Zeqing Guo,Weili Han,Liangxing Liu,Wenyuan Xu,Ruiqi Bu,Minyue Ni

DOI: https://doi.org/10.1145/2752952.2752974

2015-01-01

Abstract:More and more powerful personal smart devices take users, especially the elder, into a disaster of policy administration where users are forced to set personal management policies in these devices. Considering a real case of this issue in the Android security, it is hard for users, even some programmers, to generally identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, referring to Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA leverages a basic idea that a user may invite his or her friends to help set the applications. Especially, when the size of invited friends increases, the setting result can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA, and propose an enforcement framework where users' friends can help users set applications without the leakage of friends' preferences with the supports of a privacy preserving mechanism. In our prototype, we only leverage partially homomorphic encryption cryptosystems to implement our framework, because the fully homomorphic encryption is not acceptable to be deployed in a practical service at the moment. Based on our prototype and performance evaluation, SPA is promising to support major types of policies in current popular applications with acceptable performance.

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

Xingqiu Zhong,Fanping Zeng,Zhichao Cheng,Niannian Xie,Xiaoxia Qin,Shuli Guo

DOI: https://doi.org/10.1109/bigcom.2017.21

2017-01-01

Abstract:As the most popular mobile operating system, there are large amount of applications developed for Android. Considering security issues, developers are forced to declare relative permissions in manifest file when they need to use sensitive APIs. With the ability of inter-component communication (ICC) provided by Android, malicious applications can indirectly call sensitive APIs through components exposed by other applications, leading to privilege escalation. To address this problem, we propose a method to detect this kind of privilege escalation between two applications. First, we compare the permission sets of both applications. Then, if necessary we identify call links between two applications and perform inter-application control flow analysis. Finally, according to the result of control flow analysis, we can judge whether the privilege escalation exists. As the experiment result shows, our method can accurately detect privilege escalation between two applications.

Safwat Hassan,Heng Li,Ahmed E. Hassan

DOI: https://doi.org/10.48550/arXiv.2204.03794

2022-04-08

Abstract:The competing nature of the app market motivates us to shift our focus on apps that provide similar functionalities and directly compete with each other (i.e., peer apps). In this work, we study the ratings and the review text of 100 Android apps across 10 peer app groups. We highlight the importance of performing peer-app analysis by showing that it can provide a unique perspective over performing a global analysis of apps (i.e., mixing apps from multiple categories). First, we observe that comparing user ratings within peer groups can provide very different results from comparing user ratings from a global perspective. Then, we show that peer-app analysis provides a different perspective to spot the dominant topics in the user reviews, and to understand the impact of the topics on user ratings. Our findings suggest that future efforts may pay more attention to performing and supporting app analysis from a peer group context. For example, app store owners may consider an additional rating mechanism that normalizes app ratings within peer groups, and future research may help developers understand the characteristics of specific peer groups and prioritize their efforts.

Software Engineering

Billoir, Eddie,Laborde, Romain,Rütschlé, Yves,Benzekri, Abdelmalek

DOI: https://doi.org/10.1007/s12243-024-01033-5

2024-05-17

Annals of Telecommunications

Abstract:With the new personal data protection or export control regulations, the principle of least privilege is mandatory and must be applied even for system administrators. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege. We define a set of requirements to manage these privileges properly, striving to balance adherence to the principle of least privilege and usability. We also present a deep analysis of each administrative privilege system based on these requirements and exhibit their benefits and limitations. This evaluation also covers the efficiency of the currently available solutions to assess the difficulty of performing administrative privileges management tasks. Following the results, the article presents the RootAsRole project, which aims to simplify Linux privilege management. We describe the new features introduced by the project and the difficulties we faced. This concrete experience allows us to highlight research challenges.

telecommunications

Tian Puyang,Qingni Shen,Yang Luo,Wu Luo,Zhonghai Wu

DOI: https://doi.org/10.1109/ICC.2017.7997107

2017-01-01

Abstract:Failing to promote the least privilege principle in administration can lead to substantial vulnerabilities in cloud computing. A malicious insider like a compromised cloud administrator can affect security of data and workloads belonging to cloud customers. Enforcing the least privilege principle in cloud administration can fairly restrict the permissions of administrators and reduce the attack surface. However, writing a least privilege policy can be hard and error prone for cloud service providers. In this paper, we propose a framework called Least Privilege for Cloud (LPCloud) to address these concerns. LPCloud automatically produces policies for minimization of administrators' privileges at the granularity of representational state transfer (REST) application program interfaces (API), and enforces the policies without affecting current systems. Specifically, we introduce a novel algorithm to partition privileges based on dependencies between API calls. This paper presents design of LPCloud, including a service called Policy Generator which produces partitioned policies and a component named Policy Enforcer to enforce the policies. We implement a prototype of our framework in OpenStack Mitaka. Experiments indicate that LPCloud can produce proper policies to enforce the least privilege principle. Meantime, the average performance overhead is 10.1% which is in acceptable level.

Xingmin Cui,Jingxuan Wang,Lucas Chi Kwong Hui,Zhongwei Xie,Tian Zeng,Siu-Ming Yiu

DOI: https://doi.org/10.1145/2766498.2766509

2015-01-01

Abstract:Due to the rapid increase of Android apps and their wide usage to handle personal data, a precise and large-scaling checker is in need to validate the apps' permission flow before they are listed on the market. Several tools have been proposed to detect sensitive data leaks in Android apps. But these tools are not applicable to large-scale analysis since they fail to deal with the arbitrary execution orders of different event handlers smartly. Event handlers are invoked by the framework based on the system state, therefore we cannot pre-determine their order of execution. Besides, since all exported components can be invoked by an external app, the execution orders of these components are also arbitrary. A naive way to simulate these two types of arbitrary execution orders yields a permutation of all event handlers in an app. The time complexity is O(n!) where n is the number of event handlers in an app. This leads to a high analysis overhead when n is big. To give an illustration, CHEX [10] found 50.73 entry points of 44 unique class types in an app on average. In this paper we propose an improved static taint analysis to deal with the challenge brought by the arbitrary execution orders without sacrificing the high precision. Our analysis does not need to make permutations and achieves a polynomial time complexity. We also propose to unify the array and map access with object reference by propagating access paths to reduce the number of false positives due to field-insensitivity and over approximation of array access and map access. We implement a tool, WeChecker, to detect privilege escalation vulnerabilities [7] in Android apps. WeChecker achieves 96% precision and 96% recall in the state-of-the-art test suite DriodBench (for compairson, the precision and recall of FlowDroid [1] are 86% and 93%, respectively). The evaluation of WeChecker on real apps shows that it is efficient (average analysis time of each app: 29.985s) and fits for large-scale checking.

Bin Liang,Heng Liu,Wenchang Shi,Yanjun Wu

DOI: https://doi.org/10.1007/978-3-540-31979-5_10

2005-01-01

Abstract:In order to provide effective support to the principle of least privilege, considering the limitation of traditional privilege mechanisms, this paper proposes a new privilege control model called State-Based Privilege Control (SBPC) and presents the design and implementation of a prototype system for SBPC called Controlled Privilege Framework (CPF) on the Linux operating system platform. SBPC decomposes the time space of a process' lifetime into a series of privilege states according to activities of the process and its need for special permissions. The privilege state is closely related to the application logic of a process. It is the privilege state transfer event that stimulates a process to transfer from one privilege state into another one. For a specified process, there is a specific set of privileges corresponding to every privilege state of the process. With the implementation of CPF, experiment results show that fine-grain and automatic privilege control can be exercised transparently to traditional applications, threats of intrusion to a system can be reduced greatly, and support to the principle of least privilege can therefore be achieved effectively.

Zhaoyi Meng,Yan Xiong,Wenchao Huang,Lei Qin,Xin Jin,Hongbing Yan

DOI: https://doi.org/10.1016/j.neucom.2019.01.105

IF: 6

2019-01-01

Neurocomputing

Abstract:Today’s Android users face a security dilemma: they want to grant permissions to apps for enjoying more abundant functionalities, but also worry that the apps may abuse these permissions to leak their private information without their grants. To optimize users’ benefits, we implement a novel privacy-preserving system named AppScalpel to prune undesirable usage of sensitive data in Android applications, on the top of static analysis and outlier detection results. We use static analysis to extract sufficient contextual features of data usage behaviors within applications. To precisely identify undesirable usage of sensitive data, we leverage outlier detection, which solves the problem of lacking labeled behavioral samples. To enforce the privacy-preserving rules within apps, AppScalpel instruments rule enforcers on each undesirable data-flow path respectively by the code instrumentation technique. We aim to block undesirable usage of sensitive data without affecting other user-desired functionalities. Our evaluation demonstrates that AppScalpel precisely identifies undesirable usage of sensitive data and effectively protects users’ private information in a fine-grained mode, and the robustness of the instrumented apps is also achieved. Moreover, for the instrumented apps, AppScalpel introduces little space and runtime overhead.

Sai Praveen Kadiyala,Akella Kartheek,Tram Truong-Huu

DOI: https://doi.org/10.48550/arXiv.2104.01518

2021-04-04

Abstract:Understanding the dynamic behavior of computer programs during normal working conditions is an important task, which has multiple security benefits such as the development of behavior-based anomaly detection, vulnerability discovery, and patching. Existing works achieved this goal by collecting and analyzing various data including network traffic, system calls, instruction traces, etc. In this paper, we explore the use of a new type of data, performance counters, to analyze the dynamic behavior of programs. Using existing primitives, we develop a tool named perfextract to capture data from different performance counters for a program during its startup time, thus forming multiple time series to represent the dynamic behavior of the program. We analyze the collected data and develop a semi-supervised clustering algorithm that allows us to classify each program using its performance counter time series into a specific group and to identify the intrinsic behavior of that group. We carry out extensive experiments with 18 real-world programs that belong to 4 groups including web browsers, text editors, image viewers, and audio players. The experimental results show that the examined programs can be accurately differentiated based on their performance counter data regardless of whether programs are run in physical or virtual environments.

Cryptography and Security

Hamza Harkous,Karl Aberer

DOI: https://doi.org/10.1145/3029806.3029837

2017-03-25

Abstract:Cloud storage services, like Dropbox and Google Drive, have growing ecosystems of 3rd party apps that are designed to work with users' cloud files. Such apps often request full access to users' files, including files shared with collaborators. Hence, whenever a user grants access to a new vendor, she is inflicting a privacy loss on herself and on her collaborators too. Based on analyzing a real dataset of 183 Google Drive users and 131 third party apps, we discover that collaborators inflict a privacy loss which is at least 39% higher than what users themselves cause. We take a step toward minimizing this loss by introducing the concept of History-based decisions. Simply put, users are informed at decision time about the vendors which have been previously granted access to their data. Thus, they can reduce their privacy loss by not installing apps from new vendors whenever possible. Next, we realize this concept by introducing a new privacy indicator, which can be integrated within the cloud apps' authorization interface. Via a web experiment with 141 participants recruited from CrowdFlower, we show that our privacy indicator can significantly increase the user's likelihood of choosing the app that minimizes her privacy loss. Finally, we explore the network effect of History-based decisions via a simulation on top of large collaboration networks. We demonstrate that adopting such a decision-making process is capable of reducing the growth of users' privacy loss by 70% in a Google Drive-based network and by 40% in an author collaboration network. This is despite the fact that we neither assume that users cooperate nor that they exhibit altruistic behavior. To our knowledge, our work is the first to provide quantifiable evidence of the privacy risk that collaborators pose in cloud apps. We are also the first to mitigate this problem via a usable privacy approach.

Cryptography and Security,Human-Computer Interaction

Andrea Di Sorbo,Sebastiano Panichella

DOI: https://doi.org/10.1007/s10664-021-09978-0

IF: 3.762

2021-06-08

Empirical Software Engineering

Abstract:Mobile applications are used for accomplishing everyday life activities, such as shopping, banking, and social communications. To leverage the features of mobile apps, users often need to share sensitive information. However, recent research demonstrated that most of such apps present critical security and privacy defects. In this context, we define as <i>vulnerability-proneness</i> the risk level(s) that users meet in downloading specific apps, to better understand whether (1) users select apps with lower risk levels and if (2) vulnerability-proneness of an app might affect its success. We use as proxy to measure such risk level the <i>"number of different types of potential security issues exhibited by the app"</i>. We conjecture that the vulnerability-proneness levels may vary based on (i) the types of data handled by the app, and (ii) the operations for which the app is supposed to be used. Hence, we investigate how the vulnerability-proneness of apps varies when observing (i) different app categories, and (ii) apps with different success levels. Finally, to increase the awareness of both users and developers on the vulnerability-proneness of apps, we evaluate the extent to which contextual information provided by the app market can be exploited to estimate the vulnerability-proneness levels of mobile apps. Results of our study show that apps in the Medical category exhibit the lowest levels of vulnerability-proneness. Besides, while no strong relations between vulnerability-proneness and average rating are observed, apps with a higher number of downloads tend to have higher vulnerability-proneness levels, but lower vulnerability-proneness density. Finally, we found that apps' contextual information can be used to predict, in the early stages, the vulnerability-proneness levels of mobile apps.

computer science, software engineering

Yin Wang,Ming Fan,Hao Zhou,Haijun Wang,Wuxia Jin,Jiajia Li,Wenbo Chen,Shijie Li,Yu Zhang,Deqiang Han,Ting Liu

DOI: https://doi.org/10.1145/3691620.3695534

2024-01-01

Abstract:The rising popularity of mini-programs deployed on super-app platforms has drawn significant attention due to their convenience. However, developers' improper handling of data permission application in mini-programs has raised concerns about non-compliance and violations. Unfortunately, existing tools lack the capability to support the construction of a universal function call graph for the mini-program and the literature lacks a comprehensive and systematic study of the abusive issues. To bridge this gap, this paper introduces an automated tool, MiniChecker, to uncover the abusive permission request behavior in mini-programs. It defines five primary categories of abusive issues, namely homepage pop-up, overlaying pop-up, bothering pop-up, repeating pop-up, and looping pop-up, based on the request behavior features. MiniChecker achieves a detection precision rate of 82.4% and a recall rate of 95.3% on our benchmark, and identifies 3,866 risky mini-programs out of 20,000 real-world mini-programs. Our analysis reveals inherent design flaws in the mini-program permission mechanism, and we have shared our findings with several mini-program platforms.

Xusheng Xiao,Nikolai Tillmann,Manuel Fahndrich,Jonathan de Halleux,Michal Moskal,Tao Xie

DOI: https://doi.org/10.1007/s10515-014-0166-y

IF: 1.677

2014-01-01

Automated Software Engineering

Abstract:Applications in mobile-marketplaces may leak private user information without notification. Existing mobile platforms provide little information on how applications use private user data, making it difficult for experts to validate applications and for users to grant applications access to their private data. We propose a user-aware privacy control approach, which reveals how private information is used inside applications. We compute static information flows and classify them as safe/unsafe based on a tamper analysis that tracks whether private data is obscured before escaping through output channels. This flow information enables platforms to provide default settings that expose private data only for safe flows, thereby preserving privacy and minimizing decisions required from users. We built our approach into TouchDevelop, an application-creation environment that allows users to write scripts on mobile devices and install scripts published by other users. We evaluate our approach by studying 546 scripts published by 194 users.

Jorge Blasco,Thomas M. Chen,Igor Muttik,Markus Roggenbach

DOI: https://doi.org/10.48550/arXiv.1706.02387

2017-06-08

Abstract:Android is designed with a number of built-in security features such as app sandboxing and permission-based access controls. Android supports multiple communication methods for apps to cooperate. This creates a security risk of app collusion. For instance, a sandboxed app with permission to access sensitive data might leak that data to another sandboxed app with access to the internet. In this paper, we present a method to detect potential collusion between apps. First, we extract from apps all information about their accesses to protected resources and communications. Then we identify sets of apps that might be colluding by using rules in first order logic codified in Prolog. After these, more computationally demanding approaches like taint analysis can focus on the identified sets that show collusion potential. This "filtering" approach is validated against a dataset of manually crafted colluding apps. We also demonstrate that our tool scales by running it on a set of more than 50,000 apps collected in the wild. Our tool allowed us to detect a large set of real apps that used collusion as a synchronization method to maximize the effects of a payload that was injected into all of them via the same SDK.

Cryptography and Security

Cong WANG,Ren-bin ZHANG,Gang LI

DOI: https://doi.org/10.13873/J.1000-9787(2017)01-0146-03

2017-01-01

Abstract:Privilege mechanism is the core of Android security mechanism.On the basis of analysis on principle of privilege escalation,a scheme of privilege escalation attack detection is presented.The scheme makes full use of characteristics of permission transfer and communication connection between components,realize from dynamic and static states,detection rate based on defect is 78.7 ％,and based on component is more than 50 ％.Experimental results show that the detection method can effectively detect privilege escalation attack,which provides a feasible solution for solving problems of reliability of privilege escalation attack detection model.

Ming-Hsun Yang,Y. -W. Peter Hong,Tsang-Yi Wang,Jwo-Yuh Wu

DOI: https://doi.org/10.1109/icc.2019.8761925

2019-01-01

Abstract:This work proposes efficient methods for the detection of malicious crowdsourcing workers using only privacy-aware group queries. In the proposed system, the crowdsourcing platform first issues a series of standard tasks to the workers, and allows users (i.e., data owners) to access aggregate responses from the workers through group queries that can be described by sparse encoding vectors. The identities of workers associated with individual responses are not explicitly revealed. By exploiting the sparse nature of the encoding vectors, we first propose an approximate maximum a posteriori probability (Approx. MAP) detector to perform the detection. Then, to further reduce computational complexity, we devise a generalized likelihood ratio test (GLRT) where probable malicious workers are first identified before a simple hypothesis test is performed. The identification of malicious workers is performed by a low-complexity probability-based rule that exploits a certain sparse structure inherent in the crowd data as well as the associated statistical assumptions. Computer simulations show that the proposed methods outperform the conventional energy detector.

Mengwei Xu,Yun Ma,Xuanzhe Liu,Felix Xiaozhu Lin,Yunxin Liu

DOI: https://doi.org/10.1145/3038912.3052645

2017-01-01

Abstract:Background activities on smartphones are essential to today's \"always-on\" mobile device experience. Yet, there lacks a clear understanding of the cooperative behaviors among background activities as well as a quantification of the consequences. In this paper, we present the first in-depth study of app collusion, in which one app surreptitiously launches others in the background without user's awareness. To enable the study, we develop AppHolmes, a static analysis tool for detecting app collusion by examining the app binaries. By analyzing 10,000 apps from top third-party app markets, we found that i) covert, cooperative behaviors in background app launch are surprisingly pervasive, ii) most collusion is caused by shared services, libraries, or common interest among apps, and iii) collusion has serious impact on performance, efficiency, and security. Overall, our work presents a strong implication on future mobile system design.

YANG Bo,TANG Zhu-shou,ZHU Hao-jin,SHEN Bei-jun,LIN Jiu-chuan

DOI: https://doi.org/10.3969/j.issn.1002-137X.2012.z3.005

2012-01-01

Computer Science

Abstract:Android applications that have access to crucial system resources are the targets of attackers.An application applies the access rights when it is installed,and users always ignore that.This paper proposes a new method to detect overprivilege in compiled Android applications,which leverages dataflow analysis to get the parameters of an API call.A static detection tool "Brox" is implemented based on this method.And Brox is tested using multiply Android applications.The test results on the accuracy and performance are quite encouraging.

Iwona Hawryluk,Henrique Hoeltgebaum,Cole Sodja,Tyler Lalicker,Joshua Neil

DOI: https://doi.org/10.48550/arXiv.2209.09769

2022-09-27

Abstract:Cyber-security analysts face an increasingly large number of alerts received on any given day. This is mainly due to the low precision of many existing methods to detect threats, producing a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are implemented within a computer network to detect threats. Recent efforts in User and Entity Behaviour Analytics modelling shed a light on how to reduce the burden on Security Operations Centre analysts through a better understanding of peer-group behaviour. Statistically, the challenge consists of accurately grouping users with similar behaviour, and then identifying those who deviate from their peers. This work proposes a new approach for peer-group behaviour modelling of Windows authentication events, using principles from hierarchical Bayesian models. This is a two-stage approach where in the first stage, peer-groups are formed based on a data-driven method, given the user's individual authentication pattern. In the second stage, the counts of users authenticating to different entities are aggregated by an hour and modelled by a Poisson distribution, taking into account seasonality components and hierarchical principles. Finally, we compare grouping users based on their human resources records against the data-driven methods and provide empirical evidence about alert reduction on a real-world authentication data set from a large enterprise network.

Cryptography and Security,Applications