Fine-grained Access Control Technologies to Protect Resources in Mobile and Cloud Applications

Operating system security has evolved to address numerous threats. Mitigating
these threats is crucial for mobile operating systems given their widespread use
and the sensitive data they handle. In Android, application components share
access to internal storage and system services. While this may not be an issue
when the developer trusts all the code, it introduces significant risks with
third-party code. We address this by proposing SEApp, a mechanism for
isolating Android app components and managing their permissions, thereby
enhancing user privacy and data protection.

Securing cloud applications that interact with mobile devices is equally
important. Modern cloud applications often involve complex service
interactions, and existing technologies lack the granularity needed for
effective resource access control. We address this by proposing a
resource-based approach to restrict file system access. We also examine
WebAssembly runtimes (e.g., Wasmtime and WasmEdge), highlighting the security
implications of the WebAssembly System Interface (WASI) and identifying areas
for improvement.

Furthermore, we explore the use of JavaScript (JS) and TypeScript (TS) for cloud
applications, utilizing JS runtimes (Node.js, Deno, and Bun). While these
runtimes offer sandboxed JS code execution, access to system resources and
native code introduces security risks by compromising application isolation. To
mitigate these risks, we introduce NatiSand, a component for JavaScript
runtimes that controls file system, Inter-Process Communication (IPC), and
network resources for binary programs and shared libraries.

The technologies detailed in this book advance fine-grained resource protection
in both mobile and cloud applications. The open-source prototypes demonstrate
integration with existing systems, effectiveness, and efficiency.