Cloud Security and Mobile Application Security
SBA Research &
Vienna University of Technology
Edgar R. Weippl
Target Audience
• Graduate students in computer science
• Some knowledge in security but no focus on information security
Trust
• Humans interact with humans.
• Computer and communication security as a mechanism to implement trust.
Bruce Schneier, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, John Wiley & Sons, 2012.
Apps, Mobile Devices, Cloud Services
• So many new opportunities
• Building on experience of previous decades
• Things can only get better
• Really?
Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
Data Deduplication
• At the server
– Same file only stored once
– Save storage space at server
• At the client
– Calculate hash or other digest
Attacks
• Hash manipulation
• Stolen Host ID
• Direct Up-/Download
– Uploading without linking
– Simple HTTPS request
https://dl-clientXX.dropbox.com/store
Evaluation
Time until (hidden) chunks get deleted:
• Random data in multiple files
• Hidden upload: at least 4 weeks
• Regular upload: unlimited undelete possible (> 6 months)
Popular files on Dropbox:
• thepiratebay.org Top 100 Torrent files
• Downloaded copyright-free content (.sfv, .nfo, ...)
• 97 % (n = 368) were retrievable
• 20 % of torrents were less than 24 hours old
Interpretation:
• At least one of the seeders uses Dropbox
Solutions
• Aftermath – Dropbox fixed the flaws
– HTTPS Up-/Download Attack
– Host ID is now encrypted
– No more client-side deduplication
• Proof of ownership
• Take down notice
Figure: attack flow between the victim using Dropbox and the attacker's PC: 1. Steal hashes; 2. Send hashes to attacker; 3. Link hashes with fake client; 4. Download all files of the victim.
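The deduplication slides, the hash-based attack and the "proof of ownership" countermeasure can be seen together in a small model. The following is an added example, not code from the slides and not Dropbox's protocol: a toy storage service that deduplicates by SHA-256, first with the weak "link by hash" behaviour the talk describes, then with a nonce-keyed challenge (an assumed scheme) that forces the client to prove it holds the file content, not just its digest. All names and the sample file are constructed.

```python
"""Client-side deduplication and proof of ownership (added example, not
code from the slides or from Dropbox).  Models hash-only linking, where
knowing a file's hash is enough to obtain the file, and a nonce-keyed
challenge the server can use to make a client prove it holds the content."""
import hashlib
import hmac
import os


class DedupServer:
    """Constructed storage service: each content hash is stored only once,
    and per-account 'links' decide who may download a stored blob."""

    def __init__(self):
        self.blobs = {}     # sha256 hex digest -> file content
        self.links = set()  # (account, digest) pairs allowed to download

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def upload(self, account: str, data: bytes) -> str:
        """Regular upload: store the blob once and link it to the account."""
        d = self.digest(data)
        self.blobs.setdefault(d, data)  # deduplication: keep the first copy only
        self.links.add((account, d))
        return d

    # Weak variant: the client says "I have file <hash>" and the server links
    # it without ever seeing the bytes.  Whoever knows the hash gets the file.
    def link_by_hash(self, account: str, d: str) -> bool:
        if d not in self.blobs:
            return False
        self.links.add((account, d))
        return True

    # Mitigation: proof of ownership.  The server picks a fresh nonce and the
    # client must return HMAC(nonce, full content); the hash alone is useless.
    # Assumed scheme for clarity; production schemes avoid re-reading the whole
    # file per challenge, e.g. with Merkle-tree based proofs.
    def challenge(self) -> bytes:
        return os.urandom(16)

    def link_with_proof(self, account: str, d: str, nonce: bytes, proof: bytes) -> bool:
        if d not in self.blobs:
            return False
        expected = hmac.new(nonce, self.blobs[d], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.links.add((account, d))
        return True

    def download(self, account: str, d: str) -> bytes:
        if (account, d) not in self.links:
            raise PermissionError("no link between account and blob")
        return self.blobs[d]


def client_proof(nonce: bytes, data: bytes) -> bytes:
    """What an honest client computes over the file it actually holds."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo() -> dict:
    """Run both variants on a constructed file and report who could do what."""
    server = DedupServer()
    secret = b"constructed victim file: quarterly numbers\n"
    d = server.upload("victim", secret)

    # Weak server: the hash alone acts as a download credential.
    stolen_hash_works = server.link_by_hash("other-account", d)
    other_got_file = server.download("other-account", d) == secret

    # Proof-of-ownership server: knowing the hash is not knowing the file.
    hardened = DedupServer()
    hardened.upload("victim", secret)
    nonce = hardened.challenge()
    bad_proof = client_proof(nonce, d.encode())          # only the hash is known
    other_linked = hardened.link_with_proof("other-account", d, nonce, bad_proof)
    good_proof = client_proof(nonce, secret)             # a second device of the owner
    owner_linked = hardened.link_with_proof("victim-laptop", d, nonce, good_proof)
    return {
        "stolen_hash_works": stolen_hash_works,
        "other_got_file": other_got_file,
        "other_linked_with_proof": other_linked,
        "owner_linked_with_proof": owner_linked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that deduplication itself is preserved (the second upload of identical content still stores one blob); only the claim "I have this file" now has to be backed by the content.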
Underlying Problems
• Access Control
Access Control Structures
• Requirements on access control structures:
– The access control structure should help to express your desired access control policy.
– You should be able to check that your policy has been captured correctly.
• Access rights can be defined individually for each combination of subject and object.
• For large numbers of subjects and objects, such structures are cumbersome to manage. Intermediate levels of control are preferable.
Access Control Matrix
• Notation
– S … set of subjects
– O … set of objects
– A … set of access operations
• Access control matrix: M = (M_{so})_{s∈S, o∈O}, with M_{so} ⊆ A.
• The entry M_{so} specifies the operations subject s may perform on object o.

            Alice             Bob
bill.doc    -                 {read,write}
edit.exe    {exec}            {exec}
fun.com     {exec,read}       {exec,read,write}
Access Control Matrix ctd.
• The access control matrix is
– an abstract concept
– not very suitable for direct implementation
– not very convenient for managing security
• How do you answer the question: Has your security policy been implemented correctly?
• Bell-LaPadula (and Orange Book): access control matrix defines discretionary access control (DAC).
• Warning: ‘discretionary’ is not always used in this particular meaning.
Capabilities
• Focus on the subject
– access rights are stored with the subject
– capabilities ≡ rows of the access control matrix
• Subjects may grant rights to other subjects. Subjects may grant the right to grant rights.
• Problems:
– How to check who may access a specific object?
– How to revoke a capability?
• Distributed system security has created renewed interest in capabilities.
Access Control Lists (ACLs)
• Focus on the object
– access rights are stored with the object
– ACLs ≡ columns of the access control matrix
• Access rights are often defined for groups of users.
– Unix: owner, group, others
– VMS: owner, group, world, system
• Problem: How to check access rights of a specific subject?
• ACLs are typical for secure operating systems of Orange Book class C2.
ACL of fun.com: Alice: {exec}; Bill: {exec,read,write}
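The Access Control Matrix, Capabilities and ACL slides describe the same matrix read by rows or by columns, and each view makes one question cheap and the other expensive. Here is an added example (not from the slides) that builds both views from the matrix shown on the Access Control Matrix slide and exercises the two "problem" queries, plus capability delegation and revocation. The `grant` pseudo-right used to model "the right to grant rights" is this example's own convention.

```python
"""Access control matrix, capability lists (rows) and ACLs (columns).
Added example, not code from the slides.  The matrix entries come from the
Access Control Matrix slide; the 'grant' right used to model delegation is
a constructed convention."""
from collections import defaultdict

# Constructed from the slide: MATRIX[(s, o)] is M_so, the ops s may do on o.
MATRIX = {
    ("Alice", "bill.doc"): set(),
    ("Bob",   "bill.doc"): {"read", "write"},
    ("Alice", "edit.exe"): {"exec"},
    ("Bob",   "edit.exe"): {"exec"},
    ("Alice", "fun.com"):  {"exec", "read"},
    ("Bob",   "fun.com"):  {"exec", "read", "write"},
}


def capabilities(matrix):
    """Rows of the matrix: subject -> {object: ops}, stored with the subject."""
    caps = defaultdict(dict)
    for (s, o), ops in matrix.items():
        if ops:
            caps[s][o] = set(ops)
    return caps


def acls(matrix):
    """Columns of the matrix: object -> {subject: ops}, stored with the object."""
    acl = defaultdict(dict)
    for (s, o), ops in matrix.items():
        if ops:
            acl[o][s] = set(ops)
    return acl


def allowed_caps(caps, s, o, op):
    return op in caps.get(s, {}).get(o, set())


def allowed_acl(acl, s, o, op):
    return op in acl.get(o, {}).get(s, set())


def who_can(acl, o, op):
    """Cheap with ACLs: one lookup on the object."""
    return sorted(s for s, ops in acl.get(o, {}).items() if op in ops)


def who_can_caps(caps, o, op):
    """The capability problem from the slide: every subject's row is scanned."""
    return sorted(s for s, row in caps.items() if op in row.get(o, set()))


def what_can(caps, s):
    """Cheap with capabilities: one lookup on the subject."""
    return {o: sorted(ops) for o, ops in caps.get(s, {}).items()}


def what_can_acl(acl, s):
    """The ACL problem from the slide: every object's list is scanned."""
    return {o: sorted(lst[s]) for o, lst in acl.items() if s in lst}


def grant(caps, grantor, grantee, o, ops):
    """Delegation: grantor passes on ops it holds on o, but only if it also
    holds the constructed 'grant' right on o (the right to grant rights)."""
    held = caps.get(grantor, {}).get(o, set())
    if "grant" not in held or not set(ops) <= held:
        return False
    caps[grantee].setdefault(o, set()).update(ops)
    return True


def revoke(caps, s, o):
    """Revocation removes one subject's entry; copies already delegated to
    others survive, which is the slide's 'how to revoke a capability?'."""
    caps.get(s, {}).pop(o, None)
```

Both views answer the same access-check question identically; they differ only in which review question (who may access this object, what may this subject do) is a single lookup and which requires a full scan.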
Intermediate Controls
• Intermediate controls facilitate better security management.
• To deal with complexity, introduce more levels of indirection.
Figure: layers of indirection: users, roles, procedures, data types.
Groups and Negative Permissions
• Groups are an intermediate layer between users and objects.
• To deal with special cases, negative permissions withdraw rights.
Figure: two diagrams of users, groups and objects.
Role Based Access Control (RBAC)
• Several intermediate concepts can be inserted between subjects and objects
– Roles: collection of procedures assigned to users; a user can have more than one role and more than one user can have the same role.
– Procedures: ‘high level’ access control methods with a more complex semantic than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts.
– Data types: each object is of a certain data type and can be accessed only through procedures defined for this data type.
RBAC continued
• RBAC itself does not have a generally accepted meaning, and it is used in different ways by different vendors and users.
• Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming.
• Examples: user profiles in IBM’s OS/400; global groups and local groups in Windows NT.
RBAC
• NIST model of RBAC (shown in Sandhu et al., 2000) is organized into four levels of increasing functional capabilities:
– flat RBAC
– hierarchical RBAC
– constrained RBAC
– symmetric RBAC
Flat RBAC
Hierarchical RBAC
Figure: UML model of User, Role, Permission and Session: User/Role membership (*:*), Role/Permission authorization (*:*), Session/Role activation (*:*), User:Session 1:n, and a super-role/sub-role self-association on Role.
Constrained RBAC
Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), 2/2012.
Man-in-the-Middle
In Reality
Even Worse
Completely Stealthy
• https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&
Enumeration Attack
Figure: status messages retrieved by the enumeration, as shown on the slide: "On vacation", "Sleeping", "at work but not doing shit", "Nicaragua in 4 days!!", "Heartbroken", "Missing my love!", "At work ... Bleh.", "On my way to Ireland!", "I’m never drinking again"
Evaluated applications: WhatsApp, WowTalk, Viber, Forfone, Tango, EasyTalk, Voypi, eBuddy XMS, HeyTell
Results
Summary
• Authentication protocols: 6 out of 9 similar applications had the same problems
• Unintended use (reverse hash in Dropbox)
• Trust in client application
• Missing input validation
• Everything you should learn in Security 101
• Software obfuscation as possible temporary
Questions?
Trust 2013
http://trust2013.sba-research.org/
ARES 2013 Submission Deadline – March 1
http://www.ares-conference.eu/conf/
IPICS Summer School – contact me personally
http://ipics2012.sba-research.org/