Runtime Monitoring Using Policy Based Approach to Control Information Flow for Mobile Apps

Mobile applications are verified to check the correctness or evaluated to check the performance with respect to specific security properties such as Availability, Integrity and Confidentiality. Where they are made available to the end users of the mobile application is achievable only to a limited degree using software engineering static verification techniques. The more sensitive the information, such as credit card data, personal medical information or personal emails being processed by mobile application, the more important it is to ensure the confidentiality of this information. Monitoring untrusted mobile application during execution in an environment where sensitive information is present is difficult and unnerving. The paper addresses the issue of monitoring and controlling the flow of confidential information during untrusted mobile application execution. The approach concentrates on providing a dynamic and usable information security solution by interacting with the mobile users during the runtime of mobile application in response to information flow events. Keywords—Mobile application, Run-time verification, Usable security, Direct information flow.

[1]  Len LaPadula,et al.  Secure Computer Systems: A Mathematical Model , 1996 .

[2]  Hussein Zedan,et al.  Analysis and Run-Time Verification of Dynamic Security Policies , 2005, DAMAS.

[3]  Hanêne Ben-Abdallah,et al.  MaC: A Framework for Run-Time Correctness Assurance of Real-Time Systems , 1998 .

[4]  Andrew C. Myers,et al.  Sharing Mobile Code Securely with Information Flow Control , 2012, 2012 IEEE Symposium on Security and Privacy.

[5]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[6]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[7]  Muga Nishizawa,et al.  An Easy-to-Use Toolkit for Efficient Java Bytecode Translators , 2003, GPCE.

[8]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[9]  Instrumenting Java bytecode Seminar work for the Compilers-course , spring 2005 , 2005 .

[10]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[11]  Diego Cheda,et al.  Run-time Information Flow Monitoring based on Dynamic Dependence Graphs , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[12]  Insik Shin,et al.  Mobile code security by Java bytecode instrumentation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[13]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[14]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[15]  H. Janicke,et al.  Interactive Runtime Monitoring of Information Flow Policies , 2009 .

[16]  Anindya Banerjee,et al.  History-Based Access Control and Secure Information Flow , 2004, CASSIS.

[17]  Xin Qi,et al.  Fabric: a platform for secure distributed computation and storage , 2009, SOSP '09.

[18]  Walter Binder,et al.  Advanced Java bytecode instrumentation , 2007, PPPJ.

[19]  Guilherme Ottoni,et al.  RIFLE: An Architectural Framework for User-Centric Information-Flow Security , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[20]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[21]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[22]  Tzi-cker Chiueh,et al.  A General Dynamic Information Flow Tracking Framework for Security Applications , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[23]  Hanêne Ben-Abdallah,et al.  A Monitoring and Checking Framework for Run-time Correctness Assurance , 1998 .