105 research outputs found
Abstract Certification of Java Programs in Rewriting Logic
In this thesis we propose an abstraction based certification technique for Java programs which is based on rewriting logic, a very general logical and semantic framework efficiently implemented in the functional programming language Maude. We focus on safety properties, i.e. properties of a system that are defined in terms of certain events not happening, which we characterize as unreachability problems in rewriting logic. The safety policy is expressed in the style of JML, a standard property specification language for Java modules.
In order to provide a decision procedure, we enforce finite-state models of programs by using abstract interpretation.
Starting from a specification of the Java semantics written in Maude, we develop an abstraction based,
finite-state operational semantics also written in Maude which is appropriate for program verification.
As a by-product of the verification based on abstraction, a dependable safety certificate is delivered which consists of a set of rewriting proofs that can be easily checked by the code consumer by using a standard rewriting logic engine. The abstraction based proof-carrying code technique, called JavaPCC, has been implemented and successfully tested on several examples, which demonstrate the feasibility of our approach.
We analyse local properties of Java methods: i.e. properties of methods regarding their parameters and results. We also study global confidentiality properties of complete Java classes, by initially considering non--interference and, then, erasure with and without non--interference. Non--interference is a semantic program property that assigns confidentiality levels to data objects and prevents illicit information flows from occurring from high to low security levels. In this thesis, we present a novel security model for global non--interference which approximates non--interference as a safety property.Alba Castro, MF. (2011). Abstract Certification of Java Programs in Rewriting Logic [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/13617Palanci
LJGS: Gradual Security Types for Object-Oriented Languages
LJGS is a lightweight Java core calculus with a gradual security type system. The calculus guarantees secure information flow for
sequential, class-based, typed object-oriented programming with
mutable objects and virtual method calls. An LJGS program is
composed of fragments that are checked either statically or
dynamically. Statically checked fragments adhere to a security type
system so that they incur no run-time penalty whereas dynamically
checked fragments rely on run-time security labels. The programmer
marks the boundaries between static and dynamic checking with casts
so that it is always clear whether a program fragment requires
run-time checks. LJGS requires security annotations on fields and
methods. A field annotation either specifies a fixed static
security level or it prescribes dynamic checking. A method
annotation specifies a constrained polymorphic security signature.
The types of local variables in method bodies are analyzed
flow-sensitively and require no annotation. The dynamic checking of
fields relies on a static points-to analysis to approximate implicit
flows. We prove type soundness and non-interference for LJGS
A sound dependency analysis for secure information flow (extended version)
In this paper we present a flow-sensitive analysis for secure information flow for Java bytecode. Our approach consists in computing, at different program points, a dependency graph which tracks how input values of a method may influence its outputs. This computation subsumes a points-to analysis (reflecting how objects depend on each others) by addressing dependencies arising from data of primitive type and from the control flow of the program. Our graph construction is proved to be sound by establishing a non-interference theorem stating that an output value is unrelated with an input one in the dependency graph if the output remains unchanged when the input is modified. In contrast with many type-based information flow techniques, our approach does not require security levels to be known during the computation of the graph: security aspects of information flow are checked by labeling "a posteriori" the dependency graph with security levels
Design and Analysis of Mobile Operating System Security Architecture using Formal Methods
The Android operating system (OS) is now used in the majority of
mobile devices.
Hence, Android security is an important issue to handle. In this
work, we tackle
the problem using two separate approaches: directly modifying
Android OS and
developed a framework to provide a guarantee of
non-interference.
Firstly, we present a design and an implementation of a security
policy specifi-
cation language based on metric linear-time temporal logic (MTL)
to specify timing-
dependent security policies. The design of the language is driven
by the problem of
runtime monitoring of applications in mobile devices. A main case
of the study is the
privilege escalation attack in the Android OS, where an
unprivileged app gains ac-
cess to privileged resource or functionalities through indirect
flow. To capture these
attacks, we extend MTL with recursive definitions to express call
chains between
apps. We then show how our language design can be used to specify
policies to
detect privilege escalation under various fine-grained
constraints. We present a new
algorithm for monitoring safety policies written in our
specification language. The
monitor does not need to store the entire history of events
generated by the apps. We
modified the Android OS kernel to allow us to insert our
generated monitors mod-
ularly. We have tested the modified OS (LogicDroid) on an actual
device, and show
that it is effective in detecting policy violations. Furthermore,
LogicDroid is able to
prevent a previously unknown exploit to breach Android security
which allows an
unprivileged application to access certain critical and
privileged functionalities of an
Android phone, such as making phone calls, terminating phone
calls, and sending
SMS, without having to ask any permissions to do so.
Subsequently, we provided a framework to ensure non-interference
properties
of DEX bytecode. Each application in Android runs in an instance
of the Dalvik
virtual machine, which is a register-based virtual machine (VM).
Most applications
for Android are developed using Java, compiled to Java bytecode
and further into
DEX bytecode. Following a methodology that has been developed for
Java byte-
code certification by Barthe et al., we developed a type-based
method for certifying
non-interference property of a DEX program. To this end, we
develop a formal oper-
ational semantics of the Dalvik VM, a type system for DEX
bytecode, and prove the
soundness of the type system with respect to a notion of
non-interference. We have
also formalized the proof of a subset of DEX in Coq for an
additional guarantee that
our proof is correct.
We then study the translation process from Java bytecode to DEX
bytecode, as
implemented in the dx tool in the Android SDK. We show that an
abstracted version
of the translation from Java bytecode to DEX bytecode preserves
the non-interference
property. More precisely, we show that if the Java bytecode is
typable in Barthe
et al.’s type system, then its translation is typable in our
type system.
This result opens up the possibility to leverage existing
bytecode verifiers for Java to certify
non-interference properties of Android bytecode
Information flow analysis for mobile code in dynamic security environments
With the growing amount of data handled by Internet-enabled
mobile devices, the task of preventing software from leaking
confidential information is becoming increasingly important. At
the same time, mobile applications are typically executed on
different devices whose users have varying requirements for the
privacy of their data. Users should be able to define their
personal information security settings, and they should get a
reliable assurance that the installed software respects these
settings. Language-based information flow security focuses on
the analysis of programs to determine information flows among
accessed data resources of different security levels, and to
verify and formally certify that these flows follow a given
policy. In the mobile code scenario, however, both the dynamic
aspect of the security environment and the fact that mobile
software is distributed as bytecode pose a challenge for existing
static analysis approaches. This thesis presents a
language-based mechanism to certify information flow security in
the presence of dynamic environments. An object-oriented
high-level language as well as a bytecode language are equipped
with facilities to inspect user-defined information flow security
settings at runtime. This way, the software developer can create
privacy-aware programs that can adapt their behaviour to
arbitrary security environments, a property that is formalized as
"universal noninterference". This property is statically
verified by an information flow type system that uses restrictive
forms of dependent types to judge abstractly on the concrete
security policy that is effective at runtime. To verify compiled
bytecode programs, a low-level version of the type system is
presented that works on an intermediate code representation in
which the original program structure is partially restored.
Rigorous soundness proofs and a type-preserving compilation
enable the generation of certified bytecode programs in the style
of proof-carrying code. To show the practical feasibility of the
approach, the system is implemented and demonstrated on a
concrete application scenario, where personal data are sent from
a mobile device to a server on the Internet
- …