mobile platform security finish fall 2016 ada adam lerner
play

Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner - PowerPoint PPT Presentation

Apr 06, 2023 •27 likes •807 views

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Security Mindset: Customs • Exchange on Reddit comment thread • Started with an observation about the world: – “I tried to ship something to Venezuela, but it would have cost $80 shipping and $1420 in taxes and duty import fees!” 11/30/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Security Mindset: Customs • Problem: Extremely high customs fees. • Solution? Lie about the value of the item, or, better, claim it’s broken! 11/30/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. “That won’t make it past the customs inspection. They snatch it up in a heartbeat then throw the recipient in jail for fraud.” 11/30/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. “That can’t be right. Otherwise I could just send packages of people I don’t like in other countries with fake packing slips to have them arrested.” 11/30/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Mobile Malware Attack Vectors • Unique to phones: – Premium SMS messages – Identify location – Record phone calls – Log SMS • Similar to desktop/PCs: – Connects to botmasters – Steal data – Phishing – Malvertising 11/30/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. Mobile Malware Examples “ikee is never going to give you up” 11/30/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. [Zhou et al.] (Android) Malware in the Wild What does it do? Root Remote Control Financial Charges Information Stealing Exploit Net SMS Phone SMS Block SMS Phone # User Call SMS Account # 20 27 1 4 28 17 13 15 3 Families # 1204 1171 1 256 571 315 138 563 43 Samples 11/30/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. What’s Different about Mobile Platforms? • Applications are isolated – Each runs in a separate execution context – No default access to file system, devices, etc. – Different than traditional OSes where multiple applications run with the same user permissions! • App Store: approval process for applications – Market: Vendor controlled/Open – App signing: Vendor-issued/self-signed – User approval of permissions 11/30/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. Two Types of App We Want to Defend Against • Malware • Legit, but privacy invasive 11/30/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. (1) Permission Granting Problem Smartphones (and other modern OSes) try to prevent such attacks by limiting applications’ access to: – System Resources (clipboard, file system). – Devices (camera, GPS, phone, …). How should operating system grant permissions to applications? 11/30/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. State of the Art Prompts (time-of-use) 11/30/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to prompt-fatigue. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to Out of context ; not prompt-fatigue. understood by users. In practice, both are overly permissive : Once granted permissions, apps can misuse them. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. [Felt et al.] Are Manifests Usable? Do users pay attention to permissions? … but 88% of users looked at reviews. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. [Felt et al.] Are Manifests Usable? Do users understand the warnings? 11/30/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. [Felt et al.] Are Manifests Usable? Do users act on permission information? “Have you ever not installed an app because of permissions?” 11/30/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. [Felt et al.] Over-Permissioning • Android permissions are badly documented. • Researchers have mapped APIs à permissions. www.android-permissions.org (Felt et al.), http://pscout.csl.toronto.edu (Au et al.) 11/30/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. Why is Over-Permissioning Bad? • Over-permissioning: app has permission to access resources but never accesses them. • If the app never uses the extra permissions, why is it bad that it has them? 11/30/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Manifests rely on the user to make good choices at install time • It’s not clear that users know how to make the right choice – or that there IS a right choice. • I don’t want ANY app to access my camera at all times. I just want apps to access my camera when they need to for legitimate purposes! 11/30/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Android 6.0: Prompts! • First-use prompts for sensitive permission (like iOS). • Big change! Now app developers need to check for permissions or catch exceptions. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. Promps rely on the user to make good choices at use time • It’s not clear that users know how to make the right choice at use time either. • Still only checks on first use – the app can still use the resource for any reason it wants, at any time now or in the future. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. [Hornyack et al.] Improving Permissions: AppFence 11/30/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. [Roesner et al.] Improving Permissions: User-Driven Access Control Let this application access my location now . Insight: A user’s natural UI actions within an application implicitly carry permission-granting semantics. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. [Roesner et al.] Improving Permissions: User-Driven Access Control Let this application access my location now . Study shows: Insight: Many users already believe (52% of 186) A user’s natural UI actions – and/or desire (68%) – that resource within an application implicitly access follows the user-driven access carry permission-granting control model. semantics. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 25

  26. New OS Primitive: Access Control Gadgets (ACGs) Approach: Make resource-related UI elements first-class operating system objects (access control gadgets). • To receive resource access, applications must embed a system-provided ACG. • ACGs allow the OS to capture the user’s permission granting intent in application-agnostic way. 11/30/16 CSE 484 / CSE M 584 - Fall 2016 26

  27. Misc Thoughts From Mobile Security 11/30/16 CSE 484 / CSE M 584 - Fall 2016 27

  28. [Felt et al.] Permission Re-Delegation • An application without a permission gains additional privileges through another application. • Settings application is Demo pressButton(0) deputy: has permissions, malware and accidentally exposes Settings APIs that use those toggleWifi() permissions. toggleWifi() Permission System API 11/30/16 CSE 484 / CSE M 584 - Fall 2016 28

  29. Android Fragmentation • Many different variants of Android (unlike iOS) – Motorola, HTC, Samsung, … • Less secure ecosystem – Inconsistent or incorrect implementations – Slow to propagate kernel updates and new versions [https://developer.android.com/about/ dashboards/index.html] 11/30/16 CSE 484 / CSE M 584 - Fall 2016 29

  30. USABLE SECURITY 11/30/16 CSE 484 / CSE M 584 - Fall 2016 30

  31. Poor Usability Causes Problems si.ed u 11/30/16 CSE 484 / CSE M 584 - Spring 2016 31

  32. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 11/30/16 CSE 484 / CSE M 584 - Spring 2016 32

  33. Today • 3 case studies – Phishing – SSL warnings – Password managers • Step back: root causes of usability problems, and how to address 11/30/16 CSE 484 / CSE M 584 - Spring 2016 33

  34. Case Study #1: Phishing 11/30/16 CSE 484 / CSE M 584 - Spring 2016 34

  35. A Typical Phishing Page Weird URL http instead of https 11/30/16 CSE 484 / CSE M 584 - Spring 2016 35

  36. Safe to Type Your Password? 11/30/16 CSE 484 / CSE M 584 - Spring 2016 36

  37. Safe to Type Your Password? 11/30/16 CSE 484 / CSE M 584 - Spring 2016 37

  38. Safe to Type Your Password? 11/30/16 CSE 484 / CSE M 584 - Spring 2016 38

  39. Safe to Type Your Password? “Picture-in-picture attacks” Trained users are more likely to fall victim to this! 11/30/16 CSE 484 / CSE M 584 - Spring 2016 39

  40. Experiments at Indiana University • Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster • Sent 921 Indiana University students a spoofed email that appeared to come from their friend • Email redirected to a spoofed site inviting the user to enter his/her secure university credentials – Domain name clearly distinct from indiana.edu • 72% of students entered their real credentials into the spoofed site 11/30/16 CSE 484 / CSE M 584 - Spring 2016 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan

567 views • 38 slides
Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to

Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

1.29k views • 42 slides
Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner

Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

917 views • 55 slides
Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

559 views • 41 slides
Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu

Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

622 views • 44 slides
Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,

577 views • 43 slides
Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to

Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to

CSE 484 / CSE M 584: Computer Security and Privacy Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

699 views • 54 slides
Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to

Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to

CSE 484 / CSE M 584: Computer Security and Privacy Anonymity and Secure Messaging Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

779 views • 30 slides
Cryptography: Symmetric Encryption Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks

Cryptography: Symmetric Encryption Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

633 views • 47 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter

813 views • 43 slides
Admin Project checkpoint #2 due tonight Keep letting us know of any fuzzing issues with

Admin Project checkpoint #2 due tonight Keep letting us know of any fuzzing issues with

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli,

847 views • 62 slides
The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

870 views • 76 slides
Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

638 views • 26 slides
Administrative Lab 2 is out please form groups of 1-3 and get to work, its due Nov 21!

Administrative Lab 2 is out please form groups of 1-3 and get to work, its due Nov 21!

CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly

940 views • 48 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and

Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and

Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and William E. Moen University of North Texas International conference Open Repositories 2013 Charlottetown, Prince Edward Island, Canada Paper presented at

474 views • 25 slides
Wood Pellets: Clean, Efficient Heating with Renewable Energy from New Yorks Forest Resources

Wood Pellets: Clean, Efficient Heating with Renewable Energy from New Yorks Forest Resources

Wood Pellets: Clean, Efficient Heating with Renewable Energy from New Yorks Forest Resources Charlie Niebling, General Manager Adirondack Research Consortium Renewable Energy Conference Saratoga Springs NY February 17, 2010 New England Wood

479 views • 33 slides
Overview Topics Packages collections of classes Static CSE 143 Java Final

Overview Topics Packages collections of classes Static CSE 143 Java Final

Overview Topics Packages collections of classes Static CSE 143 Java Final Scope Packages and Scope Reading: Sec. 10.5, 10.6 10/7/2004 (c) 2001-4, University of Washington 05-1 10/7/2004 (c) 2001-4, University of

80 views • 6 slides
Math 121 10 >>>(4 + 2) * 3 18 >>>4 / 16 .25 >>>.1 + .2

Math 121 10 >>>(4 + 2) * 3 18 >>>4 / 16 .25 >>>.1 + .2

11/29/2015 Python can do math! >>>3 + 7 10 >>>4 + 2 * 3 Math 121 10 >>>(4 + 2) * 3 18 >>>4 / 16 .25 >>>.1 + .2 0.30000000000000004 Python has two types of numbers Python has two more

601 views • 36 slides
DC/Win Compensation 11/15/2007 Compensation in DC/Win Presented by: Kristina Kananen, QPA

DC/Win Compensation 11/15/2007 Compensation in DC/Win Presented by: Kristina Kananen, QPA

DC/Win Compensation 11/15/2007 Compensation in DC/Win Presented by: Kristina Kananen, QPA QKA APA Compensation in DC/Win What we will cover: Compensation Definitions Where Compensation is found in DC/Win Compensation

107 views • 8 slides
Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics

Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics

Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics Science and Technology Centre International Research Agenda Nicolaus Copernicus Astronomical Center, Polish Academy of Sciences Agenda Quantum

539 views • 31 slides
Testinfra test your salt infrastructure Philippe Pepiot <phil@philpep.org> Author and

Testinfra test your salt infrastructure Philippe Pepiot <phil@philpep.org> Author and

Testinfra test your salt infrastructure Philippe Pepiot <phil@philpep.org> Author and maintainer of testinfra Software engineer and devops @ 1 #cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab Testinfra Test the actual

766 views • 31 slides
and NineML Andrew Davison UNIC, CNRS BrainScaleS CodeJam #5 Edinburgh, 16 th March 2012 This

and NineML Andrew Davison UNIC, CNRS BrainScaleS CodeJam #5 Edinburgh, 16 th March 2012 This

and NineML Andrew Davison UNIC, CNRS BrainScaleS CodeJam #5 Edinburgh, 16 th March 2012 This presentation is licenced under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 licence http://creativecommons.org/licenses/by-nc-sa/3.0/

713 views • 33 slides

More recommend