APPLICATION’S CONTROL SUPPLY TO SYSTEM SECURITY METHOD BASED ON EMBEDDED THREAT MODELS

Author:

Kazymyr Volodymyr, Chernihiv National University of Technology (95 Shevchenka Str., 14027 Chernihiv, Ukraine)

Karpachev Igor, Chernihiv National University of Technology (95 Shevchenka Str., 14027 Chernihiv, Ukraine)

Language: Ukrainian

Annotation:

Urgency of the research. With the current use of applications on mobile devices, there is a problem of developers using sensitive user data for unlawful purposes. To prevent applications from executing unwanted actions, operating systems offer different ways of controlling the privileges of individual applications. Comparing them makes it possible to combine the most successful ways for users to control privileges.

Target setting. For the first operating systems, with their inherent architecture, a primitive system for controlling rights and access levels was sufficient. Over the years, programs' functionality expanded and the need for distributed control of permissions increased. Modern systems began to support various methods of controlling applications' access rights and access levels. Despite this, the large number of applications for modern operating systems increases the risk of compromising users' personal data.

Actual scientific researches and issues analysis. UNIX, VAX/VMS, and Multics are three prominent examples of time-sharing operating systems. They were built with the threat of a malicious user in mind. UNIX associates protection bits with each file that specify which users may read, write, and execute a given file; when a program executes, it typically can only access the files that the invoking user can access. In VAX/VMS, users are assigned to one of seven privilege levels, and processes run with their invoking users’ privilege levels unless otherwise specified by a system administrator. Multics processes similarly run on behalf of human users. Indeed, an external evaluation of Multics by U.S. Air Force officers found that Multics had the potential to enforce user isolation well enough to store the military’s classified files. Modern desktop operating systems (e.g., Windows, Mac OS X) inherited UNIX’s access control model; as a result, these platforms still typically grant all of a user’s permissions to the user’s applications.

Uninvestigated parts of general matters defining. The main unresolved part of the general problem is the static nature of the permission review, which takes place during the initial installation of an application. During further use there is no guarantee that the application will not use its access to a device resource for a malicious purpose. This deficiency makes it possible to mask an application's intentions within a wide range of permissions, as is done in the manifest file on Android.

The research objective. Comparison and further improvement of application access control methods in modern operating systems, study of the possibilities of using special methods to solve issues related to functional safety, and formulation of the basic principles of safe application use.

The statement of basic materials. Android is a smartphone and tablet operating system that supports third-party applications. By default, Android applications cannot access sensitive user data or phone settings. If an application needs such privileges, the developer must specify the list of permissions that the application requires. Android informs users of the application’s desired permissions during installation.

Conclusions. If the static approach to system permissions is not replaced, the user remains open to external and internal attacks. The solution may be to partially transfer the decision about an application's hazard level to a remote server, allowing the user to make the final decision based on the results of the analysis.

Key words:

safety, safe application methods to control access rights, Android, operating systems, secure use of applications
