Practical, formal synthesis and automatic enforcement of security policies for Android

Hamid Bagheri, Alireza Sadeghi, Reyhaneh Jabbarvand, Sam Malek

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

As the dominant mobile computing platform, Android has become a prime target for cyber-security attacks. Many of these attacks are manifested at the application level, and through the exploitation of vulnerabilities in apps downloaded from the popular app stores. Increasingly, sophisticated attacks exploit the vulnerabilities in multiple installed apps, making it extremely difficult to foresee such attacks, as neither the app developers nor the store operators know a priori which apps will be installed together. This paper presents an approach that allows the end-users to safeguard a given bundle of apps installed on their device from such attacks. The approach, realized in a tool, called SEPAR, combines static analysis with lightweight formal methods to automatically infer security-relevant properties from a bundle of apps. It then uses a constraint solver to synthesize possible security exploits, from which fine-grained security policies are derived and automatically enforced to protect a given device. In our experiments with over 4,000 Android apps, SEPAR has proven to be highly effective at detecting previously unknown vulnerabilities as well as preventing their exploitation.

Original language: English (US)
Title of host publication: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 514-525
Number of pages: 12
ISBN (Electronic): 9781467388917
State: Published - Sep 29 2016
Externally published: Yes
Event: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 - Toulouse, France
Duration: Jun 28 2016 to Jul 1 2016

Publication series

Name: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

Other

Other: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Country/Territory: France
City: Toulouse
Period: 6/28/16 to 7/1/16

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
