ABSTRACT
We introduce Constroid, a data-centric security policy management framework for Android. It defines a new middleware which allows the developer to specify well-defined data items of fine granularity. For these data items, Constroid administers security policies which are based on the usage control model. These policies can only be modified by the user of an application, not by the application itself. We use Constroid's middleware to protect the security policies, ensure consistency between a data item and its corresponding security policy, and describe how our prototype implementation can enforce a subset of possible usage control policies. In this way, our contribution shows how we overcome the rigid API-driven approach to security in Android. The structure and implementation of our framework are presented and discussed in terms of security, performance, and usability.
Index Terms
- Constroid: data-centric access control for android