admin
play

Admin Project checkpoint #2 due tonight Keep letting us know of any - PowerPoint PPT Presentation

Sep 16, 2023 •211 likes •847 views

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Project checkpoint #2 due tonight • Keep letting us know of any fuzzing issues with HW3 – Double check that you followed the instructions – Make sure to put things in C: instead of D: – It’s possible to run into issues on the MS side, so let us know and we’ll loop them in if needed (in the meantime you can relax J ) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. This Week: Mac OS X High Sierra Issue • Given physical access, if root password not set, can login (creating a root account?) without a password • Manual fix: set root password 12/1/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Back to Mobile Security: Challenges with Isolated Apps So mobile platforms isolate applications for security, but… 1. Permissions: How can applications access sensitive resources? 2. Communication: How can applications communicate with each other? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. State of the Art Prompts (time-of-use) Manifests (install-time) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. [Felt et al.] Are Manifests Usable? Do users pay attention to permissions? … but 88% of users looked at reviews. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. [Felt et al.] Are Manifests Usable? Do users understand the warnings? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. [Felt et al.] Are Manifests Usable? Do users act on permission information? “Have you ever not installed an app because of permissions?” 12/1/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Android 6.0: Prompts! • First-use prompts for sensitive permission (like iOS). • Big change! Now app developers need to check for permissions or catch exceptions. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. [Felt et al.] Over-Permissioning • Android permissions are badly documented. • Researchers have mapped APIs à permissions. www.android-permissions.org (Felt et al.), http://pscout.csl.toronto.edu (Au et al.) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. [Hornyack et al.] Improving Permissions: AppFence 12/1/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. [our work] Improving Permissions: User-Driven Access Control Let this application access my location no now . In Insigh ght: A user’s natural UI actions within an application implicitly carry permission-granting semantics. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. [our work] Improving Permissions: User-Driven Access Control Let this application access my location no now . Insigh In ght: Ou Our r study shows ws: A user’s natural UI actions within Many users already believe (52% of 186) an application implicitly carry – and/or desire (68%) – that resource access permission-granting semantics. follows the user-driven access control model. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. New OS Primitive: Access Control Gadgets (ACGs) Approach: Make resource-related UI elements first-class operating system objects (access control gadgets). • To receive resource access, applications must embed a system-provided ACG. • ACGs allow the OS to capture the user’s permission granting intent in application-agnostic way. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. (2) Inter-Process Communication • Primary mechanism in Android: Intents – Sent between application components • e.g., with startActivity(intent) – Explicit: specify component name • e.g., com.example.testApp.MainActivity – Implicit: specify action (e.g., ACTION_VIEW) and/or data (URI and MIME type) • Apps specify Intent Filters for their components. 12/1/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. Unauthorized Intent Receipt Attack #1: Eavesdropping / Broadcast Theft com.example.goodapp2 com.example.goodapp1 com.example.badapp 12/1/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. Unauthorized Intent Receipt Attack #2: Service/Activity Hijacking “Caution: To ensure that your app is secure, always use an explicit intent when starting a Servier. Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts.” 12/1/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. [Chin et al.] Unauthorized Intent Receipt • Attack #1: Eavesdropping / Broadcast Thefts – Implicit intents make intra-app messages public. • Attack #2: Activity Hijacking – May not always work: • Attack #3: Service Hijacking – Android picks one at random upon conflict! 12/1/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. [Chin et al.] Intent Spoofing • Attack #1: General intent spoofing – Receiving implicit intents makes component public. – Allows data injection. • Attack #2: System intent spoofing – Can’t directly spoof, but victim apps often don’t check specific “action” in intent. com.example.goodapp2 com.example.goodapp1 com.example.badapp 12/1/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. [Felt et al.] Permission Re-Delegation • An application without a permission gains additional privileges through another application. • Demo video Demo pressButton(0) malware • Settings application is deputy: has permissions, Settings toggleWifi() and accidentally exposes APIs that use those toggleWifi() permissions. Permission System API 12/1/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. More on Android… 12/1/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Incomplete Isolation Embedded UIs and libraries always run with the host application’s permissions! (No same-origin policy here…) Ad from ad library Map from Google library Social button Like us on from Facebook Facebook! library [Shekhar et al.] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. Android Application Signing • Apps are signed – Often with self-signed certificates – Signed application certificate defines which user ID is associated with which applications – Different apps run under different UIDs • Shared UID feature – Shared Application Sandbox possible, where two or more apps signed with same developer key can declare a shared UID in their manifest 12/1/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. Shared UIDs • App 1: Requests GPS / camera access • App 2: Requests Network capabilities • Generally: – First app can’t exfiltrate information – Second app can’t exfiltrate anything interesting • With Shared UIDs (signed with same private key) – Permissions are a superset of permissions for each app – App 1 can now exfiltrate; App 2 can now access GPS / camera 12/1/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. File Permissions • Files written by one application cannot be read by other applications – Previously, this wasn’t true for files stored on the SD card (world readable!) – Android cracked down on this • It is possible to do full file system encryption – Key = Password/PIN combined with salt, hashed 12/1/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. Memory Management • Address Space Layout Randomization to randomize addresses on stack • Hardware-based No eXecute (NX) to prevent code execution on stack/heap • Stack guard derivative • Some defenses against double free bugs (based on OpenBSD’s dmalloc() function) • etc. [See http://source.android.com/tech/security/index.html] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 26

  27. Android Fragmentation • Many different variants of Android (unlike iOS) – Motorola, HTC, Samsung, … • Less secure ecosystem – Inconsistent or incorrect implementations – Slow to propagate kernel updates and new versions [https://developer.android.com/about/dashbo ards/index.html] 12/1/17 CSE 484 / CSE M 584 - Fall 2017 27

  28. What about iOS? • Apps are sandboxed • No “sideloading” apps • Encrypted user data – Unless you jailbreak – See recent news… • App Store review process is (maybe) stricter – But not infallible: e.g., see Wang et al. “Jekyll on iOS: When Benign Apps Become Evil” (USENIX Security 2013) 12/1/17 CSE 484 / CSE M 584 - Fall 2017 28

  29. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  30. Poor Usability Causes Problems si.ed u 12/1/17 CSE 484 / CSE M 584 - Fall 2017 30

  31. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 12/1/17 CSE 484 / CSE M 584 - Fall 2017 31

  32. Usable Security Roadmap • 2 case studies – Phishing – SSL warnings • Step back: root causes of usability problems, and how to address 12/1/17 CSE 484 / CSE M 584 - Fall 2017 32

  33. Case Study #1: Phishing • Design question: How do you help users avoid falling for phishing sites? 12/1/17 CSE 484 / CSE M 584 - Fall 2017 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to:

Labour Administration and Inspection Programme (LAB/ADMIN) Information Session 101 st ILC, June 2012 Geneva www.ilo.org/labadmin Who We Are What We Do v LAB/ADMIN was established in 2009 to: Lead ILOs work on technical support and

396 views • 7 slides
Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development Who am I, and what do I do? Ian P. Christian (aka. pookey) Coding PHP for about 8 years Work for VoIP.co.uk Involved with symfony and

1.13k views • 51 slides
HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN

HR ADMIN FORUM/ HRPM ADMIN NETWORK MEETING September 7, 2017 WELCOME NANCY JAGGER & ERIN RICE AGENDA > Welcome > Benefits Announcements & Open Enrollment Katy Dwyer & Amy Hawkins > Absence Lessons Learned in Workday

382 views • 36 slides
WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building,

WEBSITE TRAINING August 21, 2017 Logging in to the admin site Usernames will be per building, not per user Login by going to your school site /wp-admin Example: ct.central301.net/wp-admin or chs.central301.net/wp-admin Passwords

425 views • 18 slides
CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin:

CS270: Lecture 2. Admin: CS270: Lecture 2. Admin: Check Piazza. CS270: Lecture 2. Admin: Check Piazza. Today: Finish Path Routing. ???? Path Routing. Given G = ( V , E ) , ( s 1 , t 1 ) ,..., ( s k , t k ) , find a set of k paths

1.82k views • 154 slides
DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S

DRUPAL ADMIN UI MODERNIZATION Cristina Chumillas - Ymbra DRUPAL ADMIN UI MODERNIZATION C R I S T I N A C H U M I L L A S D E S I G N E R & D R U P A L F R O N T E N D @chumillas ckrina I N D E X Initiative overview Design System

1.12k views • 60 slides
PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

407 views • 21 slides
Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED

!! Working Group Meeting May 23, 2016 Cabot School ! DiNisco Design PARTNERSHIP Concept Diagram ADMIN. ADMIN. PREVIOUSLY PROPOSED CURRENT PROPOSED Circulation Diagrams SERVICE SERVICE KITCHEN BLUE ZONE BLUE ZONE & PARKING

285 views • 17 slides
Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M

Presentation to NSW PAC re Gullen Range, 5 th September, 2014 Michael Crawford, B Sc, BA Admin, M Admin Studies, PhD Director, Waubra Foundation Overview Wind farm noise damages health and well-being over a wide area Noise guidelines

245 views • 13 slides
Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital

Digital Communications Writing online Georgina.brooke@admin.ox.ac.uk Olivia.Williams@admin.ox.ac.uk Digital Communications Creating engaging content Digital Communications Writing up your article Digital Communications Visual appeal

683 views • 40 slides
Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team

Trafford Co-ordination Centre www.traffordccg.nhs.uk Trafford Co-ordination Centre Admin Team Referral Care Management Co-ordination 12 Admin Staff Manage Proxy/Integrated Co-location Primary Services Referrals Homecare

240 views • 13 slides
KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM "

KUSTOMIZE H ELLO $ OC ADM NEW - PROJECT HCS-C OMPANY \ -- ADMIN ="V INCENT VAN D AM " \ -- DISPLAY - NAME =" JOYREX 2001" \ -- ADMIN - ROLE ="O PEN S OURCE A RCHITECT " D ELIVERING SOFTWARE D EVELOPED A

695 views • 24 slides
Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting

Cheselbournes Caterpillar Pre-School Monday 6 th July Welcome! Pre-School Admin Tapestry Our Setting The EYFS Questions Pre- School Admin Welcome Pack all information should be in this document. Please

472 views • 24 slides
Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives

Conficker / Downadup spreading vectors MS08-067 Vulnerability in Server service USB-Flash drives Autorun & Autoplay ADMIN$ shares 2 abc123 academia access account Admin admin admin1 admin12 admin123 adminadmin administrator

643 views • 17 slides
Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions

Overview Class Admin Overview Overview of Complex Networks Class admin Class admin Basic definitions Basic definitions Complex Networks, Course 303A, Spring, 2009 Books Books Examples of Examples of Complex Networks Complex Networks

368 views • 14 slides
Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks,

Overview Outline Overview Overview of Complex Networks Class admin Class admin Complex Networks, CSYS/MATH 303, Spring, 2010 Class admin Basic definitions Basic definitions Popularity Popularity Basic definitions Examples of Examples

460 views • 16 slides
W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc Juarez and Bekah Overdorf) Summer School on real-world crypto and privacy June 2017 Outline Website Fingerprintjng for htups sites Website

599 views • 48 slides
Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 Lambdas and streams GUIs

Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 Lambdas and streams GUIs

Principles of Software Construction: Objects, Design, and Concurrency Managing change Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 Lambdas and streams GUIs UML More Git Intro to Java Static Analysis DevOps Git,

986 views • 53 slides
SipDown Red A SipDown | Product Vision Promote safe drinking Active feedback through real-time

SipDown Red A SipDown | Product Vision Promote safe drinking Active feedback through real-time

SipDown Red A SipDown | Product Vision Promote safe drinking Active feedback through real-time tracking Vision Initial Design Product Contract Risks Next Steps SipDown | Initial Design Wristband Breathalyzer Cumbersome to use Image of

328 views • 11 slides
NDN Testbed Status Update March 2017 John DeHart Washington University jdd@wustl.edu NDN

NDN Testbed Status Update March 2017 John DeHart Washington University jdd@wustl.edu NDN

NDN Testbed Status Update March 2017 John DeHart Washington University jdd@wustl.edu NDN Testbed Shared resource for running NDN experim ents Each node runs an NDN softw are router: nfd : NDN Forw arding Daem on NLSR : NDN

593 views • 15 slides
Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear

1.18k views • 41 slides
Distributed Systems Rik Sarkar James Cheney University

Distributed Systems Rik Sarkar James Cheney University

Distributed Systems Rik Sarkar James Cheney University of Edinburgh Spring 2014 Shortest (least weight) paths with BFS tree and edge weights

526 views • 37 slides
The Wonderful World of Services By: Stefanja What Is a Service? Make the computer world go

The Wonderful World of Services By: Stefanja What Is a Service? Make the computer world go

The Wonderful World of Services By: Stefanja What Is a Service? Make the computer world go round Without Services wed have nothing A service is an application that runs in the background to enable a computer to do certain thing.

698 views • 22 slides
Freeing Programmers from the Shackles of Sequentiality Thesis Proposal Talk Sven Stork

Freeing Programmers from the Shackles of Sequentiality Thesis Proposal Talk Sven Stork

Freeing Programmers from the Shackles of Sequentiality Thesis Proposal Talk Sven Stork Committee Jonathan Aldrich (CMU) Paulo Marques (UC) Todd Mowry (CMU) Ernesto Costa (UC) William Scherlis (CMU) Marco Viera (UC) 1 2 2 2 2 2 How

1.65k views • 134 slides

More recommend