Run-Time Enforcement of Information-Flow Properties on Android - (Extended Abstract)

Recent years have seen a dramatic increase in the number and importance of mobile devices. The security properties that these devices provide to their applications, however, are inadequate to protect against many undesired behaviors. A broad class of such behaviors is violations of simple information-flow properties. This paper proposes an enforcement system that permits Android applications to be concisely annotated with information-flow policies, which the system enforces at run time. Information-flow constraints are enforced both between applications and between components within applications, aiding developers in implementing least privilege. We model our enforcement system in detail using a process calculus, and use the model to prove noninterference. Our system and model have a number of useful and novel features, including support for Android’s single- and multiple-instance components, floating labels, declassification and endorsement capabilities, and support for legacy applications. We have developed a prototype of our system on Android 4.0.4 and tested it on a Nexus S phone, verifying that it can enforce practically useful policies that can be implemented with minimal modification to off-the-shelf applications.
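
A small executable model of the kind of run-time check the abstract describes, written as an added illustration and not taken from the paper or its prototype: labels are sets of secrecy tags ordered by subset inclusion, an intent between components is delivered only if the data's label flows to the receiver's label, a floating receiver raises its own label to absorb incoming tags, and a sender may strip a tag only if it holds a declassification capability for it. The component names, tag names and function names are assumptions made for the example.

```python
"""Toy model of label-based flow checks between Android components.
Constructed illustration, not the paper's implementation: labels are sets of
secrecy tags, and flow A -> B is allowed iff tags(A) is a subset of tags(B)."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    label: frozenset                        # secrecy tags the component currently holds
    floating: bool = False                  # floating label: rises to absorb incoming tags
    declass_caps: frozenset = frozenset()   # tags this component is allowed to strip


def flow_allowed(src_label: frozenset, dst_label: frozenset) -> bool:
    """Secrecy lattice: data may flow only to an equally or more restricted label."""
    return src_label <= dst_label


def send_intent(src: Component, dst: Component, declassify: frozenset = frozenset()) -> bool:
    """Run-time check on one inter-component message (an intent).
    Returns True if delivery is permitted; a floating receiver's label may be raised."""
    # A sender may strip only tags it holds a declassification capability for.
    if not declassify <= src.declass_caps:
        return False
    data_label = src.label - declassify
    if flow_allowed(data_label, dst.label):
        return True
    if dst.floating:
        # Floating label: the receiver becomes as restricted as the data it accepts.
        dst.label = dst.label | data_label
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a contacts source, an unlabelled network sender,
    a floating logger, and a component trusted to declassify CONTACTS."""
    contacts = Component("ContactsProvider", frozenset({"CONTACTS"}))
    net = Component("NetworkService", frozenset())
    logger = Component("Logger", frozenset(), floating=True)
    trusted = Component("Exporter", frozenset({"CONTACTS"}), declass_caps=frozenset({"CONTACTS"}))
    return {
        "contacts_to_net": send_intent(contacts, net),         # denied: net lacks CONTACTS
        "contacts_to_logger": send_intent(contacts, logger),   # allowed: logger floats up
        "logger_label": logger.label,                          # now {"CONTACTS"}
        "logger_to_net": send_intent(logger, net),             # denied: logger carries CONTACTS
        "bad_declass": send_intent(contacts, net, frozenset({"CONTACTS"})),   # no capability
        "trusted_declass": send_intent(trusted, net, frozenset({"CONTACTS"})),  # allowed
    }
```

The raised logger label is what keeps the "launder through a floating component" path closed: once the logger has accepted tagged data, the same check denies its onward flow to the less restricted network component.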
