User  ACG - Franziska Roesner

Download Report

Transcript User  ACG - Franziska Roesner

User-Driven Access Control

Rethinking Permission Granting in Modern OSes

Franziska Roesner, Tadayoshi Kohno

University of Washington

Alexander Moshchuk, Bryan Parno, Helen J. Wang

Microsoft Research

Crispin Cowan

Microsoft

Modern Client Platforms

• iOS, Android, WP, Win8, browsers
  – Applications isolated from one another.
  – Limited global sharing.
  – Cannot access user-owned resources by default:
    • Cross-application data
    • Devices (camera, GPS, …)
    • Resources (clipboard, autocomplete data)

Problem:

How should platforms grant applications access to user-owned resources?

Challenge:

Users are in the loop to grant permissions.

May 21, 2012 Franziska Roesner 2

State of the Art

Manifests (Android, Windows Phone)
– Out of context: checked at time of install, not at time of use.

Prompts (iOS, browsers)
– Disruptive: in practice, users are only prompted at first use, to avoid prompt fatigue.

Neither is least-privilege: once permissions are granted, apps can use them at any time, even when not necessary for the application's functionality.


Permission Granting Goals

"Let this application access my location now."

• In context – unlike manifests
• Non-disruptive – unlike prompts
• Least privilege – unlike manifests and prompts

Outline

• Motivation and Setup
• User-Driven Access Control – via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation

User-Driven Access Control

• Observation: A user's natural UI actions in the context of an application carry permission-granting semantics.
• See also EWS [SVNC '04], Qubes, Polaris [SKYCM '06], NitPicker [FH '05], UIBAC [SE '08], CapDesk [M '06], BLADE [LYPL '10].

Challenge: How can the system understand generalized in-app permission-granting behaviors?

Access Control Gadgets (ACGs)

• Approach: Let the system control these UI elements (ACGs) to capture a user's permission-granting intent.
• Challenges:
  – How can the system capture authentic user intent?
  – How to prevent disruption of application context?
  – Can this model support necessary app functionality?
  – …?

User's View / System's View

[Figure: a Photo Editor App embedding a Camera ACG, with the kernel-side Camera Resource Monitor running in its own isolation container and enforcing the policy of which app can access the camera in what fashion.]

1) User clicks on the camera ACG.
2) The Camera Resource Monitor takes the picture.
3) The Photo Editor App receives the picture.

Design Challenges

• What are appropriate access semantics?
• How to accurately capture user intent?
• How can we support:
  – customized access control gadgets?
  – ACGs composing multiple resources?
  – shortcuts and gestures instead of visual gadgets?
• How can we generalize to application-controlled resource monitors?
  – e.g., Facebook contacts, Flickr photos

Access Semantics

Ordered from least privilege to permanent access:
• One time (UI-coupled)
• Session (UI-coupled)
• Scheduled (UI-decoupled)
• Permanent (UI-decoupled)

Few applications (5% of the top 100 Android apps) legitimately require permanent access.


Threats by Malicious Applications

• Manipulate the access control gadget's display
  – Directly or by strategic obstruction
• Clickjacking (trick users into clicking on the ACG)
  – Visual or timing-based
• Programmatically click on the ACG

Requirements:
1. ACG → User: authentic display of the ACG to the user.
2. User → ACG: authentic user actions delivered to the ACG.

ACG → User: Display Integrity

(1) Display isolation: apps can't set the ACG's pixels.
(2) Complete visibility: ACGs are active only when completely visible.
(3) Sufficient display duration: an ACG is active only after it has been on screen long enough for the user to see it.
(4) Limited customization by applications.

User → ACG: Authentic Input

(1) Input event isolation: input events are dispatched to ACGs only from user input devices, never synthesized by applications.
(2) The kernel controls the cursor over ACGs.
(3) Handling nested applications
  – e.g., iGoogle embeds an ad which embeds a camera ACG
  – Must grant permissions to the correct application.
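The two requirement slides above (ACG → User display integrity, User → ACG authentic input) and the access-semantics slide describe a single enforcement point: a kernel-side resource monitor that turns an authentic click on a gadget into a grant and then enforces the grant's semantics. The following toy model is an added illustration of that mechanism, written for this transcript; it is not the ServiceOS code from the talk, and every class, method and threshold in it (`ResourceMonitor`, `MIN_DISPLAY_SECONDS`, the `Source` enum) is an assumption made here to show how the checks compose.

```python
# Toy model of an access-control-gadget (ACG) resource monitor. Added illustration,
# not the ServiceOS implementation; all names and thresholds are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Semantics(Enum):
    ONE_TIME = "one-time"   # UI-coupled: one access per authentic click
    SESSION = "session"     # UI-coupled: access until the app's session ends


class Source(Enum):
    DEVICE = "device"   # event originates at a user input device, dispatched by the kernel
    APP = "app"         # event synthesized by application code (programmatic click)


@dataclass
class App:
    name: str
    parent: Optional["App"] = None   # embedding app, for nested applications
    session_open: bool = True


@dataclass
class ACG:
    resource: str                   # e.g. "camera", "gps"
    semantics: Semantics
    owner: App                      # the app whose UI embeds this gadget
    visible_fraction: float = 1.0   # fraction of the gadget's pixels unobstructed
    shown_since: float = 0.0        # time the gadget became fully visible


@dataclass
class InputEvent:
    source: Source
    target: ACG


class ResourceMonitor:
    """Kernel-side monitor: the only component that turns clicks into grants."""

    MIN_DISPLAY_SECONDS = 0.5   # assumed threshold for "sufficient display duration"

    def __init__(self) -> None:
        # (app name, resource) -> semantics of the outstanding grant
        self.grants: dict[tuple[str, str], Semantics] = {}

    def display_integrity(self, acg: ACG, now: float) -> bool:
        # ACG -> User: active only when completely visible and on screen long enough
        # to defeat timing-based clickjacking.
        return acg.visible_fraction >= 1.0 and now - acg.shown_since >= self.MIN_DISPLAY_SECONDS

    def on_input(self, event: InputEvent, now: float) -> bool:
        """Return True if the event produced a grant."""
        # User -> ACG: only kernel-dispatched device events reach a gadget.
        if event.source is not Source.DEVICE:
            return False
        acg = event.target
        if not self.display_integrity(acg, now):
            return False
        # Nested applications: the grant goes to the app that embeds the ACG,
        # not to any ancestor that embeds that app.
        self.grants[(acg.owner.name, acg.resource)] = acg.semantics
        return True

    def access(self, app: App, resource: str) -> bool:
        """Called when an app tries to use a resource; enforces the grant's semantics."""
        key = (app.name, resource)
        semantics = self.grants.get(key)
        if semantics is None:
            return False
        if semantics is Semantics.ONE_TIME:
            del self.grants[key]        # consumed by this single access
            return True
        if not app.session_open:        # a SESSION grant dies with the session
            del self.grants[key]
            return False
        return True


def demo() -> dict[str, bool]:
    """Constructed scenarios covering the threats listed on the slides."""
    rm = ResourceMonitor()
    editor = App("photo-editor")
    camera = ACG("camera", Semantics.ONE_TIME, owner=editor, shown_since=0.0)
    r = {}
    # Programmatic click: rejected by input-event isolation.
    r["programmatic_click_granted"] = rm.on_input(InputEvent(Source.APP, camera), now=1.0)
    # Real click on a partially obstructed gadget: rejected by complete visibility.
    camera.visible_fraction = 0.6
    r["obstructed_click_granted"] = rm.on_input(InputEvent(Source.DEVICE, camera), now=1.0)
    # Real click too soon after the gadget appeared (timing clickjacking).
    camera.visible_fraction, camera.shown_since = 1.0, 1.0
    r["too_fast_click_granted"] = rm.on_input(InputEvent(Source.DEVICE, camera), now=1.1)
    # Authentic click: one-time grant, consumed by exactly one access.
    r["authentic_click_granted"] = rm.on_input(InputEvent(Source.DEVICE, camera), now=2.0)
    r["first_access"] = rm.access(editor, "camera")
    r["second_access"] = rm.access(editor, "camera")
    # Session semantics: repeated access until the session closes.
    maps = App("maps")
    gps = ACG("gps", Semantics.SESSION, owner=maps)
    rm.on_input(InputEvent(Source.DEVICE, gps), now=3.0)
    r["session_access_twice"] = rm.access(maps, "gps") and rm.access(maps, "gps")
    maps.session_open = False
    r["access_after_session_end"] = rm.access(maps, "gps")
    # Nesting: a portal embeds an ad, the ad embeds the camera ACG; only the ad is granted.
    portal = App("portal")
    ad = App("ad", parent=portal)
    rm.on_input(InputEvent(Source.DEVICE, ACG("camera", Semantics.ONE_TIME, owner=ad)), now=4.0)
    r["portal_gets_ad_grant"] = rm.access(portal, "camera")
    r["ad_gets_own_grant"] = rm.access(ad, "camera")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is that every grant passes through `on_input`, which checks the event's provenance before it checks the gadget's display state, and that `access` enforces the semantics independently of how the grant was obtained; a synthesized click, an obstructed gadget, a click that arrives before the gadget has been shown long enough, and a grant belonging to an embedded app all fail for distinct, checkable reasons. Real systems would take `shown_since` and the visibility fraction from the kernel's compositor rather than from the application, since the whole scheme depends on those values not being under application control.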


Implementation

• Implemented as part of the ServiceOS system with 2500 lines of C# code.
• System support for:
  – Access control gadgets
    • Resources: camera, GPS, clipboard, autocomplete
    • Access semantics: one-time, session
    • ACG composition: camera+GPS
  – Input sequences: copy-and-paste, drag-and-drop
  – Nested applications
  – Content picking and application-specific ACGs
• ACGs in applications: browser and MS Word
• Our experience shows that the


Discussion: Security Analysis

Our User → ACG and ACG → User properties do not prevent applications from gaining unauthorized access by social engineering attacks.

[Figure: social-engineering example; caption text "Location access granted".]

• Social engineering risk: moderate (high effort/risk for the attacker)
• Usability: high
• Least-privilege guarantees: high

Evaluation Highlights

• Vulnerability Study
  – User-driven access control addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%) and 25 of 26 in Firefox (96%).
• User Expectations
  – Based on a survey showing Android screenshots, most users already believe (52% of 186) and/or desire (68%) that resource access follows the user-driven access control model.

Summary

• User-driven access control captures a user's permission-granting intent from natural interactions with the system and applications.
• Access control gadgets enable user-driven permission granting.
  – In-context, non-disruptive, and least-privilege.
• ACGs match user expectations.