Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems

The prevailing security model for OSes focuses on isolating users from each other; however, the changing computing landscape has led to the extension of traditional access control models to single-user devices. Modern OSes for mobile devices such as iOS and Android have taken the opportunity provided by these new platforms to introduce permission systems in which users can manage access to sensitive resources at application installation or at runtime. One drawback of similar efforts on desktop environments is that applications must be rewritten with this security model in mind, which prevents traditional OSes from enjoying the benefits of user-driven access control. We present a novel architecture for retrofitting a dynamic, input-driven access control model into traditional OSes. In this model, access to privacy-sensitive resources is mediated based on the temporal proximity of user interactions to access requests, and requests are communicated back to the user via visual alerts. We present a prototype implementation and demonstrate how input-driven access control can be realized for resources such as the microphone, camera, clipboard, and screen contents. Our approach is transparent to applications and users, and incurs no discernible performance overhead.
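To make the mediation rule in the abstract concrete, the following is an added illustration, not Overhaul's own code or the paper's prototype: a small reference-monitor model that records the last user input delivered to each application (keyed by an assumed process id) and grants a request for a privacy-sensitive resource only if that application received input within a short window before the request. The two-second window, the per-pid bookkeeping, the timeline, and the alert wording are all constructed assumptions for the example; the paper's actual policy parameters and alert mechanism are not described in the abstract.

```python
"""Constructed model of an input-driven access control monitor.

Assumed design (not Overhaul's actual implementation): the monitor records
the most recent user input event delivered to each application and grants a
request for a privacy-sensitive resource only if the requesting application
received user input within a short window before the request. Every request,
granted or denied, produces a visual alert string for the user.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Resource(Enum):
    MICROPHONE = "microphone"
    CAMERA = "camera"
    CLIPBOARD = "clipboard"
    SCREEN = "screen contents"


@dataclass
class Decision:
    pid: int
    resource: Resource
    time: float
    allowed: bool
    reason: str


class InputDrivenMonitor:
    """Reference monitor keyed on temporal proximity of user input to access."""

    def __init__(self, window_seconds: float = 2.0) -> None:
        # Assumed policy parameter: how long one user interaction
        # "authorises" the application that received it.
        self.window = window_seconds
        self.last_input: Dict[int, float] = {}  # pid -> time of last input
        self.alerts: List[str] = []             # what the user would be shown
        self.log: List[Decision] = []

    def on_user_input(self, pid: int, time: float) -> None:
        """Called by the input layer when pid's window receives a click or key."""
        self.last_input[pid] = time

    def request(self, pid: int, resource: Resource, time: float) -> bool:
        """Mediate an access request from pid at the given time."""
        last = self.last_input.get(pid)
        if last is None:
            allowed, reason = False, "no user interaction with this application"
        elif time - last <= self.window:
            allowed, reason = True, f"user input {time - last:.1f}s before request"
        else:
            allowed = False
            reason = f"last user input {time - last:.1f}s ago exceeds {self.window:.1f}s window"
        self.log.append(Decision(pid, resource, time, allowed, reason))
        verb = "is accessing" if allowed else "was blocked from accessing"
        self.alerts.append(f"[t={time:.1f}] pid {pid} {verb} the {resource.value} ({reason})")
        return allowed


def run_scenario() -> List[Tuple[int, str, bool]]:
    """Constructed timeline: a chat app the user is interacting with (pid 100)
    and a background app the user never touched (pid 200)."""
    mon = InputDrivenMonitor(window_seconds=2.0)
    mon.on_user_input(100, 10.0)                 # user clicks "Call" in the chat app
    mon.request(100, Resource.MICROPHONE, 10.5)  # granted: 0.5s after the click
    mon.request(100, Resource.CLIPBOARD, 11.9)   # granted: still inside the 2s window
    mon.request(200, Resource.CAMERA, 11.0)      # denied: pid 200 never received input
    mon.request(100, Resource.SCREEN, 20.0)      # denied: 10s since the last input
    mon.on_user_input(100, 25.0)                 # user presses a key in the chat app
    mon.request(100, Resource.SCREEN, 25.3)      # granted again
    for line in mon.alerts:
        print(line)
    return [(d.pid, d.resource.value, d.allowed) for d in mon.log]


if __name__ == "__main__":
    run_scenario()
```

The point the model makes is that the decision never consults the application's identity or a stored permission grant; it consults only whether the user recently interacted with that application, which is what lets the scheme work without rewriting applications. A real deployment would have to source the input timestamps from a trusted path (the kernel or a trusted window system) so that an application cannot forge its own "recent input".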
