User-Driven Access Control: Rethinking Permission Granting in Modern OSes. Franziska Roesner, Tadayoshi Kohno (University of Washington); Alexander Moshchuk, Bryan Parno, Helen J. Wang (Microsoft Research); Crispin Cowan (Microsoft)


Page 1

User-Driven Access Control: Rethinking Permission Granting in Modern OSes

Franziska Roesner, Tadayoshi Kohno (University of Washington)

Alexander Moshchuk, Bryan Parno, Helen J. Wang (Microsoft Research)

Crispin Cowan (Microsoft)

Page 2

Modern Client Platforms

May 21, 2012

Franziska Roesner

• iOS, Android, WP, Win8, browsers
– Applications isolated from one another.
– Limited global sharing.
– Cannot access user-owned resources by default:
• Cross-application data
• Devices (camera, GPS, …)
• Resources (clipboard, autocomplete data)

Problem: How should platforms grant applications access to user-owned resources?

Challenge: Users are in the loop to grant permissions.

Page 3

State of the Art


Manifests (Android, Windows Phone): out of context. Checked at time of install, not time of use.

Prompts (iOS, browsers): disruptive. In practice, only prompted at first use to avoid prompt fatigue.

Both are not least-privilege: once granted permissions, apps can use them even if not necessary for application functionality.

Page 4

Permission Granting Goals


• In context – unlike manifests

• Non-disruptive – unlike prompts

• Least privilege – unlike manifests and prompts

Let this application access my location now.

Page 5

Outline

• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation


Page 6

User-Driven Access Control

• Observation: A user’s natural UI actions in the context of an application carry permission-granting semantics. See also EWS [SVNC ‘04], NitPicker [FH ‘05], CapDesk [M ‘06], Qubes, Polaris [SKYCM ’06], UIBAC [SE ‘08], BLADE [LYPL ‘10].

• Challenge: How can the system understand generalized in-app permission-granting behaviors?


Page 7

Access Control Gadgets (ACGs)


• Approach: Let the system control these UI elements (ACGs) to capture a user’s permission granting intent.

• Challenges:
– How can the system capture authentic user intent?
– How to prevent disruption of application context?
– Can this model support necessary app functionality?
– …?

Page 8


Figure: Photo Editor App with a camera ACG, shown from the user's view and the system's view. In the system's view, the kernel hosts the Camera Resource Monitor (policy: which app can access the camera in what fashion) and the ACG; the Photo Editor App runs in its own isolation container and embeds the gadget as <object src="rm://camera/takePicture"/>.

1) User clicks on camera ACG
2) Take picture
3) Receive picture

Page 9

Design Challenges

• What are appropriate access semantics?
• How to accurately capture user intent?
• How can we support:
– customized access control gadgets?
– ACGs composing multiple resources?
– shortcuts and gestures instead of visual gadgets?
• How can we generalize to application-controlled resource monitors?
– e.g., Facebook contacts, Flickr photos


Page 10

Access Semantics


Figure: spectrum of access semantics, from UI-coupled and least privilege to UI-decoupled and permanent access: one time, session, scheduled, permanent.

Few applications (5% of top 100 Android apps) legitimately require permanent access.

Page 11

Outline

• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation


Page 12

Threats by Malicious Applications

• Manipulate access control gadget display
– Directly or by strategic obstruction
• Clickjacking (trick users into clicking on ACG)
– Visual or timing-based
• Programmatically click on ACG


Requirements:
1. ACG → User: Authentic display of ACG to user.
2. User → ACG: Authentic user actions to ACG.

Page 13

ACG → User: Display Integrity

(1) Display isolation: Apps can't set ACG's pixels.
(2) Complete visibility: ACGs are active only when completely visible.
(3) Sufficient display duration: ACGs activate only after a reaction delay.
(4) Limited customization by applications.


73% of top Android apps need only limited customization.

Page 14

User → ACG: Authentic Input

(1) Input event isolation:
– Input events dispatched only from user input devices to ACGs.
(2) The kernel controls the cursor over ACGs.
(3) Handling nested applications
– e.g., iGoogle embeds an ad which embeds a camera ACG
– Must grant permissions to the correct application.
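As an added example (not code from the talk or from ServiceOS), a toy Python model of the flow in slides 8, 10, 13 and 14: a system-side resource monitor grants the camera or GPS only on a kernel-dispatched click on a gadget that is fully visible, has been shown longer than the reaction delay, and belongs to the app the click is attributed to; one-time grants leave no standing access, session grants do. The class names and the 0.5 s delay are assumptions.

```python
# Toy ACG / resource-monitor model (constructed illustration, not ServiceOS code;
# the names ResourceMonitor, Gadget and InputEvent are assumptions).
from dataclasses import dataclass
from typing import Optional

REACTION_DELAY = 0.5  # seconds a gadget must be fully visible before it is active


@dataclass
class InputEvent:
    t: float            # event time
    from_kernel: bool   # True only when the kernel dispatched it from a real input device
    app: str            # app the kernel attributes the click to (matters for nested apps)


@dataclass
class Gadget:
    app: str                                # app that embedded the gadget
    resource: str                           # e.g. "camera"
    semantics: str                          # "one-time" or "session"
    visible_since: Optional[float] = None   # set by the kernel while fully visible


class ResourceMonitor:
    """System-side monitor: grants access only on authentic clicks on an active ACG."""

    def __init__(self):
        self.sessions = set()   # (app, resource) pairs holding session access
        self.audit = []         # (app, resource, decision) for review

    def click(self, g: Gadget, ev: InputEvent) -> bool:
        if not ev.from_kernel:                       # programmatic click
            return self._log(g, "deny: synthetic input")
        if ev.app != g.app:                          # click belongs to another (nested) app
            return self._log(g, "deny: wrong app")
        if g.visible_since is None:                  # obscured or off-screen
            return self._log(g, "deny: gadget not fully visible")
        if ev.t - g.visible_since < REACTION_DELAY:  # timing-based clickjacking
            return self._log(g, "deny: shown too briefly")
        if g.semantics == "session":
            self.sessions.add((g.app, g.resource))
        return self._log(g, "grant: " + g.semantics)

    def access(self, app: str, resource: str) -> bool:
        """Access without a click succeeds only under an open session."""
        return (app, resource) in self.sessions

    def _log(self, g, decision):
        self.audit.append((g.app, g.resource, decision))
        return decision.startswith("grant")
```

The audit list is the defender's view: every denied synthetic or too-early click is recorded with the app and resource it targeted.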


Page 15

Outline

• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation


Page 16

Implementation

• Implemented as part of the ServiceOS system with 2500 lines of C# code.

• System support for:
– Access control gadgets
• Resources: camera, GPS, clipboard, autocomplete
• Access semantics: one-time, session
– ACG composition: camera+GPS
– Input sequences: copy-and-paste, drag-and-drop
– Nested applications
– Content picking and application-specific ACGs

• ACGs in applications: browser and MS Word

Our experience shows that the implementation effort is modest for both system developers and application developers.

Page 17

Outline

• Motivation and Setup
• User-Driven Access Control
– via Access Control Gadgets (ACGs)
• Capturing Authentic User Intent
• Implementation
• Evaluation


Page 18


Discussion: Security Analysis

Figure: screenshot of an application reporting "Location access granted".

Our User → ACG and ACG → User properties do not prevent applications from gaining unauthorized access by social engineering attacks.

• Social engineering risk: moderate (high effort/risk for attacker)
• Usability: high
• Least-privilege guarantees: high

Page 19


Evaluation Highlights

• Vulnerability Study
– User-driven access control addresses most published vulnerabilities related to resource access: 36 of 44 in Chrome (82%), and 25 of 26 in Firefox (96%).

• User Expectations
– Based on a survey showing Android screenshots, most users already believe (52% of 186) and/or desire (68%) that resource access follows the user-driven access control model.

Page 20

Summary

• User-driven access control captures a user’s permission-granting intent from natural interactions with the system and applications.

• Access control gadgets enable user-driven permission granting.
– In-context, non-disruptive, and least-privilege.

• ACGs match user expectations.
