Fine-grained Access Control Technologies to Protect Resources in Mobile and Cloud Applications

Operating system security has evolved to address numerous threats. Mitigating these threats is crucial for mobile operating systems given their widespread use and the sensitive data they handle. In Android, application components share access to internal storage and system services. While this may not be an issue when the developer trusts all the code, it introduces significant risks with third-party code. We address this by proposing SEApp, a mechanism for isolating Android app components and managing their permissions, thereby enhancing user privacy and data protection. Securing cloud applications that interact with mobile devices is equally important. Modern cloud applications often involve complex service interactions, and existing technologies lack the granularity needed for effective resource access control. We address this by proposing a resource-based approach to restrict file system access. We also examine WebAssembly runtimes (e.g., Wasmtime and WasmEdge), highlighting the security implications of the WebAssembly System Interface (WASI) and identifying areas for improvement. Furthermore, we explore the use of JavaScript (JS) and TypeScript (TS) for cloud applications, utilizing JS runtimes (Node.js, Deno, and Bun). While these runtimes offer sandboxed JS code execution, access to system resources and native code introduces security risks by compromising application isolation. To mitigate these risks, we introduce NatiSand, a component for JavaScript runtimes that controls file system, Inter-Process Communication (IPC), and network resources for binary programs and shared libraries. The technologies detailed in this book advance fine-grained resource protection in both mobile and cloud applications. The open-source prototypes demonstrate integration with existing systems, effectiveness, and efficiency.