Advertisement

Introducing Probabilities in Contract-Based Approaches for Mobile Application Security

  • Gianluca Dini
  • Fabio Martinelli
  • Ilaria Matteucci
  • Andrea Saracino
  • Daniele Sgandurra
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8247)

Abstract

Security for mobile devices is a problem of capital importance, especially due to new threats coming from malicious applications. This has been proved by the increasing interest of the research community on the topic of security on mobile devices. Several security solutions have been recently proposed, to address the uprising threats coming from malicious applications. However, several mechanisms may result not flexible enough, hard to apply, or too coarse grained, e.g. several critics have been raised against the Android permission system.

We argue that, it is possible to obtain more flexible security tools and finer grained security requirements by introducing probability measurements.

In this paper we discuss how to introduce probabilistic clauses into the Security-by-Contract and the Security-by-Contract-with-Trust frameworks, revising the main building blocks and providing tools to write probabilistic contracts and policies. A proof-of-concept implementation on Android system has also been presented.

Keywords

Probabilistic contract Probabilistic policy compliance Contract-based security approaches Run-time enforcement 

References

  1. 1.
    Dragoni, N., Martinelli, F., Massacci, F., Mori, P., Schaefer, C., Walter, T., Vetillard, E.: Security-by-contract (\({\text{ S } \times \text{ C }}\)) for software and services of mobile systems. In: At Your Service - Service-Oriented Computing from an EU Perspective. MIT Press, Cambridge (2008)Google Scholar
  2. 2.
    Costa, G., Dragoni, N., Lazouski, A., Martinelli, F., Massacci, F., Matteucci, I.: Extending Security-by-Contract with quantitative trust on mobile devices. In: Proceeding of the Fourth International Conference on Complex, Intelligent and Software Intensive Systems, pp. 872–877. IEEE Computer Society (2010)Google Scholar
  3. 3.
    Costa, G., Dragoni, N., Issarny, V., Lazouski, A., Martinelli, F., Massacci, F., Matteucci, I., Saadi, R.: Security-by-Contract-with-Trust for mobile devices. JOWUA 1(4), 75–91 (2010)Google Scholar
  4. 4.
    Greci, P., Martinelli, F., Matteucci, I.: A framework for contract-policy matching based on symbolic simulations for securing mobile device application. In: Margaria, T., Steffen, B. (eds.) ISoLA 2008. CCIS, vol. 17, pp. 221–236. Springer, Heidelberg (2008)Google Scholar
  5. 5.
    Necula, G.C.: Proof-carrying code. In: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’97), pp. 106–119 (1997)Google Scholar
  6. 6.
    Sekar, R., Venkatakrishnan, V., Basu, S., Bhatkar, S., DuVarney, D.C.: Model-carrying code: a practical approach for safe execution of untrusted applications. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pp. 15–28 (2003)Google Scholar
  7. 7.
    Hermanns, H., Parma, A., Segala, R., Wachter, B., Zhang, L.: Probabilistic logical characterization. Inf. Comput. 209(2), 154–172 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Baier, C., Engelen, B., Majster-Cederbaum, M.: Deciding bisimilarity and similarity for probabilistic processes. J. Comput. Syst. Sci. 60(1), 187–231 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  9. 9.
    Sharkey, M.I.: Probabilistic proof-carrying code. Ph.D. thesis, Carleton University (2012)Google Scholar
  10. 10.
    Tsukada, Y.: Interactive and probabilistic proof of mobile code safety. Autom. Software Eng. 12(2), 237–257 (2005)CrossRefGoogle Scholar
  11. 11.
    Desharnais, J., Laviolette, F., Tracol, M.: Approximate analysis of probabilistic processes: logic, simulation and games. In: Proceedings of the 2008 Fifth International Conference on Quantitative Evaluation of Systems, QEST ’08, pp. 264–273. IEEE Computer Society, Washington DC (2008)Google Scholar
  12. 12.
    Aldini, A., Martinelli, F., Saracino, A., Sgandurra, D.: A collaborative framework for generating probabilistic contracts. In: Smari, W.W., Fox, G.C. (eds.) Proceedings of the 2013 IEEE International Conference on Collaboration Technologies and Systems, SECOTS 2013, pp. 139–143. IEEE Computer Society, San Diego (2013)Google Scholar
  13. 13.
    Juniper Networks Global Threat Center: Malicious Mobile Threats Report 2010/2011 (2011)Google Scholar
  14. 14.
    Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) TRUST 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)Google Scholar
  15. 15.
    Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. Technical report, Electrical Engineering and Computer Sciences, University of California at Berkeley (2012) http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-26.html
  16. 16.
    Dragoni, N., Massacci, F.: Security-by-contract for web services. In: SWS, pp. 90–98 (2007)Google Scholar
  17. 17.
    Gadyatskaya, O., Massacci, F., Philippov, A.: Security-by-Contract for the OSGi platform. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 364–375. Springer, Heidelberg (2012)Google Scholar
  18. 18.
    Easwaran, A., Kannan, S., Lee, I.: Optimal control of software ensuring safety and functionality. Technical Report MS-CIS-05-20, University of Pennsylvania (2005)Google Scholar
  19. 19.
    Martinelli, F., Morisset, C.: Quantitative access control with partially-observable markov decision processes. In: Proceedings of CODASPY ’12, pp. 169–180. ACM (2012)Google Scholar
  20. 20.
    Bielova, N., Massacci, F.: Predictability of enforcement. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 73–86. Springer, Heidelberg (2011)Google Scholar
  21. 21.
    Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: a multi-level anomaly detector for android malware. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 240–253. Springer, Heidelberg (2012)Google Scholar
  22. 22.
    Delahaye, B., Caillaud, B., Legay, A.: Probabilistic contracts: a compositional reasoning methodology for the design of stochastic systems. In: 10th International Conference on Application of Concurrency to System Design (ACSD), 2010, IEEE (2010)Google Scholar
  23. 23.
    Hoang, X.A., Hu, J.: An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls. In: 12th IEEE International Conferecence on Networks, ICON 2004. vol. 2, pp. 470–474. IEEE (2004)Google Scholar
  24. 24.
    Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE Trans. Dependable Secure Comput. 7(4), 381–395 (2010)CrossRefGoogle Scholar
  25. 25.
    Koresow, A.P.: Intrusion detection via system call traces. Software 14(5), 35–42 (1997)CrossRefGoogle Scholar
  26. 26.
    Briffaut, J., Lefebvre, E., Rouzaud-Cornabas, J., Toinard, C.: PIGA-Virt: an advanced distributed MAC protection of virtual systems. In: Alexander, M., et al. (eds.) Euro-Par 2011, Part II. LNCS, vol. 7156, pp. 416–425. Springer, Heidelberg (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Gianluca Dini
    • 1
  • Fabio Martinelli
    • 2
  • Ilaria Matteucci
    • 2
  • Andrea Saracino
    • 1
    • 2
  • Daniele Sgandurra
    • 2
  1. 1.Dipartimento di Ingegneria dell’InformazioneUniversità di PisaPisaItaly
  2. 2.Istituto di Informatica e TelematicaConsiglio Nazionale delle RicerchePisaItaly

Personalised recommendations