Skip to main content
SpringerLink
Log in
SpringerLink
Log in

Inferring Required Permissions for Statically Composed Programs

  • Conference paper
Secure IT Systems (NordSec 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8208))

Included in the following conference series:

  • 1422 Accesses

Abstract

Permission-based security models are common in smartphone operating systems. Such models implement access control for sensitive APIs, introducing an additional concern for application developers. It is important for the correct set of permissions to be declared for an application, as too small a set is likely to result in runtime errors, whereas too large a set may needlessly worry users. Unfortunately, not all platform vendors provide tools support to assist in determining the set of permissions that an application requires.

We present a language-based solution for permission management. It entails the specification of permission information within a collection of source code, and allows for the inference of permission requirements for a chosen program composition. Our implementation is based on Magnolia, a programming language demonstrating characteristics that are favorable for this use case. A language with a suitable component system supports permission management also in a cross-platform codebase, allowing abstraction over different platform-specific implementations and concrete permission requirements. When the language also requires any “wiring” of components to be known at compile time, and otherwise makes design tradeoffs that favor ease of static analysis, then accurate inference of permission requirements becomes possible.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Android Open Source Project: Android Developers, https://developer.android.com/ (retrieved May 2013)

  2. Au, K.W.Y., Zhou, Y.F., Huang, Z., Gill, P., Lie, D.: Short paper: A look at smartphone permission models. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, pp. 63–68 (2011)

    Google Scholar 

  3. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the Android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 217–228 (2012)

    Google Scholar 

  4. Bagge, A.H.: Separating exceptional concerns. In: Proceedings of the 5th International Workshop on Exception Handling (WEH 2012), pp. 49–51. IEEE (June 2012)

    Google Scholar 

  5. Bagge, A.H., David, V., Haveraaen, M., Kalleberg, K.T.: Stayin’ alert: Moulding failure and exceptions to your needs. In: Proceedings of the 5th International Conference on Generative Programming and Component Engineering (GPCE 2006). ACM Press, Portland (2006)

    Google Scholar 

  6. Bagge, A.H., Haveraaen, M.: Interfacing concepts: Why declaration style shouldn’t matter. In: Ekman, T., Vinju, J.J. (eds.) Proceedings of the Ninth Workshop on Language Descriptions, Tools and Applications (LDTA 2009). Electronic Notes in Theoretical Computer Science, vol. 253, pp. 37–50. Elsevier, New York (2010)

    Google Scholar 

  7. Bagge, A.H., Haveraaen, M.: The Magnolia programming language (2013), http://magnolia-lang.org/ (retrieved May 2013)

  8. Bagge, A.H., Haveraaen, M.: Programming by concept (2013) (unpublished manuscript)

    Google Scholar 

  9. Batory, D., Sarvela, J., Rauschmayer, A.: Scaling step-wise refinement. IEEE Transactions on Software Engineering 30(6), 355–371 (2004)

    Article  Google Scholar 

  10. Benavides, D., Segura, S., Ruiz-Cort’es, A.: Automated analysis of feature models 20 years later: A literature review. Information Systems 35(6), 615–636 (2010)

    Article  Google Scholar 

  11. Bergen Language Design Laboratory: Anyxporter, https://github.com/bldl/anyxporter

  12. BlackBerry: BlackBerry Developer, http://developer.blackberry.com/ (retrieved May 2013)

  13. BlackBerry: BlackBerry 10 Native SDK 10.0.9. Software distribution (December 2012)

    Google Scholar 

  14. Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A practical system for verifying concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  15. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638 (2011)

    Google Scholar 

  16. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: User attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14 (2012)

    Google Scholar 

  17. Gay, D., Levis, P., von Behren, R., Welsh, M., Brewer, E., Culler, D.: The nesC language: A holistic approach to networked embedded systems. SIGPLAN Not. 38(5), 1–11 (2003)

    Article  Google Scholar 

  18. Hasu, T.: ContextLogger2—a tool for smartphone data gathering. Tech. Rep. 2010-1, Helsinki Institute for Information Technology HIIT, Aalto University (August 2010)

    Google Scholar 

  19. Heath, C.: Symbian OS Platform Security: Software Development Using the Symbian OS Security Architecture. Wiley (February 2006)

    Google Scholar 

  20. Hernie, D.: Windows Phone 8 security deep dive. Slide set (October 2012)

    Google Scholar 

  21. Kostiainen, K., Reshetova, E., Ekberg, J.E., Asokan, N.: Old, new, borrowed, blue – a perspective on the evolution of mobile platform security architectures. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, CODASPY 2011, pp. 13–24 (2011)

    Google Scholar 

  22. Microsoft: Microsoft Developer Network, http://msdn.microsoft.com/ (retrieved July 2013)

  23. mssf-team: Mobile simplified security framework (May 2012), http://gitorious.org/meego-platform-security

  24. Nokia Corporation: Nokia Developer, http://www.developer.nokia.com/ (retrieved May 2013)

  25. Nokia Corporation: Qt Mobility 1.2: Qt Mobility project reference documentation (2011), http://doc.qt.digia.com/qtmobility/

  26. Samsung: bada Developers, http://developer.bada.com (retrieved March 2013)

  27. Samsung: bada SDK 2.0.0. Software distribution (August 2011)

    Google Scholar 

  28. Tizen Project: Tizen Developers dev guide, https://developer.tizen.org/ (retrieved May 2013)

  29. Tizen Project: Tizen SDK 2.0. Software distribution (February 2013)

    Google Scholar 

  30. Vidas, T., Christin, N., Cranor, L.: Curbing Android permission creep. In: Proceedings of the Web 2.0 Security and Privacy 2011 Workshop (W2SP 2011), Oakland, CA (May 2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Bergen Language Design Laboratory, Department of Informatics, University of Bergen, Norway

    Tero Hasu, Anya Helene Bagge & Magne Haveraaen

Authors
  1. Tero Hasu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anya Helene Bagge
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Magne Haveraaen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Applied Mathematics and Computer Science, DTU Compute, Technical University of Denmark, Richard Petersens Plades, Building 322, 2800, Lyngby, Denmark

    Hanne Riis Nielson

  2. Institut für Sicherheit in verteilten Anwendungen, Technische Universität Hamburg-Harburg, E-15, Harburger Schloßstraße 20, 21079, Hamburg, Germany

    Dieter Gollmann

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hasu, T., Bagge, A.H., Haveraaen, M. (2013). Inferring Required Permissions for Statically Composed Programs. In: Riis Nielson, H., Gollmann, D. (eds) Secure IT Systems. NordSec 2013. Lecture Notes in Computer Science, vol 8208. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41488-6_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-41488-6_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41487-9

  • Online ISBN: 978-3-642-41488-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation