Abstract
Local policies have been proposed in [6] as a formalism for efficient and effective policy verification and enforcement. The basic approach consists of enriching the syntax of a programming language with a scope operator that the developer uses to apply a local policy to a specific portion of her code. Due to their fair expressiveness and modularity, they have also been successfully applied to object-oriented languages and web services. In this paper we apply the existing approach to the Android application framework. To this aim, we present a novel programming language, namely
, which includes both the Android IPC logic and local policies.
Notes
- 1.
- 2. For brevity, we write a.p instead of android.permission.
- 3. More precisely, it is the interpreter of the intermediate language obtained from the compilation of the high-level one. As long as the compilation process is semantics-preserving, the argument holds.
- 4. We assume an evaluation function \(\mathcal {B}\) to be defined.
- 5.
- 6. Notice that here we use a simplified version of the \(\Cup \) operator. For the detailed version see [8].
- 7. In this section we generally refer to local policies without distinguishing between safety and liveness.
- 8. Notice that, although acceptance is only defined for \(\omega \)-traces, we can extend finite traces with \(\tau ^\omega \), where \(\tau \in \mathrm {\mathsf {Act}}\) is a special event denoting termination.
- 9.
- 10. Here \(\alpha _{cam}\) stands for the Android API CameraManager.openCamera(\(\ldots \)).
References
Armando, A., Carbone, R., Costa, G., Merlo, A.: Android permissions unleashed. In: Proceedings of the 28th IEEE Computer Security Foundations Symposium, CSF 2015, Italy, Verona (2015)
Armando, A., Costa, G., Merlo, A.: Bring your own device, securely. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC 2013, Coimbra, Portugal, 18–22 March 2013, pp. 1852–1858 (2013)
Armando, A., Merlo, A., Migliardi, M., Verderame, L.: Would you mind forking this process? a denial of service attack on android (and some countermeasures). In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 13–24. Springer, Heidelberg (2012)
Bartoletti, M., Costa, G., Degano, P., Martinelli, F., Zunino, R.: Securing java with local policies. J. Object Technol. 8(4), 5–32 (2009)
Bartoletti, M., Costa, G., Zunino, R.: Jalapa: Securing java with local policies: Tool demonstration. Electr. Notes Theor. Comput. Sci. 253(5), 145–151 (2009)
Bartoletti, M., Degano, P., Ferrari, G.L.: Enforcing secure service composition. In: Proceedings of the 18th Computer Security Foundations Workshop (CSFW) (2005)
Bartoletti, M., Degano, P., Ferrari, G.-L.: History-based access control with local policies. In: Sassone, V. (ed.) FOSSACS 2005. LNCS, vol. 3441, pp. 316–332. Springer, Heidelberg (2005)
Bartoletti, M., Degano, P., Ferrari, G.L.: Planning and verifying service composition. J. Comput. Secur. 17(5), 799–837 (2009)
Bartoletti, M., Degano, P., Ferrari, G.-L., Zunino, R.: Types and effects for resource usage analysis. In: Seidl, H. (ed.) FOSSACS 2007. LNCS, vol. 4423, pp. 32–47. Springer, Heidelberg (2007)
Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Model checking usage policies. Math. Struct. Comput. Sci. 25(3), 710–763 (2015)
Bartoletti, M., Zunino, R.: LocUsT: a tool for checking usage policies. Technical report TR-08-07, Dip. Informatica, Univ. Pisa (2008)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: a new android evolution to mitigate privilege escalation attacks. Technical report TR-2011-04, Technische Univ. Darmstadt, April 2011
Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2011) (2011)
Chaudhuri, A.: Language-based security on android. In: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, PLAS 2009, pp. 1–7. ACM, New York (2009)
Costa, G., Martinelli, F., Mori, P., Schaefer, C., Walter, T.: Runtime monitoring for next generation java ME platform. Comput. Secur. 29(1), 74–87 (2010)
Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 21. USENIX Association, Berkeley (2011)
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. ACM, New York (2011)
Felt, A.P., Hanna, S., Chin, E., Wang, H.J., Moshchuk, E.: Permission re-delegation: attacks and defenses. In: 20th Usenix Security Symposium (2011)
Furia, C.A., Mandrioli, D., Morzenti, A., Rossi, M.: Modeling Time in Computing. Monographs in Theoretical Computer Science. An EATCS Series. Springer, Heidelberg (2012)
Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 328–332. ACM, New York (2010)
Necula, G.C.: Proof-carrying code. In: Twenty-Fourth ACM Symposium on Principles of Programming Languages (1997)
Ongtang, M., Mclaughlin, S., Enck, W., Mcdaniel, P.: Semantically rich application-centric security in android. In: ACSAC 2009: Annual Computer Security Applications Conference (2009)
Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: Proceedings of the 18th Annual Network & Distributed System Security Symposium (2011)
Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010)
Shin, W., Kiyomoto, S., Fukushima, K., Tanaka, T.: A formal model to analyze the permission authorization and enforcement in the android framework. In: Proceedings of the 2010 IEEE Second International Conference on Social Computing, SOCIALCOM 2010, pp. 944–951. IEEE Computer Society, Washington, DC (2010)
Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: Beres, Y., Balacheff, B., Sadeghi, A.-R., Sasse, A., McCune, J.M., Perrig, A. (eds.) TRUST 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Costa, G. (2015). Securing Android with Local Policies. In: Bodei, C., Ferrari, G., Priami, C. (eds) Programming Languages with Applications to Biology and Security. Lecture Notes in Computer Science, vol 9465. Springer, Cham. https://doi.org/10.1007/978-3-319-25527-9_14
DOI: https://doi.org/10.1007/978-3-319-25527-9_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25526-2
Online ISBN: 978-3-319-25527-9
eBook Packages: Computer Science (R0)