An Example of an Android Security Extension
YAASE - Yet Another Android Security Extension
YAASE Main Features
• A Policy-based System for
  • Controlling Information Flow
  • Fine-grained Data Filtering
• No modifications to Android API
• No trust in apps
• Control over IPC and system-level calls (internet)
• Data filtering capabilities
• Tuneable
YAASE Architecture
• Grey = New components added
• Dashed = Modified Android components
Policy-based AC Terms
• A policy is a rule that governs the behaviour of a system
• PEP stands for Policy Enforcement Point
  • It is responsible for intercepting the requests and enforcing the access control decisions
• PDP stands for Policy Decision Point
  • It is responsible for evaluating policies and coming up with a decision
• Policy Provider is the repository where policies are stored
YAASE Policy Language
PolicyName: Requester can do operation on Resource [have to perform action] handle dataLabelExpression
By default, if no policy is specified, no action is granted!
Example of a Privilege Escalation
• FeedMe: A news feed app requiring access to internet
• NavApp: A navigation app requiring access to GPS
Policies for Apps
PolFeedMe: FeedMe can do send on Internet handle “NoLabels”
PolNavApp: NavApp can do access on GPS handle “FineLocation”
Restrict Approach
[Figure, four animation steps: FeedMe and NavApp in separate sandboxes (Android Apps); GPS and NET in the System Sandbox; YAASE with PEP, PDP and Policy Provider. Step labels: "Access to NavApp" (first step), "NO ACCESS" (last step).]
Relaxed Approach
[Figure, three animation steps: same components as the Restrict Approach diagram. Step labels: "D:FL" (second step), "INTERNET" and "D:FL" (third step).]
Enforced Policy
PolFeedMe: FeedMe can do send on Internet handle “NoLabels”
Relaxed Approach
[Figure: same diagram as the previous Relaxed Approach step, labels "INTERNET" and "D:FL".]
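A minimal model of the decision step for the FeedMe/NavApp example, added here as an illustration; it is not code from the slides or from YAASE. It parses policies written in the slide grammar, denies when no policy matches, and checks the labels on the data against the policy's handle clause. Assumptions: "NoLabels" means the requester may only handle unlabelled data, a handle expression is a comma-separated list of label names, "D:FL" in the diagrams means data labelled FineLocation, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Slide grammar: PolicyName: Requester can do operation on Resource
#                [have to perform action] handle dataLabelExpression
POLICY_RE = re.compile(
    r'^(\w+):\s+(\w+)\s+can do\s+(\w+)\s+on\s+(\w+)'
    r'(?:\s+have to perform\s+(\w+))?\s+handle\s+"([^"]*)"$')

@dataclass(frozen=True)
class Policy:
    name: str
    requester: str
    operation: str
    resource: str
    action: Optional[str]   # optional "have to perform" clause
    labels: frozenset       # data labels the requester may handle

def parse_policy(line):
    m = POLICY_RE.match(line.strip())
    if m is None:
        raise ValueError("not a policy: %r" % line)
    name, requester, operation, resource, action, expr = m.groups()
    # Assumption: "NoLabels" = empty set; otherwise a comma-separated list.
    labels = frozenset() if expr == "NoLabels" else frozenset(
        part.strip() for part in expr.split(","))
    return Policy(name, requester, operation, resource, action, labels)

class PDP:
    def __init__(self, policy_lines):
        self.policies = [parse_policy(line) for line in policy_lines]

    def decide(self, requester, operation, resource, data_labels=()):
        """Return (permit, reason) for a request intercepted by a PEP."""
        key = (requester, operation, resource)
        for p in self.policies:
            if (p.requester, p.operation, p.resource) == key:
                extra = set(data_labels) - p.labels
                if extra:
                    return False, "%s: cannot handle %s" % (p.name, sorted(extra))
                return True, p.name
        return False, "no policy (default deny)"

# The two policies from the slides, written with straight quotes.
PDP_DEMO = PDP([
    'PolFeedMe: FeedMe can do send on Internet handle "NoLabels"',
    'PolNavApp: NavApp can do access on GPS handle "FineLocation"',
])
```

In this model, `PDP_DEMO.decide("FeedMe", "send", "Internet", ["FineLocation"])` is denied by PolFeedMe, while the same call without labels is permitted.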
Final Thoughts
• Standard Android Security framework is insufficient
• A plethora of security extensions has been presented
• Now it is time for Google to start taking some action
Readings
• Russello, Giovanni, et al. "YAASE: Yet Another Android Security Extension." 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom). IEEE, 2011.