Conference Paper

User-Aware Privacy Control via Extended Static-Information-Flow Analysis

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Applications in mobile-marketplaces may leak private user infor-mation without notification. Existing mobile platforms provide lit-tle information on how applications use private user data, making it difficult for experts to validate applications and for users to grant applications access to their private data. We propose a user-aware privacy control approach, which reveals how private information is used inside applications. We compute static information flows and classify them as safe/unsafe based on a tamper analysis that tracks whether private data is obscured before escaping through output channels. This flow information enables platforms to provide de-fault settings that expose private data only for safe flows, thereby preserving privacy and minimizing decisions required from users. We built our approach into TouchDevelop, an application-creation environment that allows users to write scripts on mobile devices and install scripts published by other users. We evaluate our ap-proach by studying 546 scripts published by 194 users.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... We identify a number of shortcomings with the systems mentioned above. Most frequently, the declarations are no more than a list of permissions checked at run-time, leaving the user guessing about the actual behaviour of the application [23]. The fact that these checks are dynamic also leads to the application halting on Android if a developer tries to access a forbidden resource. ...
... This naturally incurs its own privacy concerns, as well as dependence on a connection to the VM. Another approach which bears similarity to our aim, is the work by Xiao et al. [23], which restrains developers of mobile applications to a limited external DSL based on TouchDevelop [14], from which they extract information flow via static analysis. This information is then presented to the user, to decide if the resource usage seems reasonable. ...
Article
Writing a platform for reactive applications which enforces operational constraints is difficult, and has been approached in various ways. In this experience report, we detail an approach using an embedded DSL which can be used to specify the structure and permissions of a program in a given application domain. Once the developer has specified which components an application will consist of, and which permissions each one needs, the specification itself evaluates to a new, tailored, language. The final implementation of the application is then written in this specialised environment where precisely the API calls associated with the permissions which have been granted, are made available. Our prototype platform targets the domain of mobile computing, and is implemented using Racket. It demonstrates resource access control (e.g., camera, address book, etc.) and tries to prevent leaking of private data. Racket is shown to be an extremely effective platform for designing new programming languages and their run-time libraries. We demonstrate that this approach allows reuse of an inter-component communication layer, is convenient for the application developer because it provides high-level building blocks to structure the application, and provides increased control to the platform owner, preventing certain classes of errors by the developer.
... To further assist user perceptions of application behaviors, we have developed an approach of user-aware privacy control [12]. This approach allows users to perform inspection of the outgoing information at runtime to decide whether the functionality offered by a particular application is worth the cost of giving up sensitive information. ...
... To enhance user perceptions of application behaviors and improve the privacy control mechanism of mobile platforms, we developed an approach of user-aware privacy control [12]. The approach (1) notifies users of potential information leak via presenting information flows that show what private data type flows to what output channels, and (2) allows users to perform inspection of the outgoing information at runtime. ...
Article
Full-text available
To keep malware out of mobile application markets, existing techniques analyze the security aspects of application behaviors and summarize patterns of these security aspects to determine what applications do. However, user expectations (reflected via user perception in combination with user judgment) are often not incorporated into such analysis to determine whether application behaviors are within user expectations. This poster presents our recent work on bridging the semantic gap between user perceptions of the application behaviors and the actual application behaviors.
... Xiao et al. present an application creation environment which aims to restrict sensitive data usage by construction. 4 The main aim of their approach is to give 4 Xusheng Xiao et al. (2012). 'Useraware privacy control via extended static information-flow analysis'. ...
... That chapter already discusses general static analysis techniques, so we do not repeat those here. The TouchDevelop approach by X. Xiao et al. 2012 is probably closest in spirit to our own, since they offer a methodology for developing applications using a simplified DSL (as opposed to writing the mobile application in a general-purpose programming language like Java). This approach makes static analysis feasible, since their language lacks many features which make analysis of a general-purpose language a hard problem, such as aliasing, hidden control flows, etc. 3 After a developer has submitted an application 3 Atanas Rountev, Scott Kagan and Michael Gibas (2004). ...
Thesis
Dans le domaine des plates-formes ouvertes, l'utilisation descadriciels (\textit{frameworks}) enrichis par des déclarations pourexprimer les permissions de l'application est de plus en plusrépandue. Ceci est une réaction logique au fait qu'il y a uneexplosion d'adoption des appareils embarqués et mobiles. Leuromniprésence dans notre vie quotidienne engendre des craintes liées àla sécurité et à la vie privée, car l'usager partage de plus en plusses données et ressources privées avec des tiers qui développent desapplications auxquelles on n'a pas de raison de faire confiance.Malheureusement, la manière dont ces langages de spécification ainsique ces cadres d'applications sont développés est généralement assez\emph{ad hoc} et repose sur un domaine d'application et un langage deprogrammation fixes. De plus, ces cadriciels ne sont pas assezrestrictifs pour régler le problème de la fuite de données privées etne donnent souvent pas non plus assez d’informations à l'usager sur lecomportement attendu de l'application.Cette thèse présente une méthodologie généraliste pour développer descadriciels dirigés par des déclarations, qui cible un spectre large delangages de programmation. Nous montrons comment des langages dedéclaration expressifs permettent de spécifier avec modularité lesdroits d'accès aux ressources ainsi que le flux de contrôle d'unetelle application. Ces langages peuvent ensuite être compilés en uncadriciel garantissant à l'usager final le respect de ces permissions.Par rapport aux cadriciels existants, notre méthodologie permet deguider la personne qui développe des applications à partir desspécifications ainsi que d'informer l'usager final sur l'usage desressources sensibles. Contrairement aux travaux existants, laméthodologie présentée dans cette thèse ne repose par sur un langagede programmation particulier. Nous montrons comment mettre en œuvre detels cadriciels dans un spectre de langages: des langages avec typagestatique ou dynamique, et suivant le paradigme objet ou fonctionnel.L'efficacité de l'approche est montrée à travers des prototypes dansle domaine des applications mobiles dans deux langages trèsdifférents, à savoir \textsc{Java} et \textsc{Racket}, ce qui montrela généralité de notre approche.
... Various approaches have been proposed for detection and mitigation of vulnerabilities in Android apps. Some works use static analysis, like JoDroid (Graf and Hecker 2015), Chex (Lu et al. 2012), DidFail (Bhosale 2014), User-aware control project (Xiao et al. 2012), FlowDroid (Arzt et al. 2014), COVERT Bagheri et al. 2015), Mud-Flow (Avdiienko et al. 2015), Chabada (Gorla et al. 2014), Kirin (Enck et al. 2009) and Permission-based profiles (Morales and Rueda 2015). Other works use techniques based on dynamic behavior, like TaintDroid (Enck et al. 2010), Q-Floid (Castellanos et al. 2016), CopperDroid (Fattori et al. 2014), AppInspector (Gilbert et al. 2011), and Malware detection based on system calls (Dimjaševic et al. 2015;Park and Reeves 2013). ...
Article
Full-text available
The wide and rapid adoption of Android-based devices in the last years has motivated the usage of Android apps to support a broad range of daily activities. In that sense, being the most popular mobile platform makes it an attractive target for security attacks. In fact, 1,489 security vulnerabilities have been reported in the last three years (2015-2017) for the Android OS (which is the underlying platform for Android-based devices). While there is a plethora of approaches and tools for detecting malware and security issues in Android apps, few research has been done to identify, categorize, or detect vulnerabilities in the Android OS. In this paper we present the largest study so far aimed at analyzing software vulnerabilities in the Android OS. In particular, we analyzed a total of 1,235 vulnerabilities from four different perspectives: vulnerability types and their evolution, CVSS vectors that describe the vulnerabilities, impacted Android OS layers, and their survivability across the Android OS history. Based on our findings, we propose a list of future actions that could be performed by researchers and practitioners to reduce the number of vulnerabilities in the Android OS as well as their impact and survivability.
... Besides the preceding studies, there was some other work related to TouchDevelop on security and programming language. Xiao et al. [12] used static information-flow analysis to reveal how private information was used inside apps so as to assist users in granting permissions to apps. Burckhardt et al. [13] designed specialized cloud types at the programming language level to achieve consistent data storage for mobile devices. ...
Conference Paper
Full-text available
TouchDevelop represents a new programming environment that enables users to develop mobile applications directly on mobile devices. TouchDevelop has successfully drawn a huge number of end users, who have published thousands of TouchDevelop scripts online. To enhance end-user programming on mobile devices, we conduct a comprehensive field study of 17322 TouchDevelop scripts and 4275 users. Our study consists of an overall study on the characteristics of scripts (e.g., structural features, code reuse) and users (e.g., expertise), and a longitudinal study on how they evolve over time. Our study results show important characteristics of scripts such as dense external method calls, high code-reuse ratio, and also reveal interesting evolution patterns of users. The findings and implications in our study provide valuable guidelines for improving tool support or services for end users and increasing the popularity of end-user programming on mobile devices.
... Our approach complements existing malware-detection analysis by identifying contexts that indicates the intentions of data uses. There are various approaches that perform analysis to detect malicious behaviors, such as dynamic taint analysis [7], [43], language-based information flow [44]- [47], static analysis [33], [48]- [50], and Bayesian classification [51]. However, these approaches are concerned about how privacy-sensitive data protected by permissions are used, while our approach provides the contexts under which the permissions are triggered. ...
Conference Paper
Full-text available
Mobile malware attempts to evade detection during app analysis by mimicking security-sensitive behaviors of benign apps that provide similar functionality (e.g., sending SMS messages), and suppressing their payload to reduce the chance of being observed (e.g., executing only its payload at night). Since current approaches focus their analyses on the types of security-sensitive resources being accessed (e.g., network), these evasive techniques in malware make differentiating between malicious and benign app behaviors a difficult task during app analysis. We propose that the malicious and benign behaviors within apps can be differentiated based on the contexts that trigger security-sensitive behaviors, i.e., the events and conditions that cause the security-sensitive behaviors to occur. In this work, we introduce AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors. We implement a prototype of AppContext and evaluate AppContext on 202 malicious apps from various malware datasets, and 633 benign apps from the Google Play Store. AppContext correctly identifies 192 malicious apps with 87.7% precision and 95% recall. Our evaluation results suggest that the maliciousness of a security-sensitive behavior is more closely related to the intention of the behavior (reflected via contexts) than the type of the security-sensitive resources that the behavior accesses.
... CHABADA [38] compares an application's static API usage against its description on application markets to detect API "outliers". TouchDevelop [39] statically identifies leaked or tampered information flows to suggest privacy settings for end users. However, malware with dynamic external code loading [40] could easily evade static analysis, rendering all existing static assessment mechanisms ineffective. ...
Article
Full-text available
Mobile operating systems, such as Apple's iOS and Google's Android, have supported a ballooning market of feature-rich mobile applications. However, helping users understand and mitigate security risks of mobile applications is still an ongoing challenge. While recent work has developed various techniques to reveal suspicious behaviors of mobile applications, there exists little work to answer the following question: are those behaviors necessarily inappropriate? In this paper, we seek an approach to cope with such a challenge and present a continuous and automated risk assessment framework called RISKMON that uses machine-learned ranking to assess risks incurred by users' mobile applications, especially Android applications. RISKMON combines users' coarse expectations and runtime behaviors of trusted applications to generate a risk assessment baseline that captures appropriate behaviors of applications. With the baseline, RISKMON assigns a risk score on every access attempt on sensitive information and ranks applications by their cumulative risk scores. Furthermore, we demonstrate how RISKMON supports risk mitigation with automated permission revocation. We also discuss a proof-of-concept implementation of RISKMON as an extension of the Android mobile platform and provide both system evaluation and usability study of our methodology.
... Information flow tracking has been investigated for several languages and paradigms [18,48,36,25,60]. These approaches are largely complementary to our work as they are theoretical or do not employ type systems to achieve static guarantees of information flow properties. ...
Conference Paper
Full-text available
Current app stores distribute some malware to unsuspecting users, even though the app approval process may be costly and time-consuming. High-integrity app stores must provide stronger guarantees that their apps are not malicious. We propose a verification model for use in such app stores to guarantee that the apps are free of malicious information flows. In our model, the software vendor and the app store auditor collaborate -- each does tasks that are easy for her/him, reducing overall verification cost. The software vendor provides a behavioral specification of information flow (at a finer granularity than used by current app stores) and source code annotated with information-flow type qualifiers. A flow-sensitive, context-sensitive information-flow type system checks the information flow type qualifiers in the source code and proves that only information flows in the specification can occur at run time. The app store auditor uses the vendor-provided source code to manually verify declassifications. We have implemented the information-flow type system for Android apps written in Java, and we evaluated both its effectiveness at detecting information-flow violations and its usability in practice. In an adversarial Red Team evaluation, we analyzed 72 apps (576,000 LOC) for malware. The 57 Trojans among these had been written specifically to defeat a malware analysis such as ours. Nonetheless, our information-flow type system was effective: it detected 96% of malware whose malicious behavior was related to information flow and 82% of all malware. In addition to the adversarial evaluation, we evaluated the practicality of using the collaborative model. The programmer annotation burden is low: 6 annotations per 100 LOC. Every sound analysis requires a human to review potential false alarms, and in our experiments, this took 30 minutes per 1,000 LOC for an auditor unfamiliar with the app.
... The enhanced concrete semantics and the generic abstract domain we presented provide a workbench for (static) analysis of mobile apps that can be tuned by setting a few parameters: the domain representing values, the domain representing data locations, and the confidentiality and obfuscation values for data and operators. This data-centric approach may be utilized to refine existing tools like [15,41,40] aimed at enforcing privacy policies, providing the user with more accurate privacy control. ...
... The enhanced concrete semantics and the generic abstract domain we presented provide a workbench for (static) analysis of mobile apps that can be tuned by setting a few parameters: the domain representing values, the domain representing data locations, and the confidentiality and obfuscation values for data and operators. This data-centric approach may be utilized to refine existing tools like [15,41,40] aimed at enforcing privacy policies, providing the user with more accurate privacy control. ...
Conference Paper
Full-text available
We introduce an enhanced information-flow analysis for tracking the amount of confidential data that is possibly released to third parties by a mobile application. The main novelty of our solution is that it can explicitly keep track of the footprint of data sources in the expressions formed and manipulated by the program, as well as of transformations over them, yielding a lazy approach with finer granularity, which may reduce false positives with respect to state-of-the-art information-flow analyses.
... Xiao et al. [33] proposed a semi-automatic approach to analyze TouchDevelop mobile app scripts for privacy. Their workflow is similar to ours: users annotate APIs and code, and the analyzer uses a dataflow analysis to check conformance of inferred flows against a specification of the app. ...
Conference Paper
Full-text available
Implicit or indirect control flow is a transfer of control between procedures using some mechanism other than an explicit procedure call. Implicit control flow is a staple design pattern that adds flexibility to system design. However, it is challenging for a static analysis to compute or verify properties about a system that uses implicit control flow. This paper presents static analyses for two types of implicit control flow that frequently appear in Android apps: Java reflection and Android intents. Our analyses help to resolve where control flows and what data is passed. This information improves the precision of downstream analyses, which no longer need to make conservative assumptions about implicit control flow. We have implemented our techniques for Java. We enhanced an existing security analysis with a more precise treatment of reflection and intents. In a case study involving ten real-world Android apps that use both intents and reflection, the precision of the security analysis was increased on average by two orders of magnitude. The precision of two other downstream analyses was also improved.
... Users are only prompted for consent to install the app if these invariants are violated. Xiao et al. proposed a user-ware privacy control approach to reveal how private information is used inside applications [6]. They use static information flows and classify them as safe or unsafe based on a tamper analysis that tracked whether private data is obscured before escaping through output channels. ...
... App-store concepts. The approach closest to Cassandra is a prototypical extension of TouchDevelop [30], a platform for developing, distributing, and running apps on different operating systems for mobile devices. The extension supports the static detection of information flows in TouchDevelop apps and the limitation of these flows during runtime. ...
Conference Paper
Modern mobile devices store and process an abundance of data. Although many users consider some of this data as private, they do not yet obtain satisfactory support for controlling what applications might do with their data. In this article, we propose Cassandra, a tool that enables users of mobile devices to check whether Android apps comply with their personal privacy requirements before installing these apps. Beyond this, Cassandra implements the core functionality of a conventional app store, including the browsing of available apps and the delivery of apps for installation. Cassandra performs the security analysis of apps on a server. However, a user does not need to trust this server because Cassandra employs the proof-carrying code paradigm such that the server's analysis result can be validated on the client. We have proven that Cassandra's security analysis soundly detects all potential information leaks, i.e., all flows of information that violate a user's privacy policy.
... TouchDevelop as well has been the target of an information flow [31] and a data flow [2] analysis to detect leaking of confidential data and cloned apps, respectively. These analyses do not need to precisely abstract the mobile environment and the event semantics. ...
Conference Paper
Full-text available
Mobile app markets have lowered the barrier to market entry for software producers. As a consequence, an increasing number of independent app developers offer their products, and recent platforms such as the MIT App Inventor and Microsoft's TouchDevelop enable even lay programmers to develop apps and distribute them in app markets. A major challenge in this distribution model is to ensure the quality of apps. Besides the usual sources of software errors, mobile apps are susceptible to errors caused by the non-determinism of an event-based execution model, a volatile environment, diverse hardware, and others. Many of these errors are difficult to detect during testing, especially for independent app developers, who are not supported by test teams and elaborate test infrastructures. To address this problem, we propose a static program analysis that captures the specifics of mobile apps and is efficient enough to provide feedback during the development process. Experiments involving 51,456 published TouchDevelop scripts show that our analysis analyzes 98% of the scripts in under a minute, and five seconds on average. Manual inspection of the analysis results for a selection of all scripts shows that most of the alarms are real errors.
Conference Paper
Cloud usage has become a reality in users’ everyday habits (even if sometimes unconsciously), and security and privacy issues in this context have already been subject of consideration by scientific, business and policy-makers communities. However, the increasing use of mobile phones, and, generally speaking mobile smart devices, to access the Cloud, introduced recently in the area the concept of Mobile Cloud. Scope of this paper is to address the security and privacy aspects of the mobile cloud phenomenon, under the citizen perspective, taking as driving example the context of commercial mobile transactions.
Article
Mobile applications build part of their security and privacy on a declarative permission model. In this approach mobile applications, to get access to sensitive resources, have to define the corresponding permissions in a manifest. However, mobile applications may request access to permissions that they do not require for their execution (over-privileges) and offer opportunities to malicious software to gain access to otherwise inaccessible resources. In this paper, we investigate on the declarative permissions model on which security and privacy services of Android rely upon. We propose a practical and efficient permission certification technique, in the direction of risk management assessment. We combine both runtime information and static analysis to profile mobile applications and identify if they are over-privileged or follow the least privilege principle. We demonstrate a transparent solution that neither requires modification to the underlying framework, nor access to the applications’ original source code. We assess the effectiveness of our approach, using a randomly selected varied set of mobile applications. Results show that our approach can accurately identify whether an application is over-privileged or not, whilst at the same time guaranteeing the need of declaring specific permissions in the manifest.
Article
Inter-process communication (IPC) provides a message passing mechanism for information exchange between applications. It has been long believed that IPCs can be abused by malware writers to launch collusive information leak using two or more applications. Much work on privacy protection focuses on the simple information leak caused by the individual applications and lacks effective approaches to preventing the collusive information leak caused by IPCs between multiple processes. In this paper, we propose a hybrid approach to prevent the collusive information leak based on information flow control. Our approach combines static information flow analysis and dynamic runtime checking together. Information leak caused by individual processes is prevented through static information flow control, and dynamic checking is done at runtime to prevent the collusive information leak. Such a combination may effectively reduce the runtime overhead of pure dynamic checking, and reduce false-alarms in pure static analysis. We develop this approach based on an abstract and simplified programming model, and formalize a novel definition of the leak-freedom property as our target security property. A simulation-based proof technique is used to prove that our approach is able to guarantee leak-freedom. All proofs are mechanized in Coq.
Article
The rapid evolution of media services has having a strong impact on the way users process and share their data. At the same time, users are becoming every day more aware of the risks that might arise while exchanging or processing video data through the net. The need for frameworks enabling processing and sharing of the content under user control is becoming a very important issue since adequate level of security and privacy must be provided to the final users. After reviewing the state of the art in the area of media processing and sharing under user control, this paper presents a framework aiming at ensuring user control over his data while minimizing the user intervention needed for enabling the control functionalities.
Article
This paper proposes Flow Permissions, an extension to the Android permission mechanism. Unlike the existing permission mechanism, our permission mechanism contains semantic information based on information flows. Flow Permissions allow users to examine and grant per-app information flows within an application (e.g., a permission for reading the phone number and sending it over the network) as well as cross-app information flows across multiple applications (e.g., a permission for reading the phone number and sending it to another application already installed on the user's phone). Our goal with Flow Permissions is to provide visibility into the holistic behavior of the applications installed on a user's phone. In order to support Flow Permissions on Android, we have developed a static analysis engine that detects flows within an Android application. We have also modified Android's existing permission mechanism and installation procedure to support Flow Permissions. We evaluate our prototype with 2,992 popular applications and 1,047 malicious applications and show that our design is practical and effective in deriving Flow Permissions. We validate our cross-app flow generation and installation procedure on a Galaxy Nexus smartphone.
Article
In smart city, all kinds of users' data are stored in electronic devices to make everything intelligent. A smartphone is the most widely used electronic device and it is the pivot of all smart systems. However, current smartphones are not competent to manage users' sensitive data, and they are facing the privacy leakage caused by data over-collection. Data over-collection, which means smartphones apps collect users' data more than its original function while within the permission scope, is rapidly becoming one of the most serious potential security hazards in smart city. In this paper, we study the current state of data over-collection and study some most frequent data over-collected cases. We present a mobile-cloud framework, which is an active approach to eradicate the data over-collection. By putting all users' data into a cloud, the security of users' data can be greatly improved. We have done extensive experiments and the experimental results have demonstrated the effectiveness of our approach.
Article
Aconitum species have long been used in key traditional medicines in China, but cases of fatal aconite poisoning have also been reported. This paper presents a review of 40 single and multi-person cases of fatal aconite poisoning. The cases involved 53 victims in mainland China described in 27 case reports published between January 2004 and September 2015. We summarize the details of the case reports in order to highlight the features of fatal aconite-poisoning cases in China, including victims' sex and age, route of intoxication, clinical symptoms, medicolegal autopsy findings, and results of toxicological analysis. Our results indicate a need for legal medical experts encountering cases of fatal aconite poisoning to pay increased attention to the methods used for collecting biological samples. In addition, prevention strategies should focus on increasing public awareness regarding the potential toxicity of Aconitum, harm caused by medicinal liquors containing aconitine, and possibility of Aconitum alkaloids accumulating in the body.
Article
Programming frameworks are an accepted fixture in the object-oriented world, motivated by the need for code reuse, developer guidance and restriction. A new trend is emerging where frameworks require domain experts to provide declarations using a domain-specific language, influencing the structure and behaviour of the resulting application. These mechanisms address concerns such as user privacy. Although many popular open platforms such as Android are based on declaration-driven frameworks, current implementations provide ad hoc and narrow solutions to concerns raised by their openness to non-certified developers. Most widely used frameworks fail to address serious privacy leaks and provide the user with little insight into application behaviour. To address these shortcomings, we show that declaration-driven frameworks can limit privacy leaks, as well as guide developers, independently from the underlying programming paradigm. To do so, we identify concepts that underlie declaration-driven frameworks and apply them systematically to an object-oriented language, Java and a dynamic functional language, Racket. The resulting programming framework generators are used to develop a prototype mobile application, illustrating how we mitigate a common class of privacy leaks. Finally, we explore the possible design choices and propose development principles for developing domain-specific language compilers to produce frameworks, applicable across a spectrum of programming paradigms.
Article
In parallel with the meteoric rise of mobile software, we are witnessing an alarming escalation in the number and sophistication of the security threats targeted at mobile platforms, particularly Android, as the dominant platform. While existing research has made significant progress towards detection and mitigation of Android security, gaps and challenges remain. This paper contributes a comprehensive taxonomy to classify and characterize the state-of-the-art research in this area. We have carefully followed the systematic literature review process, and analyzed the results of more than 300 research papers, resulting in the most comprehensive and elaborate investigation of the literature in this area of research. The systematic analysis of the research literature has revealed patterns, trends, and gaps in the existing literature, and underlined key challenges and opportunities that will shape the focus of future research efforts.
Article
The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community's efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities.We close by offering suggestions on how the community can more successfully move forward.
Article
Android stores and users need mechanisms to evaluate whether their applications are secure or not. Although various previous works use data and control flow techniques to evaluate security features of Android applications, this paper extends those works by using Jif to verify compliance of information flow policies. To do so, the authors addressed some challenges that emerge in Android environments, like automatizing generation of Jif labels for Android applications, and defining translations for Java instructions that are not currently supported by the Jif compiler. Results show that a Jif-based analysis is faster and has a better recall than other available mechanisms, but it also has a slightly lower precision. Jif also provides an open source compiler, generates executable code for an application only if such application meets a defined policy, and checks implicit flows which may be relevant for highly sensitive applications.
Article
As many people carry their own smart phones and use them for various purposes, hackers’ interests move on toward developing smart phone hacking techniques. Among them, private information stealing becomes one of main topics because the information can be used for subsequent attacks such as smishing. For detecting such smart phone applications, some tainting analysis techniques are proposed to tag important information for tracking the tagged information. One of such evading techniques is to use a screen capture. In this paper, we showed how traditional steganography does not work for this purpose.
Conference Paper
Android phones often carry sensitive personal information such as contact books or physical locations. Such private data can be easily leaked by buggy applications by accident or by malicious applications intentionally. Much work has been proposed for privacy protection in Android systems, but there still lacks effective approaches to prevent information leak caused by Inter-Component Communication (ICC). We present AndroidLeaker, a new hybrid analysis tool of privacy protection based on taint analysis for Android applications to prevent the privacy leak caused by multiple application cooperation. Our approach combines static analysis and dynamic checking. Static analysis is used to check the information leak in the individual applications and dynamic checking at runtime is responsible for preventing the information leak caused by cooperation of multiple applications. Such a combination may effectively reduce the runtime overhead of pure dynamic checking, and reduce false alarms in pure static analysis.
Article
The dramatic rise of Android application (app) marketplaces has significantly gained the success of convenience for mobile users. Consequently, with the advantage of numerous Android apps, Android malware seizes the opportunity to steal privacy-sensitive data by pretending to provide functionalities as benign apps do. To distinguish malware from millions of Android apps, researchers have proposed sophisticated static and dynamic analysis tools to automatically detect and classify malicious apps. Most of these tools, however, rely on manual configuration of lists of features based on permissions, sensitive resources, intents, etc., which are difficult to come by. To address this problem, we study real-world Android apps to mine hidden patterns of malware and are able to extract highly sensitive APIs that are widely used in Android malware. We also implement an automated malware detection system, MalPat, to fight against malware and assist Android app marketplaces to address unknown malicious apps. Comprehensive experiments are conducted on our dataset consisting of 31 185 benign apps and 15 336 malware samples. Experimental results show that MalPat is capable of detecting malware with a high $F_1$ score (98.24%) comparing with the state-of-the-art approaches.
Article
Hybrid applications (apps) are becoming more and more popular due to their cross-platform capabilities and high performance. These apps use the JavaScript bridge communication scheme to interoperate between native code and Web code. Although greatly extending the functionalities of hybrid apps by enabling cross-language invocations and making them more powerful, the bridge communication scheme might also cause some new security issues, e.g., crosslanguage code injection attacks and privacy leaks. In this paper, we propose BRIDGETAINT, a bi-directional dynamic taint tracking method that can detect bridge security issues in hybrid apps. BRIDGETAINT uses a method different from existing ones to track tainted data: it records the taint information of sensitive data when the data are transmitted through the bridge, and uses a cross-language taint mapping method to restore the taint tags of corresponding data. Such a novel design enables BRIDGETAINT to dynamically track tainted data during the execution of the app and analyze hybrid apps developed using frameworks, which cannot be done with existing solutions based on static code analyses. Based on BRIDGETAINT, we implement the BRIDGEINSPECTOR tool to detect cross-language privacy leaks and code injection attacks in hybrid apps using JavaScript bridges. A benchmark called BRIDGEBENCH is also developed for bridge communication security test. The experimental results on BRIDGEBENCH and 1172 apps from Android market demonstrate that, BRIDGEINSPECTOR can effectively detect potential privacy leaks and cross-language code injection attacks in hybrid apps using bridge communications. IEEE
Conference Paper
Nowadays, many important applications are performed through mobile phones. It is essential to ensure that users’ private information is not leaked through those applications. In this paper, we perform a comparison on privacy control methods implemented on the Android and iOS platforms based on the Bellotti and Sellen’s framework. The comparison helps understand the discrepancies existent between the users’ expectations for privacy and the privacy control methods currently implemented in Android and iOS. To better address users’ privacy concerns, we propose a programming model for platform designers to improve privacy. Our initial study on 60 privacy bugs show that using the proposed programming models, 14 Android and 5 iOS privacy bugs can be eliminated.
Article
Full-text available
The Android platform has about 130 application level permissions that govern access to resources. The determi-nation of which permissions to request is left solely to the appli-cation developer. Users are prompted to approve all application permissions at install time, and permissions are silently enforced at execution time. Although many applications make use of a wide range of permissions, we have observed that some applications request permissions that are not required for the application to execute, and that existing developer APIs make it difficult for developers to align their permission requests with application functionality. In this paper we describe a tool we developed to assist developers in utilizing least privilege.
Article
Full-text available
Users of Web and mobile apps must often decide whether to give the apps access to personal information without knowing what they will do with it. We argue that users could better manage their privacy and privacy standards would rise if the operating system simply revealed to users how their apps spread personal information. However, for this strategy to be effective, the research community must go well beyond today's low-level monitoring techniques to develop predictive, user-facing descriptions of information exposure that are grounded in measurement and analysis.
Article
Full-text available
Mobile malware is rapidly becoming a serious threat. In this paper, we survey the current state of mobile malware in the wild. We analyze the incentives behind 46 pieces of iOS, Android, and Symbian malware that spread in the wild from 2009 to 2011. We also use this data set to evaluate the effectiveness of techniques for preventing and identifying mobile malware. After observing that 4 pieces of malware use root exploits to mount sophisticated attacks on Android phones, we also examine the incentives that cause non-malicious smartphone tinkerers to publish root exploits and survey the availability of root exploits.
Article
Full-text available
Smartphones and "app" markets are raising concerns about how third-party applications may misuse or improperly handle users' privacy-sensitive data. Fortunately, unlike in the PC world, we have a unique opportunity to improve the security of mobile applications thanks to the centralized nature of app distribution through popu-lar app markets. Thorough validation of apps applied as part of the app market admission process has the potential to significantly enhance mobile device security. In this paper, we propose AppIn-spector, an automated security validation system that analyzes apps and generates reports of potential security and privacy violations. We describe our vision for making smartphone apps more secure through automated validation and outline key challenges such as detecting and analyzing security and privacy violations, ensuring thorough test coverage, and scaling to large numbers of apps.
Article
Full-text available
The world is experiencing a technology shift. In 2011, more touchscreen-based mobile devices like smartphones and tablets will be sold than desktops, laptops, and netbooks combined. In fact, in many cases incredibly powerful and easy-to-use smart phones are going to be the first and, in less developed countries, possibly the only computing devices which virtually all people will own, and carry with them at all times. Furthermore, mobile devices do not only have touchscreens, but they are also equipped with a multitude of sensors, such as location information and acceleration, and they are always connected to the cloud. TouchDevelop is a novel application creation environment for anyone to script their smartphones anywhere -- you do not need a separate PC. TouchDevelop allows you to develop mobile device applications that can access your data, your media, your sensors and allows using cloud services including storage, computing, and social networks. TouchDevelop targets students, and hobbyists, not necessarily the professional developer. Typical TouchDevelop applications are written for fun, or for personalizing the phone. TouchDevelop's typed, structured programming language is built around the idea of only using a touchscreen as the input device to author code. It has built-in primitives which make it easy to access the rich sensor data available on a mobile device. In our vision, the state of the program is automatically distributed between mobile clients and the cloud, with automatic synchronization of data and execution between clients and cloud, liberating the programmer from worrying (or even having to know about) the details. We report on our experience with our first prototype implementation for the Windows Phone 7 platform, which already realizes a large portion of our vision. It is available on the Windows Phone Marketplace.
Article
Full-text available
The fluidity of application markets complicate smart-phone security. Although recent efforts have shed light on particular security issues, there remains little insight into broader security characteristics of smartphone ap-plications. This paper seeks to better understand smart-phone application security by studying 1,100 popular free Android applications. We introduce the ded decom-piler, which recovers Android application source code directly from its installation image. We design and exe-cute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of person-al/phone identifiers, and deep penetration of advertising and analytics networks. However, we did not find ev-idence of malware or exploitable vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings and offer di-rections for future analysis.
Conference Paper
Full-text available
We examine two privacy controls for Android smartphones that empower users to run permission-hungry applications while protecting private data from being exfiltrated: (1) covertly substituting shadow data in place of data that the user wants to keep private, and (2) blocking network transmissions that contain data the user made available to the application for on-device use only. We retrofit the Android operating system to implement these two controls for use with unmodified applications. A key challenge of imposing shadowing and exfiltration blocking on existing applications is that these controls could cause side effects that interfere with user-desired functionality. To measure the impact of side effects, we develop an automated testing methodology that records screenshots of application executions both with and without privacy controls, then automatically highlights the visual differences between the different executions. We evaluate our privacy controls on 50 applications from the Android Market, selected from those that were both popular and permission-hungry. We find that our privacy controls can successfully reduce the effective permissions of the application without causing side effects for 66% of the tested applications. The remaining 34% of applications implemented user-desired functionality that required violating the privacy requirements our controls were designed to enforce; there was an unavoidable choice between privacy and user-desired functionality.
Conference Paper
Full-text available
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
Conference Paper
Full-text available
ABSTRACT Users have begun downloading,an increasingly large number,of mobile phone applications in response to advancements,in hand- sets and wireless networks. The increased number,of applications results in a greater chance of installing Trojans and similar mal- ware. In this paper, we propose the Kirin security service for An- droid, which performs lightweight certification of applications to mitigate malware,at install time. Kirin certification uses security rules, which are templates designed to conservatively match unde- sirable properties in security configuration bundled with applica- tions. We use a variant of security requirements engineering tech- niques to perform an in-depth security analysis of Android to pro- duce a set of rules that match malware,characteristics. In a sam- ple of 311 of the most popular applications downloaded,from the official Android Market, Kirin and our rules found 5 applications that implement,dangerous functionality and therefore should be in- stalled with extreme caution. Upon close inspection, another five applications asserted dangerous rights, but were within the scope of reasonable functional needs. These results indicate that security configuration bundled with Android applications provides practical means of detecting malware. Categories and Subject Descriptors D.4.6 [Operating Systems]: Security and Protection General Terms Security Keywords mobile phone security, malware, Android
Conference Paper
Full-text available
Database-centric applications (DCAs) are common in enterprise computing, and they use nontrivial databases. Testing of DCAs is increasingly outsourced to test centers in order to achieve lower cost and higher quality. When proprietary DCAs are released, their databases should also be made available to test engineers. However, different data privacy laws prevent organizations from sharing this data with test centers because databases contain sensitive information. Currently, testing is performed with anonymized data, which often leads to worse test coverage (such as code coverage) and fewer uncovered faults, thereby reducing the quality of DCAs and obliterating benefits of test outsourcing. To address this issue, we offer a novel approach that combines program analysis with a new data privacy framework that we design to address constraints of software testing. With our approach, organizations can balance the level of privacy with needs of testing. We have built a tool for our approach and applied it to nontrivial Java DCAs. Our results show that test coverage can be preserved at a higher level by anonymizing data based on their effect on corresponding DCAs.
Conference Paper
Full-text available
Database-centric applications (DCAs) are common in enterprise computing, and they use nontrivial databases. Testing of DCAs is increasingly outsourced to test centers in order to achieve lower cost and higher quality. When releasing proprietary DCAs, its databases should also be made available to test engineers, so that they can test using real data. Testing with real data is important, since fake data lacks many of the intricate semantic connections among the original data elements. However, different data privacy laws prevent organizations from sharing these data with test centers because databases contain sensitive information. Currently, testing is performed with fake data that often leads to worse code coverage and fewer uncovered bugs, thereby reducing the quality of DCAs and obliterating benefits of test outsourcing. We show that a popular data anonymization algorithm called k-anonymity seriously degrades test coverage of DCAs. We propose an approach that uses program analysis to guide selective application of k-anonymity. This approach helps protect sensitive data in databases while retaining testing efficacy. Our results show that for small values of k = 7, test coverage drops to less than 30% from the original coverage of more than 70%, thus making it difficult to achieve good quality when testing DCAs while applying data privacy.
Conference Paper
Full-text available
In this paper we present an intermediate program representation, called the program dependence graph (PDG), that makes explicit both the data and control dependence5 for each operation in a program. Data dependences have been used to represent only the relevant data flow relationships of a program. Control dependence5 are introduced to analogously represent only the essential control flow relationships of a program. Control dependences are derived from the usual control flow graph. Many traditional optimizations operate more efficiently on the PDG. Since dependences in the PDG connect computationally related parts of the program, a single walk of these dependences is sufficient to perform many optimizations. The PDG allows transformations such as vectorization, that previ- ously required special treatment of control dependence, to be performed in a manner that is uniform for both control and data dependences. Program transformations that require interaction of the two dependence types can also be easily handled with our representation. As an example, an incremental approach to modifying data dependences resulting from branch deletion or loop unrolling is intro- duced. The PDG supports incremental optimization, permitting transformations to be triggered by one another and applied only to affected dependences.
Conference Paper
Full-text available
A program denotes computations in some universe of objects. Abstract interpretation of programs consists in using that denotation to describe computations in another universe of abstract objects, so that the results of abstract execution give some information on the actual computations. An intuitive example (which we borrow from Sintzoff [72]) is the rule of signs. The text -1515 * 17 may be understood to denote computations on the abstract universe {(+), (-), (±)} where the semantics of arithmetic operators is defined by the rule of signs. The abstract execution -1515 * 17 → -(+) * (+) → (-) * (+) → (-), proves that -1515 * 17 is a negative number. Abstract interpretation is concerned by a particular underlying structure of the usual universe of computations (the sign, in our example). It gives a summary of some facets of the actual executions of a program. In general this summary is simple to obtain but inaccurate (e.g. -1515 + 17 → -(+) + (+) → (-) + (+) → (±)). Despite its fundamentally incomplete results abstract interpretation allows the programmer or the compiler to answer questions which do not need full knowledge of program executions or which tolerate an imprecise answer, (e.g. partial correctness proofs of programs ignoring the termination problems, type checking, program optimizations which are not carried in the absence of certainty about their feasibility, …).
Conference Paper
Full-text available
Software vendors collect bug reports from customers to improve the quality of their software. These reports should include the inputs that make the software fail, to enable vendors to reproduce the bug. However, vendors rarely include these inputs in reports because they may contain private user data. We describe a solution to this problem that provides software vendors with new input values that satisfy the conditions required to make the software follow the same execution path until it fails, but are otherwise unrelated with the original inputs. These new inputs allow vendors to reproduce the bug while revealing less private information than existing approaches. Additionally, we provide a mechanism to measure the amount of information revealed in an error report. This mechanism allows users to perform informed decisions on whether or not to submit reports. We implemented a prototype of our solution and evaluated it with real errors in real programs. The results show that we can produce error reports that allow software vendors to reproduce bugs while revealing almost no private information.
Conference Paper
Full-text available
Today's smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides realtime analysis by leveraging Android's virtualized execution environment. TaintDroid incurs only 14% performance overhead on a CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.
Conference Paper
Full-text available
This paper describes Laminar, the first system to implement decen- tralized information flow control (DIFC) using a single set of ab- stractions for OS resources and heap-allocated objects. Program- mers express security policies by labeling data with secrecy and integrity labels, and then accessing this labeled data in lexically scoped security regions. Laminar enforces the security policies specified by the labels at run time. Laminar is implemented using a modified Java virtual machine and a new Linux security mod- ule. This paper shows that security regions ease incremental de- ployment and limit dynamic security checks, allowing us to retrofit DIFC policies on four application case studies. Replacing the ap- plications' ad-hoc policies changes less than 10% of the code, and incurs performance overheads from 4% to 84%. Whereas prior sys- tems only supported limited types of multithreaded programs, Lam- inar supports a more general class of multithreaded DIFC programs that can access heterogeneously labeled data.
Article
Full-text available
We present TaintEraser, a new tool that tracks the movement of sensitive user data as it flows through off-the-shelf applications. TaintEraser uses application-level dynamic taint analysis to let users run applications in their own environment while preventing unwanted information exposure. It is made possible by techniques we developed for accurate and efficient tainting: (1) Semantic-aware instruction-level tainting is critical to track taint accurately, without explosion or loss. (2) Function summaries provide an interface to handle taint propagation within the kernel and reduce the overhead of instruction-level tracking. (3) On-demand instrumentation enables fast loading of large applications. Together, these techniques let us analyze large, multi-threaded, networked applications in near real-time. In tests on Internet Explorer, Yahoo! Messenger, and Windows Notepad, Taint- Eraser generated no false positives and instrumented fewer than 5% of the executed instructions while precisely scrubbing user-defined sensitive data that would otherwise have been exposed to restricted output channels. Our research provides the first evidence that it is viable to track taint accurately and efficiently for real, interactive applications running on commodity hardware.
Article
Full-text available
In this paper we present an intermediate program representation, called the program dependence graph (PDG), that makes explicit both the data and control dependences for each operation in a program. Data dependences have been used to represent only the relevant data flow relationships of a program. Control dependences are introduced to analogously represent only the essential control flow relationships of a program. Control dependences are derived from the usual control flow graph. Many traditional optimizations operate more efficiently on the PDG. Since dependences in the PDG connect computationally related parts of the program, a single walk of these dependences is sufficient to perform many optimizations. The PDG allows transformations such as vectorization, that previously required special treatment of control dependence, to be performed in a manner that is uniform for both control and data dependences. Program transformations that require interaction of the two dependence types can also be easily handled with our representation. As an example, an incremental approach to modifying data dependences resulting from branch deletion or loop unrolling is introduced. The PDG supports incremental optimization, permitting transformations to be triggered by one another and applied only to affected dependences.
Article
Full-text available
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Recently, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this paper, we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of recent work in the area and identify some important open challenges.
Article
We present TaintEraser, a new tool that tracks the movement of sensitive user data as it flows through off-the-shelf applications. TaintEraser uses application-level dynamic taint analysis to let users run applications in their own environment while preventing unwanted information exposure. It is made possible by techniques we developed for accurate and efficient tainting: (1) Semantic-aware instruction-level tainting is critical to track taint accurately, without explosion or loss. (2) Function summaries provide an interface to handle taint propagation within the kernel and reduce the overhead of instruction-level tracking. (3) On-demand instrumentation enables fast loading of large applications. Together, these techniques let us analyze large, multi-threaded, networked applications in near real-time. In tests on Internet Explorer, Yahoo! Messenger, and Windows Notepad, Taint- Eraser generated no false positives and instrumented fewer than 5% of the executed instructions while precisely scrubbing user-defined sensitive data that would otherwise have been exposed to restricted output channels. Our research provides the first evidence that it is viable to track taint accurately and efficiently for real, interactive applications running on commodity hardware.
Article
Modern client platforms, such as iOS, Android, and web browsers, run each application in an isolated en-vironment with limited privileges. A pressing open problem in such systems is how to allow users to grant applications access to user-owned resources, e.g., to privacy-and cost-sensitive devices like the camera or to the user's data that resides with various applications. A key challenge is to enable such access in a way that is non-disruptive to users while still maintaining least-privilege restrictions on applications. In this paper, we propose user-driven access control, whereby permission-granting is built into existing user actions, rather than added as an afterthought via manifests or prompts. To this end, we introduce two OS-level techniques, access control gadgets and kernel-recognized gestures, for controlling access to user-owned resources. Our prototyping and evaluation experience indicates that user-driven access control is a promising solution for the problem of granting permissions for user-owned resources on modern client platforms.
Conference Paper
Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of application permissions. We perform case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether application permissions are effective at protecting users. Our results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.
Article
We present a static analysis algorithm for detecting secu- rity vulnerabilities in PHP, a popular server-side script- ing language for building web applications. Our analysis employs a novel three-tier architecture to capture infor- mation at decreasing levels of granularity at the intra- block, intraprocedural, and interprocedural level. This architecture enables us to handle dynamic features of scripting languages that have not been adequately ad- dressed by previous techniques. We demonstrate the effectiveness of our approach on six popular open source PHP code bases, finding 105 pre- viously unknown security vulnerabilities, most of which we believe are remotely exploitable.
Article
It is often very expensive and practically infeasible to generate test cases that can exercise all possible program states in a program. This is especially true for a medium or large industrial system. In practice, industrial clients of the system often have a set of input data collected either before the system is built or after the deployment of a previous version of the system. Such data are highly valuable as they represent the operations that matter in a client's daily business and may be used to extensively test the system. However, such data often carries sensitive information and cannot be released to third-party development houses. For example, a healthcare provider may have a set of patient records that are strictly confidential and cannot be used by any third party. Simply masking sensitive values alone may not be sufficient, as the correlation among fields in the data can reveal the masked information. Also, masked data may exhibit different behavior in the system and become less useful than the original data for testing and debugging. For the purpose of releasing private data for testing and debugging, this paper proposes the kb-anonymity model, which combines the k-anonymity model commonly used in the data mining and database areas with the concept of program behavior preservation. Like k-anonymity, kb-anonymity replaces some information in the original data to ensure privacy preservation so that the replaced data can be released to third-party developers. Unlike k-anonymity, kb-anonymity ensures that the replaced data exhibits the same kind of program behavior exhibited by the original data so that the replaced data may still be useful for the purposes of testing and debugging. We also provide a concrete version of the model under three particular configurations and have successfully applied our prototype implementation to three open source programs, demonstrating the utility and scalability of our prototype.
Conference Paper
Language-based information flow methods offer a principled way to enforce strong security properties, but enforcing noninterference is too inflexible for realistic applications. Security-typed languages have therefore introduced declassification mechanisms for relaxing confidentiality policies, and endorsement mechanisms for relaxing integrity policies. However, a continuing challenge has been to define what security is guaranteed when such mechanisms are used. This paper presents a new semantic framework for expressing security policies for declassification and endorsement in a language-based setting. The key insight is that security can be described in terms of the power that declassification and endorsement give the attacker. The new framework specifies how attacker controlled code affects program execution and what the attacker is able to learn from observable effects of this code. This approach yields novel security conditions for checked endorsements and robust integrity. The framework is flexible enough to recover and to improve on the previously introduced notions of robustness and qualified robustness. Further, the new security conditions can be soundly enforced by a security type system. The applicability and enforcement of the new policies is illustrated through various examples, including data sanitization and authentication.
Conference Paper
Privacy and security concerns have adversely aected the usefulness of many types of techniques that leverage information gathered from deployed applications. To address this issue, we present an approach for automatically anonymizing failure-inducing inputs that builds on a previously developed technique. Given an input I that causes a failure f, our approach generates an anonymized input I 0 that is dierent from I but still causes f. I 0 can thus be sent to developers to enable them to debug f without having to know I. We implemented our approach in a prototype tool, camouflage, and performed an extensive empirical evaluation where we applied camouflage to a large set of failure-inducing inputs for several real applications. The results of the evaluation are promising, as they show that camouflage is both practical and eective at generating anonymized inputs; for the inputs that we considered, I and I 0 shared no sensitive information. The results also show that our approach can outperform the general technique it extends.
Article
ertification mechanism for verifying the secure flow of information through a program. Because it exploits the properties of a lattice structure among security classes, the procedure is sufficiently simple that it can easily be included in the analysis phase of most existing compilers. Appropriate semantics are presented and proved correct. An important application is the confinement problem: The mechanism can prove that a program cannot cause supposedly nonconfidential results to depend on confidential input data.
Article
This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by the semantics of information flow. The lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security. The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches. It also leads to the construction of automatic program certification mechanisms for verifying the secure flow of information through a program.
Conference Paper
Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Information flow control allows the enforcement of end-to-end security policies, but has been difficult to put into practice. This article describes the decentralized label model, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The article introduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.
Conference Paper
Requirements for auditing covert storage channels are defined, and some fundamental problems which appear in most computer systems are illustrated. It is argued that audit subsystems designed to minimally satisfy the TCSEC (the DoD Trusted Computer System Evaluation Criteria) requirement are unable to detect many instances of covert channel use, and hence require major design and implementation changes before they are able to detect all use of covert storage channels. The design of the Secure Xenix tool for covert-channel audit that has been in operation since July 1989 is presented. Results of experiments indicate that the tool is able to detect all use of covert storage channels without raising false alarms
Article
This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures-whether hardware or software-that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysts of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading.
Article
Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Informa tion flow control allows the enforcement of end-to-end security policies but has been difficult to put into practice. This paper describes the decentralized label mode l, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security mo dels by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The paper i ntroduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.
Article
A promising technique for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate the data. While previous work has proposed programming language extensions to allow this static checking, the resulting languages are too restrictive for practical use and have not been implemented. In this paper, we describe the new language JFlow, an extension to the Java language that adds statically-checked information flow annotations. JFlow provides several new features that make information flow checking more flexible and convenient than in previous models: a decentralized label model, label polymorphism, run-time label checking, and automatic label inference. JFlow also supports many language features that have never been integrated successfully with static information flow control, including objects, subclassing, dynamic type tests, access control, and exceptions. This paper defines the JFlow language and presents formal rules tha...
Article
The SLam calculus is a typed lambda-calculus that maintains security information as well as type information. The type system propagates security information for each object in four forms: the object's creators and readers, and the object's indirect creators and readers (i.e., those agents who, through flow-of-control or the actions of other agents, can influence or be influenced by the content of the object). We prove that the type system prevents security violations and give some examples of its power.
Malware with your mocha: Obfuscation and anti-emulation tricks inmalicious JavaScript
  • Fraser Howard