DOI: 10.1145/2664243.2664265
research-article

Android security framework: extensible multi-layered access control on Android

Published: 08 December 2014

Abstract

We introduce the Android Security Framework (ASF), a generic, extensible security framework for Android that enables the development and integration of a wide spectrum of security models in the form of code-based security modules. The design of ASF reflects lessons learned from the literature on established security frameworks (such as Linux Security Modules or the BSD MAC Framework) and intertwines them with the particular requirements and challenges arising from the design of Android's software stack. ASF provides a novel security API that supports authors of Android security extensions in developing their modules. This overcomes the current unsatisfactory situation in which security solutions must be provided as separate patches to the Android software stack or embedded into Android's mainline codebase. This system security extensibility is of particular benefit for enterprise or government solutions that require deployment of advanced security models not supported by vanilla Android. We present a prototypical implementation of ASF and demonstrate its effectiveness and efficiency by modularizing different security models from related work, such as dynamic permissions, inlined reference monitoring, and type enforcement.


Published In

ACSAC '14: Proceedings of the 30th Annual Computer Security Applications Conference
December 2014
492 pages
ISBN:9781450330053
DOI:10.1145/2664243

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

ACSAC '14: Annual Computer Security Applications Conference
Sponsor: ACSA
December 8 - 12, 2014
Louisiana, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
