SystemsSec 2016W Lecture 23

From Soma-notes

Topics and Readings

Notes

Midterm Discussion

 • Midterms are almost all marked
 • Midterms will be returned on Thursday (April 7th). On average people did badly; we will discuss them in Thursday's class
 • Question 1 was answered best overall. Anil had trouble believing people had actually used the system before when they failed to supply enough detail
 • Question 2: most people did not address all aspects of the question, or argued for things that were simply not true
     o Ex. Very few OSes are verified, but lots of people claimed they were
 • Question 3 also had several problems; he was extremely lenient about what qualified as a system (nowhere did the question say it had to be a computer system)
 • Example system: a man carrying a suitcase full of cash
     o Threat #1: someone steals the case
         Defense: get a bodyguard
           • Vulnerability: the guard could be bribed or could abandon you
     o Threat #2: hyperinflation reduces the value of the case contents to nothing
         Defense: banks/mints
           • Vulnerability: the currency minting plates get stolen
 • General comment: FOLLOW THE FULL INSTRUCTIONS, BE SPECIFIC.
 • Concerns about time pressure have Anil thinking of 4 questions for the final

Paper: Boxify

 • Sandboxes applications
 • It builds a reference monitor for individual applications
   o This makes up for issues in the base Android monitor
 • Paper discusses OS and Application Modifications:
   o OS Modifications:
     - Requires flashing the OS, not very accessible or easy for users
   o Application Modifications:
     - No boundary between the reference monitor and the application
       • Full mediation and tamper proofing are not possible
 • Uses a new(ish) Android mechanism for loading an application in a fully isolated process, then slowly implementing functionality/permissions using a reference monitor in a different process
   o This grants (mostly) full mediation (misses Kernel Interface) and a decent amount of tamper proofing
 • Android is based on system calls and intents
 • Boxify shows several hallmarks of secure OS architecture, e.g. a reference monitor implementing a security policy
 • Trusting only a small portion of the system to be secure, vs. trusting the entire system to be secure
 • Is the chosen strategy a good one?
   o Assuming Boxify is the very first app you install, sure.
 • Boxify re-implements the entire Android permission model
 • Ideally a reference monitor has little to no functionality
 • Boxify “fails” safely: if it is forced to close, the instances in the sandbox “starve” and die, since the only mechanism they have to interact with anything (the Boxify reference monitor) has been closed.
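The sandboxing and fail-safe behaviour described in these notes, as an added Python model (not Boxify's own code; the app name, intents and policy table are constructed samples):

```python
# Toy model of the architecture in the notes (constructed, not Boxify's code):
# the isolated app has no permissions and only a channel to the monitor process.
from dataclasses import dataclass, field

class MonitorClosed(Exception):
    """Monitor process has exited: every mediated call fails."""

@dataclass
class ReferenceMonitor:
    """Runs in its own process; the only holder of real Android permissions."""
    policy: dict                      # app name -> set of granted permissions
    alive: bool = True
    audit: list = field(default_factory=list)

    def mediate(self, app: str, intent: str, permission: str) -> str:
        """Check the intent against the policy; forward it only if allowed."""
        if not self.alive:
            raise MonitorClosed("reference monitor has exited")
        if permission in self.policy.get(app, set()):
            self.audit.append(f"ALLOW {app} {intent}")
            return f"result:{intent}"     # stands in for the service reply
        self.audit.append(f"DENY {app} {intent} (needs {permission})")
        raise PermissionError(permission)

    def shutdown(self) -> None:
        self.alive = False

class IsolatedApp:
    """Sandboxed app: no permissions, only a channel to the monitor. Direct
    kernel syscalls would bypass mediate(): the uncovered kernel interface."""
    def __init__(self, name: str, monitor: ReferenceMonitor):
        self.name, self.monitor = name, monitor

    def send_intent(self, intent: str, permission: str) -> str:
        try:
            return self.monitor.mediate(self.name, intent, permission)
        except PermissionError:
            return "denied"
        except MonitorClosed:
            return "starved"              # fail-closed: nothing left to talk to

def run_scenario() -> list:
    """Constructed walk-through: allowed call, denied call, then monitor exit."""
    monitor = ReferenceMonitor(policy={"weather": {"INTERNET"}})
    app = IsolatedApp("weather", monitor)
    outcomes = [app.send_intent("fetch-forecast", "INTERNET"),
                app.send_intent("read-contacts", "READ_CONTACTS")]
    monitor.shutdown()
    outcomes.append(app.send_intent("fetch-forecast", "INTERNET"))
    return outcomes
```

The audit list is the monitor's record of every mediated decision, which is the detection hook a reference monitor gives you that an in-app rewrite cannot.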

Paper: Android Permissions Remystified

 - Placeholder

Anil: "Where the research is"

 - Placeholder