Regulating Access to System Sensors in Cooperating Programs

TL;DR

ENTRUST is a system that improves control over sensor access in cooperating programs by tracking user input and delegation events, preventing unauthorized sensor use while maintaining low overhead.

Contribution

The paper introduces ENTRUST, a novel authorization system that accurately tracks delegation paths to control sensor access based on user input in Android.

Findings

Prevents sensor access attacks with 54-64% higher success rate.

Requires no more than three additional authorizations per program.

Imposes modest performance and memory overheads.

Abstract

Modern operating systems such as Android, iOS, Windows Phone, and Chrome OS support a cooperating program abstraction. Instead of placing all functionality into a single program, programs cooperate to complete tasks requested by users. However, untrusted programs may exploit interactions with other programs to obtain unauthorized access to system sensors either directly or through privileged services. Researchers have proposed that programs should only be authorized to access system sensors on a user-approved input event, but these methods do not account for possible delegation done by the program receiving the user input event. Furthermore, proposed delegation methods do not enable users to control the use of their input events accurately. In this paper, we propose ENTRUST, a system that enables users to authorize sensor operations that follow their input events, even if the sensor operation is performed by a program different from the program receiving the input event. ENTRUST tracks user input as well as delegation events and restricts the execution of such events to compute unambiguous delegation paths to enable accurate and reusable authorization of sensor operations. To demonstrate this approach, we implement the ENTRUST authorization system for Android. We find, via a laboratory user study, that attacks can be prevented at a much higher rate (54-64% improvement); and via a field user study, that ENTRUST requires no more than three additional authorizations per program with respect to the first-use approach, while incurring modest performance (<1%) and memory overheads (5.5 KB per program).