TWC: Small: Develop Fine-Grained Access Control for Third-Party Components in Mobile Systems

TWC：小型：为移动系统中的第三方组件开发细粒度的访问控制

• 批准号: 1318814
• 负责人: Wenliang Du
• 金额: $ 50万
• 依托单位: Syracuse University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-08-01 至 2017-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1318814&HistoricalAwards=false
• 关键词: TWC; Small; Develop; Fine; Grained

Smartphones and tablets are being used widely, and with such a pervasive use, protecting mobile systems is of critical importance. One of the unique features in mobile systems is that many applications incorporate third-party components, such as advertisement, social-network APIs, and the WebView component (that runs third-party JavaScript code). With third-party components, the code developed by application developers and the code from third parties are executed within the same context and with the same privilege. No access control system is developed to separate the privilege of the first-party application code from that of third-party components. This has resulted in over-privilege issues. The objective of this project is to develop adequate access control systems to remedy the risks introduced by third-party components. The development is based on a systematic study of various third-party components, how they interact with applications, what features are desirable, and what their protection needs are. The project meets this objective using a three-pronged approach: (1) add new access controls to WebView to control the interactions with third-party code; (2) add package-level access controls within apps to prevent over-privilege; and (3) isolate third-party components with visual elements. This project can offer mobile system developers a deeper understanding of the security problems in the systems, suggest to them how better to design into mobile systems desired security properties, and eventually improve the security of mobile systems.

智能手机和平板电脑正在被广泛使用，随着这种普遍使用，保护移动的系统至关重要。移动的系统中的独特特征之一是许多应用程序合并第三方组件，例如广告、社交网络API和WebView组件（其运行第三方JavaScript代码）。对于第三方组件，应用程序开发人员开发的代码和第三方的代码在相同的上下文中执行，并具有相同的权限。 没有开发访问控制系统来将第一方应用程序代码的权限与第三方组件的权限分开。这导致了特权问题。 该项目的目标是开发适当的出入控制系统，以消除第三方组件带来的风险。开发基于对各种第三方组件的系统研究，它们如何与应用程序交互，需要哪些功能以及它们的保护需求是什么。 该项目使用三管齐下的方法来实现这一目标：（1）向WebView添加新的访问控制，以控制与第三方代码的交互;（2）在应用程序中添加包级访问控制，以防止过度特权;（3）隔离具有视觉元素的第三方组件。 该项目可以为移动的系统开发人员提供更深入的了解系统中的安全问题，建议他们如何更好地设计成移动的系统所需的安全属性，并最终提高移动的系统的安全性。