Abstract
Android embodies security mechanisms at both the OS and the application level. On this platform, application security is built primarily on a system of permissions that restrict the operations a particular process can perform. The critical role of these security mechanisms makes them a prime target for (formal) verification. We present an idealized model of a reference monitor for the novel mechanisms of Android 6 (and later), where permissions can be granted at run time. Using the programming language of the proof assistant Coq, we have developed a functional implementation of the reference validation mechanism and certified its correctness with respect to the specified reference monitor. Several properties concerning the permission model of Android 6 and its security mechanisms have been formally stated and proved. Applying the program extraction mechanism provided by Coq, we have also derived a certified Haskell prototype of the reference validation mechanism.
Partially funded by project ANII-FCE_1_2014_1_103803: Mecanismos autónomos de seguridad certificados para sistemas computacionales móviles, Uruguay, and by the EU H2020 project Elastest under grant no. 731535.
Notes
1. A permanent delegated permission represents that an app holds a delegated permission to perform an operation on the resource identified by a URI. A temporary delegated permission is one that has been delegated to a component instance.
2. Given a state s, an action a and an error code ec, \(ErrorMsg(s,a,ec)\) holds iff error ec is an acceptable response when the execution of a is requested in state s.
3. Mechanism that triggers actions on a state according to the type of event considered.
4. We omit the formal definition of these functions due to space constraints.
5. We implement the sets of the model as Coq lists.
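The following is an added illustration, not the paper's Coq development: a constructed toy reference monitor in Python in which a relational specification (`errors`, and the `error_msg` predicate of note 2) is checked against a functional `step` implementation, and in which temporary delegated permissions die with their component instance while permanent ones (note 1) survive. All state fields, action names and error codes are assumptions of this sketch.

```python
from dataclasses import dataclass, replace

# Constructed toy state (not the paper's definitions): installed apps, runtime grants,
# live component instances, permanent URI delegations per app, temporary ones per instance.
@dataclass(frozen=True)
class State:
    installed: frozenset       # {app}
    granted: frozenset         # {(app, perm)} runtime permissions granted
    running: frozenset         # {(instance, app)} live component instances
    perm_delegated: frozenset  # {(app, uri)} survives component instances
    temp_delegated: frozenset  # {(instance, uri)} removed when the instance stops

def errors(s, a):
    """Relational spec: error codes the monitor accepts for action a in state s (empty = valid)."""
    kind, x, y = a
    app_of = dict(s.running)  # instance -> owning app
    e = set()
    if kind in ("grant", "revoke", "delegate_perm") and x not in s.installed:
        e.add("no_such_app")
    if kind == "grant" and (x, y) in s.granted:
        e.add("already_granted")
    if kind == "revoke" and (x, y) not in s.granted:
        e.add("not_granted")
    if kind in ("delegate_temp", "stop", "read") and x not in app_of:
        e.add("no_such_instance")
    if kind == "read" and x in app_of and (x, y) not in s.temp_delegated \
            and (app_of[x], y) not in s.perm_delegated:
        e.add("no_permission")
    return e

def error_msg(s, a, ec):   # ErrorMsg(s, a, ec) from note 2
    return ec in errors(s, a)

def valid(s, a):
    return not errors(s, a)

def step(s, a):
    """Functional reference validation mechanism: returns (new_state, response)."""
    if not valid(s, a):
        return s, min(errors(s, a))   # deterministic choice among acceptable errors
    kind, x, y = a
    if kind == "grant":         return replace(s, granted=s.granted | {(x, y)}), "ok"
    if kind == "revoke":        return replace(s, granted=s.granted - {(x, y)}), "ok"
    if kind == "delegate_perm": return replace(s, perm_delegated=s.perm_delegated | {(x, y)}), "ok"
    if kind == "delegate_temp": return replace(s, temp_delegated=s.temp_delegated | {(x, y)}), "ok"
    if kind == "stop":  # temporary delegations vanish with the instance, permanent ones stay
        return replace(s, running=frozenset(r for r in s.running if r[0] != x),
                       temp_delegated=frozenset(t for t in s.temp_delegated if t[0] != x)), "ok"
    return s, "ok"  # read: allowed, state unchanged

def sound(s, a):
    """Correctness obligation: an error answer is one ErrorMsg accepts; 'ok' implies validity."""
    _, r = step(s, a)
    return valid(s, a) if r == "ok" else error_msg(s, a, r)
```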
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Betarte, G., Campo, J., Gorostiaga, F., Luna, C. (2018). A Certified Reference Validation Mechanism for the Permission Model of Android. In: Fioravanti, F., Gallagher, J. (eds) Logic-Based Program Synthesis and Transformation. LOPSTR 2017. Lecture Notes in Computer Science(), vol 10855. Springer, Cham. https://doi.org/10.1007/978-3-319-94460-9_16
DOI: https://doi.org/10.1007/978-3-319-94460-9_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94459-3
Online ISBN: 978-3-319-94460-9