2018-01-03

OS Support For Capabilities In Android

Summary

Android’s security model combines low-level and high-level security mechanisms, such as the user-based protection model, SELinux, and the permission system, to control access to system resources. However, this model has two limitations: first, it does not apply the principle of least privilege (PoLP) among an app’s components and, second, it falls short in tracking transitive invocations. The first limitation gives rise to the problem of malicious third-party libraries, whereas the second enables confused deputy attacks. To address the problems caused by both limitations, we extended Android’s security model with security features borrowed from the capability-based security model. Specifically, we introduced capabilities into Android’s middleware with kernel support. The goal is a functional prototype that enables different components of the same app to run with different access rights on the high-level system services, respecting the PoLP. Additionally, the prototype must provide a clear path to mitigating confused deputy attacks that target system services through channels deliberately exposed by the deputies. Along the way, we use the Binder framework, which Android uses for IPC, as the building block for creating and communicating the capabilities of system services. We also rely on the kernel’s security guarantees to prevent forging of capabilities. Additionally, we employ Android’s permission model to reflect the dynamic high-level security decisions made by end users, so that the correct access rights are encoded into issued capabilities. As a result, we fulfil our goal without significantly increasing the attack surface or causing performance degradation. In fact, our design shows a performance gain in specific places.
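As an added illustration, not code from the thesis, the following Python model captures the design sketched above: an issuer standing in for the kernel and middleware mints unforgeable per-component capabilities whose rights are the intersection of what the component asks for and what the user granted the app, and a system service authorises on the presented capability rather than on the calling app's identity, so a deputy that forwards its caller's capability cannot be confused into spending its own rights. The package, component and permission strings are constructed sample values.

```python
"""Toy model of per-component capabilities for Android system services
(added illustration, not the thesis's code): a service authorises on the
unforgeable capability sent with a request, not on the caller's app identity."""
from dataclasses import dataclass
import secrets

# Constructed sample: permissions the user granted to the app as a whole.
GRANTED_PERMISSIONS = {"com.example.app": {"READ_CONTACTS", "ACCESS_FINE_LOCATION"}}

@dataclass(frozen=True)
class Capability:
    component: str     # e.g. "com.example.app/MainActivity"
    rights: frozenset  # subset of the app's granted permissions
    token: str         # opaque handle, standing in for a kernel-held Binder reference

class CapabilityIssuer:
    """Stands in for kernel/middleware: the only minter of capabilities. It
    remembers every issued token, so a capability built anywhere else is rejected."""

    def __init__(self):
        self._issued = {}

    def issue(self, package, component, requested):
        # Least privilege: only the rights this component asks for, and never
        # more than the user granted to its app.
        rights = frozenset(requested) & GRANTED_PERMISSIONS.get(package, set())
        cap = Capability(component, rights, secrets.token_hex(16))
        self._issued[cap.token] = cap
        return cap

    def is_genuine(self, cap):
        return self._issued.get(cap.token) == cap

class LocationService:
    """System service: the check is on the capability, not on who is calling."""

    def __init__(self, issuer):
        self.issuer = issuer

    def get_location(self, cap):
        if not self.issuer.is_genuine(cap) or "ACCESS_FINE_LOCATION" not in cap.rights:
            return "denied"
        return "lat/long"

def deputy_proxy(service, caller_cap):
    """A deputy (e.g. an exported component) forwards the *caller's* capability
    instead of using its own, so it cannot be used to launder a missing right."""
    return service.get_location(caller_cap)
```

Two components of the same app end up with different rights on the same service, and a capability assembled outside the issuer is refused even if it names the right permission.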

Date published

2018-01-03

Date last modified

2021-10-07 08:55:41