Skip to main content

Introducing Probabilities in Contract-Based Approaches for Mobile Application Security

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8247)

Abstract

Security for mobile devices is a problem of capital importance, especially due to new threats coming from malicious applications. This has been proved by the increasing interest of the research community on the topic of security on mobile devices. Several security solutions have been recently proposed, to address the uprising threats coming from malicious applications. However, several mechanisms may result not flexible enough, hard to apply, or too coarse grained, e.g. several critics have been raised against the Android permission system.

We argue that, it is possible to obtain more flexible security tools and finer grained security requirements by introducing probability measurements.

In this paper we discuss how to introduce probabilistic clauses into the Security-by-Contract and the Security-by-Contract-with-Trust frameworks, revising the main building blocks and providing tools to write probabilistic contracts and policies. A proof-of-concept implementation on Android system has also been presented.

Keywords

  • Probabilistic contract
  • Probabilistic policy compliance
  • Contract-based security approaches
  • Run-time enforcement

The research leading to these results has received funding from the EU Seventh Framework Programme (FP7/2007-2013) under grant n. 256980 (NESSoS), n. 257930 (Aniketos), from PRIN Security Horizons funded by MIUR with D.D. 23.10.2012 n. 719, and EIT ICT Labs activity 13077.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-642-54568-9_18
  • Chapter length: 16 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-642-54568-9
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   79.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.

References

  1. Dragoni, N., Martinelli, F., Massacci, F., Mori, P., Schaefer, C., Walter, T., Vetillard, E.: Security-by-contract (\({\text{ S } \times \text{ C }}\)) for software and services of mobile systems. In: At Your Service - Service-Oriented Computing from an EU Perspective. MIT Press, Cambridge (2008)

    Google Scholar 

  2. Costa, G., Dragoni, N., Lazouski, A., Martinelli, F., Massacci, F., Matteucci, I.: Extending Security-by-Contract with quantitative trust on mobile devices. In: Proceeding of the Fourth International Conference on Complex, Intelligent and Software Intensive Systems, pp. 872–877. IEEE Computer Society (2010)

    Google Scholar 

  3. Costa, G., Dragoni, N., Issarny, V., Lazouski, A., Martinelli, F., Massacci, F., Matteucci, I., Saadi, R.: Security-by-Contract-with-Trust for mobile devices. JOWUA 1(4), 75–91 (2010)

    Google Scholar 

  4. Greci, P., Martinelli, F., Matteucci, I.: A framework for contract-policy matching based on symbolic simulations for securing mobile device application. In: Margaria, T., Steffen, B. (eds.) ISoLA 2008. CCIS, vol. 17, pp. 221–236. Springer, Heidelberg (2008)

    Google Scholar 

  5. Necula, G.C.: Proof-carrying code. In: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’97), pp. 106–119 (1997)

    Google Scholar 

  6. Sekar, R., Venkatakrishnan, V., Basu, S., Bhatkar, S., DuVarney, D.C.: Model-carrying code: a practical approach for safe execution of untrusted applications. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pp. 15–28 (2003)

    Google Scholar 

  7. Hermanns, H., Parma, A., Segala, R., Wachter, B., Zhang, L.: Probabilistic logical characterization. Inf. Comput. 209(2), 154–172 (2011)

    CrossRef  MATH  MathSciNet  Google Scholar 

  8. Baier, C., Engelen, B., Majster-Cederbaum, M.: Deciding bisimilarity and similarity for probabilistic processes. J. Comput. Syst. Sci. 60(1), 187–231 (2000)

    CrossRef  MATH  MathSciNet  Google Scholar 

  9. Sharkey, M.I.: Probabilistic proof-carrying code. Ph.D. thesis, Carleton University (2012)

    Google Scholar 

  10. Tsukada, Y.: Interactive and probabilistic proof of mobile code safety. Autom. Software Eng. 12(2), 237–257 (2005)

    CrossRef  Google Scholar 

  11. Desharnais, J., Laviolette, F., Tracol, M.: Approximate analysis of probabilistic processes: logic, simulation and games. In: Proceedings of the 2008 Fifth International Conference on Quantitative Evaluation of Systems, QEST ’08, pp. 264–273. IEEE Computer Society, Washington DC (2008)

    Google Scholar 

  12. Aldini, A., Martinelli, F., Saracino, A., Sgandurra, D.: A collaborative framework for generating probabilistic contracts. In: Smari, W.W., Fox, G.C. (eds.) Proceedings of the 2013 IEEE International Conference on Collaboration Technologies and Systems, SECOTS 2013, pp. 139–143. IEEE Computer Society, San Diego (2013)

    Google Scholar 

  13. Juniper Networks Global Threat Center: Malicious Mobile Threats Report 2010/2011 (2011)

    Google Scholar 

  14. Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) TRUST 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)

    Google Scholar 

  15. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. Technical report, Electrical Engineering and Computer Sciences, University of California at Berkeley (2012) http://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-26.html

  16. Dragoni, N., Massacci, F.: Security-by-contract for web services. In: SWS, pp. 90–98 (2007)

    Google Scholar 

  17. Gadyatskaya, O., Massacci, F., Philippov, A.: Security-by-Contract for the OSGi platform. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 364–375. Springer, Heidelberg (2012)

    Google Scholar 

  18. Easwaran, A., Kannan, S., Lee, I.: Optimal control of software ensuring safety and functionality. Technical Report MS-CIS-05-20, University of Pennsylvania (2005)

    Google Scholar 

  19. Martinelli, F., Morisset, C.: Quantitative access control with partially-observable markov decision processes. In: Proceedings of CODASPY ’12, pp. 169–180. ACM (2012)

    Google Scholar 

  20. Bielova, N., Massacci, F.: Predictability of enforcement. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 73–86. Springer, Heidelberg (2011)

    Google Scholar 

  21. Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: a multi-level anomaly detector for android malware. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 240–253. Springer, Heidelberg (2012)

    Google Scholar 

  22. Delahaye, B., Caillaud, B., Legay, A.: Probabilistic contracts: a compositional reasoning methodology for the design of stochastic systems. In: 10th International Conference on Application of Concurrency to System Design (ACSD), 2010, IEEE (2010)

    Google Scholar 

  23. Hoang, X.A., Hu, J.: An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls. In: 12th IEEE International Conferecence on Networks, ICON 2004. vol. 2, pp. 470–474. IEEE (2004)

    Google Scholar 

  24. Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE Trans. Dependable Secure Comput. 7(4), 381–395 (2010)

    CrossRef  Google Scholar 

  25. Koresow, A.P.: Intrusion detection via system call traces. Software 14(5), 35–42 (1997)

    CrossRef  Google Scholar 

  26. Briffaut, J., Lefebvre, E., Rouzaud-Cornabas, J., Toinard, C.: PIGA-Virt: an advanced distributed MAC protection of virtual systems. In: Alexander, M., et al. (eds.) Euro-Par 2011, Part II. LNCS, vol. 7156, pp. 416–425. Springer, Heidelberg (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Daniele Sgandurra .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dini, G., Martinelli, F., Matteucci, I., Saracino, A., Sgandurra, D. (2014). Introducing Probabilities in Contract-Based Approaches for Mobile Application Security. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2013 2013. Lecture Notes in Computer Science(), vol 8247. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54568-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-54568-9_18

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-54567-2

  • Online ISBN: 978-3-642-54568-9

  • eBook Packages: Computer ScienceComputer Science (R0)