1 / 19

David Barrera, H. Güne¸s Kayacık , P.C. van Oorschot , Anil Somayaji

A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. Carleton University, Ottawa , ON, Canada ACM CCS(2010). David Barrera, H. Güne¸s Kayacık , P.C. van Oorschot , Anil Somayaji. Agenda. Introduction Access control systems

vashon
Télécharger la présentation

David Barrera, H. Güne¸s Kayacık , P.C. van Oorschot , Anil Somayaji

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Methodology for Empirical Analysis ofPermission-Based Security Modelsand its Application to Android Carleton University, Ottawa, ON, Canada ACM CCS(2010) David Barrera, H. Güne¸sKayacık, P.C. van Oorschot, Anil Somayaji

  2. Agenda • Introduction • Access control systems • Permission-Based Security • Related Work • Android Permission Model • Self-Organizing Maps(SOM) • Result • Further Discussion&Conclusion

  3. Introduction • Restrict actions on specific resources • Access control lists (ACLs) • permission-based security models • Empirical analysis • Objectives • investigate how the permission-based system in Android is used in practice • Identify the strengths and limitations of the current implementation

  4. Introduction • Android uses ACLs extensively to mediate inter-process communication (IPC) and to control access to special functionality on the device • Advantages • Prevent malware • inform users what applications are capable of doing once installed • Contribution • a novel methodology for exploring and empirically analyzing permission-based models

  5. Accesscontrol systems • Access control lists allows a subject to perform an action on an object only if the subject has been assigned the necessary permissions. • More sophisticated ACL-based systems allow the specification of a complex policy to control more parameters of how an object can be accessed. • Each ACL only restricts access to one action.

  6. Permission-Based Security • Android requires that developers declare in a manifest a list of permissions which the user must accept prior to installing an application • Google Chrome web browseruses a permission-based architecture in its extension system • Blackberry OS enforces through signature validation thatan application has been granted permissions to access thecontrolled APIs

  7. Related Work • Enck et al. describe the design and implementationof a framework to detect potentially malicious applications based on permissions requested by Android applications • Barth et al. analyzed 25 browser extensions forFirefox and identified that 78% are given more privilegesthan necessary

  8. Android Permission Model • Android Market • Android applications are written in Java syntaxand each run in a custom virtual machine known asDalvik • Anythird party application can define new Functionality

  9. Android Permission Model • Every application written for the Android platform must include an XML-formatted file named AndroidManifest.xml. • Permissions are enforced by Android at runtime, but must be accepted by the user at install time

  10. Android Permission Model • we used the Android Asset Packaging Tool to extract the manifest and read all XML entries of type uses-permission • x = [x1, x2, …, xj ]T {0, 1}j • xj:the permission j is requested • Some error • Duplicate permission error • Request permission that do not exist

  11. Self-Organizing Maps(SOM) • SOM is a type of neural network algorithm, which employs unsupervised learning • Characteristics: • SOM provides a 2-dimensional visualization of the high dimensional data • the component analysis of SOM can identify correlation between permissions.

  12. Self-Organizing Maps(SOM)

  13. Self-Organizing Maps(SOM)

  14. Results • Effectively clustering the applications requesting similar permissions into the same neighborhood. • Winner-take-all • Applications from different categories can request similar sets of permissions

  15. Results • a.p.INTERNETpermission is requested by the majority of applications in our dataset (over 60%)

  16. Results • The analysis of component planes can reveal correlations between permissions • a.p.INTERNET permission fails to provide sufficiently fine-grained control of the resources • Many permissions are requested by only a few applications.

  17. Further Discussion&Conclusion • Having finer-grained permissions in a permission-based system enables users to have detailed control over what actions are allowed to take place • Enhancements: • Logical permission grouping→fine-grained hierarchical permission • Logically grouping all self-defined permissions under one category • Hope that the SOM-based methodology, including visualization, is of use to others exploring independent permission-based models

More Related