David Barrera
Paul C. van Oorschot
ABSTRACT
Permission-based security models provide controlled access to various system resources. The expressiveness of the permission set plays an important role in providing the right level of granularity in access control. In this work, we present a methodology for the empirical analysis of permission-based security models which makes novel use of the Self-Organizing Map (SOM) algorithm of Kohonen (2001). While the proposed methodology may be applicable to a wide range of architectures, we analyze 1,100 Android applications as a case study. Our methodology is of independent interest for visualization of permission-based systems beyond our present Android-specific empirical analysis. We offer some discussion identifying potential points of improvement for the Android permission model attempting to increase expressiveness where needed without increasing the total number of permissions or overall complexity.
- }}Android. http://www.android.com Retrieved February 6th, 2010.Google Scholar
- }}Android Market Statistics from Androlib. http://www.androlib.com/appstats.aspx Retrieved July 7th, 2010.Google Scholar
- }}BlackBerry APIs with controlled access. http://docs.blackberry.com/en/developers/ deliverables/5580/Java_APIs_with_controlled_ access_447163_11.jsp Retrieved April 9th, 2010.Google Scholar
- }}Formats: Manifest Files - Google Chrome Extensions - Google Code. http://code.google.com/chrome/ extensions/manifest.html#permissions Retrieved April 9th, 2010.Google Scholar
- }}How Android Security Stacks Up. http://www.technologyreview.com/ communications/24944/page1/ April 1st, 2010.Google Scholar
- }}Independent Security Evaluators - Exploiting Android. http://securityevaluators.com/ content/case-studies/android/ Retrieved January 15th, 2010.Google Scholar
- }}The Android Developer's Guide. http://developer.android.com/guide/index.html Retrieved January 29th, 2010.Google Scholar
- }}The Android Developer's Guide - Android Manifest Permissions. http://developer.android.com/ reference/android/Manifest.permission.html Retrieved April 5th, 2010.Google Scholar
- }}The Android Developer's Guide - Permission Groups. http://developer.android.com/guide/topics/ manifest/permission-group-element.html Retrieved April 7th, 2010.Google Scholar
- }}A. Barth, A. P Felt, P Saxena, and A. Boodman. Protecting Browsers from Extension Vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS 2010).Google Scholar
- }}K. Beznosov, P Inglesant, J. Lobo, R. Reeder, and . M. E. Zurko. Usability meets access control: challenges and research opportunities. In SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies, pages 73--74, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- }}D. Curry. UNIX System Security. Addison-Wesley, 1992.Google Scholar
- }}W. Enck, M. Ongtang, and P D. McDaniel. On . Lightweight Mobile Phone Application Certification. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors, ACM Conference on Computer and Communications Security, pages 235--245. ACM, 2009. Google ScholarDigital Library
- }}W. Enck, M. Ongtang, and P D. McDaniel. Understanding Android Security. IEEE Security & Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
- }}J. Han. Data Mining: Concepts and Techniques. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 2005. Google ScholarDigital Library
- }}T. Kohonen. Self Organizing Maps. Springer, third edition, 2001. Google ScholarDigital Library
- }}B. W. Lampson. Protection. SIGOPS Oper. Syst. Rev., 8(1):18--24, 1974. Google ScholarDigital Library
- }}M. Ongtang, S. E. McLaughlin, W. Enck, and P D. McDaniel. Semantically rich application-centric security in android. In ACSAC, pages 340--349. IEEE Computer Society, 2009. Google ScholarDigital Library
- }}R. W. Reeder, L. Bauer, L. F. Cranor, M. K. Reiter, K. Bacon, K. How, and H. Strong. Expandable grids for visualizing and authoring computer security policies. In CHI '08, pages 1473--1482, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- }}D. K. Smetters and N. Good. How users use access control. In SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1--12, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- }}A. Ultsch and H. Siemon. Kohonen's self-organizing feature maps for exploratory data analysis. In Proceedings of the International Neural Network Conference (INNC'90), Dordrecht, Netherlands, pages 305--308. Kluwer, 1990.Google Scholar
- }}J. Vesanto. Data Mining Techniques Based on the Self-Organizing Map. Master's Thesis, Helsinki University of Technology, May 1997.Google Scholar
Index Terms
- A methodology for empirical analysis of permission-based security models and its application to android
Recommendations
Permission evolution in the Android ecosystem
ACSAC '12: Proceedings of the 28th Annual Computer Security Applications ConferenceAndroid uses a system of permissions to control how apps access sensitive devices and data stores. Unfortunately, we have little understanding of the evolution of Android permissions since their inception (2008). Is the permission model allowing the ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed SystemsRole-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...
Permission based granular access control pattern
PLoP '14: Proceedings of the 21st Conference on Pattern Languages of ProgramsEnterprise applications are designed to address specific business needs and are generally run within the internal corporate networks. Access to enterprise applications is controlled by various corporate policies, based on numerous widely accepted ...
Comments