A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification

Abstract

Mobile operating systems such as Android are facing serious security risk. First, they have a large number of users and store a large number of users’ private data, which have become major targets of network attack; second, their openness leads to high security risks; third, their coarse-grained static permission control mechanism leads to a large number of privacy leaks. Recent decentralized information flow control (DIFC) operating systems such as Asbestos, HiStar, and Flume dynamically adjust the label of each process. Asbestos contains inherent covert channels due to this implicit label adjustment. The others close these covert channels through the use of explicit label change, but this impedes communication and increases performance overhead. We present an enhanced implicit label change model (EILCM) for mobile operating systems that can close the known covert channel in these models with implicit label change and supports dynamic constraints on tags for separation of duty. We also formally analyze the reasons why EILCM can close the known covert channels and prove that abstract EILCM systems have the security property of noninterference with declassification by virtue of the model checker tool FDR. We also prove that the problem of EILCM policy verification is NP-complete and propose a backtrack-based search algorithm to solve the problem. Experiments are presented to show that the algorithm is effective.