practical difc enforcement on android - usenix...c3. network declassification • the network is...
TRANSCRIPT
![Page 1: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/1.jpg)
Adwait Nadkarni1, Benjamin Andow1, William Enck1, SomeshJha2
1North Carolina State University2University of Wisconsin-Madison
Practical DIFC Enforcement on Android
![Page 2: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/2.jpg)
The “new” Modern Operating Systems
1. Applications are security principals.2. Applications share data.
![Page 3: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/3.jpg)
Example use case – Email
RemoteServer
How do we enable data sharing among apps, and also prevent unauthorized disclosure?
![Page 4: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/4.jpg)
The ProblemØ The problem stems from the loss of control over the
flow of shared data.• So the solution is …
• For data secrecy, the Bell-LaPadula model.• IFC models have only seen limited use (e.g., military).• Centrally administered policy – What about
application-specific user data (e.g., email attachment).
4
Information Flow Control (IFC)
![Page 5: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/5.jpg)
Decentralized Information Flow Control (DIFC)
• Secrecy for application-specific user data.• Applications are “Data Owners” that define the secrecy
policy for their own data.• Data Owners can
– create new labels (i.e., security classes)– define the policy for their labels– declassify their labels
• E.g., the Email app creates label {email}.5
![Page 6: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/6.jpg)
DIFC for Android• DLM-like DIFC policy (Aquifer) [Nadkarni & Enck, CCS 2013]
• Noninterference proof [Jia et al., ESORICS 2013]
• Storage-level enforcement primitives (Maxoid) [Xu & Witchel, EuroSys 2015].
Takeaway – Hard to make DIFC enforcement both secure and backwards compatible with unmodified legacy applications on Android.
![Page 7: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/7.jpg)
DIFC Enforcement Challenges on Android
1. Subject granularity / labeling precision.
2. Label change and propagation.
3. Network Declassification.
![Page 8: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/8.jpg)
C1. Subject Granularity1. Fine-grained PL variable (e.g., TaintDroid [Enck et al.],
Laminar [Roy et al.])– False Negatives (Implicit flows)
2. Coarse-grained OS Process(e.g., Aquifer, Jia et al.’13)– False positives:
(Multiple tasks in one process)
//'a'containsasecretb=false;if(a>10){
b=true;}
Is there a balance? 8
PDF Activity Create Notesecret.pdfUser
Task 1
Process Boundaries
secret.pdf
PDF Activity Print Activitypublic.pdf public.pdf
UserTask 2WPS Office WPS Office
WPS Office Evernote
![Page 9: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/9.jpg)
C2. Label PropagationA. Explicit flows (e.g., HiStar [Zeldovich et al.’06],
Flume [Krohn et al.’07])– Limitation: Unsuitable for ad-hoc communication
(e.g., unpredictable user-directed sharing).
B. Floating labels (e.g., Asbestos [Efstathopoulos et al.’05]).
– Communication is always enabled.– Are floating labels secure and practical?
9
P Q
{LP} {LQ}X
P Q
{LP} {LQ} --> {LPLQ}
A.Explicitlabels
B.Floatinglabels
![Page 10: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/10.jpg)
C2. Label Propagation• Limitations of floating labels:
1. Security: Implicit data leaks. [Krohn and Tromer’09]
10
P01
{L1}
Q
{}Q2
{}
Q1
{}
AttackSetup
PriorAgreement:1) Q1 andQ2 willcallQatapredefined time
• Unless,theygetcalledbyP.2) PwillcallQi ifith bitis0.Therefore,theQi thatcallsQbackmustindicate1!
Step1. PcallsQ1Step2. Q2 callsQStep3. Qguessesdata‘01’
01
{L1}
![Page 11: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/11.jpg)
{L1,L2,L3,L4,L5}{L1,L2,L3,L4,L5}
{L1,L2,L3,L4,L5}
C2. Label Propagation• Limitations of floating labels:
2. Practicality: Label Explosion.
11
P
{L1}
Scenario:Subject“A”reads/writestomanyothersubjects(withdifferentlabels)
Q
{L2}
R
{L3}
T
{L5}
A
{}
S
{L4}
“A”couldbe:1) anAndroid servicecomponent.2) anAndroid contentprovider component.3) asharedfile(e.g.,SharedPreferences).4) Ageneral-purposeapplication (e.g.,PDF
reader);duetoapplicationmulti-tasking.
{L1,L2,L3,L4,L5}
{L1,L2,L3,L4,L5}
{L1,L2,L3,L4,L5}
![Page 12: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/12.jpg)
C3. Network Declassification• The network is public.• Declassification is necessary before network export.• Existing DIFC policy allows
1. the data owner to declassify data, or 2. specify the security principal that can declassify data.
• This is not practical on Android, where1. The environment is network driven.2. The user may not ideally be limited to using a few
applications for export. 12
![Page 13: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/13.jpg)
Weir
• Secure and backwards compatible DIFC Enforcement for Android.
• Lazy Polyinstantiation – Making floating labels context sensitive. (C1, C2)
• Domain Declassification – Providing an alternate network declassification primitive. (C3)
13
![Page 14: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/14.jpg)
Lazy Polyinstantiation• Polyintantiation – Creating multiple (context-sensitive)
instances.
• What makes it Lazy ? 1. Event-driven –
• Caused by a call (i.e., Inter Component Communication).
2. Keeps track of existing instances –• Creates new instance only if one in a matching secrecy context is
unavailable. 14
P Q
{LP} {LQ}X
Explicit labels
P Q
{LP} {LQ} --> {LPLQ}
Floating labels
P Q
{LP} {LQ}Q'
{} --> {LP}
Floating labels w/polyinstantiation
![Page 15: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/15.jpg)
Polyinstantiation – Preventing implicit flows
• Recap: Floating labels, Q gets original data 01.
15
• With polyinstantiation:
P01
{L1}
Q
{}Q2
{}
Q1
{}1 1
{L1}
Q’1
P01
{L1}
Q
{}Q2
{}
Q1
01
{L1}
Q always gets 11.
![Page 16: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/16.jpg)
Practicality of Polyinstantiation
1. No label explosion:– In Weir, labels do not float in the traditional sense.– Context-specific instances of shared components
prevent label explosion.2. Process-level labeling:
– Context-sensitivity eliminates false positives.
16
![Page 17: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/17.jpg)
Design of Polyinstantiation on Android• Polyinstantiation in memory: Processes and components
1. Polyinstantiate if needed based on the caller’s label.2. Maintain process-component mapping (backwards
compatibility).• Polyinstantiation on storage: Context-specific layers.
– Transparent Storage access.– Copy-on-write
17
"procService_0"; label = {L1}
C
"procService"; label = {}
C
Layer (L1)
SharedPrefs
read/write read
"procService_0"; label = {L1}
C
"procService"; label = {}
C
Layer (L1)
SharedPrefs
read/write write
SharedPrefscopy
1. The labeled instance reads. 2. The labeled instance writes.
![Page 18: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/18.jpg)
Why this works?1. Component Model – Activity (UI), Service (Daemon),
Provider (Data Interface/Daemon), Receiver (Event handler).
2. Communication –a. Indirect – Activity Manager Service, predefined API
(e.g., startActivity, bindService). b. Direct – Binder; exchange Binder objects first (e.g.,
RPC to a service, first bound using bindService).
18
![Page 19: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/19.jpg)
Domain Declassification• Intuition: In a network driven environment, it may be
more practical to reason about where the data is being delivered, rather than who is performing the export.
• Data Owner (i.e., security class creator) associates a set of trusted network domains with the security class.– Set tD for a security class t.
• Enforcement– For export to a domain d, if d tD, t can be implicitly
declassified. 19
2
![Page 20: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/20.jpg)
Implementation & Performance• Implemented on Android v5.0.1, kernel v3.4• Policy Model – Flume [Krohn et al.]• Source code available at http://wspr.csc.ncsu.edu/weir/
Process & Component Assignment Logic
Weir Manager Service
Weir LSM
Activity Manager Service
Component 1 Component 2Application Layer
Android OS
Linux Kernel
Start Component 2
OverlayFS
![Page 21: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/21.jpg)
Evaluation: Microbenchmarks
0
20
40
60
80
StartActivity
StartProvider
FileRead FileWrite Internet
Averagetim
e(m
s)
Operations
AOSP
Weir(noLabel)
Weir(withLabel)
• Micro-benchmarks for common operations:
![Page 22: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/22.jpg)
Evaluation: Scalability• Start 0-100 instances of an already started component:
0
10
20
30
40
50
60
0 10 20 30 40 50 60 70 80 90 100
Averagetim
e(m
s)
Numberofsimultaneousinstances
![Page 23: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/23.jpg)
Case Study – K9 Email• Objective: Separation of the personal and work email.• Applications:
– BCloud app, allows the user to sync her work cloud data (e.g., contacts, documents) to the device.
– Unmodified K-9 Email app, used for both the personal (smtp.gmail.com) and work (smtp.bcloud.com) email.23
//Creatingatag‘t’domains={“www.bcloud.com”,“smtp.bcloud.com”,…};createTag(“t”,domains);
//Add‘‘t’’tothe intent’slabel.intent.addToLabel(‘‘t’’);//AdddatatotheintentstartActivity(intent);//Call
1. CreatingBCloud’s tag
2.UsingBCloud’s tag
![Page 24: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/24.jpg)
Case Study – K9 Email• Steps –
1. Share BCloud data with K9 Email (BCloud applies tag ‘t’).
2. Add contacts, attach a document3. Switch to home screen.4. Share unlabeled data with K9 Email, and repeat step
2 (now in the personal context).5. Send emails from both contexts.
24
![Page 25: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/25.jpg)
Case Study – K9 Email
• Observations– General: Instances of K9 Email existed simultaneously in
both contexts.– In enterprise context ‘t’:
• Files and Contacts: Data from personal context + the enterprise context ‘t’ is visible.
• Network Export: K-9 Email could only sync with the enterprise account’s servers.
25
![Page 26: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/26.jpg)
Caveats• Centralized perspective:
– Labeled + unlabeled files can only be seen in the specific labeled context (e.g., t).
– Files with different non-default labels can only be seen via a trusted OS application that can accumulate all labels.
• Updates to default layer:– Updates to contacts in the personal context are not
visible in other contexts, once copied.26
![Page 27: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/27.jpg)
Closing Remarks• Weir makes floating label enforcement possible on
Android via lazy polyinstantiation.• Some open challenges remain:
• Centralized perspective over labeled data.• Propagation of changes made to the default layer.• Instance explosion.• Defining trusted domains.
![Page 28: Practical DIFC Enforcement on Android - USENIX...C3. Network Declassification • The network is public. • Declassification is necessary before network export. • Existing DIFC](https://reader034.vdocuments.net/reader034/viewer/2022042312/5eda450cb3745412b5710f1f/html5/thumbnails/28.jpg)
Thank you!
Adwait [email protected]
http://wspr.csc.ncsu.edu/weir/
Looking for a position starting Fall 2017.