472 research outputs found

    A new revocable and re-delegable proxy signature and its application

    With the popularity of cloud computing and mobile Apps, on-demand services such as on-line music or audio streaming and vehicle booking are widely available nowadays. In order to allow efficient delivery and management of the services, for large-scale on-demand systems, there is usually a hierarchy where the service provider can delegate its service to a top-tier (e.g., countrywide) proxy who can then further delegate the service to lower level (e.g., region-wide) proxies. Secure (re-)delegation and revocation are among the most crucial factors for such systems. In this paper, we investigate the practical solutions for achieving re-delegation and revocation utilizing proxy signature. Although proxy signature has been extensively studied in the literature, no previous solution can achieve both properties. To fill the gap, we introduce the notion of revocable and re-delegable proxy signature that supports efficient revocation and allows a proxy signer to re-delegate its signing right to other proxy signers without the interaction with the original signer. We define the formal security models for this new primitive and present an efficient scheme that can achieve all the security properties. We also present a secure on-line revocable and re-delegate vehicle ordering system (RRVOS) as one of the applications of our proposed scheme

    Service re-routing for service network graph: efficiency, scalability and implementation

    The key to success in Next Generation Network is service routing in which service requests may need to be redirected as in the case of the INVITE request in Session Initiation Protocol. Service Path (SPath) holds the authentication and server paths alongside service information. As the number of hops in a redirection increases, the length of SPath increases. The overhead for service routing protocols which use SPath increases with the length of SPath. Hence it is desirable to optimize SPath to ensure efficiency and scalability of protocols involving service routing. In this paper, we propose a re-routing strategy to optimize service routing, and demonstrate how this strategy can be implemented using SPath to enhance the efficiency and scalability of Service Network Graph (SNG)

    Compartmentation policies for Android apps: A combinatorial optimization approach

    Some smartphone platforms such as Android have a distinctive message passing system that allows for sophisticated interactions among app components, both within and across app boundaries. This gives rise to various security and privacy risks, including not only intentional collusion attacks via permission re-delegation but also inadvertent disclosure of information and service misuse through confused deputy attacks. In this paper, we revisit the perils of app coexistence in the same platform and propose a risk mitigation mechanism based on segregating apps into isolated groups following classical security compartmentation principles. Compartments can be implemented using lightweight approaches such as Inter-Component Communication (ICC) firewalling or through virtualization, effectively fencing off each group of apps. We then leverage recent works on quantified risk metrics for Android apps to couch compartmentation as a combinatorial optimization problem akin to the classical bin packing or knapsack problems. We study a number of simple yet effective numerical optimization heuristics, showing that very good compartmentation solutions can be obtained for the problem sizes expected in current mobile environments

    AdSplit: Separating smartphone advertising from applications

    A wide variety of smartphone applications today rely on third-party advertising services, which provide libraries that are linked into the hosting application. This situation is undesirable for both the application author and the advertiser. Advertising libraries require additional permissions, resulting in additional permission requests to users. Likewise, a malicious application could simulate the behavior of the advertising library, forging the user's interaction and effectively stealing money from the advertiser. This paper describes AdSplit, where we extended Android to allow an application and its advertising to run as separate processes, under separate user-ids, eliminating the need for applications to request permissions on behalf of their advertising libraries. We also leverage mechanisms from Quire to allow the remote server to validate the authenticity of client-side behavior. In this paper, we quantify the degree of permission bloat caused by advertising, with a study of thousands of downloaded apps. AdSplit automatically recompiles apps to extract their ad services, and we measure minimal runtime overhead. We also observe that most ad libraries just embed an HTML widget within and describe how AdSplit can be designed with this in mind to avoid any need for ads to have native code

    Security Code Smells in Android ICC

    Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities. Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201

    Android application evolution and malware detection

    Android has dominated the mobile market for a few years now, and continues to increase its market share. Meanwhile, Android has seen a sharper increase in malware. It is a matter of utmost urgency to find a better way to detect Android malware. In this thesis, we use static code analysis to extract the Android application security features and two different classification models to detect Android malware. Our permissions-based classification model can achieve 96.5% accuracy, 97.2% TPR and 95.5% TNR with lower overhead. Compared with others’ work, our results increase the accuracy by 4.9%, TPR by 5.6% and TNR by 3.9%. By using multiple security metrics in the classification model, the detection rate increases to 99.3% accuracy, 99.5% TPR and 99% TNR. Moreover, we investigate Android application security evolution. The data shows that more than half of the applications have security vulnerabilities and/or dangerous behaviors. The security problems remain or are even worse in the updated versions of most applications. Based on this result, we argue that there can be a higher chance to impose an update attack, where the malware is contained in the updated version of a benign application. Our multiple-metrics based classification model is adapted to detect the update attack and can achieve a similar or even better detection rate based on our initial results

    Security analysis of finance and healthcare android applications

    Thesis (M.S.)--Boston University. Android is a major mobile operating system pre-installed and shipped with more than 60% of smart-phones in the market. The open source nature of Android encourages developers to innovate a wide range of applications. Meantime, the sweeping Android acceptance with individuals and industries caught the attention of malicious software writers, which led to a sharp increase of security threats. Such threats raise a deeper concern in financial and healthcare applications that are inherently bound to handle private and sensitive information. The research provides a deeper analysis on security vulnerabilities of Android applications in the finance and healthcare category, from the official Google app store. It is proposed and implemented a security analysis framework that takes account of a wide range of vulnerability metrics to provide a unified and quantified method of measuring Android applications' vulnerability. The framework implementation automated the process of crawling Google's app store, downloading application packages to a repository and conducting vulnerability analysis. It automatically extracts security parameters, measures vulnerability metrics and generates a vulnerability report. The security parameters were extracted from the manifest, de-compiled source code and app store meta-data. The analysis, on the top 632 free apps from the finance and medical category, revealed that on average financial apps were found to be more vulnerable than medical apps. Medical apps have the maximum value for all types of vulnerabilities. Furthermore, a descriptive statistical analysis on the vulnerability metrics revealed that there is a linear relationship between implicitly open components and the number of times they access sensitive Android resources

    AGENCY, ASSOCIATIONS AND CULTURE: A THALE OF STATE AND SOCIETY

    The way in which the social subjects take decisions, the interactions established between these, the web of social institutions and rules, the architecture of the power relationships between the various “points of social coagulation” have as a foundation a complex set of determinants, in which the “pure” economic factors have an important, but not unique role. Thus, this paper intends to draft a possible analytical framework, capable of allowing the stress of some existing connections between the cultural variables, the social actions and the role of the public power. Heavily indebted to OLSON and NOZICK, the starting point is made out by a version of the mandate theory, within the way in which society, as a whole, as well as its individual components, delegates a certain set of social responsibilities to the public authorities, based on some social utility functions, which include the characteristics of the dominant cultural model. Part I of the paper deals with the elements of the theoretical foundation, elements resumed by a set of critical postulates and a special definition of state as the dominant agency in a social space and also of the negotiation/parallel associations. Part II is an attempt to examine some empirical evidences in the favor of some results derived from this foundation. The main conclusion of the paper could be resumed by the idea that trying to describe the interactions between state and society without taking into the account the characteristics of the cultural paradigm is equivalent to talk about Hamlet without mentioning the prince of Denmark. agency, negotiation/parallel associations, cultural paradigm