Post on 25-Feb-2016
User-Driven Access Control: Rethinking Permission Granting in Modern OSes
Franziska Roesner, Tadayoshi Kohno (University of Washington)
Alexander Moshchuk, Bryan Parno, Helen J. Wang (Microsoft Research)
Crispin Cowan (Microsoft)
Modern Client Platforms
May 21, 2012
Franziska Roesner
• iOS, Android, WP, Win8, browsers
– Applications isolated from one another.
– Limited global sharing.
– Cannot access user-owned resources by default:
• Cross-application data
• Devices (camera, GPS, …)
• Resources (clipboard, autocomplete data)
Problem: How should platforms grant applications access to user-owned resources?
Challenge: Users are in the loop to grant permissions.
State of the Art
Manifests (Android, Windows Phone)
– Out of context: checked at time of install, not time of use.
Prompts (iOS, browsers)
– Disruptive: in practice, only prompted at first use to avoid prompt-fatigue.
Both are not least-privilege: once granted permissions, apps can use them even if not necessary for application functionality.
Permission Granting Goals
• In context – unlike manifests
• Non-disruptive – unlike prompts
• Least privilege – unlike manifests and prompts
Let this application access my location now.
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
User-Driven Access Control
• Observation: A user’s natural UI actions in the context of an application carry permission-granting semantics. See also EWS [SVNC ‘04], NitPicker [FH ‘05], CapDesk [M ‘06], Qubes, Polaris [SKYCM ’06], UIBAC [SE ‘08], BLADE [LYPL ‘10].
• Challenge: How can the system understand generalized in-app permission-granting behaviors?
Access Control Gadgets (ACGs)
• Approach: Let the system control these UI elements (ACGs) to capture a user’s permission granting intent.
• Challenges:
– How can the system capture authentic user intent?
– How to prevent disruption of application context?
– Can this model support necessary app functionality?
– …?
[Figure: Camera ACG example. User's view: a Photo Editor App containing a Camera ACG. System's view: the Photo Editor App runs in an isolation container and embeds the ACG as <object src="rm://camera/takePicture"/>; the kernel hosts the Camera Resource Monitor, whose policy decides which app can access the camera in what fashion. Flow: 1) user clicks on the camera ACG; 2) take picture; 3) receive picture.]
Design Challenges
• What are appropriate access semantics?
• How to accurately capture user intent?
• How can we support:
– customized access control gadgets?
– ACGs composing multiple resources?
– shortcuts and gestures instead of visual gadgets?
• How can we generalize to application-controlled resource monitors?
– e.g., Facebook contacts, Flickr photos
Access Semantics
Access semantics, ordered from UI-coupled to UI-decoupled (least privilege at the one-time end, permanent access at the other):
• One time (UI-coupled)
• Session (UI-coupled)
• Scheduled (UI-decoupled)
• Permanent (UI-decoupled)
Few applications (5% of top 100 Android apps) legitimately require permanent access.
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
Threats by Malicious Applications
• Manipulate access control gadget display
– Directly or by strategic obstruction
• Clickjacking (trick users into clicking on ACG)
– Visual or timing-based
• Programmatically click on ACG
Requirements:
1. ACG → User: Authentic display of ACG to user.
2. User → ACG: Authentic user actions to ACG.
ACG → User: Display Integrity
(1) Display isolation: apps can't set the ACG's pixels.
(2) Complete visibility: ACGs are active only when completely visible.
(3) Sufficient display duration: ACGs activate only after a reaction delay.
(4) Limited customization by applications.
73% of top Android apps need only limited customization.
User → ACG: Authentic Input
(1) Input event isolation:
– Input events dispatched only from user input devices to ACGs.
(2) The kernel controls the cursor over ACGs.
(3) Handling nested applications
– e.g., iGoogle embeds an ad which embeds a camera ACG
– Must grant permissions to the correct application.
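The display-integrity and authentic-input requirements above, as an added example that is not the paper's ServiceOS code: a toy kernel-side resource monitor that activates an ACG only for a click dispatched from a real input device on a completely visible gadget after a reaction delay, and grants one-time or session access to the application that embedded the gadget. The 200 ms delay and all application names are assumptions.

```python
# Added example (not the paper's ServiceOS code): toy resource monitor enforcing the slides' ACG rules.
from dataclasses import dataclass, field
from typing import Optional

REACTION_DELAY_MS = 200  # assumed minimum time an ACG must be fully visible before it is active

@dataclass
class Acg:
    owner_app: str          # container that embedded the ACG <object>; it receives the grant
    resource: str           # e.g. "camera"
    semantics: str          # "one-time" or "session"
    visible_since_ms: Optional[int] = None  # set only while the ACG is completely visible

@dataclass
class InputEvent:
    acg_id: str
    timestamp_ms: int
    from_input_device: bool  # True only if the kernel dispatched it from a real input device

@dataclass
class ResourceMonitor:
    acgs: dict = field(default_factory=dict)
    session_grants: set = field(default_factory=set)  # (app, resource) pairs valid this session

    def register_acg(self, acg_id: str, acg: Acg) -> None:
        self.acgs[acg_id] = acg

    def set_visibility(self, acg_id: str, fully_visible: bool, now_ms: int) -> None:
        # (2) Complete visibility: an obstructed ACG is inactive, and the reaction-delay
        # clock restarts each time the ACG becomes completely visible again.
        self.acgs[acg_id].visible_since_ms = now_ms if fully_visible else None

    def on_click(self, ev: InputEvent) -> Optional[str]:
        """Return the app granted access for this click, or None if the click is rejected."""
        acg = self.acgs.get(ev.acg_id)
        if acg is None or not ev.from_input_device:  # (1) input isolation: programmatic clicks
            return None
        if acg.visible_since_ms is None:             # (2) not completely visible
            return None
        if ev.timestamp_ms - acg.visible_since_ms < REACTION_DELAY_MS:  # (3) timing clickjacking
            return None
        if acg.semantics == "session":               # session: UI-decoupled use until end_session
            self.session_grants.add((acg.owner_app, acg.resource))
        return acg.owner_app                         # one-time: access for this action only

    def may_access(self, app: str, resource: str) -> bool:
        return (app, resource) in self.session_grants

    def end_session(self, app: str) -> None:
        self.session_grants = {g for g in self.session_grants if g[0] != app}
```

For the nested case, the grant goes to the container that embedded the gadget (here the ad frame), not to the page that embedded the ad.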
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
Implementation
• Implemented as part of the ServiceOS system with 2500 lines of C# code.
• System support for:
– Access control gadgets
• Resources: camera, GPS, clipboard, autocomplete
• Access semantics: one-time, session
– ACG composition: camera+GPS
– Input sequences: copy-and-paste, drag-and-drop
– Nested applications
– Content picking and application-specific ACGs
• ACGs in applications: browser and MS Word
Our experience shows that the implementation effort is modest for both system developers and application developers.
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
Discussion: Security Analysis
[Figure: social engineering example; screenshot text "Location access granted".]
Our User → ACG and ACG → User properties do not prevent applications from gaining unauthorized access by social engineering attacks.
• Social engineering risk: moderate (high effort/risk for attacker)
• Usability: high
• Least-privilege guarantees: high
Evaluation Highlights
• Vulnerability Study
– User-driven access control addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%), and 25 of 26 in Firefox (96%).
• User Expectations
– Based on a survey showing Android screenshots, most users already believe (52% of 186) and/or desire (68%) that resource access follows the user-driven access control model.
Summary
• User-driven access control captures a user’s permission-granting intent from natural interactions with the system and applications.
• Access control gadgets enable user-driven permission granting.
– In-context, non-disruptive, and least-privilege.
• ACGs match user expectations.