Entrust: Regulating sensor access by cooperating programs via delegation graphs

Giuseppe Petracca, Patrick McDaniel, Yuqiong Sun, Jens Grossklags, Ahmad Atamli Reineh, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Modern operating systems support a cooperating program abstraction that, instead of placing all functionality into a single program, allows diverse programs to cooperate to complete tasks requested by users. However, untrusted programs may exploit such interactions to spy on users through device sensors by causing privileged system services to misuse their permissions, or to forward user requests to malicious programs inadvertently. Researchers have previously explored methods to restrict access to device sensors based on the state of the user interface that elicited the user input or based on the set of cooperating programs, but the former approach does not consider cooperating programs and the latter approach has been found to be too restrictive for many cases. In this paper, we propose EnTrust, an authorization system that tracks the processing of input events across programs for eliciting approvals from users for sensor operations. EnTrust constructs delegation graphs by linking input events to cooperation events among programs that lead to sensor operation requests, then uses such delegation graphs for eliciting authorization decisions from users. To demonstrate this approach, we implement the EnTrust authorization system for Android OS. In a laboratory study, we show that attacks can be prevented at a much higher rate (47-67% improvement) compared to the first-use approach. Our field study reveals that EnTrust only requires a user effort comparable to the first-use approach while incurring negligible performance (<1% slowdown) and memory overheads (5.5 KB per program).

Original language: English (US)
Title of host publication: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 567-584
Number of pages: 18
ISBN (Electronic): 9781939133069
State: Published - Jan 1 2019
Event: 28th USENIX Security Symposium - Santa Clara, United States
Duration: Aug 14 2019 - Aug 16 2019

Publication series

Name: Proceedings of the 28th USENIX Security Symposium

Conference

Conference: 28th USENIX Security Symposium
Country: United States
City: Santa Clara
Period: 8/14/19 - 8/16/19

Fingerprint

Sensors
User interfaces
Data storage equipment
Processing

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Petracca, G., McDaniel, P., Sun, Y., Grossklags, J., Reineh, A. A., & Jaeger, T. (2019). Entrust: Regulating sensor access by cooperating programs via delegation graphs. In Proceedings of the 28th USENIX Security Symposium (pp. 567-584). (Proceedings of the 28th USENIX Security Symposium). USENIX Association.
Petracca, Giuseppe; McDaniel, Patrick; Sun, Yuqiong; Grossklags, Jens; Reineh, Ahmad Atamli; Jaeger, Trent. / Entrust: Regulating sensor access by cooperating programs via delegation graphs. Proceedings of the 28th USENIX Security Symposium. USENIX Association, 2019. pp. 567-584 (Proceedings of the 28th USENIX Security Symposium).
@inproceedings{763122d2833b4aad9060e2e8e53c5504,
title = "Entrust: Regulating sensor access by cooperating programs via delegation graphs",
abstract = "Modern operating systems support a cooperating program abstraction that, instead of placing all functionality into a single program, allows diverse programs to cooperate to complete tasks requested by users. However, untrusted programs may exploit such interactions to spy on users through device sensors by causing privileged system services to misuse their permissions, or to forward user requests to malicious programs inadvertently. Researchers have previously explored methods to restrict access to device sensors based on the state of the user interface that elicited the user input or based on the set of cooperating programs, but the former approach does not consider cooperating programs and the latter approach has been found to be too restrictive for many cases. In this paper, we propose EnTrust, an authorization system that tracks the processing of input events across programs for eliciting approvals from users for sensor operations. EnTrust constructs delegation graphs by linking input events to cooperation events among programs that lead to sensor operation requests, then uses such delegation graphs for eliciting authorization decisions from users. To demonstrate this approach, we implement the EnTrust authorization system for Android OS. In a laboratory study, we show that attacks can be prevented at a much higher rate (47-67{\%} improvement) compared to the first-use approach. Our field study reveals that EnTrust only requires a user effort comparable to the first-use approach while incurring negligible performance (<1{\%} slowdown) and memory overheads (5.5 KB per program).",
author = "Giuseppe Petracca and Patrick McDaniel and Yuqiong Sun and Jens Grossklags and Reineh, {Ahmad Atamli} and Trent Jaeger",
year = "2019",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 28th USENIX Security Symposium",
publisher = "USENIX Association",
pages = "567--584",
booktitle = "Proceedings of the 28th USENIX Security Symposium",
}

Petracca, G, McDaniel, P, Sun, Y, Grossklags, J, Reineh, AA & Jaeger, T 2019, Entrust: Regulating sensor access by cooperating programs via delegation graphs. in Proceedings of the 28th USENIX Security Symposium. Proceedings of the 28th USENIX Security Symposium, USENIX Association, pp. 567-584, 28th USENIX Security Symposium, Santa Clara, United States, 8/14/19.

Entrust: Regulating sensor access by cooperating programs via delegation graphs. / Petracca, Giuseppe; McDaniel, Patrick; Sun, Yuqiong; Grossklags, Jens; Reineh, Ahmad Atamli; Jaeger, Trent.

Proceedings of the 28th USENIX Security Symposium. USENIX Association, 2019. p. 567-584 (Proceedings of the 28th USENIX Security Symposium).

TY - GEN

T1 - Entrust

T2 - Regulating sensor access by cooperating programs via delegation graphs

AU - Petracca, Giuseppe

AU - McDaniel, Patrick

AU - Sun, Yuqiong

AU - Grossklags, Jens

AU - Reineh, Ahmad Atamli

AU - Jaeger, Trent

PY - 2019/1/1

Y1 - 2019/1/1

UR - http://www.scopus.com/inward/record.url?scp=85076361179&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85076361179&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85076361179

T3 - Proceedings of the 28th USENIX Security Symposium

SP - 567

EP - 584

BT - Proceedings of the 28th USENIX Security Symposium

PB - USENIX Association

ER -

Petracca G, McDaniel P, Sun Y, Grossklags J, Reineh AA, Jaeger T. Entrust: Regulating sensor access by cooperating programs via delegation graphs. In Proceedings of the 28th USENIX Security Symposium. USENIX Association. 2019. p. 567-584. (Proceedings of the 28th USENIX Security Symposium).