TreeDroid: a tree automaton based approach to enforcing data processing policies

Current approaches to security policy monitoring are based on linear control flow constraints such as 'runQuery' may be evaluated only after 'sanitize'. However, realistic security policies must also be able to conveniently capture data flow constraints. An example is a policy stating that arguments to the function 'runQuery' must be either constants, outputs of a function 'sanitize', or concatenations of any such values. We present a novel approach to security policy monitoring that uses tree automata to capture constraints on the way data is processed along an execution. We present a λ-calculus based model of the framework, investigate some of the model's meta-properties, and show how it can be implemented using labels corresponding to automaton states to reflect the computational history of each data item. We show how a standard denotational semantics induces the expected monitoring regime on a simple "while" language. Finally, we implement the framework for the Dalvik VM using TaintDroid as the underlying data flow tracking mechanism, and evaluate its functionality and performance on five case studies.
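The example policy in the abstract (arguments to 'runQuery' must be constants, outputs of 'sanitize', or concatenations of such values) can be written as a bottom-up tree automaton over the term that records how a value was computed. The following Python is an added illustration, not code from the paper or from TaintDroid: it runs the automaton on a computation-history tree, and then shows the label-based implementation the abstract describes, where every data item carries the automaton state reached so far and the monitor only inspects the label at the sink. The state names, the untrusted 'input' source and the wrapper functions are assumptions chosen for this example; in the paper's setting the label propagation would be performed by the VM's taint-tracking layer rather than by hand-written wrappers.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    """States of the tree automaton for the 'runQuery' policy (assumed names)."""
    OK = "ok"            # constant, output of sanitize, or concatenation of OK values
    TAINTED = "tainted"  # anything derived from an unsanitized untrusted source


# Transition table: each symbol maps the states of its children to a result state.
# Leaves (const, input) take no children; concat is OK only if both children are OK.
TRANSITIONS = {
    "const": lambda: State.OK,
    "input": lambda: State.TAINTED,                      # assumed untrusted source
    "sanitize": lambda q: State.OK,                      # sanitize resets any history
    "concat": lambda q1, q2: State.OK if q1 is State.OK and q2 is State.OK
              else State.TAINTED,
}


def run_automaton(term):
    """Evaluate a computation-history term such as
    ("concat", ("const", "a"), ("sanitize", ("input", "b"))) bottom-up
    and return the automaton state reached at the root."""
    symbol, *children = term
    if symbol in ("const", "input"):
        return TRANSITIONS[symbol]()          # leaf: the payload string is ignored
    return TRANSITIONS[symbol](*(run_automaton(c) for c in children))


def accepts(term):
    """The policy accepts a term iff the automaton reaches State.OK on it."""
    return run_automaton(term) is State.OK


# --- Online version: labels instead of explicit trees -------------------------

@dataclass(frozen=True)
class Labeled:
    """A data item paired with the automaton state summarising its history."""
    value: str
    state: State


class PolicyViolation(Exception):
    pass


def const(s):
    return Labeled(s, TRANSITIONS["const"]())


def untrusted_input(s):
    return Labeled(s, TRANSITIONS["input"]())


def sanitize(x):
    # Toy sanitizer (doubles single quotes); the policy cares only about the label.
    return Labeled(x.value.replace("'", "''"), TRANSITIONS["sanitize"](x.state))


def concat(x, y):
    return Labeled(x.value + y.value, TRANSITIONS["concat"](x.state, y.state))


def run_query(x):
    """Sink: the monitor checks only the label, never re-walks the history."""
    if x.state is not State.OK:
        raise PolicyViolation(f"runQuery argument has state {x.state.value}")
    return f"executed: {x.value}"


def safe_example():
    q = concat(concat(const("SELECT * FROM users WHERE name='"),
                      sanitize(untrusted_input("o'neil"))),
               const("'"))
    return run_query(q)


def unsafe_example():
    q = concat(const("SELECT * FROM users WHERE name='"),
               concat(untrusted_input("o'neil"), const("'")))
    try:
        run_query(q)
        return "accepted"
    except PolicyViolation:
        return "blocked"


if __name__ == "__main__":
    print(safe_example())
    print(unsafe_example())
```

The two halves compute the same verdict: `run_automaton` needs the whole history tree, while the labelled values carry only one state each, which is why the label-based encoding is the one that scales to a running VM. Note that 'sanitize' accepts a child in any state, so an untrusted value becomes acceptable once it has passed through the sanitizer, but a concatenation inherits taint from either operand.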
