Conference Paper

State of the Sandbox: Investigating macOS Application Security


Abstract

Sandboxing is a way to deliberately restrict applications from accessing resources that they do not need in order to function properly. It is intended to limit the effect of potential exploits and to mitigate overreach into personal data. Since June 1, 2012, sandboxing has been a mandatory requirement for apps distributed through the Mac App Store (MAS). In addition, Apple has made it easier for developers to specify sandbox entitlements, i.e. capabilities that allow the app to access certain resources. However, sandboxing is still optional for macOS apps distributed outside Apple's official app store. This paper provides two contributions. First, the sandbox mechanism of macOS is analyzed and a critical sandbox bypass is identified. Second, the general adoption of the sandbox mechanism, as well as app-specific sandbox configurations, is evaluated. For that purpose, all 8366 free apps on the MAS (25 % of all apps available on the MAS), as well as 4672 apps retrieved from MacUpdate (MU), a third-party app store, were analyzed dynamically. The dataset is over eight times larger than that of the second-largest study of macOS apps. It is shown that more than 94 % of apps on the MAS are sandboxed. However, more than 89 % of apps distributed through MU do not make use of sandboxing, putting users' data at risk.


Conference Paper
Modern smartphone platforms have millions of apps, many of which request permissions to access private data and resources, like user accounts or location. While these smartphone platforms provide varying degrees of control over these permissions, the sheer number of decisions that users are expected to manage has been shown to be unrealistically high. Prior research has shown that users are often unaware of, if not uncomfortable with, many of their permission settings. Prior work also suggests that it is theoretically possible to predict many of the privacy settings a user would want by asking the user a small number of questions. However, this approach has neither been operationalized nor evaluated with actual users before. We report on a field study (n=72) in which we implemented and evaluated a Personalized Privacy Assistant (PPA) with participants using their own Android devices. The results of our study are encouraging. We find that 78.7% of the recommendations made by the PPA were adopted by users. Following initial recommendations on permission settings, participants were motivated to further review and modify their settings with daily "privacy nudges." Despite showing substantial engagement with these nudges, participants only changed 5.1% of the settings previously adopted based on the PPA's recommendations. The PPA and its recommendations were perceived as useful and usable. We discuss the implications of our results for mobile permission management and the design of personalized privacy assistant solutions.
Article
App Store Analysis studies information about applications obtained from app stores. App stores provide a wealth of information derived from users that would not exist had the applications been distributed via previous software deployment methods. App Store Analysis combines this non-technical information with technical information to learn trends and behaviours within these forms of software repositories. Findings from App Store Analysis have a direct and actionable impact on the software teams that develop software for app stores, and have led to techniques for requirements engineering, release planning, software design, security and testing. This survey describes and compares the areas of research that have been explored thus far, drawing out common aspects, trends and directions future research should take to address open problems and challenges.
Patent
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for preserving references in sandboxes. A system implementing the method receives a document for use in a sandbox environment and passes the document to a parser, via a coordinator. The parser finds references in the document to other resources and outputs a list of references. The system passes the list of references to a verifier that verifies each reference and outputs a list of verified references. The system passes the list of verified references to the sandboxed application, which extends the sandbox to include the resources on the list of verified references. In one embodiment, the system preserves references in sandboxes without the use of a coordinator.
Article
Sandboxes are increasingly important building materials for secure software systems. In recognition of their potential to improve the security posture of many systems at various points in the development lifecycle, researchers have spent the last several decades developing, improving, and evaluating sandboxing techniques. What has been done in this space? Where are the barriers to advancement? What are the gaps in these efforts? We systematically analyze a decade of sandbox research from five top-tier security and systems conferences using qualitative content analysis, statistical clustering, and graph-based metrics to answer these questions and more. We find that the term “sandbox” currently has no widely accepted or acceptable definition. We use our broad scope to propose the first concise and comprehensive definition for “sandbox” that consistently encompasses research sandboxes. We learn that the sandboxing landscape covers a range of deployment options and policy enforcement techniques collectively capable of defending diverse sets of components while mitigating a wide range of vulnerabilities. Researchers consistently make security, performance, and applicability claims about their sandboxes and tend to narrowly define the claims to ensure they can be evaluated. Those claims are validated using multi-faceted strategies spanning proof, analytical analysis, benchmark suites, case studies, and argumentation. However, we find two cases for improvement: (1) the arguments researchers present are often ad hoc and (2) sandbox usability is mostly uncharted territory. We propose ways to structure arguments to ensure they fully support their corresponding claims and suggest lightweight means of evaluating sandbox usability.
Article
On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kinds of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on Mac OS X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on Mac OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentication. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of Mac OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed.
Article
Due to the amount of data that smartphone applications can potentially access, platforms enforce permission systems that allow users to regulate how applications access protected resources. If users are asked to make security decisions too frequently and in benign situations, they may become habituated and approve all future requests without regard for the consequences. If they are asked to make too few security decisions, they may become concerned that the platform is revealing too much sensitive information. To explore this tradeoff, we instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications are accessing protected resources regulated by permissions. We performed a 36-person field study to explore the notion of "contextual integrity," that is, how often are applications accessing protected resources when users are not expecting it? Based on our collection of 27 million data points and exit interviews with participants, we examine the situations in which users would like the ability to deny applications access to protected resources. We found out that at least 80% of our participants would have preferred to prevent at least one permission request, and overall, they thought that over a third of requests were invasive and desired a mechanism to block them.
Article
With the rapid prevalence of smart mobile devices, the number of mobile Apps available has exploded over the past few years. To facilitate the choice of mobile Apps, existing mobile App recommender systems typically recommend popular mobile Apps to mobile users. However, mobile Apps are highly varied and often poorly understood, particularly for their activities and functions related to privacy and security. Therefore, more and more mobile users are reluctant to adopt mobile Apps due to the risk of privacy invasion and other security concerns. To fill this crucial void, in this paper, we propose to develop a mobile App recommender system with privacy and security awareness. The design goal is to equip the recommender system with the functionality that allows it to automatically detect and evaluate the security risk of mobile Apps. Then, the recommender system can provide App recommendations by considering both the Apps' popularity and the users' security preferences. Specifically, a mobile App can lead to security risk because insecure data access permissions have been implemented in this App. Therefore, we first develop the techniques to automatically detect the potential security risk for each mobile App by exploiting the requested permissions. Then, we propose a flexible approach based on modern portfolio theory for recommending Apps by striking a balance between the Apps' popularity and the users' security concerns, and build an App hash tree to efficiently recommend Apps. Finally, we evaluate our approach with extensive experiments on a large-scale data set collected from Google Play. The experimental results clearly validate the effectiveness of our approach.
Article
Although millions of users download and use third-party Android applications from the Google Play store, little information is known on an aggregated level about these applications. We have built PlayDrone, the first scalable Google Play store crawler, and used it to index and analyze over 1,100,000 applications in the Google Play store on a daily basis, the largest such index of Android applications. PlayDrone leverages various hacking techniques to circumvent Google's roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications. We demonstrate the usefulness of PlayDrone in decompiling and analyzing application content by exploring four previously unaddressed issues: the characterization of Google Play application content at large scale and its evolution over time, library usage in applications and its impact on application portability, duplicative application content in Google Play, and the ineffectiveness of OAuth and related service authentication mechanisms resulting in malicious users being able to easily gain unauthorized access to user data and resources on Amazon Web Services and Facebook.
Conference Paper
Apple adopts the mandatory app review and code signing mechanisms to ensure that only approved apps can run on iOS devices. In this paper, we present a novel attack method that fundamentally defeats both mechanisms. Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple's approval. We implemented a proof-of-concept Jekyll app and successfully published it in the App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, the Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
Article
Android's permission system is intended to inform users about the risks of installing applications. When a user installs an application, he or she has the opportunity to review the application's permission requests and cancel the installation if the permissions are excessive or objectionable. We examine whether the Android permission system is effective at warning users. In particular, we evaluate whether Android users pay attention to, understand, and act on permission information during installation. We performed two usability studies: an Internet survey of 308 Android users, and a laboratory study wherein we interviewed and observed 25 Android users. Study participants displayed low attention and comprehension rates: both the Internet survey and laboratory study found that 17% of participants paid attention to permissions during installation, and only 3% of Internet survey respondents could correctly answer all three permission comprehension questions. This indicates that current Android permission warnings do not help most users make correct security decisions. However, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension. We present recommendations for improving user attention and comprehension, as well as identify open challenges.
Article
This paper investigates changes over time in the behavior of Android ad libraries. Taking a sample of 100,000 apps, we extract and classify the ad libraries. By considering the release dates of the applications that use a specific ad library version, we estimate the release date for the library, and thus build a chronological map of the permissions used by various ad libraries over time. We find that the use of most permissions has increased over the last several years, and that more libraries are able to use permissions that pose particular risks to user privacy and security.
Conference Paper
Web users are shown an invalid certificate warning when their browser cannot validate the identity of the websites they are visiting. While these warnings often appear in benign situations, they can also signal a man-in-the-middle attack. We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL warnings. We then designed two new warnings using warnings science principles and lessons learned from the survey. We evaluated warnings used in three popular web browsers and our two warnings in a 100-participant, between-subjects laboratory study. Our warnings performed significantly better than existing warnings, but far too many participants exhibited dangerous behavior in all warning conditions. Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.
Article
Many popular programs, such as Netscape, use untrusted helper applications to process data from the network. Unfortunately, the unauthenticated network data they interpret could well have been created by an adversary, and the helper applications are usually too complex to be bug-free. This raises significant security concerns. Therefore, it is desirable to create a secure environment to contain untrusted helper applications. We propose to reduce the risk of a security breach by restricting the program's access to the operating system. In particular, we intercept and filter dangerous system calls via the Solaris process tracing facility. This enabled us to build a simple, clean, user-mode implementation of a secure environment for untrusted helper applications. Our implementation has negligible performance impact, and can protect pre-existing applications.
Conference Paper
Modern operating systems, such as iOS, use multiple access control policies to define an overall protection system. However, the complexity of these policies and their interactions can hide policy flaws that compromise the security of the protection system. We propose iOracle, a framework that logically models the iOS protection system such that queries can be made to automatically detect policy flaws. iOracle models policies and runtime context extracted from iOS firmware images, developer resources, and jailbroken devices, and iOracle significantly reduces the complexity of queries by modeling policy semantics. We evaluate iOracle by using it to successfully triage executables likely to have policy flaws and comparing our results to the executables exploited in four recent jailbreaks. When applied to iOS 10, iOracle identifies previously unknown policy flaws that allow attackers to modify or bypass access control policies. For compromised system processes, consequences of these policy flaws include sandbox escapes (with respect to read/write file access) and changing the ownership of arbitrary files. By automating the evaluation of iOS access control policies, iOracle provides a practical approach to hardening iOS security by identifying policy flaws before they are exploited.
Book
Enterprise Mac Security is a definitive, expert-driven update of the popular, slash-dotted first edition, which was written in part as a companion to the SANS Institute course for Mac OS X. It contains detailed Mac OS X security information, and walkthroughs on securing systems, including the new 10.11 operating system. A common misconception in the Mac community is that Mac's operating system is more secure than others. While this might have been true in certain cases, security on the Mac has always been a crucial issue. With the release of OS X 10.11, the operating system is taking large strides in getting even more secure. Even still, when sharing is enabled or remote control applications are installed, Mac OS X faces a variety of security threats, whether these have been exploited or not. This book caters to both the beginning home user and the seasoned security professional not accustomed to the Mac, establishing best practices for Mac OS X for a wide audience. The authors of this book are seasoned Mac and security professionals, having built many of the largest network infrastructures for Apple and spoken at both DEFCON and Black Hat on OS X security.
What You Will Learn
• The newest security techniques on Mac OS X from the best and brightest
• Security details of Mac OS X for the desktop and server, and how to secure these systems
• The details of Mac forensics and Mac hacking
• How to tackle Apple wireless security
Who This Book Is For
This book is for new users, switchers, power users, and administrators that need to make sure their Mac systems are secure.
Article
This paper reports a large-scale study that aims to understand how mobile application (app) vulnerabilities are associated with software libraries. We analyze both free and paid apps. Studying paid apps was quite meaningful because it helped us understand how differences in app development/maintenance affect the vulnerabilities associated with libraries. We analyzed 30k free and paid apps collected from the official Android marketplace. Our extensive analyses revealed that approximately 70%/50% of vulnerabilities of free/paid apps stem from software libraries, particularly from third-party libraries. Somewhat paradoxically, we found that more expensive/popular paid apps tend to have more vulnerabilities. This comes from the fact that more expensive/popular paid apps tend to have more functionality, i.e., more code and libraries, which increases the probability of vulnerabilities. Based on our findings, we provide suggestions to stakeholders of mobile app distribution ecosystems.
Conference Paper
Recent literature on iOS security has focused on the malicious potential of third-party applications, demonstrating how developers can bypass application vetting and code-level protections. In addition to these protections, iOS uses a generic sandbox profile called "container" to confine malicious or exploited third-party applications. In this paper, we present the first systematic analysis of the iOS container sandbox profile. We propose the SandScout framework to extract, decompile, formally model, and analyze iOS sandbox profiles as logic-based programs. We use our Prolog-based queries to evaluate file-based security properties of the container sandbox profile for iOS 9.0.2 and discover seven classes of exploitable vulnerabilities. These attacks affect non-jailbroken devices running later versions of iOS. We are working with Apple to resolve these attacks, and we expect that SandScout will play a significant role in the development of sandbox profiles for future versions of iOS.
Article
Security isolation is a foundation of computing systems that enables resilience to different forms of attacks. This article seeks to understand existing security isolation techniques by systematically classifying different approaches and analyzing their properties. We provide a hierarchical classification structure for grouping different security isolation techniques. At the top level, we consider two principal aspects: mechanism and policy. Each aspect is broken down into salient dimensions that describe key properties. We break the mechanism into two dimensions, enforcement location and isolation granularity, and break the policy aspect down into three dimensions: policy generation, policy configurability, and policy lifetime. We apply our classification to a set of representative articles that cover a breadth of security isolation techniques and discuss tradeoffs among different design choices and limitations of existing approaches.
Article
In order to limit the damage of malware on Mac OS X and iOS, Apple uses sandboxing, a kernel-level security layer that provides tight constraints for system calls. Particularly used for Apple iOS, sandboxing prevents apps from executing potentially dangerous actions, by defining rules in a sandbox profile. Investigating Apple's built-in sandbox profiles is difficult as they are compiled and stored in binary format. We present SandBlaster, a software bundle that is able to reverse/decompile Apple binary sandbox profiles to their original human readable SBPL (SandBox Profile Language) format. We use SandBlaster to reverse all built-in Apple iOS binary sandbox profiles for iOS 7, 8 and 9. Our tool is, to the best of our knowledge, the first to provide a full reversing of the Apple sandbox, shedding light into the inner workings of Apple sandbox profiles and providing essential support for security researchers and professionals interested in Apple security mechanisms.
Conference Paper
With the booming sale of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every iOS application to go through a vetting process called App Review to detect uses of private APIs that provide access to sensitive user information. However, recent attacks have shown the feasibility of using private APIs without being detected during App Review. To counter such attacks, we propose a new iOS application vetting system, called iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, iRiS uses a novel iterative dynamic analysis approach, which is slower but more powerful compared to static analysis. We have ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that use a total number of 150 different private APIs, including 25 security-critical APIs that access sensitive user information, such as device serial number. By analyzing iOS applications using iRiS, we also identified a suspicious advertisement service provider which collects user privacy information in its advertisement serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store. iRiS is effective in detecting private API abuse missed by App Review.
Patent
This document describes systems and methods for restricting program process capabilities. In some implementations, the capabilities are restricted by limiting the rights or privileges granted to an application. A plurality of rules may be established for a program, or for a group of programs, denying that program the right to take actions which are outside of the actions needed to implement its intended functionality. A security policy is implemented to test actions initiated in response to an application against the rules to enable decisions restricting the possible actions of the program. Embodiments are disclosed which process the majority of decisions regarding actions against a security profile through use of a virtual machine. In some embodiments, the majority of decisions are resolved within the kernel space of an operating system.
Chapter
Ready to start securing your Mac? Let’s get right into it. Keep in mind that this chapter is meant to be a quick-and-dirty start to securing your Mac, for the “I don’t have time to dive into the nitty-gritty, I need to get my Mac secured right away” readers. This chapter will give you just the basics to get your Mac secure quickly, and although it will leave you with a fairly secure system, it’s not as comprehensive as the subsequent chapters, where we’ll fine-tune your Mac’s settings. For a more thorough understanding of OS X security and the tools you can use to secure your Mac, we urge you to continue reading beyond the basics. Beginning in Chapter 2, you’ll be introduced to all the other intricacies surrounding securing the Mac OS, diving deeper into the larger concepts of what is covered here in this quick-start.
Conference Paper
Mobile application stores (appstores) are emerging digital distribution platforms with explosive growth. Although there have been some observations on the mobile application (app) popularity in Android appstores, there is no report on the app popularity in iOS appstores. What's more, the details about user downloads and app popularity, such as the composition of downloads traffic and the migration of user interests, are untouched yet. In this paper, we unreel these issues based on five-month measurements of four third-party appstores (two for Android and two for iOS respectively). Our main results include: 1) The app popularity distributions of third-party Android appstores are different from those of iOS third-party appstores. There is an exponential cut-off observed besides the Zipf-like distribution in the app popularity distribution of Android appstores. 2) In both Android and iOS families of appstores, the major part of downloads traffic is contributed by the large-size apps, counting 80% or more in the volume of total downloads traffic. 3) There is less rank variance of the most popular apps in the iOS appstores than those in the Android appstores. About 52% of the top 100 iOS apps observed in one month are still in the rank of top 100 in the following four months.
Article
User review is a crucial component of open mobile app markets such as the Google Play Store. How do we automatically summarize millions of user reviews and make sense out of them? Unfortunately, beyond simple summaries such as histograms of user ratings, there are few analytic tools that can provide insights into user reviews. In this paper, we propose Wiscom, a system that can analyze tens of millions user ratings and comments in mobile app markets at three different levels of detail. Our system is able to (a) discover inconsistencies in reviews; (b) identify reasons why users like or dislike a given app, and provide an interactive, zoomable view of how users' reviews evolve over time; and (c) provide valuable insights into the entire app market, identifying users' major concerns and preferences of different types of apps. Results using our techniques are reported on a 32GB dataset consisting of over 13 million user reviews of 171,493 Android apps in the Google Play Store. We discuss how the techniques presented herein can be deployed to help a mobile app market operator such as Google as well as individual app developers and end-users.
Conference Paper
Android uses a system of permissions to control how apps access sensitive devices and data stores. Unfortunately, we have little understanding of the evolution of Android permissions since their inception (2008). Is the permission model allowing the Android platform and apps to become more secure? In this paper, we present arguably the first long-term study centered around both permission evolution and usage across the entire Android ecosystem (platform, third-party apps, and pre-installed apps). First, we study the Android platform to see how the set of permissions has evolved; we find that this set tends to grow, and that the growth is not aimed at providing finer-grained permissions but rather at offering access to new hardware features; a particular concern is that the set of Dangerous permissions is increasing. Second, we study Android third-party and pre-installed apps to examine whether they follow the principle of least privilege. We find that this is not the case, as an increasing percentage of the popular apps we study are overprivileged. In addition, the apps tend to use more permissions over time. Third, we highlight some concerns with pre-installed apps, i.e., apps that vendors distribute with the phone; these apps have access to, and use, a larger set of higher-privileged permissions, which pose security and privacy risks. At the risk of oversimplification, we state that the Android ecosystem is not becoming more secure from the user's point of view. Our study derives four recommendations for improving Android security and suggests the need to revisit the practices and policies of the ecosystem.
Conference Paper
Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of application permissions. We perform case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether application permissions are effective at protecting users. Our results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.
Conference Paper
We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox's malware and phishing warnings, a quarter of Google Chrome's malware and phishing warnings, and a third of Mozilla Firefox's SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users. We also find that user behavior varies across warnings. In contrast to the other warnings, users continued through 70.2% of Google Chrome's SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers.
Article
Under most widely-used security mechanisms the programs users run possess more authority than is strictly necessary, with each process typically capable of utilising all of the user's privileges. Consequently such security mechanisms often fail to protect against contemporary threats, such as previously unknown ('zero-day') malware and software vulnerabilities, as processes can misuse a user's privileges to behave maliciously. Application restrictions and sandboxes can mitigate threats that traditional approaches to access control fail to prevent by limiting the authority granted to each process. This developing field has become an active area of research, and a variety of solutions have been proposed. However, despite the seriousness of the problem and the security advantages these schemes provide, practical obstacles have restricted their adoption. This paper describes the motivation for application restrictions and sandboxes, presenting an in-depth review of the literature covering existing systems. This is the most comprehensive review of the field to date. The paper outlines the broad categories of existing application-oriented access control schemes, such as isolation and rule-based schemes, and discusses their limitations. Adoption of these schemes has arguably been impeded by workflow, policy complexity, and usability issues. The paper concludes with a discussion on areas for future work, and points a way forward within this developing field of research with recommendations for usability and abstraction to be considered to a further extent when designing application-oriented access controls.
Article
Many operating system services require special privilege to execute their tasks. A programming error in a privileged service opens the door to system compromise in the form of unauthorized acquisition of privileges. In the worst case, a remote attacker may obtain superuser privileges. In this paper, we discuss the methodology and design of privilege separation, a generic approach that lets parts of an application run with different levels of privilege. Programming errors occurring in the unprivileged parts can no longer be abused to gain unauthorized privileges. Privilege separation is orthogonal to capability systems or application confinement and enhances the security of such systems even further.