AppGuard — fine-grained policy enforcement for untrusted android applications

Android’s success makes it a prominent target for malicious software. However, the user has very limited control over security-relevant operations. This work presents AppGuard, a powerful and flexible security system that overcomes these deficiencies. It enforces user-defined security policies on untrusted Android applications without requiring any changes to a smartphone’s firmware, root access, or the like. Finegrained and stateful security policies are expressed in a formal specification language, which also supports secrecy requirements. Our system offers complete mediation of security-relevant methods based on calleesite inline reference monitoring and supports widespread deployment. In the experimental analysis we demonstrate the removal of permissions for overly curious apps as well as how to defend against several recent real-world attacks on Android phones. Our technique exhibits very little space and runtime overhead. The utility of AppGuard has already been demonstrated by more than 1,000,000 downloads

Retrofitting privacy controls to stock Android

Android ist nicht nur das beliebteste Betriebssystem für mobile Endgeräte, sondern auch ein ein attraktives Ziel für Angreifer. Um diesen zu begegnen, nutzt Androids Sicherheitskonzept App-Isolation und Zugangskontrolle zu kritischen Systemressourcen. Nutzer haben dabei aber nur wenige Optionen, App-Berechtigungen gemäß ihrer Bedürfnisse einzuschränken, sondern die Entwickler entscheiden über zu gewährende Berechtigungen. Androids Sicherheitsmodell kann zudem nicht durch Dritte angepasst werden, so dass Nutzer zum Schutz ihrer Privatsphäre auf die Gerätehersteller angewiesen sind. Diese Dissertation präsentiert einen Ansatz, Android mit umfassenden Privatsphäreeinstellungen nachzurüsten. Dabei geht es konkret um Techniken, die ohne Modifikationen des Betriebssystems oder Zugriff auf Root-Rechte auf regulären Android-Geräten eingesetzt werden können. Der erste Teil dieser Arbeit etabliert Techniken zur Durchsetzung von Sicherheitsrichtlinien für Apps mithilfe von inlined reference monitors. Dieser Ansatz wird durch eine neue Technik für dynamic method hook injection in Androids Java VM erweitert. Schließlich wird ein System eingeführt, das prozessbasierte privilege separation nutzt, um eine virtualisierte App-Umgebung zu schaffen, um auch komplexe Sicherheitsrichtlinien durchzusetzen. Eine systematische Evaluation unseres Ansatzes konnte seine praktische Anwendbarkeit nachweisen und mehr als eine Million Downloads unserer Lösung zeigen den Bedarf an praxisgerechten Werkzeugen zum Schutz der Privatsphäre.Android is the most popular operating system for mobile devices, making it a prime target for attackers. To counter these, Android’s security concept uses app isolation and access control to critical system resources. However, Android gives users only limited options to restrict app permissions according to their privacy preferences but instead lets developers dictate the permissions users must grant. Moreover, Android’s security model is not designed to be customizable by third-party developers, forcing users to rely on device manufacturers to address their privacy concerns. This thesis presents a line of work that retrofits comprehensive privacy controls to the Android OS to put the user back in charge of their device. It focuses on developing techniques that can be deployed to stock Android devices without firmware modifications or root privileges. The first part of this dissertation establishes fundamental policy enforcement on thirdparty apps using inlined reference monitors to enhance Android’s permission system. This approach is then refined by introducing a novel technique for dynamic method hook injection on Android’s Java VM. Finally, we present a system that leverages process-based privilege separation to provide a virtualized application environment that supports the enforcement of complex security policies. A systematic evaluation of our approach demonstrates its practical applicability, and over one million downloads of our solution confirm user demand for privacy-enhancing tools

A Machine-Checked, Type-Safe Model of Java Concurrency : Language, Virtual Machine, Memory Model, and Verified Compiler

The Java programming language provides safety and security guarantees such as type safety and its security architecture. They distinguish it from other mainstream programming languages like C and C++. In this work, we develop a machine-checked model of concurrent Java and the Java memory model and investigate the impact of concurrency on these guarantees. From the formal model, we automatically obtain an executable verified compiler to bytecode and a validated virtual machine

On the Security of Software Systems and Services

This work investigates new methods for facing the security issues and threats arising from the composition of software. This task has been carried out through the formal modelling of both the software composition scenarios and the security properties, i.e., policies, to be guaranteed. Our research moves across three different modalities of software composition which are of main interest for some of the most sensitive aspects of the modern information society. They are mobile applications, trust-based composition and service orchestration. Mobile applications are programs designed for being deployable on remote platforms. Basically, they are the main channel for the distribution and commercialisation of software for mobile devices, e.g., smart phones and tablets. Here we study the security threats that affect the application providers and the hosting platforms. In particular, we present a programming framework for the development of applications with a static and dynamic security support. Also, we implemented an enforcement mechanism for applying fine-grained security controls on the execution of possibly malicious applications. In addition to security, trust represents a pragmatic and intuitive way for managing the interactions among systems. Currently, trust is one of the main factors that human beings keep into account when deciding whether to accept a transaction or not. In our work we investigate the possibility of defining a fully integrated environment for security policies and trust including a runtime monitor. Finally, Service-Oriented Computing (SOC) is the leading technology for business applications distributed over a network. The security issues related to the service networks are many and multi-faceted. We mainly deal with the static verification of secure composition plans of web services. Moreover, we introduce the synthesis of dynamic security checks for protecting the services against illegal invocations

Plugging in trust and privacy : three systems to improve widely used ecosystems

The era of touch-enabled mobile devices has fundamentally changed our communication habits. Their high usability and unlimited data plans provide the means to communicate any place, any time and lead people to publish more and more (sensitive) information. Moreover, the success of mobile devices also led to the introduction of new functionality that crucially relies on sensitive data (e.g., location-based services). With our today’s mobile devices, the Internet has become the prime source for information (e.g., news) and people need to rely on the correctness of information provided on the Internet. However, most of the involved systems are neither prepared to provide robust privacy guarantees for the users, nor do they provide users with the means to verify and trust in delivered content. This dissertation introduces three novel trust and privacy mechanisms that overcome the current situation by improving widely used ecosystems. With WebTrust we introduce a robust authenticity and integrity framework that provides users with the means to verify both the correctness and authorship of data transmitted via HTTP. X-pire! and X-pire 2.0 offer a digital expiration date for images in social networks to enforce post-publication privacy. AppGuard enables the enforcement of fine-grained privacy policies on third-party applications in Android to protect the users privacy.Heutige Mobilgeräte mit Touchscreen haben unsere Kommunikationsgewohnheiten grundlegend geändert. Ihre intuitive Benutzbarkeit gepaart mit unbegrenztem Internetzugang erlaubt es uns jederzeit und überall zu kommunizieren und führt dazu, dass immer mehr (vertrauliche) Informationen publiziert werden. Des Weiteren hat der Erfolg mobiler Geräte zur Einführung neuer Dienste die auf vertraulichen Daten aufbauen (z.B. positionsabhängige Dienste) beigetragen. Mit den aktuellen Mobilgeräten wurde zudem das Internet die wichtigste Informationsquelle (z.B. für Nachrichten) und die Nutzer müssen sich auf die Korrektheit der von dort bezogenen Daten verlassen. Allerdings bieten die involvierten Systeme weder robuste Datenschutzgarantien, noch die Möglichkeit die Korrektheit bezogener Daten zu verifizieren. Diese Dissertation führt drei neue Mechanismen für das Vertrauen und den Datenschutz ein, die die aktuelle Situation in weit verbreiteten Systemen verbessern. WebTrust, ein robustes Authentizitäts- und Integritätssystem ermöglicht es den Nutzern sowohl die Korrektheit als auch die Autorenschaft von über HTTP übertragenen Daten zu verifizieren. X-pire! und X-pire 2.0 bieten ein digitales Ablaufdatum für Bilder in sozialen Netzwerken um Daten auch nach der Publikation noch vor Zugriff durch Dritte zu schützen. AppGuard ermöglicht das Durchsetzen von feingranularen Datenschutzrichtlinien für Drittanbieteranwendungen in Android um einen angemessen Schutz der Nutzerdaten zu gewährleisten

Plugging in trust and privacy : three systems to improve widely used ecosystems

The era of touch-enabled mobile devices has fundamentally changed our communication habits. Their high usability and unlimited data plans provide the means to communicate any place, any time and lead people to publish more and more (sensitive) information. Moreover, the success of mobile devices also led to the introduction of new functionality that crucially relies on sensitive data (e.g., location-based services). With our today’s mobile devices, the Internet has become the prime source for information (e.g., news) and people need to rely on the correctness of information provided on the Internet. However, most of the involved systems are neither prepared to provide robust privacy guarantees for the users, nor do they provide users with the means to verify and trust in delivered content. This dissertation introduces three novel trust and privacy mechanisms that overcome the current situation by improving widely used ecosystems. With WebTrust we introduce a robust authenticity and integrity framework that provides users with the means to verify both the correctness and authorship of data transmitted via HTTP. X-pire! and X-pire 2.0 offer a digital expiration date for images in social networks to enforce post-publication privacy. AppGuard enables the enforcement of fine-grained privacy policies on third-party applications in Android to protect the users privacy.Heutige Mobilgeräte mit Touchscreen haben unsere Kommunikationsgewohnheiten grundlegend geändert. Ihre intuitive Benutzbarkeit gepaart mit unbegrenztem Internetzugang erlaubt es uns jederzeit und überall zu kommunizieren und führt dazu, dass immer mehr (vertrauliche) Informationen publiziert werden. Des Weiteren hat der Erfolg mobiler Geräte zur Einführung neuer Dienste die auf vertraulichen Daten aufbauen (z.B. positionsabhängige Dienste) beigetragen. Mit den aktuellen Mobilgeräten wurde zudem das Internet die wichtigste Informationsquelle (z.B. für Nachrichten) und die Nutzer müssen sich auf die Korrektheit der von dort bezogenen Daten verlassen. Allerdings bieten die involvierten Systeme weder robuste Datenschutzgarantien, noch die Möglichkeit die Korrektheit bezogener Daten zu verifizieren. Diese Dissertation führt drei neue Mechanismen für das Vertrauen und den Datenschutz ein, die die aktuelle Situation in weit verbreiteten Systemen verbessern. WebTrust, ein robustes Authentizitäts- und Integritätssystem ermöglicht es den Nutzern sowohl die Korrektheit als auch die Autorenschaft von über HTTP übertragenen Daten zu verifizieren. X-pire! und X-pire 2.0 bieten ein digitales Ablaufdatum für Bilder in sozialen Netzwerken um Daten auch nach der Publikation noch vor Zugriff durch Dritte zu schützen. AppGuard ermöglicht das Durchsetzen von feingranularen Datenschutzrichtlinien für Drittanbieteranwendungen in Android um einen angemessen Schutz der Nutzerdaten zu gewährleisten

Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

Progetto e Realizzazione di una Architettura Software per il Monitoraggio dell'Esecuzione di Applicazioni per Dispositivi Mobili

Negli ultimi anni, il crescente sviluppo tecnologico ha permesso la realizzazione di dispositivi portatili sempre più potenti ed efficienti. Una simile innovazione ha consentito di aumentare le opportunità nel campo della computazione mobile, permettendo ai dispositivi portatili di gestire funzionalità un tempo delegate prettamente agli ambienti desktop. Nello scenario della computazione mobile, il framework applicativo Java 2 Micro Edition (J2ME) si sta sempre più affermando come tecnologia di riferimento, grazie anche alle caratteristiche di sicurezza offerte dall‟ambiente d‟esecuzione. Il framework J2ME, pur utilizzando un modello di sicurezza efficace per il controllo delle applicazioni, non consente di specificare con sufficiente dettaglio, quali comportamenti dell‟applicazione possono essere considerati “dannosi” dall‟utente proprietario del dispositivo mobile, ed una simile mancanza di risoluzione lascia spazio ad esecuzioni potenzialmente rischiose di codice ritenuto corretto. Nel 2006 la comunità europea ha dato vita ad un progetto di ricerca denominato Security of Software and Services for Mobile Systems (S3MS) per lo sviluppo di modelli e strumenti in grado di fronteggiare simili problematiche, sempre più di primo piano con il diffondersi delle tecnologie mobili di ultima generazione. Il presente lavoro di tesi è stato svolto nell‟ambito del progetto S3MS e sfrutta i risultati conseguiti dal progetto per lo sviluppo di un nuovo approccio al problema del monitoraggio dell‟esecuzione di applicazioni J2ME. Il lavoro presentato è mirato alla realizzazione di un‟architettura in grado di estendere il modello di sicurezza J2ME attuale senza la necessità di modificarne la struttura originale