Abstract
The emerging Bring Your Own Device (BYOD) paradigm is pushing the adoption of employees’ personal mobile devices (e.g., smartphones and tablets) inside organizations for professional usage. However, allowing private, general-purpose devices to interact with proprietary, possibly critical infrastructures enables obvious threats. Unfortunately, current mobile OSes do not seem to provide adequate security support for dealing with them. In this paper, we present a formal modeling and assessment of the security of mobile applications. In particular, we propose a security framework for verifying and enforcing BYOD security policies on Android devices. Interestingly, our approach is non-invasive and only requires minor platform modifications at application level. Finally, we provide empirical evidence of the practical feasibility of the approach by means of a prototype which we used to validate a set of real Android applications.
Notes
1.
2. Resources belong to the class \(\mathtt{Uri }\) and we can use specially formatted strings, e.g., “http://site.com” or “\(\mathtt{file://dir/file.txt }\),” to uniquely identify them.
3. Since this guard is irrelevant for our purposes, we avoid using a more realistic implementation, e.g., via set/get methods.
4. For a class \(C \mathtt{<: } \mathtt{Receiver }\), we write \(msign(\mathtt{receive },C) = \mathcal {I}_{\alpha } \rightarrow \mathbf{1}\).
5. Proofs of this and the following results can be found in the “Appendix.”
6. Real Android devices natively install some receivers of this kind.
7. Tools capable of automatically building a CFG of any given APK application already exist and are publicly available. In our implementation, we use Androguard (https://code.google.com/p/androguard/) to this end.
8. Since the graph is built by iteratively adding nodes to an existing graph, with \(\langle \{r\},r,A,\emptyset \rangle \) as the starting one, we can always assume a node \(n \ne r\) to have a parent.
9. Here abstract action names, e.g., \(\mathtt{openSSL(\ldots ) }\), have been mapped onto the corresponding concrete Java/Android APIs, e.g., \(\mathtt{SSLSocketFactory.generateSocket(\ldots ) }\).
10. The complete list of experimental results is available at: http://www.ailab.it/byodroid/experiments_IJIS.html.
11. Empty CFGs arise when an application contains no security-relevant operations/invocations.
Appendix: Proofs
Lemma 1
For each closed (i.e., without free variables) expression \(E\), environment \(\varGamma \), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\varGamma } \vdash {E} : {\tau } \triangleright {H}\) then either \(E\) is a value or \(\omega ,E \rightarrow _{} \omega ',E'\) (for some \(\omega ',E'\)).
Proof
By induction over the structure of \(E\).

Case \(\mathtt{null }\), \(u\), \(x\). Trivial.

Case \(\mathtt{new\,C }(\bar{E})\). If each \(E_i = v_i\) then \(E\) is a value and the property holds. Otherwise it suffices to apply the inductive hypothesis to the first \(E_i \ne v\).

Case \(E'\mathtt{.f }\). If \(E' \ne v\) we apply the inductive hypothesis. Otherwise, by \(\mathtt{T{}FLD }\) we know that \(E' = \mathtt{new }\,\mathtt{C }(\bar{v})\) and we can conclude by applying \(\mathtt{FLD }_\mathtt{2 }\).

Case \(E'\mathtt{.m }(E'')\). If both \(E'=v'\) and \(E''=v''\) we assume the premises of \(\mathtt{T{}METH }\) and we can apply \(\mathtt{METH }_\mathtt{3 }\). Instead if either \(E' \ne v'\) or \(E'' \ne v''\) we can directly apply the inductive hypothesis to \(\mathtt{METH }_\mathtt{1 }\) and \(\mathtt{METH }_\mathtt{2 }\).

Case \(\mathtt{system }_\sigma \,E'\). If \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{SYS }_\mathtt{1 }\). Otherwise, by \(\mathtt{T{}SYS }\) we know that \({\varGamma } \vdash {E'} : {\mathcal {U}} \triangleright {H'}\) and the only suitable value for \(E'\) is a resource \(u\). Thus, we conclude by applying \(\mathtt{SYS }_\mathtt{2 }\).

Case \(\mathtt{icast }\,E'\) and \(\mathtt{ecast\,C }\,E'\). Similar to the previous step.

Case \(I_\alpha (E')\). If \(E' = v\) then \(E\) is also a value. Instead, if \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{INT }\).

Case \(E'\mathtt{.data }\). If \(E'\) is a value, by \(\mathtt{T{}DATA }\) it must be \(E' = I_\alpha (v)\). Hence, we conclude by applying rule \(\mathtt{DATA }_\mathtt{2 }\). Otherwise, we simply apply the inductive hypothesis and rule \(\mathtt{DATA }_\mathtt{1 }\).

Case \(\mathtt{if\, }(E' = E'')\mathtt{\,then\, }\{E_{ tt}\}\mathtt{\,else\, }\{E_{ ff}\}\). If either \(E'\) or \(E''\) is not a value, we conclude by applying the inductive hypothesis. Otherwise, we can apply either \(\mathtt{IF }_\mathtt{3 }\) or \(\mathtt{IF }_\mathtt{4 }\). In both cases, the property holds.

Case \(E';E''\). Here, we have two possibilities: either \(E'\) is a value or not. In both cases, \(E\) admits reduction (through \(\mathtt{SEQ }_\mathtt{1 }\) and \(\mathtt{SEQ }_\mathtt{2 }\), respectively).

Case \(\mathtt{(C)E' }\). If \(E'\) is not a value, it suffices to apply the inductive hypothesis and rule \(\mathtt{CAST }_\mathtt{1 }\). On the other hand, by rule \(\mathtt{T{}CAST }\) we know that \(E' = \mathtt{new\,D }(\cdots )\) and \(D \,\mathtt{<: }\, C\). Thus, we can apply \(\mathtt{CAST }_\mathtt{2 }\) and conclude.

Case \(\mathtt{thread\, }\{E'\}\mathtt{\,in\, }\{E''\}\). Again, if either \(E'\) or \(E''\) is not a value, we use the inductive hypothesis and rule \(\mathtt{PAR }_\mathtt{1 }\) or \(\mathtt{PAR }_\mathtt{2 }\). Instead, if \(E' = v'\) and \(E'' = v''\) we conclude by applying rule \(\mathtt{PAR }_\mathtt{3 }\).\(\square \)
Definition 4
Lemma 2
For each closed expression \(E\), environment \(\varGamma \), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\varGamma } \vdash {E} : {\tau } \triangleright {H}\) and \(\omega ,E \rightarrow _{}^*{\omega }',E'\) then \({\varGamma } \vdash {E'} : {\tau } \triangleright {H'}\) and for all \(\dot{\omega }' \in [\![H' ]\!]_{}^{}\) there exists \(\dot{\omega } \in [\![H ]\!]\) such that \(\omega \dot{\omega } = {\omega }'\dot{\omega }'\).
Proof
We first (1) prove the property for a single step and then we (2) extend it to arbitrary long derivations.

1.
By induction on the structure of \(E\).

Case \(\mathtt{null }\), \(u,\, x\). Trivial.

Case \(\mathtt{new\,C }(\bar{E})\). If each \(E_i = v_i\) then \(E\) is a value and the property holds. Otherwise, we type \(E\) as follows:
$$\begin{aligned} \frac{{\varGamma } \vdash {E_i} : {\tau _i} \triangleright {H_i}}{{\varGamma } \vdash {\mathtt{new\,C }(\bar{E})} : {\tau } \triangleright {\varepsilon \cdots H_j \cdots }} \end{aligned}$$where \(E_j\) is the first non-value in \(\bar{E}\). Applying Lemma 1, we know that \(\omega , E_j \rightarrow _{} \omega ', E'_j\). Hence, we apply the inductive hypothesis obtaining \({\varGamma } \vdash {E'_j} : {\tau _j} \triangleright {H'_j}\) and \(\forall \omega '_j \in [\![H'_j ]\!]_{}^{}.\exists \omega _j \in [\![H_j ]\!]_{}^{}.\omega \omega _j = \omega '\omega '_j\). Then, by instantiating rule \(\mathtt{NEW }\), we have
$$\begin{aligned} \omega , \mathtt{new\,C }(\bar{v}, E_j, \ldots ) \rightarrow _{} \omega ', \mathtt{new\,C }(\bar{v}, E'_j, \ldots ) \end{aligned}$$Since \(A = [\![\varepsilon \cdots H_j \cdots ]\!]_{}^{} = \{ \omega _j \omega _{j+1} \cdots \mid \omega _j \in [\![H_j ]\!]_{}^{} \wedge \omega _{j+1} \in [\![H_{j+1} ]\!]_{}^{} \wedge \cdots \}\) and \(B = [\![\varepsilon \cdots H'_j \cdots ]\!]_{}^{}= \{ \omega '_j \omega _{j+1} \cdots \mid \omega '_j \in [\![H'_j ]\!]_{}^{} \wedge \omega _{j+1} \in [\![H_{j+1} ]\!]_{}^{} \wedge \cdots \}\) (where the \(\cdots \) parts are equal), we can conclude by observing that for each \(\dot{\omega }' = \omega '_j \cdots \in B\) we can find a trace \(\dot{\omega } = \omega _j \cdots \in A\) such that \(\omega \dot{\omega } = \omega '\dot{\omega }'\).

Case \(E'\mathtt{.f }\). If \(E' \ne v\), we just apply the inductive hypothesis. Otherwise, by \(\mathtt{T{}FLD }\) we know that \(E' = \mathtt{new\,C }(\bar{v})\) and by applying \(\mathtt{FLD }_\mathtt{2 }\) we obtain \(\omega , \mathtt{new\,C }(\bar{v})\mathtt{.f } \rightarrow _{} \omega ,v_f\) which trivially satisfies the property.

Case \(E'\mathtt{.m }(E'')\). If either \(E' \ne v'\) or \(E'' \ne v''\), we assume the premises of \(\mathtt{T{}METH }\) and apply the inductive hypothesis together with \(\mathtt{METH }_\mathtt{1 }/\mathtt{METH }_\mathtt{2 }\). Instead, if both \(E' = \mathtt{new\, C }(\bar{v})\) and \(E'' = v'\), we apply \(\mathtt{METH }_\mathtt{3 }\) and we have
$$\begin{aligned} \frac{mbody(\mathtt{m, C }) = \mathtt{x, }E_m }{\omega , \mathtt{(new\, C( }\bar{v}\mathtt{)).m( }v'\mathtt{) } \rightarrow _{} \omega ,E_m[{v'}/{x},{\mathtt{(new\, C( }\bar{v}\mathtt{)) }}/{\mathtt{this }}]} \end{aligned}$$However, typing the two sides of this transition we obtain the same history expression. Indeed, for each history expression \(H_m\) produced by typing the right side, we have for the left part \(\varepsilon \cdot \varepsilon \cdot H_m\) which is trivially equivalent.

Case \(\mathtt{system }_\sigma \,E'\). If \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{SYS }_\mathtt{1 }\). Otherwise, by \(\mathtt{SYS }_\mathtt{2 }\) we have \(\omega , \mathtt{system }_\sigma \,u \rightarrow _{} \omega \cdot \sigma (u), \mathtt{null }\). Also by \(\mathtt{T{}SYS }\) we have \({\varGamma } \vdash {E} : {\mathbf{1}} \triangleright {\sigma (u)}\). Since \({\varGamma } \vdash {\mathtt{null }} : {\mathbf{1}} \triangleright {\varepsilon }\), we have to show that \(\exists \dot{\omega } \in \{\sigma (u)\}.\omega \sigma (u) = \omega \dot{\omega }\) which trivially holds.

Case \(\mathtt{icast }\,E'\). Similarly to the previous step, if \(E'\) is not a value, we can simply apply the inductive hypothesis. Otherwise, by \(\mathtt{T{}IMPC }\) we must have \(E' = I_\alpha (u)\) and \(H = \alpha _?(u)\). Also, by \(\mathtt{IMPC }_\mathtt{2 }\), we have
$$\begin{aligned} \frac{\mathtt{new\, }C(\bar{v}) \in receiver(\alpha )}{\omega , \mathtt{icast }\,I_\alpha (u) \rightarrow _{} \omega ,\mathtt{new\, }C(\bar{v}).\mathtt{receive( }I_\alpha (u)\mathtt{) }} \end{aligned}$$and we type \({\varGamma } \vdash {\mathtt{new\, }C(\bar{v}).\mathtt{receive }(I_\alpha (u))} : {\mathbf{1}} \triangleright {\tilde{H}}\). Hence, we must prove that \(\forall \dot{\omega }' \in [\![\tilde{H} ]\!]_{}^{}.\exists \dot{\omega } \in [\![\alpha _?(u) ]\!]_{}^{}\) such that \(\omega \dot{\omega } = \omega \dot{\omega }'\). However, by the semantics of history expressions we have
$$\begin{aligned} \frac{\begin{array}{c}\alpha _?(u) \xrightarrow {\alpha _?(u)} \varepsilon \\ \dot{H} = \sum H'\{{\alpha _?(u)}/{h}\} s.t. \bar{\alpha }_C h.H' \in \rho (\alpha ) \, \hbox {and}\, \chi \succcurlyeq C \end{array}}{H \xrightarrow {\cdot } \dot{H}} \end{aligned}$$Then, by definition of \(\rho \), we have that \(\tilde{H} \sqsubseteq \dot{H}\) which suffices to conclude.

Case \(\mathtt{ecast\,C }\,E'\). Analogous to the previous case.

Case \(I_\alpha (E')\). If \(E' = v\) then \(E\) is also a value. Instead, if \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{INT }\).

Case \(E'\mathtt{.data }\). If \(E'\) is a value, by \(\mathtt{T{}DATA }\) it must be \(E' = I_\alpha (v)\). Hence, we conclude by applying rule \(\mathtt{DATA }_\mathtt{2 }\). Otherwise, we simply apply the inductive hypothesis and rule \(\mathtt{DATA }_\mathtt{1 }\).

Case \(\mathtt{if\, }(E' = E'')\mathtt{\,then\, }\{E_{ tt}\}\mathtt{\,else\, }\{E_{ ff}\}\). If either \(E'\) or \(E''\) is not a value, we conclude by applying the inductive hypothesis. Otherwise, we can apply either \(\mathtt{IF }_\mathtt{3 }\) or \(\mathtt{IF }_\mathtt{4 }\) and the inductive hypothesis to \(E_{ tt}\) and \(E_{ ff}\), respectively.

Case \(E';E''\). Here, we have two possibilities: either \(E'\) is a value or not. In both cases, \(E\) admits reduction (through \(\mathtt{SEQ }_\mathtt{1 }\) and \(\mathtt{SEQ }_\mathtt{2 }\), respectively). The property holds by the inductive hypothesis.

Case \(\mathtt{(C)E' }\). If \(E'\) is not a value, it suffices to apply the inductive hypothesis and rule \(\mathtt{CAST }_\mathtt{1 }\). On the other hand, by rule \(\mathtt{T{}CAST }\) we know that \(E' = \mathtt{new\,D }(\cdots )\) and \(D \,\mathtt{<: }\, C\). Thus, we can apply \(\mathtt{CAST }_\mathtt{2 }\) and conclude.

Case \(\mathtt{thread\, }\{E'\}\mathtt{\,in\, }\{E''\}\). If either \(E'\) or \(E''\) is not a value, we use the inductive hypothesis and rule \(\mathtt{PAR }_\mathtt{1 }\) or \(\mathtt{PAR }_\mathtt{2 }\). Instead, if \(E' = v'\) and \(E'' = v''\) we conclude by applying rule \(\mathtt{PAR }_\mathtt{3 }\).


2.
By induction on the derivation length.

Base case. For zero-length derivations, the property is trivially satisfied by the identity \(\omega \dot{\omega } = \omega \dot{\omega }\).

Induction. We assume the property holds for derivations of length \(n\) and we apply (1) to prove that the property is preserved by a further step.

\(\square \)
Theorem 1
For each closed expression \(E\), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\emptyset } \vdash {E} : {\tau } \triangleright {H}\) and \(\cdot , E \rightarrow ^*\omega , E'\) then there exist \(H'\) and \(\omega '\) such that \(H \xrightarrow {\omega '}{\!\!}^*H'\), \({\emptyset } \vdash {E'} : {\tau } \triangleright {H'}\) and \(\omega = \omega '\).
Proof
A corollary of Lemma 2.\(\square \)
Theorem 2
\(H \models \varphi \Longleftrightarrow H \Vdash \varphi \)
Proof
We prove the two directions \(\Leftarrow \) (soundness) and \(\Rightarrow \) (completeness) separately.
 (\(\Leftarrow \)):

By induction over the definition of \(\Vdash \).

Case (true). Trivial.

Case (\(\wedge \)). We simply assume the premises of the rule and apply the inductive hypothesis to them.

Cases (\(\vee _L\)) and (\(\vee _R\)). In both cases, we assume the rule premise and apply the inductive hypothesis.

Case (\(\langle u \rangle \)). We assume the premises of the rule and we apply the inductive hypothesis to \(H' \Vdash \varphi \). Hence, there exists \(H'\) such that \(H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \) which allows us to apply rule (cdiamond).

Case (\(\langle x \rangle \)). We apply a similar reasoning and we obtain that there exist \(u\) and \(H'\) such that \(H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \{{u}/{x}\}\) so that we can apply (adiamond) and conclude.

Case (\([ u ]\)). We assume the premises of the rule and apply the inductive hypothesis to them. By definition, if \(H \xrightarrow {\sigma (u)} H'\) then \(H'\) appears in one of the premises of the rule. This suffices to conclude by applying (cbox).

Case (\([ x ]\)). As in the previous step, we assume the premises and we apply the inductive hypothesis to them. Again, if we have \(H \xrightarrow {\sigma (u)} H'\) (for some \(u\) and \(H'\)), then \(H' \Vdash \varphi \{{u}/{x}\}\) is among the rule premises. Hence, we obtain the right-hand side of (abox).

Case (Rec). We assume the premise of the rule and apply the inductive hypothesis to obtain \(H \models \mathcal {D}(F)\). Also we can write \(H \models \mathcal {D}(F) = F\{{\mathcal {D}(F)}/{F}\}\). Then, by rule (identifier) we have \(H \models \bigvee _{n \geqslant 0} f^n({ ff})\) where
$$\begin{aligned} f(\varphi ) = \mathcal {D}(F)\left\{ {\mathcal {D}(F)}/{F}\right\} \left\{ {\varphi }/{F}\right\} \end{aligned}$$We rewrite and we apply rule (identifier) to obtain \(H \models F\).
 (\(\Rightarrow \)):

By induction over the definition of \(\models \).

Case (true). Trivial.

Case (conjunction). By inductive hypothesis, we have \(H \Vdash \varphi \) and \(H \Vdash \varphi '\) which suffice to apply rule \((\wedge )\).

Case (disjunction). We have two symmetric cases. If \(H \models \varphi \), then we obtain \(H \Vdash \varphi \) and apply (\(\vee _L\)). Otherwise, we follow the same reasoning with \(\varphi '\).

Case (cdiamond). \(\langle \sigma (u) \rangle .\varphi \) implies that \(\exists H'.H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \). Hence, we apply the inductive hypothesis and rule (\(\langle u \rangle \)).

Case (adiamond). We proceed similarly to the previous case. The only difference is that we apply the inductive hypothesis to \(\varphi \{{u}/{x}\}\) and we use rule (\(\langle x \rangle \)).

Case (cbox). Here, we have that (*) \(\forall H' \cdot H \xrightarrow {\sigma (u)} H'\) implies \(H' \models \varphi \). We then consider the set \(\{H' \text{ s.t. } H \xrightarrow {\sigma (u)} H'\}\) and its elements \(H_i\). Hence, the premise (*) can be applied to every \(H_i\), which suffices to apply the inductive hypothesis to all of them and conclude with (\([ u ]\)).

Case (abox). We proceed in a similar way. We build the set \(\{H' \text{ s.t. } H \xrightarrow {\sigma (u)} H'\}\) and apply the inductive hypothesis to each of its elements \(H_i\). Then, we conclude by applying (\([ x ]\)).

Case (identifier). We have \(H \models \bigvee \nolimits _{n \geqslant 0} f^n ({ ff})\,\,\) where \(f(\varphi ) = \mathcal {D}(F)\{{\varphi }/{F}\}\). This implies that there exists \(\varphi ^*\) such that \(H \models \varphi ^*\) and \(\varphi ^*\) is equivalent to \(\mathcal {D}(F)\). Then, we apply the inductive hypothesis to \(\varphi ^*\) to obtain \(H \Vdash \varphi ^*\) and, by logical equivalence, \(H \Vdash \mathcal {D}(F)\). Thus, we conclude by applying (Rec).\(\square \)
Theorem 3
Proof
(\(\Rightarrow \)) By induction over the structure of \(\varphi \).

Cases \({ tt}\) and \({ ff}\). Trivial.

Case \(\varphi _1 \wedge \varphi _2\). By the PMC rules, we have \(H \models {\varphi _1}_{//{H'}} \wedge {\varphi _2}_{//{H'}}\); we then apply the inductive hypothesis to both \(H \models {\varphi _1}_{//{H'}}\) and \(H \models {\varphi _2}_{//{H'}}\) so as to obtain \({H}\parallel {H'} \models \varphi _1\) and \({H}\parallel {H'} \models \varphi _2\) and, by rule (conjunction), \({H}\parallel {H'} \models \varphi _1 \wedge \varphi _2\).

Case \(\varphi _1 \vee \varphi _2\). By PMC rules, we have \(H \models {\varphi _1}_{//{H'}} \vee {\varphi _2}_{//{H'}}\) and, by (disjunction), we can assume either \(H \models {\varphi _1}_{//{H'}}\) or \(H \models {\varphi _2}_{//{H'}}\). In both cases, we apply the inductive hypothesis and the (disjunction) rule.

Case \(\langle \sigma (u) \rangle .\varphi \). By PMC rule, we have
$$\begin{aligned} H \models \mathop {\overbrace{\langle \sigma (u) \rangle .{\varphi }_{//{H'}}}}\limits ^{A} \vee \mathop {\overbrace{\bigvee \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi }_{//{H''}}}}\limits ^{B} \end{aligned}$$If \(A\) holds then by (cdiamond) rule both \((i) \; H \xrightarrow {\sigma (u)} \dot{H}\) and \((ii)\;\dot{H} \models {\varphi }_{//{H'}}\) hold. Hence, by inductive hypothesis on \((ii)\) we have that \({\dot{H}}\parallel {H'} \models \varphi \) and by concurrency rule using \((i)\) premise we have that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\). These two facts suffice to conclude that \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \). Instead, if \(B\) holds, there must exist at least one \(H''\) such that \(H' \xrightarrow {\sigma (u)} H''\) and \(H \models {\varphi }_{//{H''}}\). The latter implies (by inductive hypothesis) that \({H}\parallel {H''} \models \varphi \), the former implies \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {H''}\). These two facts imply (cdiamond) \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \).

Case \(\langle \sigma (x) \rangle . \varphi \). We proceed similarly to the previous case. Applying the PMC rule to \(H \models {(\langle \sigma (x) \rangle . \varphi )}_{//{H'}}\) we have
$$\begin{aligned} H \models \mathop {\overbrace{\langle \sigma (x) \rangle .{\varphi }_{//{H'}}}}\limits ^{A} \vee \mathop {\overbrace{\bigvee \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi \{{x}/{u}\}}_{//{H''}}}}\limits ^{B} \end{aligned}$$If \(A\) holds then by the (adiamond) rule there exists \(u\) such that \((i) \; H \xrightarrow {\sigma (u)} \dot{H}\) and \((ii)\;\dot{H} \models {\varphi \{{x}/{u}\}}_{//{H'}}\). Hence, by inductive hypothesis on \((ii)\) we have that \({\dot{H}}\parallel {H'} \models \varphi \{{x}/{u}\}\) and by the concurrency rule using premise \((i)\) we have that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\). These two facts suffice to conclude that \({H}\parallel {H'} \models \langle \sigma (x) \rangle .\varphi \). Instead, if \(B\) holds, there exist \(H''\) and \(u\) such that \(H' \xrightarrow {\sigma (u)} H''\) and \(H \models {\varphi \{{x}/{u}\}}_{//{H''}}\). The latter implies (by inductive hypothesis) that \({H}\parallel {H''} \models \varphi \{{x}/{u}\}\), the former implies that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {H''}\). Applying (adiamond) to these two facts, we obtain \({H}\parallel {H'} \models \langle \sigma (x) \rangle .\varphi \), that is, the thesis.

Case \([ \sigma (u) ].\varphi \). By PMC rule, we have
$$\begin{aligned} H \models \mathop {\overbrace{[ \sigma (u) ].{\varphi }_{//{H'}}}}\limits ^{A} \wedge \mathop {\overbrace{\bigwedge \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi }_{//{H''}}}}\limits ^{B} \end{aligned}$$By rule (cbox), we must prove that \({H}\parallel {H'} \models [\sigma (u)].\varphi \) iff \(\forall H''.{H}\parallel {H'} \xrightarrow {\sigma (u)} H''\) implies \(H'' \models \varphi \). By the semantics of history expressions, we know that either \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\) or \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {\dot{H}'}\). In the first case, we apply the inductive hypothesis, so obtaining \({\dot{H}}\parallel {H'} \models \varphi \). In the second case, we use \(B\) to show that for each \(\dot{H}''\) such that \(H' \xrightarrow {\sigma (u)} \dot{H}''\) it holds that \(H \models {\varphi }_{//{\dot{H}''}}\). By inductive hypothesis, this implies that for each such \(\dot{H}''\), \({H}\parallel {\dot{H}''} \models \varphi \). By composing the two cases, we obtain that after each \(\sigma (u)\) transition of \({H}\parallel {H'}\) the formula \(\varphi \) holds, which suffices to conclude.

Case \(F\). Here, we have \(H \models {F}_{//{H'}}\). Hence, by rule identifier and PMC, we infer that \(H \models \bigvee \nolimits _{n \geqslant 0} f^n({ ff})\) with \(f(X) = {\mathcal {D}(F)}_{//{H'}} \{{X}/{F}\}\). However, we can easily check that \(F\) does not appear as a free identifier in \({\mathcal {D}(F)}_{//{H'}}\). Thus, we can say that \(H \models {\mathcal {D}(F)}_{//{H'}}\). By inductive hypothesis, \({H}\parallel {H'} \models \mathcal {D}(F)\) which is equivalent to \({H}\parallel {H'} \models F \{{F}/{\mathcal {D}(F)}\}\) and \({H}\parallel {H'} \models F\), that is, the thesis.
 (\(\Leftarrow \)):

By induction over the structure of \(\varphi \).

Cases \({ tt}\) and \({ ff}\). Trivial.

Case \(\varphi _1 \wedge \varphi _2\). By (conjunction) rule, we have \({H}\parallel {H'} \models \varphi _1\) and \({H}\parallel {H'} \models \varphi _2\). Thus, by inductive hypothesis we have \(H \models {\varphi _1}_{//{H'}}\) and \(H \models {\varphi _2}_{//{H'}}\) which suffice to conclude.

Case \(\varphi _1 \vee \varphi _2\). Similarly to the previous case, we apply (disjunction) and obtain that either \({H}\parallel {H'} \models \varphi _1\) or \({H}\parallel {H'} \models \varphi _2\) hold. In both cases, we apply the inductive hypothesis and conclude.

Case \(\langle \sigma (u) \rangle .\varphi \). We have \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \). By applying the rule for parallel history expressions and (cdiamond), we obtain that either
$$\begin{aligned} (A) \exists \dot{H} . H \xrightarrow {\sigma (u)} \dot{H} \wedge {\dot{H}}\parallel {H'} \models \varphi \end{aligned}$$or
$$\begin{aligned} (B) \exists \dot{H}' . H' \xrightarrow {\sigma (u)} \dot{H}' \wedge {H}\parallel {\dot{H}'} \models \varphi \end{aligned}$$If \((A)\) holds then by inductive hypothesis \(\exists \dot{H}.\dot{H} \models {\varphi }_{//{H'}}\) and, by (cdiamond), \(H \models \langle \sigma (u) \rangle . {\varphi }_{//{H'}}\). Instead, if \((B)\) holds, \(\exists \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}'\) and \(H \models {\varphi }_{//{\dot{H}'}}\). This implies that \(H \models \bigvee \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi }_{//{\dot{H}'}}\). Composing the two cases, we obtain the thesis.

Case \(\langle \sigma (x) \rangle .\varphi \). The premise is \({H}\parallel {H'} \models \langle \sigma (x) \rangle .\varphi \). By applying the rule for parallel history expressions and (adiamond), we obtain that either
$$\begin{aligned} (A) \exists u,\dot{H} . H \xrightarrow {\sigma (u)} \dot{H} \wedge {\dot{H}}\parallel {H'} \models \varphi \{{u}/{x}\} \end{aligned}$$or
$$\begin{aligned} (B) \exists u, \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \wedge {H}\parallel {\dot{H}'} \models \varphi \{{u}/{x}\} \end{aligned}$$If \((A)\) holds, by inductive hypothesis we know that \(\exists u.\dot{H} \models {\varphi \{{u}/{x}\}}_{//{H'}}\) which implies \(H \models \langle \sigma (x) \rangle . {\varphi }_{//{H'}}\). Otherwise, applying the inductive hypothesis to \((B)\) we have that (there exist \(u\) and \(\dot{H}'\) s.t.) \(H \models {\varphi \{\{{u}/{x}\}\}}_{//{\dot{H}'}}\) which implies that \(H \models \bigvee \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi \{\{{u}/{x}\}\}}_{//{\dot{H}'}}\). Then, by rule (disjunction) we obtain the thesis.

Case \([ \sigma (u) ].\varphi \). Here, we can assume that
$$\begin{aligned} (A) \forall \dot{H}.H \xrightarrow {\sigma (u)} \dot{H} \Longrightarrow {\dot{H}}\parallel {H'} \models \varphi \end{aligned}$$and
$$\begin{aligned} (B) \forall \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \Longrightarrow {H}\parallel {\dot{H}'} \models \varphi \end{aligned}$$Applying the inductive hypothesis to \((A)\) we have that \(\dot{H} \models {\varphi }_{//{H'}}\) which implies \(H \models [\sigma (u)].{\varphi }_{//{H'}}\). From \((B)\), by inductive hypothesis, we have that (for each \(\dot{H}'\)) \(H \models {\varphi }_{//{\dot{H}'}}\). Hence, we can infer that \(H \models \bigwedge \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi }_{//{\dot{H}'}}\). We conclude by applying rule (conjunction) and the PMC definition.

Case \([ \sigma (x) ].\varphi \). Here we can assume that
$$\begin{aligned} (A) \forall u,\dot{H}.H \xrightarrow {\sigma (u)} \dot{H} \Longrightarrow {\dot{H}}\parallel {H'} \models \varphi \{{u}/{x}\} \end{aligned}$$and
$$\begin{aligned} (B) \forall u,\dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \Longrightarrow {H}\parallel {\dot{H}'} \models \varphi \{{u}/{x}\} \end{aligned}$$Applying the inductive hypothesis to \((A)\) we have that \(\dot{H} \models {\varphi \{{u}/{x}\}}_{//{H'}}\) and then \(H \models [\sigma (x)].{\varphi }_{//{H'}}\). From \((B)\), by inductive hypothesis, we have that (for each \(u\) and \(\dot{H}'\)) \(H \models {\varphi \{{u}/{x}\}}_{//{\dot{H}'}}\). Then, we obtain that
$$\begin{aligned} H \models \bigwedge \limits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi \{{u}/{x}\}}_{//{\dot{H}'}} \end{aligned}$$By applying (conjunction), we reduce to the definition of PMC applied to abstract box.

Case \(F\). In this case, we have \({H}\parallel {H'} \models F\) which implies \({H}\parallel {H'} \models \mathcal {D}(F)\). Then, we apply the inductive hypothesis and we obtain \({H}\parallel {H'} \models {\mathcal {D}(F)}_{//{H'}}\) which is by definition equivalent to \({H}\parallel {H'} \models F_{H'}\) where \(F_{H'} = {F}_{//{H'}}\).\(\square \)
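The equivalence of Theorem 3, worked on a small constructed example. This is code added here, not the authors' prototype: it assumes a history expression is a finite labelled transition system over \(\sigma(u)\) events, that \(\parallel\) is interleaving (the concurrency rule used in the proof), and it covers only the ground fragment of the logic (no \(x\)-binding modalities and no identifiers \(F\)), so `pmc` implements exactly the \(\langle \sigma(u) \rangle\) and \([\sigma(u)]\) quotient rules displayed above.

```python
"""Check  H |= phi_{//H'}  iff  H || H' |= phi  (Theorem 3) by brute force
on a constructed BYOD-style example: an app that reads a local database,
running beside another app that sends on the network."""
from itertools import product

# Assumption: a history expression is a finite LTS {state: [(action, next)]}.
# Actions are the paper's sigma(u) events written as strings; a state with
# no outgoing transitions plays the role of the terminated expression.
# Every state must appear as a key (possibly with an empty list).

# Ground formulas as nested tuples:
#   ("tt",) ("ff",) ("and", f, g) ("or", f, g) ("dia", a, f) ("box", a, f)
TT, FF = ("tt",), ("ff",)


def succ(lts, s, a):
    """All H'' with H -a-> H'' (the premise of cdiamond / cbox)."""
    return [t for (b, t) in lts[s] if b == a]


def sat(lts, s, phi):
    """The |= relation of the page (rules true, conjunction, disjunction,
    cdiamond, cbox) evaluated on the finite LTS `lts` at state `s`."""
    op = phi[0]
    if op == "tt":
        return True
    if op == "ff":
        return False
    if op == "and":
        return sat(lts, s, phi[1]) and sat(lts, s, phi[2])
    if op == "or":
        return sat(lts, s, phi[1]) or sat(lts, s, phi[2])
    if op == "dia":
        return any(sat(lts, t, phi[2]) for t in succ(lts, s, phi[1]))
    if op == "box":
        return all(sat(lts, t, phi[2]) for t in succ(lts, s, phi[1]))
    raise ValueError(op)


def parallel(h, h2):
    """Interleaving H || H': one sigma(u) step moves exactly one component,
    i.e. H||H' -> H.||H'  or  H||H' -> H||H'. (concurrency rule)."""
    par = {}
    for s, s2 in product(h, h2):
        par[(s, s2)] = ([(a, (t, s2)) for (a, t) in h[s]] +
                        [(a, (s, t2)) for (a, t2) in h2[s2]])
    return par


def big(op, parts, unit):
    """Fold a finite disjunction / conjunction; the empty one is ff / tt."""
    out = unit
    for p in parts:
        out = (op, out, p)
    return out


def pmc(phi, h2, s2):
    """phi_{//H'}: the quotient rules from the proof of Theorem 3.
    Branch A keeps H' (H takes the step); branch B ranges over the
    H'' reached when H' itself takes the sigma(u) step."""
    op = phi[0]
    if op in ("tt", "ff"):
        return phi
    if op in ("and", "or"):
        return (op, pmc(phi[1], h2, s2), pmc(phi[2], h2, s2))
    a, body = phi[1], phi[2]
    inner = pmc(body, h2, s2)                          # A: H moves, H' stays
    by_h2 = [pmc(body, h2, t2) for t2 in succ(h2, s2, a)]  # B: H' moves
    if op == "dia":
        return ("or", ("dia", a, inner), big("or", by_h2, FF))
    if op == "box":
        return ("and", ("box", a, inner), big("and", by_h2, TT))
    raise ValueError(op)


def theorem3_holds(h, h2, formulas):
    """Exhaustively compare H |= phi_{//H'} with H || H' |= phi for every
    pair of start states and every formula; True iff they always agree."""
    par = parallel(h, h2)
    return all(sat(h, s, pmc(phi, h2, s2)) == sat(par, (s, s2), phi)
               for phi in formulas for s in h for s2 in h2)


# Constructed example (hypothetical apps): APP reads a local database and
# stops; OTHER only sends on the network.  The BYOD policy "no network send
# after a database read" is the ground formula [read(db)].[send(net)].ff.
APP = {0: [("read(db)", 1)], 1: []}
OTHER = {0: [("send(net)", 1)], 1: []}
NO_SEND_AFTER_READ = ("box", "read(db)", ("box", "send(net)", FF))
CAN_SEND = ("dia", "send(net)", TT)
SAMPLE_FORMULAS = [NO_SEND_AFTER_READ, CAN_SEND,
                   ("and", NO_SEND_AFTER_READ, ("dia", "read(db)", CAN_SEND)),
                   ("or", ("box", "send(net)", FF), ("dia", "read(db)", FF))]


def check_policy():
    """APP alone respects the policy; the interleaving with OTHER violates
    it; and the quotient formula detects the violation on APP alone."""
    alone = sat(APP, 0, NO_SEND_AFTER_READ)
    together = sat(parallel(APP, OTHER), (0, 0), NO_SEND_AFTER_READ)
    quotient = sat(APP, 0, pmc(NO_SEND_AFTER_READ, OTHER, 0))
    return alone, together, quotient   # (True, False, False)


if __name__ == "__main__":
    print(check_policy())
    print(theorem3_holds(APP, OTHER, SAMPLE_FORMULAS))   # True
```

The third component of `check_policy()` is the practical point of partial model checking: the environment \(H'\) is folded into the formula once, and the application is then checked in isolation.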
Cite this article
Armando, A., Costa, G., Merlo, A. et al. Formal modeling and automatic enforcement of Bring Your Own Device policies. Int. J. Inf. Secur. 14, 123–140 (2015). https://doi.org/10.1007/s10207-014-0252-y
Keywords
 Bring Your Own Device
 History expressions
 Hennessy–Milner logic
 Type and effect systems
 Partial model checking
 Android