Authors: M. Sarrab, H. Bourdoucen

Abstract:

Mobile applications are verified to check the correctness or evaluated to check the performance with respect to specific security properties such as Availability, Integrity and Confidentiality. Where they are made available to the end users of the mobile application is achievable only to a limited degree using software engineering static verification techniques. The more sensitive the information, such as credit card data, personal medical information or personal emails being processed by mobile application, the more important it is to ensure the confidentiality of this information. Monitoring untrusted mobile application during execution in an environment where sensitive information is present is difficult and unnerving. The paper addresses the issue of monitoring and controlling the flow of confidential information during untrusted mobile application execution. The approach concentrates on providing a dynamic and usable information security solution by interacting with the mobile users during the runtime of mobile application in response to information flow events.

Keywords: Mobile application, Run-time verification, Usable security, Direct information flow.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1089429

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1908

References:

[1] O. Arden, M. George, J. Liu, K. Vikram, A, Askarov, and A. Myers, "Sharing Mobile Code Securely With Information Flow Control” Proc of the 2012 IEEE Symposium on Security and Privacy, May 2012.
[2] S. Cavadini and D. Cheda. "Run-time information flow monitoring based on dynamic dependence graph,” Third International Conference on Availability Reliability and Security, 2008.
[3] N. Vachharajani, M. Bridges, J. Chang, R. Rangan, G. Ottoni, J. Blome, G. Reis, M. Vachharajani and D. August. An Architectural Framework for User-Centric Information-Flow Security,” In Proc of the 37th annual IEEE/ACM International Symposium on Microarchitecture, 2004.
[4] M. Sarrab, H. Janicke and A. Cau. "Interactive Runtime Monitoring of Information Flow Policies,” In Second international conference of Creativity and Innovation in software Engineering, Ravda (Nessebar), Bulgaria, 2009.
[5] H. Janicke, F. Siewe, K. Jones, A. Cau and H. Zedan. "Analysis and Run-time Verification of Dynamic Security Policies,” Proc of the Workshop on Defence Applications & Multi-Agent Systems (DAMAS05), at 4th international joint conference on Autonomous Agents & Multi Agent Systems (AAMAS05), July 2005.
[6] H. Ben-abdallah, S. Kannan, L. Insup, O. Sokolsky, M. Kim and M. Viswanathan, "Mac: A framework for run-time correctness assurance of real-time systems,” Tech. Rep. MS-CIS-98-37. In Philadelphia, PA, Department of computer and Information Science University of Pennsylvania., 1999.
[7] I. Lee, H. Ben-Abdallah, S. Kannan, M. Kim, O. Sokolsky, and M. Viswanathan, "A Monitoring and Checking Framework for Run-time Correctness Assurance,” In Korea-US Technical Conference on Strategic Technologies, Vienna, VA, October 22-24 1998.
[8] A. Banerjee and D. Naumann, "History-based access control and secure information flow,” In Construction And Analysis of Safe, Secure, And Interoperable Smart Devices (CASSIS 2004), vol 3362 of LNCS, Springer, 2005a.
[9] D. Denning and P. Denning, "Certification of programs for secure information flow,” ACM Communications, vol. 20, No. 7, July 1977.
[10] D. Volpano, G. Smith, and C. Irvine, "A sound type system for secure flow analysis,” Journal of Computer Security, vol. 4, No. 3, 1996.
[11] G. Smith and D. Volpano, "Secure information flow in a multi-threaded imperative language,” In Proc. ACM Symp. Principles Programming Languages, pp. 355–364. Jan. 1998.
[12] F. Pottier and V. Simonet, "Information flow inference for ML,” In ACM Symposium on Principles of Programming Languages (POPL), 2002.
[13] A. Myers, "Jflow: Practical mostly-static information flow control,” Proc of 26th ACM Symposium on Principles of Programming Language. 1999.
[14] J. Fenton, "Memory less subsystems,” The Computer Journal, vol. 17, No. 2, May 1974.
[15] J. Brown and J. Knight, "A minimal trusted computing base for dynamically ensuring secure information flow,” Technical Report ARIES-TM-015, MIT. Nov, 2001.
[16] L. Lam and T. Chiueh, "A General Dynamic Information Flow Tracking Framework for Security Applications,” In 22nd Annual Computer Security Applications Conference, Washington, DC, USA. December 2006.
[17] G. Birznieks, "Perl taint mode version 1.0”, june 3, 1998 http://gunther.web66.com/faqs/taintmode.html. 1988.
[18] L. LaPadula and D. Bell, "Secure Computer Systems: A Mathematical Model,” MITRE Corp., Bedford, MA, MTR-2547, vol. 2, 1973. Reprinted in Jornal of Computer Security, vol. 4, No. 2–3, 1996.
[19] J. Aarniala, "Instrumenting java bytecode,” Seminar work for the compilers course, Department of Computer Science University of Helsinki, Finland, 2005.
[20] K. O’Hair, "Bytecode Instrumentation (BCI),” java. net The source for java technology collaboration, 2005.
[21] W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel and A. Sheth, "Taintdroid: An information-Flow tracking system for realtime privacy monitoring on smartphones,” In 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2010.
[22] A. Chander, J. Mitchell, and I. Shin, "Mobile code security by Java bytecode instrumentation,” DARPA Information Survivability Conference and Exposition (DISCEX II’01),vol. 2. 2001.
[23] W. Binder, J. Hulaas, and P. Moret, "Advanced java bytecode instrumentation,” In Proceeding of the International Symposium on Principles and Practice of Programming in Java (PPPJ), New York, NY, USA, ACM. 2007.
[24] ASM Java bytecode manipulation framework. http://asm.objectweb.org/.
[25] SERP. http://serp.sourceforge.net/.
[26] BCEL. The byte code engineering library. http://jakarta.apache.org/bcel/ 2002-2006, Apache Software Foundation.
[27] S. Chiba and M. Nishizawa, "An Easy-to-Use Toolkit for Efficient Java Bytecode Translators,” In Proc of the 2nd International Conference on Generative Programming and Component Engineering (GPCE ’03), Springer-Verlag, September 2003.
[28] S. Chiba. "Class loader,” Available from http://www.csg.is.titech.ac.jp/ chiba/javassist/tutorial/tutorial.html load (Accessed 15/06/09), 2007.
[29] J. Liu, M. George, K. Vikram, X. Qi, L. Waye, and A. Myers, " Fabric: a platform for secure distributed computation and storage,” In Proc of 22nd ACM Symp on Operating System Principles (SOSP), 2009.