Non-invasive Privilege Escalation through Mobile and IoT System Interface: Threats and Mitigation.
Record Type:
Electronic resources : Monograph/item
Title/Author:
Non-invasive Privilege Escalation through Mobile and IoT System Interface: Threats and Mitigation.
Author:
Zhang, Nan.
Published:
Ann Arbor : ProQuest Dissertations & Theses, 2018.
Description:
165 p.
Notes:
Source: Dissertations Abstracts International, Volume: 79-11, Section: B.
Contained By:
Dissertations Abstracts International 79-11B.
Subject:
Computer science.
Online resource:
http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=10812052
ISBN:
9780355931952
Notes:
Thesis (Ph.D.)--Indiana University, 2018.
This item must not be sold to any third party vendors.
With the proliferation of mobile and IoT devices, malicious application developers seize the opportunity to spread malicious applications threatening the security and privacy of users' information assets. In this dissertation, we work towards understanding and mitigating a unique type of threat, non-invasive privilege escalation attacks, posed by malicious applications to vulnerable mobile and IoT system interfaces. Unlike more invasive attacks that usually gain elevated access by altering the memory or files belonging to the system or other applications, a non-invasive attack leverages legitimate yet vulnerable system interfaces to gain access to system resources or other application resources, or to infer sensitive user information, which is usually difficult to detect without an in-depth understanding of the vulnerable systems. In particular, this dissertation reports a systematic study on this understudied type of threat, from the hidden weaknesses inside the operating system, to the risks introduced by the mobile ecosystem, to new user-computing interfaces. Specifically, we studied a runtime-information-gathering (RIG) threat that exploits design weaknesses of the operating system, e.g., shared communication channels such as Bluetooth, and side channels such as memory and network-data usage, on Android and Android-based IoT devices. To defend against this new category of attacks, we propose a novel approach, App Guardian, that changes neither the operating system nor the target apps, and provides immediate protection as soon as an ordinary app is installed. Our experimental studies show that this new technique defeated all known RIG attacks, with small impacts on the utility of legitimate apps and the performance of the operating system.
Then we discover hanging attribute references (Hares), a type of vulnerability never investigated before, which often has serious security implications: when an attribute is used on a device but the party defining it has been removed during vendor customization, a malicious app can fill the gap to acquire critical system capabilities, simply by disguising itself as the owner of the attribute. We further design and implement Harehunter, a new tool for automatic detection of Hares. Using it, we discover 21,557 likely Hare flaws on the factory images of 97 of the most popular Android devices, demonstrating the significant impact of the problem. Finally, we conduct the first security analysis of Voice Personal Assistant (VPA) ecosystems and related popular IoT devices, which leads to the discovery of serious security weaknesses in their Voice User Interfaces (VUIs) and skill vetting. We present two new attacks, voice squatting and voice masquerading, both of which are demonstrated to pose realistic remote threats to a large number of VPA users, and both of which have serious security and privacy implications. We also design and implement new techniques that make the first step towards protecting VPA users from these voice-based attacks.
LDR 04096nmm a2200313 4500
001 2209612
005 20191104073750.5
008 201008s2018 ||||||||||||||||| ||eng d
020 $a 9780355931952
035 $a (MiAaPQ)AAI10812052
035 $a (MiAaPQ)indiana:15207
035 $a AAI10812052
040 $a MiAaPQ $c MiAaPQ
100 1 $a Zhang, Nan. $3 1296856
245 1 0 $a Non-invasive Privilege Escalation through Mobile and IoT System Interface: Threats and Mitigation.
260 1 $a Ann Arbor : $b ProQuest Dissertations & Theses, $c 2018
300 $a 165 p.
500 $a Source: Dissertations Abstracts International, Volume: 79-11, Section: B.
500 $a Publisher info.: Dissertation/Thesis.
500 $a Advisor: Wang, XiaoFeng.
502 $a Thesis (Ph.D.)--Indiana University, 2018.
506 $a This item must not be sold to any third party vendors.
590 $a School code: 0093.
650 4 $a Computer science. $3 523869
690 $a 0984
710 2 $a Indiana University. $b Computer Sciences. $3 1018516
773 0 $t Dissertations Abstracts International $g 79-11B.
790 $a 0093
791 $a Ph.D.
792 $a 2018
793 $a English
856 4 0 $u http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=10812052
Items (1 record)
Inventory Number:
W9386161
Location Name:
Electronic resources
Item Class:
11.Online reading_V
Material type:
E-book
Call number:
EB
Usage Class:
General use (Normal)
Loan Status:
On shelf
No. of reservations:
0
Opac note:
Attachments: