Preventing accidental data disclosure in modern operating systems

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 1029-1041

  Nadkarni, Adwait ^a   Enck, William ^a  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

Author keywords

access control; information flow control; os security

Indexed keywords

APPLICATION DEVELOPERS; BAR-CODE READER; CLOUD SERVICES; COMPUTING DEVICES; INFORMATION DISCLOSURE; INFORMATION FLOW CONTROL; POLICY FRAMEWORK; TARGET APPLICATION;

ACCESS CONTROL; AQUIFERS; USER INTERFACES;

SECURITY OF DATA;

EID: 84888985223     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516677     Document Type: Conference Paper

References (48)

1. A Capability Based Client: The DarpaBrowser. http://www.combex.com/ papers/darpa-report/html/.
2. O. Arden, M. D. George, J. Liu, K. Vikram, A. Askarov, and A. C. Myers. Sharing Mobile Code Securely With Information Flow Control. In Proceedings of the IEEE Symposium on Security and Privacy, 2012.
3. D. Barrera, H. G. Kayacik, P. C. van Oorshot, and A. Somayaji. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. In Proceedings of the ACM Conference on Computer and Communications Security, Oct. 2010.
4. D. E. Bell and L. J. LaPadula. Secure Computer Systems: Mathematical Foundations. Technical Report MTR-2547, Vol. 1, MITRE Corp., Bedford, MA, 1973.
5. K. J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE, Apr. 1977.
6. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Toward Taming Privilege-Escalation Attacks on Android. In Proceedings of Network and Distributed System Security Symposium, 2012.
7. M. Conti, V. T. N. Nguyen, and B. Crispo. CRePE: Context-Related Policy Enforcement for Android. In Proceedings Information Security Conference, 2010.
8. P. T. Cummings, D. A. Fullam, M. J. Goldstein, M. J. Gosselin, J. Picciotto, J. P. Woodward, and J. Wynn. Compartimented Mode Workstation: Results Through Prototyping. In In the IEEE Symposium on Security and Privacy. IEEE, 1987.
9. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege Escalation Attacks on Android. In Proceedings of the 13th Information Security Conference (ISC), Oct. 2010.
10. D. E. Denning. A Lattice Model of Secure Information Flow. Comm. of the ACM, 19(5):236-243, May 1976.
11. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. Quire: Lightweight Provenance for Smart Phone Operating Systems. In Proceedings of the 20th USENIX Security Symposium, August 2011.
12. E and CapDesk. http://www.combex.com/tech/edesk.html.
13. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Oct. 2010.
14. W. Enck, P. McDaniel, and T. Jaeger. PinUP: Pinning User Files to Known Applications. In Proceedings of Annual Computer Security Applications Conference, 2008.
15. W. Enck, M. Ongtang, and P. McDaniel. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Nov. 2009.
16. A. P. Felt, K. Greenwood, and D. Wagner. The Effectiveness of Application Permissions. In Proceedings of the USENIX Conference on Web Application Development (WebApps), 2011.
17. A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension and Behavior. In Proceedings of the Symposium on Usable Privacy and Security, 2012.
18. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In Proceedings of USENIX Security Symposium, 2011.
19. I. Goldberg, D. Wagner, R. Thomas, and E. Brewer. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker. In Proceedings of the USENIX Security Symposium, 1996.
20. M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic Detection of Capability Leaks in Stock Android Smartphones. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2012.
21. P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2011.
22. S. Ioannidis, S. Bellovin, and J. Smith. Sub-Operating Systems: A New Approach to Application Security. In Proceedings of ACM SIGOPS European workshop, 2002.
23. P. F. Klemperer, Y. Liang, M. L. Mazurek, M. Sleeper, B. Ur, L. Baur, L. F. Cranor, N. Gupta, and M. K. Reiter. Tag, You Can See It! Using Tags for Access Control in Photo Sharing. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI), 2012.
24. M. Krohn and E. Tromer. Noninterference for a Practical DIFC-Based Operating System. In Proceedings of the IEEE Symposium on Security and Privacy, 2009.
25. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information Flow Control for Standard OS Abstractions. In Proceedings of ACM Symposium on Operating Systems Principles, 2007.
26. J. Liu, M. D. George, K. Vikram, X. Qi, L. Waye, and A. C. Myers. Fabric: A Platform for Secure Distributed Computation and Storage. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), 2009.
27. A. C. Myers and B. Liskov. A Decentralized Model for Information Flow Control. In Proceedings of the ACM Symposium on Operating Systems Principles, 1997.
28. M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In Proceedings of ASIACCS, 2010.
29. M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically Rich Application-Centric Security in Android. In Proceedings of the 25th Annual Computer Security Applications Conference, 2009.
30. Payment Card Industry (PCI). Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0, Oct. 2010. Available at https://www.pcisecuritystandards.org/security-standards/documents.php.
31. J. Picciotto. Towards trusted cut and paste in the X Window System. In Proceedings of the Seventh Annual Computer Security Applications Conference. IEEE, 1991.
32. F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan. User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. In Proceedings of the IEEE Symposium on Security and Privacy, 2012.
33. I. Roy, D. E. Porter, M. D. Bond, K. S. McKinley, and E. Witchel. Laminar: Practical Fine-Grained Decentralized Information Flow Control. In Proc. of the Conference on Programming Language Design and Implementation, 2009.
34. J. S. Shapiro, J. Vanderburgh, E. Northup, and D. Chizmadia. Design of the EROS trusted window system. In Proceedings of the USENIX Security Symposium, 2004.
35. P. Snowberger and D. Thain. Sub-Identities: Towards Operating System Support for Distributed System Security. Technical Report 2005-18, University of Notre Dame, Department of Computer Science and Engineering, 2005.
36. D. Stefan, A. Russo, D. Mazieres, and J. C. Mitchell. Disjunctive Category Labels. In Proc. of NordSec, 2011.
37. Y. Tang, P. Ames, S. Bhamidipati, A. Bijlani, R. Geambasu, and N. Sarda. CleanOS: Limiting Mobile Data Exposiure with Idle Eviction. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2012.
38. US Congress. Gramm-Leach-Bliley Act, Finiancial Privacy Rule. 15 USC §6801-§6809, Nov. 1999. Available at http://www.law.cornell.edu/ uscode/usc-sup-01-15-10-94-20-I.html.
39. US Congress. Health Insurance Portability and Accountability Act of 1996, Privacy Rule. 45 CFR 164, Aug. 2002. Available at http://www.access.gpo.gov/ nara/cfr/waisidx-07/45cfr164-07.html.
40. US Internal Revenue Service (IRS). Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information, 2010. Available at http://www.irs.gov/pub/irs-pdf/p1075.pdf.
41. S. Vandebogart, P. Efstathopoulos, E. Kohler, M. Krohn, C. Frey, D. Ziegler, F. Kaashoek, R. Morris, and D. Mazières. Labels and Event Processes in the Asbestos Operating System. ACM Transactions on Computer Systems (TOCS), 25(4), December 2007.
42. H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), 2007.
43. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-Principle OS Construction of the Gazelle Web Browser. In Proceedings of the USENIX Security Symposium, 2009.
44. B. Week. Company Overview of Liquid Machines, Inc. http://investing. businessweek.com/research/stocks/private/snapshot.asp?privcapId=3079632.
45. D. Wichers, D. Cook, R. Olsson, J. Crossley, P. Kerchen, K. Levitt, and R. Lo. PACL's: An Access Control List Approach to Anti-viral Security. In Proceedings of the 13th National Computer Security Conference, 1990.
46. A. Yip, X. Wang, N. Zeldovich, and M. F. Kaashoek. Improving application security with data flow assertions. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, 2009.
47. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making Information Flow Explicit in HiStar. In Proceedings of the 7th symposium on Operating Systems Design and Implementation (OSDI), pages 263-278, 2006.
48. N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres. Securing Distributed Systems with Information Flow Control. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation, 2008.