SLIDE 1

Security aspects in Mobile Applications and Cloud Computing

Mobile Applications and Cloud Computing 2015 Leonardo Aniello, Ph.D. aniello@dis.uniroma1.it

SLIDE 2

Outline

  • Security aspects in mobile applications
    – Current situation
    – Security measures
    – Security weaknesses
    – Ongoing theses
  • Security aspects in cloud computing
    – Security categories
    – Some known attacks
    – Case study: SUNFISH
    – Topics for theses

SLIDE 3

Outline

  • Security aspects in mobile applications
    – Current situation
    – Security measures
    – Security weaknesses
    – Ongoing theses

Sufatrio, Darell J. J. Tan, Tong-Wei Chua, Vrizlynn L. L. Thing, “Securing Android: A Survey, Taxonomy, and Challenges”, ACM Comput. Surv. 47(4): 58 (2015)

SLIDE 4

Security aspects in mobile applications

Current situation

  • Pervasive spread of smart mobile devices (i.e., smartphones and tablets)
  • Still growing, 5.6 billion devices expected in 2019
  • Android holds about 80% of global market share
  • This is why Android became the best target of malware attacks
    – High convenience for attackers
    – ROI

SLIDE 5

Security aspects in mobile applications

Current situation

Symantec, Internet Security Threat Report, April 2015

SLIDE 6

Security aspects in mobile applications

Current situation

Symantec, Internet Security Threat Report, April 2015

SLIDE 7

Security aspects in mobile applications

Current situation

Symantec, Internet Security Threat Report, April 2015

SLIDE 8

Security aspects in mobile applications

Current situation

  • Programs and files that are created to do harm
  • Programs not obviously malicious but can be annoying or even harmful
  • Aggressive techniques to place advertising in your device

Symantec, Internet Security Threat Report, April 2015

SLIDE 9

Security aspects in mobile applications

Android Security Measures

  • Sandboxing
    – Provides app isolation and containment
    – Each app runs in its own VM and is assigned a unique Linux user ID
      » Permissions for all the files of the app are set so that only the user ID assigned to that app can access them
      » Principle of least privilege: each app has access only to the components it actually requires
    – Anyway it is possible to share data and services with other apps
      » Linux user ID sharing
      » Permissions

SLIDE 10

Security aspects in mobile applications

Android Security Measures

  • Permission model
    – Regulate sensitive API calls that access protected resources (i.e., camera, SD card, ...)
    – Each app requests a set of permissions at install time
    – The user has to grant either all or none of such permissions
  • App signing to verify and certify the developer
  • Component encapsulation to restrict access to it

SLIDE 11

Security aspects in mobile applications

Android Security Measures

  • Permission model - improved in Marshmallow
    – Permissions granted at runtime immediately before an app needs them

http://www.androidcentral.com/ http://www.phonearena.com/

SLIDE 12

Security aspects in mobile applications

Security Weaknesses

  • Open market model
  • Apps easy to reverse-engineer
    – facilitates repackaging for malware injection
  • Lack of isolation for third-party libraries, such as advertisement and analytics (A&A)
    – Such libs may abuse granted permissions
    – Conversely host apps may tamper with them

SLIDE 13

Security aspects in mobile applications

Security Weaknesses

  • Vulnerabilities of inter-component communication
    – Apps may unintentionally expose sensitive interfaces
    – Malware may intercept broadcasts to stop their propagation or to steal sensitive info
  • Malicious apps may invoke native code through JNI to leverage memory corruption bugs

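The sandboxing, permission-model and component-exposure points of the previous slides can be checked statically from an app's manifest. The following is an added example (not code from the slides or from the survey cited on slide 3): it parses a constructed AndroidManifest.xml and reports a shared Linux user ID, requested permissions from a hand-picked subset of Android's "dangerous" permission names, and exported components that no android:permission attribute protects. The rule that a component with an intent-filter is exported by default is the pre-Android-12 behaviour and is an assumption of this example.

```python
"""Static manifest check for shared UID, dangerous permissions and exposed
components. Added example; the manifest and the DANGEROUS subset are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android: namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Hand-picked subset of real permission names Android treats as "dangerous";
# a full analyser would load the complete list for the target API level.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest: the receiver is exported (intent-filter) but
# carries no permission, so any app on the device can trigger it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes"
    android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.notes.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".ExportService" android:exported="true"
             android:permission="com.example.notes.USE_EXPORT"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes"
              android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Explicit android:exported wins; otherwise a component with an
    intent-filter is exported by default (pre-Android-12 rule, assumed)."""
    exported = attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def analyse_manifest(xml_text):
    """Return a dict with the shared UID (or None), the sorted list of
    requested dangerous permissions, and exported components that lack an
    android:permission guard, as "tag name" strings."""
    root = ET.fromstring(xml_text)
    shared_uid = attr(root, "sharedUserId")
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)
    unprotected = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_exported(comp) and attr(comp, "permission") is None:
                unprotected.append("%s %s" % (tag, attr(comp, "name")))
    return {
        "shared_uid": shared_uid,
        "dangerous_permissions": dangerous,
        "unprotected_exported": unprotected,
    }


if __name__ == "__main__":
    for key, value in analyse_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

On the sample the launcher activity is reported as well; that one is exported by design, so a reviewer would whitelist MAIN/LAUNCHER entries and focus on the unguarded receiver, which is the kind of unintentionally exposed interface slide 13 describes.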
SLIDE 14

Security aspects in mobile applications

Ongoing Theses

  • Malware detection by searching for inconsistencies between distinct features
    – WHYPER: towards automating risk assessment of mobile applications
      » R. Pandita, X. Xiao, W. Yang, W. Enck, T. Xie, USENIX conference on Security 2013
      » Inconsistencies between app description and requested permissions
    – Work in progress…
      » Monitor consistency between correlated metrics (i.e., battery consumption and CPU usage) - invariants
      » When such invariants break, an anomaly occurs - malware?
      » Detection based on machine learning techniques
      » Adaptive monitoring: vary frequency and granularity of the monitoring with the aim of saving battery

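The "work in progress" idea on this slide, as an added example rather than the thesis code: an invariant between CPU usage and battery drain is learned from a baseline window by least squares, a sample whose residual exceeds k standard deviations breaks the invariant and is flagged, and the sampling interval is tightened after an anomaly and relaxed again after a run of normal samples. The samples, the linear form of the invariant, the 3-sigma threshold and the interval bounds are all constructed assumptions for illustration.

```python
"""Invariant-based anomaly detection between two correlated device metrics
with adaptive sampling. Added example; all data below is constructed."""
from statistics import mean, pstdev


def fit_invariant(samples):
    """Least-squares line drain = a*cpu + b over (cpu, drain) pairs.
    Returns (a, b, sigma) with sigma the spread of the baseline residuals."""
    xs = [cpu for cpu, _ in samples]
    ys = [drain for _, drain in samples]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    a = sxy / sxx
    b = my - a * mx
    residuals = [y - (a * x + b) for x, y in zip(xs, ys)]
    return a, b, pstdev(residuals)


class InvariantMonitor:
    def __init__(self, baseline, k=3.0, min_interval=1, max_interval=16, calm_steps=3):
        self.a, self.b, self.sigma = fit_invariant(baseline)
        self.k = k                      # anomaly threshold in sigmas
        self.min_interval = min_interval  # tightest sampling period
        self.max_interval = max_interval  # most battery-friendly period
        self.calm_steps = calm_steps      # normal samples before relaxing
        self.interval = max_interval
        self.calm = 0

    def is_anomalous(self, cpu, drain):
        """True when the drain deviates from the learned invariant."""
        expected = self.a * cpu + self.b
        return abs(drain - expected) > self.k * self.sigma

    def observe(self, cpu, drain):
        """Classify one sample and adapt the next sampling interval:
        drop to min_interval on an anomaly, double it after calm_steps
        consecutive normal samples (capped at max_interval)."""
        anomalous = self.is_anomalous(cpu, drain)
        if anomalous:
            self.interval = self.min_interval
            self.calm = 0
        else:
            self.calm += 1
            if self.calm >= self.calm_steps:
                self.interval = min(self.max_interval, self.interval * 2)
                self.calm = 0
        return anomalous, self.interval


# Constructed baseline: (cpu %, battery drain per period) in a benign phase.
BASELINE = [(10, 10.2), (20, 14.8), (30, 20.1), (40, 24.9), (50, 30.2), (60, 34.8)]

# Constructed stream: the second sample drains far more than its CPU share
# explains, i.e. activity the CPU metric does not account for.
STREAM = [(25, 17.6), (15, 40.0), (35, 22.6), (45, 27.4), (30, 20.0), (20, 15.0)]


def run_monitor(baseline, stream):
    """Return (anomaly flags, sampling interval chosen after each sample)."""
    monitor = InvariantMonitor(baseline)
    flags, intervals = [], []
    for cpu, drain in stream:
        anomalous, interval = monitor.observe(cpu, drain)
        flags.append(anomalous)
        intervals.append(interval)
    return flags, intervals


if __name__ == "__main__":
    for (cpu, drain), flag, interval in zip(STREAM, *run_monitor(BASELINE, STREAM)):
        print("cpu=%d drain=%.1f anomaly=%s next_interval=%d" % (cpu, drain, flag, interval))
```

The learned invariant is only as good as the baseline: a baseline captured while the device was already compromised teaches the monitor the wrong relation, which is why the slide's consistency idea pairs well with cross-checks between independent features such as the WHYPER description-versus-permissions comparison.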
SLIDE 15

Security aspects in mobile applications

Ongoing Theses

  • Obfuscation techniques for Android malware
    – Used by malware developers to evade detection
    – Trivial techniques (repackaging, disassembly & reassembly, changing package name)
    – Identifier renaming, call indirection, code reordering, junk code insertion
    – Reflection, encryption of bytecode, strings, classes
  • Experimental evaluation
    – Apply combinations of obfuscation techniques to known malware
    – Verify detection accuracy of main antivirus (i.e., VirusTotal)

SLIDE 16

Outline

  • Security aspects in mobile applications
    – Current situation
    – Security measures
    – Security weaknesses
    – Ongoing theses
  • Security aspects in cloud computing
    – Security categories
    – Some known attacks
    – Case study: SUNFISH
    – Topics for theses

I. M. Khalil, A. Khreishah, M. Azeem, “Cloud Computing Security: A Survey”, Computers journal 2014, 3, 1-35

SLIDE 17

Security aspects in cloud computing

Security categories

Category: Description

Security Standards: Describes the standards required to take precaution measures in cloud computing in order to prevent attacks. It governs the policies of cloud computing for security without compromising reliability and performance.

Network: Involves network attacks such as connection availability, denial of service, DDoS, flooding attacks, internet protocol vulnerabilities, etc.

Access Control: Covers authentication and access control. It captures issues that affect privacy of user information and data storage.

Cloud Infrastructure: Covers attacks that are specific to the cloud infrastructure (IaaS, PaaS and SaaS) such as tampered binaries and privileged insiders.

Data: Covers data related security issues including data migration, integrity, confidentiality, and data warehousing.

Table 1 in I. M. Khalil, A. Khreishah, M. Azeem: “Cloud Computing Security: A Survey”, Computers journal 2014, 3, 1-35

SLIDE 18

Security aspects in mobile applications

Some known attacks

  • Theft of service
  • Denial of service
  • Cloud malware
  • Targeted shared memory
  • Phishing
  • Botnets
SLIDE 19

Security aspects in mobile applications

Case Study: SUNFISH

  • SecUre iNFormatIon SHaring in federated heterogeneous private clouds
  • Horizon2020 EU Project, http://www.sunfishproject.eu/
  • Problem addressed: lack of infrastructure and technology allowing Public Sector Players to federate their private clouds

SLIDE 20

Security aspects in mobile applications

Case Study: SUNFISH

  • Cloud Federation
    – Interconnection of more private/public clouds
    – On-demand resource provisioning
      » Face load spikes
      » Monetize unused resources
    – Data sharing among clouds
      » Information sharing allows to have richer datasets
    – Federated identity management
      » Single-sign-on

SLIDE 21

Security aspects in mobile applications

Case Study: SUNFISH

Information Sharing Governance Model: policy evaluation flows

[Figure: policy evaluation flows between a data requester, the sensitive data and a data transformation service]

PRP: Policy Retrieval Point
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point

Each piece of data is attached to an access policy which defines who can access it and how

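The evaluation flow named by the legend, as an added example that is not SUNFISH code: a data requester's call reaches the PEP, the PEP asks the PDP for a decision, the PDP fetches the policy attached to the data from the PRP and the requester's attributes from the PIP, and the PEP either denies, releases the data as is, or routes it through a data transformation service that anonymises it first. The policies, attributes, records and the dict-based policy format are constructed stand-ins for a real policy language.

```python
"""PRP / PDP / PEP / PIP policy evaluation flow with a data transformation
service. Added example; every policy, attribute and record is constructed."""

# PRP contents: per data item, an ordered list of rules. A rule's attribute
# conditions must all hold; its "effect" is what the PEP must do.
POLICIES = {
    "citizen_records": [
        {"role": "tax_office", "member": "federation", "effect": "raw"},
        {"role": "research", "member": "federation", "effect": "anonymised"},
    ],
}

# PIP contents: subject attributes resolved at decision time.
ATTRIBUTES = {
    "alice": {"role": "tax_office", "member": "federation"},
    "bob": {"role": "research", "member": "federation"},
    "eve": {"role": "research", "member": "external"},
}

# Sensitive data; in the intended deployment only the PEP reaches it.
DATA = {
    "citizen_records": [
        {"name": "Mario Rossi", "city": "Roma", "income": 31000},
        {"name": "Anna Bianchi", "city": "Milano", "income": 45000},
    ],
}


class PRP:
    """Policy Retrieval Point: returns the policy attached to a data item."""
    def retrieve(self, data_id):
        return POLICIES.get(data_id, [])


class PIP:
    """Policy Information Point: supplies attributes about the requester."""
    def attributes_of(self, subject):
        return ATTRIBUTES.get(subject, {})


class PDP:
    """Policy Decision Point: first matching rule wins, default deny."""
    def __init__(self, prp, pip):
        self.prp, self.pip = prp, pip

    def decide(self, subject, data_id):
        attrs = self.pip.attributes_of(subject)
        for rule in self.prp.retrieve(data_id):
            conditions = {k: v for k, v in rule.items() if k != "effect"}
            if all(attrs.get(k) == v for k, v in conditions.items()):
                return rule["effect"]
        return "deny"


def anonymise(records):
    """Data transformation service: strip direct identifiers, bucket income."""
    return [{"city": r["city"], "income_band": (r["income"] // 10000) * 10000}
            for r in records]


class PEP:
    """Policy Enforcement Point: the only path from requester to data."""
    def __init__(self, pdp):
        self.pdp = pdp

    def request(self, subject, data_id):
        decision = self.pdp.decide(subject, data_id)
        if decision == "deny" or data_id not in DATA:
            return None
        records = DATA[data_id]
        return anonymise(records) if decision == "anonymised" else records


def build_pep():
    return PEP(PDP(PRP(), PIP()))


if __name__ == "__main__":
    pep = build_pep()
    for who in ("alice", "bob", "eve"):
        print(who, pep.request(who, "citizen_records"))
```

Everything hinges on the PEP being the only component that touches the data store: a PEP altered so that it skips the PDP, or a PDP fed a tampered policy or attributes, releases data the policy never allowed, which is exactly the threat model the next slides list.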
SLIDE 22

Security aspects in mobile applications

Case Study: SUNFISH

Threat Model

  • Altering of deployed computational logic
  • Altering of policy evaluation
  • Altering of policy enforcement infrastructure

SLIDE 23

Security aspects in mobile applications

Case Study: SUNFISH

Threat Model

  • Altering of deployed computational logic
  • Altering of policy evaluation
  • Altering of policy enforcement infrastructure

The PEP may retrieve data without enforcing access policies

SLIDE 24

Security aspects in mobile applications

Case Study: SUNFISH

Runtime Monitoring Infrastructure

SLIDE 25

Security aspects in mobile applications

Case Study: SUNFISH

  • Other threat: data manipulation by privileged user
    – What if stored logs get compromised? How to secure the Log DB?
    – An attacker could remove some entries from the log DB to hide a certain data access
  • Need to guarantee consensus among participants about what happened so far for what concerns data accesses
    – What interactions took place?
    – In which order?
  • Viable solutions (impact on the deployment)
    – Replicated log DB, vulnerable to collusion
    – Also store hashes of log entries to a blockchain to overcome collusion
      » interesting research direction...

SLIDE 26

Security aspects in mobile applications

Case Study: SUNFISH

The blockchain is a distributed public record of transactions, available to everyone to view and verify

  • A chain of blocks, where each block
    – consists of a header, hash of the previous block and transactions
    – is generated every 10 minutes
  • Once a block is part of the chain, transactions inside it are practically irreversible
  • One of the most popular disruptive technologies
  • Bitcoin is a protocol that relies on blockchain

https://bitcoin.org

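The previous two slides together: an added example (not SUNFISH or Bitcoin code) in which each access-log entry is hashed together with its predecessor, and the head of that hash chain is anchored as a transaction in a block whose header commits to the previous block's hash. Deleting the entry that records a privileged user's access, or reordering entries, changes the recomputed head so that verification against the anchored value fails. The log entries are constructed, and the in-memory ledger stands in for a real blockchain; it has no network, consensus or proof of work.

```python
"""Hash-chained access log anchored in a minimal block chain. Added example;
the ACCESS_LOG entries are constructed and the Ledger is an in-memory toy."""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so equal content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, entry):
    """Hash of a log entry bound to the hash of the entry before it."""
    return sha256_hex(canonical({"prev": prev_hash, "entry": entry}))


def chain_log(entries):
    """Return [(entry, hash)] where each hash links to the previous one."""
    chained, prev = [], GENESIS
    for entry in entries:
        prev = entry_hash(prev, entry)
        chained.append((entry, prev))
    return chained


def head_hash(chained):
    return chained[-1][1] if chained else GENESIS


class Block:
    """Header (previous block hash + transaction digest) plus transactions."""
    def __init__(self, prev_block_hash, transactions):
        self.transactions = transactions
        self.header = {"prev": prev_block_hash,
                       "tx_digest": sha256_hex(canonical(transactions))}
        self.hash = sha256_hex(canonical(self.header))


class Ledger:
    """Append-only chain of blocks; each block commits to its parent."""
    def __init__(self):
        self.blocks = []

    def append(self, transactions):
        prev = self.blocks[-1].hash if self.blocks else GENESIS
        block = Block(prev, transactions)
        self.blocks.append(block)
        return block.hash

    def verify(self):
        """Recompute every block hash and parent link."""
        prev = GENESIS
        for block in self.blocks:
            if block.header["prev"] != prev:
                return False
            if block.hash != sha256_hex(canonical(block.header)):
                return False
            if block.header["tx_digest"] != sha256_hex(canonical(block.transactions)):
                return False
            prev = block.hash
        return True

    def anchored_heads(self):
        return [tx["log_head"] for block in self.blocks
                for tx in block.transactions if "log_head" in tx]


def verify_log_against_ledger(entries, ledger):
    """Rebuild the chain from the stored entries and compare its head with
    the most recently anchored head; False if nothing was anchored yet."""
    heads = ledger.anchored_heads()
    return bool(heads) and head_hash(chain_log(entries)) == heads[-1]


# Constructed log of data accesses in the federation.
ACCESS_LOG = [
    {"seq": 1, "who": "alice", "data": "citizen_records", "effect": "raw"},
    {"seq": 2, "who": "bob", "data": "citizen_records", "effect": "anonymised"},
    {"seq": 3, "who": "mallory", "data": "citizen_records", "effect": "raw"},
]


def demo():
    """Anchor the log head, then check the intact log and a log from which
    the privileged user's entry (seq 3) was removed."""
    ledger = Ledger()
    ledger.append([{"log_head": head_hash(chain_log(ACCESS_LOG))}])
    intact = verify_log_against_ledger(ACCESS_LOG, ledger)
    pruned = [e for e in ACCESS_LOG if e["seq"] != 3]
    tampered = verify_log_against_ledger(pruned, ledger)
    return intact, tampered, ledger.verify()


if __name__ == "__main__":
    print("intact=%s tampered=%s ledger_ok=%s" % demo())
```

Anchoring only the head hash keeps the log content off the ledger while still letting every participant detect deletion or reordering of entries written before the anchor; entries added after the last anchor are unprotected until the next one, so the anchoring period is the window a colluding operator has.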
SLIDE 27

Security aspects in mobile applications

Case Study: SUNFISH

http://www.economist.com/

Very promising technology, but… …today Bitcoin can handle a transaction rate of 7 tps…

SLIDE 28

Security aspects in mobile applications

Topics for theses

  • Address the scalability issues of the blockchain
    – Very active research topic
    – I. Eyal, A. E. Gencer, E. G. Sirer, R. van Renesse, “Bitcoin-NG: A Scalable Blockchain Protocol”, available at http://arxiv.org/abs/1510.02037

SLIDE 29

Security aspects in mobile applications

Topics for theses

  • Smart contracts
    – A smart contract is code (or programs) deployed into the blockchain as part of a transaction
      » almost works as a function in a programming language
      » must be invoked with data to “release” the transaction, and it will execute specified operations on the transaction data
    – Since smart contracts are transactions in a blockchain
      » irreversible once part of a blockchain

SLIDE 30

Security aspects in mobile applications

Topics for theses

  • Smart contracts
    – A smart contract is code (or programs) deployed into the blockchain as part of a transaction
      » almost works as a function in a programming language
      » must be invoked with data to “release” the transaction, and it will execute specified operations on the transaction data
    – Since smart contracts are transactions in a blockchain
      » irreversible once part of a blockchain
  • Ethereum project [https://www.ethereum.org/]
    – 4th most funded project in history through crowdfunding [https://en.wikipedia.org/wiki/List_of_highest_funded_crowdfunding_projects]
    – Technology still evolving