t trust the warning
– “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
• Ignore warning because it’s familiar (IE users)
– “Oh, I always ignore those”
– “Looked like warnings I see at work which I know to ignore”
– “I thought that the warnings were some usual ones displayed by IE”
– “My own PC constantly bombards me with similar messages”
The Lock Icon
• Goal: identify secure connection
– SSL/TLS is being used between client and server to protect against active network attacker
• Lock icon should only be shown when the page is secure against network attacker
– Semantics subtle and not widely understood by users
– Whose certificate is it??
– Problem in user interface design

Will You Notice? [Moxie Marlinspike]
⇒ Clever favicon inserted by network attacker

Site Authentication Image (SiteKey)
“If you don’t recognize your personalized SiteKey, don’t enter your Passcode”

Do These Indicators Help?
• “The Emperor’s New Security Indicators”
– http://www.usablesecurity.org/emperor/emperor.pdf
Users don’t notice the absence of indicators!
Case Study #2: Browser SSL Warnings
• Design question: How to alert the user if a site’s SSL certificate is untrusted?

Firefox vs. Chrome Warning [Felt et al.]
33% vs. 70% clickthrough rate

Experimenting w/ Warning Design [Felt et al.]

Opinionated Design Helps! [Felt et al.]
Adherence   N
30.9%       4,551
32.1%       4,075
58.3%       4,644

Challenge: Meaningful Warnings [Felt et al.]
Password Managers
• Separate application and/or extension in your browser.
• Remembers and automatically enters passwords on your behalf.
• Seems possibly easier than remembering all your passwords. Is it more secure?

Question
• Q. What are the root causes of usability issues in computer security?

Issue #1: Complexities, Lack of Intuition
Real World: We can see, understand, relate to.
Electronic World (SSL/TLS, RSA, XSS, Spyware, Phishing, Buffer overflows): Too complex, hidden, no intuition.

Issue #1: Complexities, Lack of Intuition
• Mismatch between perception of technology and what really happens
– Public keys?
– Signatures?
– Encryption?
– Message integrity?
– Chosen-plaintext attacks?
– Chosen-ciphertext attacks?
– Password management?
– ...
Issue #2: Who’s in Charge?
Real World: Complex, hidden, but doctors manage.
Electronic World (SSL/TLS, RSA, XSS, Spyware, Phishing, Buffer overflows): Complex, hidden, and users manage.
Where analogy breaks down: Adversaries in the electronic world can be intelligent, sneaky, and malicious.
Users want to feel like they’re in control.

Issue #2: Who’s in Charge?
• Systems developers should help protect users
– Usable authentication systems
– Usable privacy settings (e.g., on social media)
– User-driven access control
• Software applications help users manage their applications
– Anti-virus software
– Anti-web tracking browser add-ons
– PwdHash, Keychain for password management
– Some say: Can we trust software for these tasks?
Issue #3: Hard to Gauge Risks
"I remembered hearing about it and thinking that people that click on those links are stupid," she says. "Then it happened to me." Ms. Miller says she now changes her password regularly and avoids clicking on strange links. (Open Doors, by V. Vara, The Wall Street Journal, Jan 29, 2007)
“It won’t happen to me!” (Sometimes a reasonable assumption, sometimes not.)

Issue #4: No Accountability
• Issue #3 is amplified when users are not held accountable for their actions
– E.g., from employers, service providers, etc.
– (Not all parties will perceive risks the same way)
• Also, recall that a user’s poor security choices may affect other people
– E.g., compromise account of user with weak password, then exploit a local (rather than remote) vulnerability to get root access
Issue #5: Annoying, Awkward, or Difficult
• Difficult
– Remembering 50 different, “random” passwords
• Awkward
– Lock computer screen every time you leave the room
• Annoying
– Browser warnings, virus alerts, forgotten passwords, firewalls
• Consequence:
– Changing user’s knowledge may not affect their behavior

Issue #6: Social Issues
• Public opinion, self-image
– Only “nerds” or the “super paranoid” follow security guidelines
• Unfriendly
– Locking computers suggests distrust of co-workers
• Annoying
– Sending encrypted emails that say, “what would you like for lunch?”

Issues with Usability
1. Lack of intuition
– See a safe, understand threats. Not true for computers.
2. Who’s in charge?
– Doctors keep your medical records safe, you manage your passwords.
3. Hard to gauge risks
– “It would never happen to me!”
4. No accountability
– Asset-holder is not the only one who can lose assets.
5. Awkward, annoying, or difficult
6. Social issues
Question
• Q. What approaches can we take to mitigate usability issues in computer security?

Response #1: Education and Training
• Education:
– Teaching technical concepts, risks
• Training
– Change behavior through:
• Drill
• Monitoring
• Feedback
• Reinforcement
• Punishment
• Maybe part of the solution – but not the solution

Response #2: Security Should Be Invisible
• Security should happen
– Naturally
– By Default
– Without user input or understanding
• Recognize and stop bad actions
• Starting to see some invisibility
– SSL/TLS
– VPNs
– Automatic Security Updates
– User-driven access control

Response #2: Security Should Be Invisible
• “Easy” at extremes, or for simple examples
– Don’t give everyone access to everything
• But hard to generalize
• Leads to things not working for reasons user doesn’t understand
• Users will then try to get the system to work, possibly further reducing security
– E.g., “dangerous successes” for password managers

Response #3: “3 Word UI”: “Are You Sure?”
• Security should be invisible
– Except when the user tries something dangerous
– In which case a warning is given
• But how do users evaluate the warning? Two realistic cases:
– Always heed warning. But see problems/commonality with Response #2 (“security should be invisible”)
– Always ignore the warning. If so, then how can it be effective?

Response #4: Focus on Users, Use Metaphors
• Clear, understandable metaphors:
– Physical analogs; e.g., red-green lights
• User-centered design: Start with user model
• Unified security model across applications
– User doesn’t need to learn many models, one for each application
• Meaningful, intuitive user input
– Don’t assume things on user’s behalf
– Figure out how to ask so that user can answer intelligently

Response #5: Least Resistance
• “Match the most comfortable way to do tasks with the least granting of authority” – Ka-Ping Yee, Security and Usability
• Should be “easy” to comply with security policy
• “Users value and want security and privacy, but they regard them only as secondary to completing the primary tasks” – Karat et al, Security and Usability