Permission Re-Delegation: Attacks and Defenses
نویسندگان
چکیده
Modern browsers and smartphone operating systems treat applications as mutually untrusting, potentially malicious principals. Applications are (1) isolated except for explicit IPC or inter-application communication channels and (2) unprivileged by default, requiring user permission for additional privileges. Although inter-application communication supports useful collaboration, it also introduces the risk of permission redelegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application’s access to privileged devices and data. We discuss permission re-delegation and demonstrate its risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been confirmed as bugs. We discuss possible ways to address permission redelegation and present IPC Inspection, a new OS mechanism for defending against permission re-delegation. IPC Inspection prevents opportunities for permission redelegation by reducing an application’s permissions after it receives communication from a less privileged application. We have implemented IPC Inspection for a browser and Android, and we show that it prevents the attacks we found in the Android system applications.
منابع مشابه
Avoiding Delegation Subterfuge Using Linked Local Permission Names
Trust Management systems are typically explicit in their assumption that principals are uniquely identifiable. However, the literature has not been as prescriptive concerning the uniqueness of the permissions delegated by principals. Delegation subterfuge may arise when there is ambiguity concerning the uniqueness and interpretation of a permission. As a consequence, delegation chains that are ...
متن کاملConditional Proxy Broadcast Re-Encryption
A proxy re-encryption (PRE) scheme supports the delegation of decryption rights via a proxy, who makes the ciphertexts decryptable by the delegatee. PRE is useful in various applications such as encrypted email forwarding. In this paper, we introduce a more generalized notion of conditional proxy broadcast re-encryption (CPBRE). A CPBRE scheme allows Alice to generate a re-encryption key for so...
متن کاملCompartmentation Policies for Android Apps: A Combinatorial Optimization Approach
Some smartphone platforms such as Android have a distinctive message passing system that allows for sophisticated interactions among app components, both within and across app boundaries. This gives rise to various security and privacy risks, including not only intentional collusion attacks via permission re-delegation but also inadvertent disclosure of information and service misuse through co...
متن کاملMulti-class Traffic Morphing for Encrypted VoIP Communication
In a re-identification attack, an adversary analyzes the sizes of intercepted encrypted VoIP packets to infer characteristics of the underlying audio— for example, the language or individual phrases spoken on the encrypted VoIP call. Traffic morphing has been proposed as a general solution for defending against such attacks. In traffic morphing, the sender pads ciphertext to obfuscate the distr...
متن کاملROP is Still Dangerous: Breaking Modern Defenses
Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker, two recent low-overhead defenses that can be a...
متن کامل