Inferring Required Permissions for Statically Composed Programs Tero Hasu Anya Helene Bagge Magne Haveraaen {tero,anya,magne}@ii.uib.no Bergen Language Design Laboratory University of Bergen Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions
Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions
smartphones—a security risk for users Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ privacy and usage cost concerns ▶ natively third-party programmable ▶ ”app stores” have programs in large numbers ▶ including malware and ”grayware”
permission-based security models implications? Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ similar to VAX/VMS ”privileges” introduced in late 70’s ▶ popularized by smartphone OSes ▶ primarily: access control for sensitive APIs ▶ user approval of permissions → security and usability
permissions—a concern for app developers declaring permissions Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ too small a set � runtime errors ▶ too large a set � worried users ▶ optimal set � maintenance hassle
hassle compounds in a cross-platform setting of permission Hasu, Bagge, Haveraaen (BLDL) channel distribution restrictions multiple variants releases documented between platform requirements vary Inferring Required Permissions ▶ permission ▶ often inadequately ▶ an app may come in ▶ sometimes because ▶ can differ per
permission analysis tools availability bada API and Privilege Checker BB10 none Harmattan aegis-manifest (automatically generates a declaration) Symbian Capability Scanner Tizen API and Privilege Checker WP7 Store Test Kit (managed code only in WP7 apps) WP8 none Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions Android Stowaway, Permission Check Tool (both 3rd party)
vendor-supported permission inference analysis difficult/impossible Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ infer required permissions from a program’s platform API use ▶ examine either binaries or source code ▶ current tools for scanning native programs rely on heuristics ▶ dynamic loading and invocation (when allowed) make accurate
baseline requirements for a cross-platform permission management solution Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ the same solution must work for all platforms ▶ must make it cheaper to deal with app variants ▶ since there can easily be many in a cross-platform setting ▶ we want to request an optimal permission set for each variant ▶ we do not want an app to crash due to runtime permission errors
many differences, many things beyond our control operation, manufacturer grants, … Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions download source, user grants on install or at launch or per ▶ How do we get permissions? ▶ just ask, system policy grants according to certificate or ▶ Are there permissions we cannot ask for? ▶ Does platform release affect what we can ask for? ▶ Is our running app guaranteed to have requested permissions? ▶ Can granted permissions be queried at runtime? ▶ Can we specify install time hardware requirements? ▶ Can we do install time adaptation (e.g., which binary)? ▶ Is app submission process arduous? ▶ In app store, can we specify which devices are supported? ▶ Will a build only be deployable to specific devices (IMEI codes)? ▶ etc.
how we might manage permissions on a uniform, platform-independent basis with tools Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ app variant specific permission manifests ▶ automate manifest file generation ▶ ungrantable permissions ▶ automatically leave them out ▶ ungranted permissions ▶ support portable implementation of error handling code ▶ hardware requirements ▶ treat uniformly to permissions ▶ both are access capabilities
how we might manage permissions on an ad hoc, platform-specific basis by developers and user preferences (e.g., denied permissions) Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ compose software configurations that make sense ▶ leave out functionality that is never accessible on a platform ▶ perhaps find workarounds ▶ dynamic (or install time) adaptation to specific device models ▶ particularly desirable if app submission process is arduous ▶ useful if granted permissions can be queried at runtime ▶ e.g., consider UI adaptation
portable permission-aware programming 1. interfaces for Hasu, Bagge, Haveraaen (BLDL) handling permission error for portable runtime 2. language abstraction components implementations of platform-specific abstracting over Inferring Required Permissions portable program contains contains on NoPermission call readAll(w, dat); in readAll call writeAll(w, dat); dat = emptyColl; uses uses uses NoPermission DataSrc API DataTgt API runtime error declared as speci fi es speci fi es readAll writeAll alert NoPermission; declared as procedure readAll (upd sys : System, out coll : Coll);
permission-aware product line 1. multiple implementations of components, reusable in different Hasu, Bagge, Haveraaen (BLDL) compositions Inferring Required Permissions BlackBerry 10 Symbian Symbian ownCloud Edition con fi guration con fi guration con fi guration contains program SymbianOwnCloud = { BB10 fi le exporter Symbian ownCloud use ExporterEngine; contacts writer engine contacts uploader use SymbianContactsSrc; (C++) (C++) (portable) (C++) (C++) use OwnCloudUploadTgt; }; models models uses uses models models implements writeAll: DataSrc API DataTgt API requires NetworkServices, KErrPermissionDenied -> NoPermission
permission-aware compilation 1. abstract-to-concrete permission error handling translation Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions exporter exporter ownCloud Symbian engine main uploader contacts (portable) (portable) (C++) (C++) compiles compiles uses implements uses implements on NoPermission program SymbianOwnCloud = { writeAll: readAll: in readAll use ExporterEngine; compiler KErrPermissionDenied KErrPermissionDenied dat = emptyColl; use SymbianContactsSrc; -> NoPermission -> NoPermission call readAll(w, dat); use OwnCloudUploadTgt; call writeAll(w, dat); }; generates generates exporter program engine main (C++) (C++) TRAPD(err, readAll(w, dat)); if (err == KErrPermissionDenied) dat = emptyColl;
permission inference 1. program analysis for determining reachable invocations of Hasu, Bagge, Haveraaen (BLDL) operations, and associated permissions Inferring Required Permissions exporter exporter ownCloud Symbian engine main uploader contacts implements implements on NoPermission program SymbianOwnCloud = { writeAll: readAll: in readAll use ExporterEngine; compiler requires requires dat = emptyColl; use SymbianContactsSrc; NetworkServices ReadUserData call readAll(w, dat); use OwnCloudUploadTgt; call writeAll(w, dat); }; generates inferred permissions NetworkServices && ReadUserData
permission resolution 1. automated decision making on permission requests Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions con fi guration recipe Symbian policy inferred permissions uses uses compiles distribution = side-loaded, certi fi cate = self-signed, manifest writer NetworkServices && ReadUserData platform = S60 3.0+ generates manifest CAPABILITIES NetworkServices ReadUserData ▶ configuration recipes may require additional information
vendor-specific permission inference Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ infer required permissions from a program’s platform API use
cross-platform permission inference API use determine API use Can reuse the same API: Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ infer required permissions from a program’s platform-agnostic ▶ implementations encapsulate platform API use ▶ and: declare permissions for each implementation of said APIs ▶ and: program against said APIs in a language you can analyze to ▶ for multiple platforms (if can implement) ▶ in multiple apps (if suitably general)
favorable language characteristics interface-based abstraction static analysis friendliness Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ to support organizing cross-platform codebases ▶ to allow for accurate inference
adopting the approach assumptions may help otherwise in-source permission annotations Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ adopt a favorable language, preferably ▶ coding conventions or explicit information about programmer ▶ as an extra-language feature (probably within comments) ▶ using any language-provided annotation support ▶ by extending the language
errors) our proof of concept: based on Magnolia reporting—Bagge: Separating exceptional concerns (2012) handling mechanisms should be configurable (2012) Hasu, Bagge, Haveraaen (BLDL) Inferring Required Permissions ▶ general-purpose research programming language Magnolia ▶ http://magnolia-lang.org/ ▶ its implementation provides the required language infrastructure ▶ permission management is just one application for Magnolia ▶ perhaps: address error handling in general (not just permission ▶ separate idea of partiality from concrete details of error ▶ abstract over different mechanisms—Hasu: Concrete error
Recommend
More recommend
