Towards Modular and Flexible Access Control on Smart Mobile Devices

Smart mobile devices, such as smartphones and tablets, have become an integral part of our daily personal and professional lives. These devices are connected to a wide variety of Internet services and host a vast amount of applications, which access, store and process security- and privacy-sensitive data. A rich set of sensors, ranging from microphones and cameras to location and acceleration sensors, allows these applications and their back end services to reason about user behavior. Further, enterprise administrators integrate smart mobile devices into their IT infrastructures to enable comfortable work on the go. Unsurprisingly, this abundance of available high-quality information has made smart mobile devices an interesting target for attackers, and the number of malicious and privacy-intrusive applications has steadily been rising. Detection and mitigation of such malicious behavior are in focus of mobile security research today. In particular, the Android operating system has received special attention by both academia and industry due to its popularity and open-source character. Related work has scrutinized its security architecture, analyzed attack vectors and vulnerabilities and proposed a wide variety of security extensions. While these extensions have diverse goals, many of them constitute modifications of the Android operating system and extend its default permission-based access control model. However, they are not generic and only address specific security and privacy concerns. The goal of this dissertation is to provide generic and extensible system-centric access control architectures, which can serve as a solid foundation for the instantiation of use-case specific security extensions. In doing so, we enable security researchers, enterprise administrators and end users to design, deploy and distribute security extensions without further modification of the underlying operating system. To achieve this goal, we first analyze the mobile device ecosystem and discuss how Android's security architecture aims to address its inherent threats. We proceed to survey related work on Android security, focusing on system-centric security extensions, and derive a set of generic requirements for extensible access control architectures targeting smart mobile devices. We then present two extensible access control architectures, which address these requirements by providing policy-based and programmable interfaces for the instantiation of use-case specific security solutions. By implementing a set of practical use-cases, ranging from context-aware access control, dynamic application behavior analysis to isolation of security domains we demonstrate the advantages of system-centric access control architectures over application-layer approaches. Finally, we conclude this dissertation by discussing an alternative approach, which is based on application-layer deputies and can be deployed whenever practical limitations prohibit the deployment of system-centric solutions

On Modularity In Abstract State Machines

In the field of model based formal methods we investigate the Abstract State Machine (ASM) modularity features. With the growing complexity of systems and the experience gained in more than thirty years of ASM method application a need for more manageable models emerged. We mainly investigate the notion of modules in ASMs as independent interacting components and the ability to identify portions of the machine state with the aim of improving the modelling process. In this thesis we provide a language level semantically well defined solution for (1) the definition of ASM modules as independent services and their communication behaviour; (2) a new construct that operates on the global state of an ASM machine that ease the management of state partitions and their identification; (3) a novel transition rule for the management of computations providing different execution strategies and putting termination condition for the machine inside the specification; (4) a data definition convention along with a new transition rule for their manipulation via pattern matching. In our work we build upon CoreASM, a well-known extensible modelling framework and tool environment for ASMs. The semantic of our modularity constructs is compatible with the one defined for the CoreASM interpreter. This ease the implementation of extension plugins for tool support of modularity features. A real world system use case ground model ends the thesis exemplifying the practical usage of our modularity constructs

An All-in-One Debugging Approach: Java Debugging, Execution Visualization and Verification

We devise a widely applicable debugging approach to deal with the prevailing issue that bugs cannot be precisely reproduced in nondeterministic complex concurrent programs. A distinct efficient record-and-playback mechanism is designed to record all the internal states of execution including intermediate results by injecting our own bytecode, which does not affect the source code, and, through a two-step data processing mechanism, these data will be aggregated, structured and parallel processed for the purpose of replay in high fidelity while keeping the overhead at a satisfactory level. Docker and Git are employed to create a clean environment such that the execution will be undertaken repeatedly with a maximum precision of reproducing bugs. In our development, several other forefront technologies, such as MongoDB, Spark and Node.js are utilized and smoothly integrated for easy implementation. Altogether, we develop a system for Java Debugging Execution Visualization and Verification (JDevv), a debugging tool for Java although our debugging approach can apply to other languages as well. JDevv also offers an aggregated and interactive visualization for the ease of users’ code verification