mobile platform security spring 2016 franziska franzi
play

Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner - PowerPoint PPT Presentation

May 15, 2023 •418 likes •791 views

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Today: finish biometrics, start mobile security • Friday: – Lab #2 due (8pm) – Guest lecture: Charlie Reis, Google Chrome Security (and UW PhD grad) • Interested in policy? – Thursdays @ 12:30pm, Tech Policy Lunch in the Tech Policy Lab (Law School, room 222) – emcr@u.washington.edu 5/18/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. What About Biometrics? • Authentication: What you are • Unique identifying characteristics to authenticate user or create credentials – Biological and physiological: Fingerprints, iris scan – Behaviors characteristics - how perform actions: Handwriting, typing, gait • Advantages: – Nothing to remember – Passive – Can’t share (generally) – With perfect accuracy, could be fairly unique 5/18/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. Issues with Biometrics • Private, but not secret – Maybe encoded on the back of an ID card? – Maybe encoded on your glass, door handle, ... – Sharing between multiple systems? • Revocation is difficult (impossible?) – Sorry, your iris has been compromised, please create a new one... • Physically identifying – Soda machine to cross-reference fingerprint with DMV? • Birthday paradox – With false accept rate of 1 in a million, probability of false match is above 50% with only 1609 samples 5/18/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. Attacking Biometrics • An adversary might try to steal biometric info – Malicious fingerprint reader • Consider when biometric is used to derive a cryptographic key – Residual fingerprint on a glass • Ex: Apple’s TouchID 5/18/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. [Starbug -- http://istouchidhackedyet.com/] Attacking Biometrics 5/18/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. [Starbug -- http://istouchidhackedyet.com/] Attacking Biometrics 5/18/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. [Starbug -- http://istouchidhackedyet.com/] Attacking Biometrics 5/18/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. [Starbug -- http://istouchidhackedyet.com/] Attacking Biometrics 5/18/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. MOBILE PLATFORM SECURITY 5/18/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. Roadmap • Mobile malware • Mobile platforms vs. traditional platforms • Deep dive into Android – Continued next Monday – Background for Lab #3 5/18/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. Questions: Mobile Malware Q1: How might malware authors get malware onto phones? Q2: What are some goals that mobile device malware authors might have? Q3: What technical things might malware authors do? 5/18/16 CSE 484 / CSE M 584 - Spring 2016 12

  13. Smartphone (In)Security Users accidentally install malicious applications. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 13

  14. Smartphone (In)Security Even legitimate applications exhibit questionable behavior. Hornyack et al. : 43 of 110 Android applications sent location or phone ID to third-party advertising/analytics servers. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 14

  15. Malware in the Wild Android malware is growing. Today (2016): millions of samples. [Zhou et al.] 5/18/16 CSE 484 / CSE M 584 - Spring 2016 15

  16. Mobile Malware Attack Vectors • Unique to phones: – Premium SMS messages – Identify location – Record phone calls – Log SMS • Similar to desktop/PCs: – Connects to botmasters – Steal data – Phishing – Malvertising 5/18/16 CSE 484 / CSE M 584 - Spring 2016 16

  17. Mobile Malware Examples • DroidDream (Android) – Over 58 apps uploaded to Google app market – Conducts data theft; send credentials to attackers • Zitmo (Symbian,BlackBerry,Windows,Android) – Poses as mobile banking application – Captures info from SMS – steal banking 2 nd factors – Works with Zeus botnet • Ikee (iOS) – Worm capabilities (targeted default ssh password) – Worked only on jailbroken phones with ssh installed 5/18/16 CSE 484 / CSE M 584 - Spring 2016 17

  18. Mobile Malware Examples “ikee is never going to give you up” 5/18/16 CSE 484 / CSE M 584 - Spring 2016 18

  19. [Zhou et al.] (Android) Malware in the Wild What does it do? Root Remote Control Financial Charges Information Stealing Exploit Net SMS Phone SMS Block SMS Phone # User Call SMS Account # 20 27 1 4 28 17 13 15 3 Families # 1204 1171 1 256 571 315 138 563 43 Samples Why all these problems with mobile malware? 5/18/16 CSE 484 / CSE M 584 - Spring 2016 19

  20. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Linux) design: 1. There may be multiple users who don’t trust each other. Once an application is installed, it’s (more or less) trusted. 2. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 20

  21. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Linux) design: 1. There may be multiple users who don’t trust each other. Once an application is installed, it’s (more or less) trusted. 2. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 21

  22. Background: Before Mobile Platforms Assumptions in traditional OS (e.g., Linux) design: 1. There may be multiple users who don’t trust each other. Once an application is installed, it’s (more or less) trusted. 2. Apps can do anything the UID they’re running under can do. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 22

  23. What’s Different about Mobile Platforms? • Applications are isolated – Each runs in a separate execution context – No default access to file system, devices, etc. – Different than traditional OSes where multiple applications run with the same user permissions! • App Store: approval process for applications – Market: Vendor controlled/Open – App signing: Vendor-issued/self-signed – User approval of permissions 5/18/16 CSE 484 / CSE M 584 - Spring 2016 23

  24. More Details: Android [Enck et al.] • Based on Linux • Application sandboxes – Applications run as separate UIDs, in separate processes. – Memory corruption errors only lead to arbitrary code execution in the context of the particular application, not complete system compromise! – (Can still escape sandbox – but must compromise Linux kernel to do so.) ß allows rooting 5/18/16 CSE 484 / CSE M 584 - Spring 2016 24

  25. Android Applications • Activities provide user interfaces. • Services run in the background. • BroadcastReceivers receive messages sent to multiple applications (e.g., BOOT_COMPLETED) . • ContentProviders are databases addressable by their application-defined URIs. • AndroidManifest.xml – Specifies application components – Specifies required permissions 5/18/16 CSE 484 / CSE M 584 - Spring 2016 25

  26. Rooting and Jailbreaking • Allows user to run applications with root privileges – e.g., modify/delete system files, app management, CPU management, network management, etc. • Done by exploiting vulnerability in firmware to install su binary. • Double-edged sword… • Note: iOS is more restrictive than Android – Doesn’t allow “side-loading” apps, etc. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 26

  27. Challenges with Isolated Apps So mobile platforms isolate applications for security, but… 1. Permissions: How can applications access sensitive resources? 2. Communication: How can applications communicate with each other? 5/18/16 CSE 484 / CSE M 584 - Spring 2016 27

  28. (1) Permission Granting Problem Smartphones (and other modern OSes) try to prevent such attacks by limiting applications’ access to: – System Resources (clipboard, file system). – Devices (camera, GPS, phone, …). How should operating system grant permissions to applications? Standard approach: Ask the user. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 28

  29. State of the Art Prompts (time-of-use) 5/18/16 CSE 484 / CSE M 584 - Spring 2016 29

  30. State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to prompt-fatigue. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 30

  31. State of the Art Prompts (time-of-use) Manifests (install-time) Disruptive , which leads to Out of context ; not prompt-fatigue. understood by users. In practice, both are overly permissive : Once granted permissions, apps can misuse them. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 31

  32. [Felt et al.] Are Manifests Usable? Do users pay attention to permissions? … but 88% of users looked at reviews. 5/18/16 CSE 484 / CSE M 584 - Spring 2016 32

  33. [Felt et al.] Are Manifests Usable? Do users understand the warnings? 5/18/16 CSE 484 / CSE M 584 - Spring 2016 33

  34. [Felt et al.] Are Manifests Usable? Do users act on permission information? “Have you ever not installed an app because of permissions?” 5/18/16 CSE 484 / CSE M 584 - Spring 2016 34

  35. [Felt et al.] Over-Permissioning • Android permissions are badly documented. • Researchers have mapped APIs à permissions. www.android-permissions.org (Felt et al.), http://pscout.csl.toronto.edu (Au et al.) 5/18/16 CSE 484 / CSE M 584 - Spring 2016 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

874 views • 34 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

498 views • 31 slides
Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

638 views • 26 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

848 views • 29 slides
Software Security: Miscellaneous Spring 2016 Franziska (Franzi)

Software Security: Miscellaneous Spring 2016 Franziska (Franzi)

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu

778 views • 39 slides
Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

540 views • 29 slides
Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

810 views • 24 slides
Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner

Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

532 views • 36 slides
Admin Project checkpoint #2 due tonight Keep letting us know of any fuzzing issues with

Admin Project checkpoint #2 due tonight Keep letting us know of any fuzzing issues with

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli,

847 views • 62 slides
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,

735 views • 36 slides
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov,

419 views • 37 slides
Web Security: SSL/TLS Spring 2015 Franziska (Franzi) Roesner

Web Security: SSL/TLS Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: SSL/TLS Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks

661 views • 27 slides
Anonymity Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh,

Anonymity Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh,

CSE 484 / CSE M 584: Computer Security and Privacy Anonymity Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov,

421 views • 38 slides
Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk

Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk

Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk (after 1 st iteration) Can derive a class from more than one base class Use ctrl-C to stop the infinite loop, because that e.g., class

261 views • 3 slides
Introduction to Computing Principles

Introduction to Computing Principles

Introduction to Computing Principles Computer = hardware + software The computer is an amazingly useful general-purpose technology, to the point that now cameras,

429 views • 23 slides
18. Java Input/Output e.g. reading a number: int i = In.readInt(); Our class In provides various

18. Java Input/Output e.g. reading a number: int i = In.readInt(); Our class In provides various

User Input (half the truth) 18. Java Input/Output e.g. reading a number: int i = In.readInt(); Our class In provides various such methods. Some of those methods have to deal with wrong inputs: User Input/Console Output, File Input and Output

114 views • 9 slides
Perturbations of L-systems Sergey Belyi Troy University (USA) Operator Theory and Krein Spaces

Perturbations of L-systems Sergey Belyi Troy University (USA) Operator Theory and Krein Spaces

L-systems L-systems with 1-D input-output Donoghue classes and L-systems Realization of perturbed classes Perturbation of L-systems Perturbations of L-systems Sergey Belyi Troy University (USA) Operator Theory and Krein Spaces Vienna,

1.07k views • 102 slides
Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data

Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data

Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data Annemarie Sprokkereef ICS - University of Leeds TILT- University of Tilburg What is Biometrics? Biometric technology identifies individuals by

614 views • 12 slides
Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

405 views • 5 slides
Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Orr Dunkelman, Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work with Mahmood Sharif and Margarita Keeps Your Privacy Osadchy Overview Motivation Background : The Fuzziness Problem

810 views • 53 slides
Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo

Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo

Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo Song Seoul National University Oct 25, 2014 1 / 14 Noisy information in cryptography Classical cryptographic applications Lack of error-tolerance

166 views • 14 slides

More recommend