论文信息 - “TrustDroid™”: Preventing the use of SmartPhones for information leaking in corporate networks through the used of static analysis taint tracking

“TrustDroid™”: Preventing the use of SmartPhones for information leaking in corporate networks through the used of static analysis taint tracking

Over the last 12 years three important dates have marked the beginning of a major paradigm shift in computing and the security models applied to protect an emerging computing environment - March 1999, January 9th, 2007, and July 2007. These dates roughly correspond to the birth of SalesForce.com, the most successful Software as a Service (SaS) provider to date, Steve Jobs introduction of the Iphone,, and the discovery of the Zeus Botnet. These innovations have been instrumental in enabling a paradigm shift in computing, away from a corporate network centric model with Windows end-point devices to what we called in this manuscript the Circa 2020 Computing Model. In the circa 2020 Computing model applications and data reside in the Cloud, the concept of an extended Trust Domain (network) disappears - there is no corporate network, and finally the end-point device is a SmartPhone owned and operated by employees - Bring Your Own Device (BYOD). In such an environment, the end-point device is not “Trusted”, and there is a high likelihood that the BYOD can be used as a channel to leak sensitive data. In this manuscript, we present a new mechanism to prevent such a situation. We called this mechanism “TrustDroid™”. TrustDroid™ is a static analyzer based on taint tracking that can be used to prevent leakage of sensitive information by an un-trusted Android SmartPhone.

Fernando C. Colón Osorio | Zhibo Zhao

[1] Avik Chaudhuri,et al. SCanDroid: Automated Security Certification of Android , 2009 .

[2] Xinwen Zhang,et al. Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[3] Byung-Gon Chun,et al. TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones , 2014, Commun. ACM.

[4] Heng Yin,et al. Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[5] Patrick D. McDaniel,et al. Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[6] Jean-Pierre Seifert,et al. Beyond Kernel-Level Integrity Measurement: Enabling Remote Attestation for the Android Platform , 2010, TRUST.

[7] Scott A. Rotondo. Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[8] Yajin Zhou,et al. Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[9] J. Foster,et al. SCanDroid: Automated Security Certification of Android , 2009 .

[10] Johannes Winter,et al. Trusted computing building blocks for embedded linux-based ARM trustzone platforms , 2008, STC '08.

[11] Byung-Gon Chun,et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.