User  ACG - Franziska Roesner

Report
User-Driven Access Control
Rethinking Permission Granting in Modern OSes
Franziska Roesner, Tadayoshi Kohno
University of Washington
Alexander Moshchuk, Bryan Parno, Helen J. Wang
Microsoft Research
Crispin Cowan
Microsoft
Modern Client Platforms
• iOS, Android, WP, Win8, browsers
– Applications isolated from one another.
– Limited global sharing.
– Cannot access user-owned resources by default:
• Cross-application data
• Devices (camera, GPS, …)
• Resources (clipboard, autocomplete data)
Problem:
How should platforms grant applications
access to user-owned resources?
May 21, 2012
Franziska Roesner
Challenge:
Users are in the loop to
grant permissions.
2
Manifests
State of the Art
Prompts
(iOS, browsers)
(Android, Windows Phone)
Out of context:
Checked at time
of install, not
time of use.
Disruptive:
In practice, only
prompted at first use to
avoid prompt-fatigue.
Both are not least-privilege:
Once granted permissions, apps can use them,
even if not necessary for application functionality.
May 21, 2012
Franziska Roesner
3
Permission Granting Goals
Let this application
access my location now.
• In context
– Unlike manifests
• Non-disruptive
– Unlike prompts
• Least privilege
– Unlike manifests and prompts
May 21, 2012
Franziska Roesner
4
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
May 21, 2012
Franziska Roesner
5
User-Driven Access Control
• Observation: A user’s natural UI actions in the
context of an application carry permission-granting
semantics.
See also EWS [SVNC ‘04], NitPicker [FH ‘05], CapDesk [M ‘06],
Qubes, Polaris [SKYCM ’06], UIBAC [SE ‘08], BLADE [LYPL ‘10].
• Challenge: How can the system understand
generalized in-app permission-granting behaviors?
May 21, 2012
Franziska Roesner
6
Access Control Gadgets (ACGs)
• Approach: Let the system control these UI elements
(ACGs) to capture a user’s permission granting intent.
• Challenges:
– How can system capture authentic user intent?
– How to prevent disruption of application context?
– Can this model support necessary app functionality?
– …?
May 21, 2012
Franziska Roesner
7
User’s View
Photo Editor App
Camera ACG
System’s View
Camera
Resource Monitor
Isolation
container
Policy: Which
app can access
camera in what
fashion
Photo Editor App
<object src=
“rm://camera/take
Picture”/>
ACG
2) Take
picture
1) User clicks on
camera ACG
3) Receive
picture
Kernel
May 21, 2012
Franziska Roesner
8
Design Challenges
• What are appropriate access semantics?
• How to accurately capture user intent?
• How can we support:
– customized access control gadgets?
– ACGs composing multiple resources?
– shortcuts and gestures instead of visual gadgets?
• How can we generalize to applicationcontrolled resource monitors?
– e.g., Facebook contacts, Flickr photos
May 21, 2012
Franziska Roesner
9
Access Semantics
One time:
Least
privilege
UI-coupled
Session:
Scheduled:
Permanent:
Permanent
Access
UIdecoupled
Few applications (5% of top 100 Android
apps) legitimately require permanent access.
May 21, 2012
Franziska Roesner
10
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
May 21, 2012
Franziska Roesner
11
Threats by Malicious Applications
• Manipulate access control gadget display
– Directly or by strategic obstruction
• Clickjacking (trick users into clicking on ACG)
– Visual or timing-based
• Programmatically click on ACG
Requirements:
1. ACG  User: Authentic display of ACG to user.
2. User  ACG: Authentic user actions to ACG.
May 21, 2012
Franziska Roesner
12
ACG  User: Display Integrity
(1) Display isolation:
Apps can’t set ACG’s pixels.
(2) Complete visibility:
ACGs are active only when completely visible.
(3) Sufficient display duration:
73%
of top
Androidonly
apps need
limited customization.
ACGs
activate
afteronly
a reaction
delay.
(4) Limited customization by applications.
May 21, 2012
Franziska Roesner
13
User  ACG: Authentic Input
(1) Input event isolation:
– Input events dispatched only from user input
devices to ACGs.
(2) The kernel controls the cursor over ACGs.
(3) Handling nested applications
– e.g., iGoogle embeds ad which embeds camera ACG
– Must grant permissions to correct application.
May 21, 2012
Franziska Roesner
14
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
May 21, 2012
Franziska Roesner
15
Implementation
• Implemented as part of the ServiceOS system
with 2500 lines of C# code.
• System support for:
– Access control gadgets
• Resources: camera, GPS, clipboard, autocomplete
Our experience shows that the
• Access semantics: one-time, session
implementation effort is modest
– ACG composition: camera+GPS
for both system developers and
– Input sequences:
copy-and-paste,
application
developers. drag-and-drop
– Nested applications
– Content picking and application-specific ACGs
• ACGs in applications: browser and MS Word
May 21, 2012
Franziska Roesner
16
Outline
• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation
May 21, 2012
Franziska Roesner
17
Discussion: Security Analysis
Our User  ACG and ACG  User properties do not
prevent applications from gaining unauthorized access
by social engineering attacks.
X
X
Location
access granted
• Social engineering risk: moderate
(high effort/risk for attacker)
• Usability: high
• Least-privilege guarantees: high
May 21, 2012
Franziska Roesner
18
Evaluation Highlights
• Vulnerability Study
– User-driven access control addresses most
published vulnerabilities related to resource
access: 36 of 44 in Chrome (82%), and 25 of 26 in
Firefox (96%).
• User Expectations
– Based on survey showing Android screenshots,
most users already believe (52% of 186) – and/or
desire (68%) – that resource access follows the
user-driven access control model.
May 21, 2012
Franziska Roesner
19
Summary
• User-driven access control captures a user’s
permission-granting intent from natural
interactions with the system and applications.
• Access control gadgets enable user-driven
permission granting.
– In-context, non-disruptive, and least-privilege.
• ACGs match user expectations.
May 21, 2012
Franziska Roesner
20

similar documents