Flexible and Fine-Grained Mandatory Access Control on Android for Diverse Security and Privacy Policies

Bugiel, Sven and Heuser, Stephan and Sadeghi, Ahmad-Reza
(2013) Flexible and Fine-Grained Mandatory Access Control on Android for Diverse Security and Privacy Policies.
In: 22nd USENIX Security Symposium (USENIX Security '13).
Conference: USENIX-Security Usenix Security Symposium

[img]
Preview
Text
bugiel13-usenix.pdf - Published Version

Download (1MB) | Preview

Abstract

In this paper we tackle the challenge of providing a generic security architecture for the Android OS that can serve as a flexible and effective ecosystem to instantiate different security solutions. In contrast to prior work our security architecture, termed FlaskDroid, provides mandatory access control simultaneously on both Android’s middleware and kernel layers. The alignment of policy enforcement on these two layers is non-trivial due to their completely different semantics. We present an efficient policy language (inspired by SELinux) tailored to the specifics of Android’s middleware semantics. We show the flexibility of our architecture by policy-driven instantiations of selected security models such as the existing work Saint as well as a new privacy-protecting, user-defined and fine-grained per-app access control model. Other possible instantiations include phone booth mode, or dual persona phone. Finally we evaluate our implementation on SE Android 4.0.4 illustrating its efficiency and effectiveness.

Actions

Actions (login required)

View Item View Item