The modern world places great reliance on computer systems. As the cost of processing power drops, many aspects of our daily life are now becoming “smart.” Computers used to take up a room, then an expensive piece of hardware upon a desk, and now are carried in the pockets of most people. This evolution obviously owes much to advances in hardware, but software has also played an important role: as additional layers of abstraction have been built up, it is easier than ever to develop software to do sophisticated tasks. Since computer systems today are networked, always-on, and contain valuable data, attackers are eager to use any gaps in their architecture to gain access to them. In this dissertation, we examine the ways in which privilege can be leaked through such architectural gaps in practical systems.
First, we deal with a class of memory safety issues within the Linux kernel. Most modern processor architectures use the concept of memory pages to manage memory, both to support virtual addressing and to enable page-level protection bits to describe the context in which each page should be used. Due to improper memory layouts within commodity kernels, a single page sometimes contains both executable code and writable data. An attacker can therefore use a memory write to inject their own code directly into kernel space, gaining its privilege. To address this problem, we propose using a security hypervisor to manage the kernel’s memory and enforce the W⊕X property, which states that a given memory page can be either executable or writable, but not both at the same time. By efficiently emulating the older Harvard architecture, we can enforce a strict separation between code and data accesses even when pages contain both.
We then turn our focus to Android, a relatively new operating system that relies heavily on inter-process communication and a rich framework, where privilege is represented by a permission model. Unfortunately, such permission models can be subverted by classical “confused deputy” attacks. Such attacks can occur when a trusted party, such as an app that has a sensitive permission, performs operations on behalf of an untrusted entity. We call such vulnerabilities capability leaks, and further classify them into two broad categories. External capability leaks cross app boundaries, allowing malicious apps to either collude with or dupe trusted apps to expand their privilege; conversely, internal capability leaks leak privilege within a single app that contains components written by multiple parties. We identify two major sources of such vulnerabilities in the platform as it stands today: firmware customizations and embedded advertisement libraries. By conducting systematic surveys of these subjects, we discover several new problems and measure their prevalence, providing a solid foundation upon which to build defensive solutions or motivate architectural changes.
|Advisor:||Jiang, Xuxian, Enck, William|
|Commitee:||Enck, William, Jiang, Xuxian|
|School:||North Carolina State University|
|School Location:||United States -- North Carolina|
|Source:||DAI-B 79/12(E), Dissertation Abstracts International|
|Keywords:||Android, Capability Leak, Confused Deputy, Harvard Architecture, Memory Safety, Virtualization|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be