Abstract
Security-by-contract is a paradigm proposed for the secure installation, usage, and monitoring of apps into mobile devices, with the aim of establishing, controlling, and, if necessary, enforcing security-critical behaviors. In this paper, we extend this paradigm with new functionalities allowing for a quantitative estimation of such behaviors, in order to reveal in real time the more and more challenging subtleties of new-generation malware and repackaged apps. The novel paradigm is based on formal means and techniques ranging from statistical analysis to probabilistic model checking. The framework, deployed in the Android environment, is evaluated by examining both its effectiveness with respect to a benchmark of real-world malware and its effect on the execution of genuine, secure apps.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Aldini A, Bernardo M (2007) A formal approach to the integrated analysis of security and QoS. Reliab. Eng. Syst. Saf. 92(11):1503–1520
Aldini A, Martinelli F, Saracino A, Sgandurra D (2015) Detection of repackaged mobile applications through a collaborative approach. Concurr. Comput.: Pract. Exp. 27(11):2818–2838
Aldini A, Seigneur JM, Lafuente C, Titi X, Guislain J (2017) Design and validation of a trust-based opportunity-enabled risk management system. Inf. Comput. Secur. 25(1):2–25. https://doi.org/10.1108/ICS-05-2016-0037
Aldini A, Bravetti M, Di Pierro A, Gorrieri R, Hankin C, Wiklicky H (2004) Two formal approaches for approximating noninterference properties. In: Foundations of security analysis and design II, LNCS, Springer, Berlin, vol 2946, pp 1–43
Aldini A, Di Pierro A (2004) A quantitative approach to noninterference for probabilistic systems. In: Proceedings of formal methods for security and time, ENTCS. vol 99, pp 155–182
Aldini A, Martinelli F, Saracino A, Sgandurra D (2013) A collaborative framework for generating probabilistic contracts. In: Proceedings of the 2013 IEEE international conference on collaboration technologies and systems, pp 139–143. 978-1-4763-6404-1/13
Backes M, Bugiel S, Derr E, Gerling S, Hammer C (2016) R-droid: leveraging android app analysis with static slice optimization. In: Proceedings of the 11th ACM on Asia conference on computer and communications security, ASIA CCS’16, pp 129–140. ACM, New York, NY, USA. https://doi.org/10.1145/2897845.2897927
Baier C, Katoen JP (2008) Principles of model checking. MIT Press, Cambridge
Bergstra J, Ponse A, Smolka S (2001) Handbook of process algebra. Elsevier, Amsterdam
Bielova N, Massacci F (2011) Predictability of enforcement. In: Proceedings of the international symposium on engineering secure software and systems, ESSoS’11, LNCS, Springer, Berlin. vol 6542, pp 73–86
BusinessOfApps: App statistic report. Tech. rep. (2016). Available at: http://www.businessofapps.com/data/app-statistics/
Cha SH (2007) Comprehensive survey on distance/similarity measures between probability density functions. Int. J. Math. Models Methods Appl. Sci. 1(4):300–307
Chen T, Forejt V, Kwiatkowska M, Parker D, Simaitis A (2013) PRISM-games: a model checker for stochastic multi-player games. In: Proceedings of the 19th international conference on tools and algorithms for the construction and analysis of systems (TACAS’13), LNCS. Springer, Berlin, vol 7795, pp 185–191
Costa G, Dragoni N, Lazouski A, Martinelli F, Massacci F, Matteucci I (2010) Extending Security-by-Contract with quantitative trust on mobile devices. In: Proceeding of the 4th international conference on complex, intelligent and software intensive systems, pp 872–877. IEEE CS
Delahaye B, Caillaud B, Legay A (2010) Probabilistic contracts: a compositional reasoning methodology for the design of stochastic systems. In: Procs. of 10th Int. Conf. on Application of Concurrency to System Design, ACSD’10, pp. 223–232. IEEE
Desharnais J, Gupta V, Jagadeesan R, Panangaden P (2004) Metrics for labelled Markov processes. Theoret Comput Sci 318:323–354
Dini G, Martinelli F, Matteucci I, Petrocchi M, Saracino A, Sgandurra D (2016) Risk analysis of android applications: a user-centric solution. Future Gener Comput Syst. https://doi.org/10.1016/j.future.2016.05.035
Dini G, Martinelli F, Matteucci I, Petrocchi M, Saracino A, Sgandurra D (2012a) A multi-criteria-based evaluation of Android applications. In: Proceedings of the 4th international conference on trusted systems (INTRUST’12), LNCS. Springer, Berlin, pp. 67–82
Dini G, Martinelli F, Saracino A, Sgandurra D (2012b) Madam: A multi-level anomaly detector for android malware. In: Kotenko I, Skormin V (eds.) Computer Network Security, LNCS, Springer, Berlin. vol 7531, pp 240–253
Dragoni N, Martinelli F, Massacci F, Mori P, Schaefer C, Walter T, Vetillard E (2008) Security-by-contract (SxC) for software and services of mobile systems. In: Di Nitto E, Sassen AM, Traverso P, Zwegers A (eds) At your service—service-oriented computing from an EU Perspective. MIT Press, Cambridge, pp 429–456
Easwaran A, Kannan S, Lee I (2005) Optimal control of software ensuring safety and functionality. Tech. Rep. MS-CIS-05-20, University of Pennsylvania
Enck W, Gilbert P, Chun BG, Cox LP, Jung J, McDaniel P, Sheth AN (2014) TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones. Commun ACM 57(3):99–106. https://doi.org/10.1145/2494522
Felt AP, Ha E, Egelman S, Haney A, Chin E, Wagner D (2012) Android permissions: user attention, comprehension, and behavior. In: Symposium on usable privacy and security, SOUPS ’12, Washington, DC, USA - July 11–13, 2012, p 3
Funk C, Garnaeva M (2013) Kaspersky security bullettin 2013. Tech. rep. http://media.kaspersky.com/pdf/KSB_2013_EN.pdf
Gascon H, Yamaguchi F, Arp D, Rieck K (2013) Structural detection of Android malware using embedded call graphs. In: Proceedings of the 2013 ACM workshop on artificial intelligence and security, AISec’13, pp 45–54. ACM. https://doi.org/10.1145/2517312.2517315
Grinstead C, Snell J (2012) Introduction to probability. American Mathematical Society, Providence
Hoang X, Hu J (2004) An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls. In: Proceedings of 12th IEEE international conference on networks, ICON’04, vol 2, pp 470–474. IEEE
Kosoresow A, Hofmeyer S (1997) Intrusion detection via system call traces. Software 14(5):35–42
Kwiatkowska M, Norman G, Parker D (2011) PRISM 4.0: verification of probabilistic real-time systems. In: Gopalakrishnan G, Qadeer S (eds.) Proceedings of the 23rd international conference on computer aided verification (CAV’11), LNCS, vol 6806, pp 585–591. Springer, Berlin
Larsen R, Marx M (2011) An introduction to mathematical statistics and its applications. Pearson, London
Maggi F, Matteucci M, Zanero S (2010) Detecting intrusions through system call sequence and argument analysis. IEEE Trans Dependable Secur Comput 7(4):381–395
Marra AL, Martinelli F, Saracino A, Aldini A (2016) On probabilistic application compliance. In: 2016 IEEE Conference Trustcom/BigDataSE/ISPA, Tianjin, China, pp 1848–1855. https://doi.org/10.1109/TrustCom.2016.0283
Martinelli F, Matteucci I (2007) Through modeling to synthesis of security automata. In: ENTCS 179
Martinelli F, Mercaldo F, Saracino A, Visaggio CA (2016) I find your behavior disturbing: Static and dynamic app behavioral analysis for detection of android malware. In: 2016 14th Annual conference on privacy, security and trust (PST), pp 129–136. https://doi.org/10.1109/PST.2016.7906947
Martinelli F, Morisset C (2012) Quantitative access control with partially-observable Markov decision processes. In: Proceedings of 2nd ACM conference on data and application security and privacy, CODASPY’12, pp 169–180. ACM, Cambridge
Ponemon Institute: The state of mobile application insecurity. Tech. rep. (2015)
Russell S, Norvig P (2010) Artificial intelligence: a modern approach. Prentice Hall, Cambridge
Saracino A, Sgandurra D, Dini G, Martinelli F (2016) MADAM: effective and efficient behavior-based android malware detection and prevention. IEEE Trans Depend Secure Comput. https://doi.org/10.1109/TDSC.2016.2536605
Saracino A, Martinelli F, Alboreto G, Dini G (2016) Data-sluice: fine-grained traffic control for Android application. In: IEEE symposium on computers and communication, ISCC’16, pp 702–709. https://doi.org/10.1109/ISCC.2016.7543819
Suarez-Tangil G, Tapiador J, Lombardi F, Di Pietro R (2014) Thwarting obfuscated malware via differential fault analysis. Computer 47(6):24–31. https://doi.org/10.1109/MC.2014.169
Wang R, Azab AM, Enck W, Li N, Ning P, Chen X, Shen W, Cheng Y (2017) SPOKE: scalable knowledge collection and attack surface analysis of access control policy for security enhanced Android. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security, ASIA CCS ’17, pp 612–624. ACM, New York, NY, USA. https://doi.org/10.1145/3052973.3052991
Xposedbridge development tutorial (2012). https://github.com/rovo89/XposedBridge/wiki/Development-tutorial
Zhang M, Duan Y, Yin H, Zhao Z (2014) Semantics-aware Android malware classification using weighted contextual API dependency graphs. In: Proceedingss of the 2014 ACM SIGSAC conference on computer and communications security, CCS’14, pp 1105–1116. ACM. https://doi.org/10.1145/2660267.2660359
Acknowledgements
The activities of this paper have been partially Funded by H2020 Project C3ISP Grant Nos. 700264 and H2020 Project SPARTA Grant No. 830892.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Human participants or animals
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Communicated by V. Loia.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Aldini, A., La Marra, A., Martinelli, F. et al. Ask a(n)droid to tell you the odds: probabilistic security-by-contract for mobile devices. Soft Comput 25, 2295–2314 (2021). https://doi.org/10.1007/s00500-020-05299-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00500-020-05299-4