DOI: 10.1145/1866307.1866317
research-article

A methodology for empirical analysis of permission-based security models and its application to android

Published: 04 October 2010

Abstract

Permission-based security models provide controlled access to various system resources. The expressiveness of the permission set plays an important role in providing the right level of granularity in access control. In this work, we present a methodology for the empirical analysis of permission-based security models which makes novel use of the Self-Organizing Map (SOM) algorithm of Kohonen (2001). While the proposed methodology may be applicable to a wide range of architectures, we analyze 1,100 Android applications as a case study. Our methodology is of independent interest for visualization of permission-based systems beyond our present Android-specific empirical analysis. We offer some discussion identifying potential points of improvement for the Android permission model attempting to increase expressiveness where needed without increasing the total number of permissions or overall complexity.

References

[1] Android. http://www.android.com Retrieved February 6th, 2010.
[2] Android Market Statistics from Androlib. http://www.androlib.com/appstats.aspx Retrieved July 7th, 2010.
[3] BlackBerry APIs with controlled access. http://docs.blackberry.com/en/developers/deliverables/5580/Java_APIs_with_controlled_access_447163_11.jsp Retrieved April 9th, 2010.
[4] Formats: Manifest Files - Google Chrome Extensions - Google Code. http://code.google.com/chrome/extensions/manifest.html#permissions Retrieved April 9th, 2010.
[5] How Android Security Stacks Up. http://www.technologyreview.com/communications/24944/page1/ April 1st, 2010.
[6] Independent Security Evaluators - Exploiting Android. http://securityevaluators.com/content/case-studies/android/ Retrieved January 15th, 2010.
[7] The Android Developer's Guide. http://developer.android.com/guide/index.html Retrieved January 29th, 2010.
[8] The Android Developer's Guide - Android Manifest Permissions. http://developer.android.com/reference/android/Manifest.permission.html Retrieved April 5th, 2010.
[9] The Android Developer's Guide - Permission Groups. http://developer.android.com/guide/topics/manifest/permission-group-element.html Retrieved April 7th, 2010.
[10] A. Barth, A. P. Felt, P. Saxena, and A. Boodman. Protecting Browsers from Extension Vulnerabilities. In Proceedings of the 17th Network and Distributed System Security Symposium (NDSS 2010).
[11] K. Beznosov, P. Inglesant, J. Lobo, R. Reeder, and M. E. Zurko. Usability meets access control: challenges and research opportunities. In SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies, pages 73–74, New York, NY, USA, 2009. ACM.
[12] D. Curry. UNIX System Security. Addison-Wesley, 1992.
[13] W. Enck, M. Ongtang, and P. D. McDaniel. On Lightweight Mobile Phone Application Certification. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors, ACM Conference on Computer and Communications Security, pages 235–245. ACM, 2009.
[14] W. Enck, M. Ongtang, and P. D. McDaniel. Understanding Android Security. IEEE Security & Privacy, 7(1):50–57, 2009.
[15] J. Han. Data Mining: Concepts and Techniques. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 2005.
[16] T. Kohonen. Self Organizing Maps. Springer, third edition, 2001.
[17] B. W. Lampson. Protection. SIGOPS Oper. Syst. Rev., 8(1):18–24, 1974.
[18] M. Ongtang, S. E. McLaughlin, W. Enck, and P. D. McDaniel. Semantically rich application-centric security in android. In ACSAC, pages 340–349. IEEE Computer Society, 2009.
[19] R. W. Reeder, L. Bauer, L. F. Cranor, M. K. Reiter, K. Bacon, K. How, and H. Strong. Expandable grids for visualizing and authoring computer security policies. In CHI '08, pages 1473–1482, New York, NY, USA, 2008. ACM.
[20] D. K. Smetters and N. Good. How users use access control. In SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–12, New York, NY, USA, 2009. ACM.
[21] A. Ultsch and H. Siemon. Kohonen's self-organizing feature maps for exploratory data analysis. In Proceedings of the International Neural Network Conference (INNC'90), Dordrecht, Netherlands, pages 305–308. Kluwer, 1990.
[22] J. Vesanto. Data Mining Techniques Based on the Self-Organizing Map. Master's Thesis, Helsinki University of Technology, May 1997.



        Published In

        CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
        October 2010
        782 pages
        ISBN:9781450302456
        DOI:10.1145/1866307

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. access control
        2. permission-based security
        3. self-organizing maps
        4. smartphone operating systems
        5. visualization

        Qualifiers

        • Research-article

        Conference

        CCS '10

        Acceptance Rates

        CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;
        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


        Cited By

        • (2024) Privacy Slider: Fine-Grain Privacy Control for Smartphones. Proceedings of the ACM on Human-Computer Interaction 8:MHCI (1-31). DOI: 10.1145/3676519. Online publication date: 24-Sep-2024
        • (2024) Decoding Android Permissions: A Study of Developer Challenges and Solutions on Stack Overflow. Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (143-153). DOI: 10.1145/3674805.3686676. Online publication date: 24-Oct-2024
        • (2024) Measuring and Characterizing (Mis)compliance of the Android Permission System. IEEE Transactions on Software Engineering 50:4 (742-764). DOI: 10.1109/TSE.2024.3362921. Online publication date: Apr-2024
        • (2024) Few-Shot Learning Based on CCGAN-CNN in Android Malware Classification. 2024 4th International Conference on Neural Networks, Information and Communication (NNICE) (38-43). DOI: 10.1109/NNICE61279.2024.10498589. Online publication date: 19-Jan-2024
        • (2024) A comprehensive review on permissions-based Android malware detection. International Journal of Information Security 23:3 (1877-1912). DOI: 10.1007/s10207-024-00822-2. Online publication date: 4-Mar-2024
        • (2023) Notice the imposter! a study on user tag spoofing attack in mobile apps. Proceedings of the 32nd USENIX Conference on Security Symposium (5485-5501). DOI: 10.5555/3620237.3620544. Online publication date: 9-Aug-2023
        • (2023) ANDROIDGYNY: Reviewing Clustering Techniques for Android Malware Family Classification. Digital Threats: Research and Practice 5:1 (1-35). DOI: 10.1145/3587471. Online publication date: 14-Mar-2023
        • (2023) Do Users Really Know Alexa? Understanding Alexa Skill Security Indicators. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security (870-883). DOI: 10.1145/3579856.3595795. Online publication date: 10-Jul-2023
        • (2023) Runtime Permission Issues in Android Apps: Taxonomy, Practices, and Ways Forward. IEEE Transactions on Software Engineering 49:1 (185-210). DOI: 10.1109/TSE.2022.3148258. Online publication date: 1-Jan-2023
        • (2023) Data Extraction, Attacks and Protection on Android Clipboard. 2023 International Conference on Advances in Computation, Communication and Information Technology (ICAICCIT) (696-700). DOI: 10.1109/ICAICCIT60255.2023.10466166. Online publication date: 23-Nov-2023
