Abstract
To protect sensitive resources from unauthorized use, modern mobile systems such as Android and iOS adopt a permission-based access control model. However, the current model cannot enforce fine-grained control over the dynamic contexts in which permissions are used, which causes two severe security problems. First, any code package in an application can use the permissions granted to that application, which encourages attackers to embed malicious payloads into benign apps. Second, the permissions granted to a benign application may be exploited by an attacker through vulnerable application interactions. Although ad hoc solutions have been proposed, none solves these two issues systematically within a unified framework.
This paper presents the first such framework. It provides context-sensitive permission enforcement that regulates permission use policies according to system-wide application contexts, covering both intra-application and inter-application context. We build a prototype system on Android, named FineDroid, to track such context during application execution. To flexibly regulate context-sensitive permission rules, FineDroid features a policy framework that can express generic application contexts. We demonstrate the benefits of FineDroid by instantiating several security extensions based on the policy framework for two potential users: administrators and developers. Furthermore, FineDroid is shown to introduce a minor overhead.
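As an added illustration (not code from the paper, and not FineDroid's actual policy language, which this page does not show), the following Python model contrasts a plain per-app permission check with one that also looks at intra-application and inter-application context. The app names, the rule fields and the first-match semantics are all assumptions of this sketch.

```python
from dataclasses import dataclass

# Constructed sample data: install-time grants per app (the baseline model).
GRANTED = {
    "com.example.news": {"ACCESS_FINE_LOCATION", "INTERNET"},
    "com.example.messenger": {"SEND_SMS"},
    "com.example.flashlight": set(),
}

@dataclass(frozen=True)
class Context:
    app: str                 # app whose process requests the permission
    stack: tuple             # code packages on the call stack (intra-app context)
    ipc_chain: tuple = ()    # apps whose IPC led to this request (inter-app context)

@dataclass(frozen=True)
class Rule:                  # hypothetical rule shape, not FineDroid's format
    permission: str
    app: str
    effect: str              # "allow" or "deny"
    code_prefix: str = ""    # matches if a stack package starts with it; "" matches any
    ipc: str = "any"         # "any", or "unprivileged": some caller lacks the permission

    def matches(self, permission, ctx):
        if (self.permission, self.app) != (permission, ctx.app):
            return False
        if self.code_prefix and not any(p.startswith(self.code_prefix) for p in ctx.stack):
            return False
        if self.ipc == "unprivileged":
            return any(permission not in GRANTED.get(a, set()) for a in ctx.ipc_chain)
        return True

RULES = [
    # Intra-app: the embedded ad library may not use the host app's location grant.
    Rule("ACCESS_FINE_LOCATION", "com.example.news", "deny", code_prefix="com.example.adsdk"),
    # Inter-app: no SMS on behalf of a caller that does not hold SEND_SMS itself.
    Rule("SEND_SMS", "com.example.messenger", "deny", ipc="unprivileged"),
]

def baseline(permission, ctx):
    """Per-app check only: the granted set is all that matters."""
    return "allow" if permission in GRANTED.get(ctx.app, set()) else "deny"

def decide(permission, ctx, rules=RULES):
    """Per-app check first, then the first matching context rule; default allow."""
    if baseline(permission, ctx) == "deny":
        return "deny"
    return next((r.effect for r in rules if r.matches(permission, ctx)), "allow")
```

Both problem cases from the abstract pass `baseline` (the requesting app holds the permission) and are only separated from legitimate use once the call stack or IPC chain is part of the decision.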
Copyright information
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Zhang, Y., Yang, M., Gu, G., Chen, H. (2015). FineDroid: Enforcing Permissions with System-Wide Application Execution Context. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_1
DOI: https://doi.org/10.1007/978-3-319-28865-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28864-2
Online ISBN: 978-3-319-28865-9
eBook Packages: Computer Science, Computer Science (R0)