Privilege escalation attacks on android
作者: Lucas Davi , Alexandra Dmitrienko , Ahmad-Reza Sadeghi , Marcel Winandy
DOI: 10.1007/978-3-642-18178-8_30
关键词:
摘要: Android is a modern and popular software platform for smartphones. Among its predominant features an advanced security model which based on application-oriented mandatory access control sandboxing. This allows developers users to restrict the execution of application privileges it has (mandatorily) assigned at installation time. The exploitation vulnerabilities in program code hence believed be confined within privilege boundaries application's sandbox. However, this paper we show that escalation attack possible. We genuine exploited runtime or malicious can escalate granted permissions. Our results immediately imply Android's cannot deal with transitive permission usage sandbox fails as last resort against malware sophisticated attacks.
springer.com
core.ac.uk
acm.org
tu-darmstadt.de
cased.de
researchgate.net 参考文章(23)
Sahin Albayrak, Seyit Camtepe, Jan Clausen, Aubrey-Derrick Schmidt, Kamer Ail Yuksel, Hans-Gunterh Schmidt, Kiraz Osman, Enhancing security of linux-based android devices School of Electrical Engineering & Computer Science; Information Security Institute; Science & Engineering Faculty. ,(2008)
Y Elovici, S Dolev, A Shabtai, U Kanonov, Y Fledel, Google Android: A State-of-the-Art Review of Security Mechanisms arXiv: Cryptography and Security. ,(2009)
William Enck, Patrick McDaniel, Jaeyeon Jung, Byung-Gon Chun, Peter Gilbert, Anmol N. Sheth, Landon P. Cox, TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones operating systems design and implementation. pp. 393- 407 ,(2010) , 10.5555/1924943.1924971
Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Leonid Batyuk, Jan Hendrik Clausen, Seyit Ahmet Camtepe, Sahin Albayrak, Can Yildizli, Smartphone malware evolution revisited: Android next target? international conference on malicious and unwanted software. pp. 1- 7 ,(2009) , 10.1109/MALWARE.2009.5403026
Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy, ROPdefender Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS '11. pp. 40- 51 ,(2011) , 10.1145/1966913.1966920
David Barrera, H. G üne ş Kayacik, Paul C. van Oorschot, Anil Somayaji, A methodology for empirical analysis of permission-based security models and its application to android Proceedings of the 17th ACM conference on Computer and communications security - CCS '10. pp. 73- 84 ,(2010) , 10.1145/1866307.1866317
J. Pincus, B. Baker, Beyond stack smashing: recent advances in exploiting buffer overruns ieee symposium on security and privacy. ,vol. 2, pp. 20- 27 ,(2004) , 10.1109/MSP.2004.36
A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, C. Glezer, Google Android: A Comprehensive Security Assessment ieee symposium on security and privacy. ,vol. 8, pp. 35- 44 ,(2010) , 10.1109/MSP.2010.2
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy, Return-oriented programming without returns computer and communications security. pp. 559- 572 ,(2010) , 10.1145/1866307.1866370
William Enck, Machigar Ongtang, Patrick McDaniel, On lightweight mobile phone application certification computer and communications security. pp. 235- 245 ,(2009) , 10.1145/1653662.1653691