Publication


Featured research published by Alessandro Armando.


ACM Symposium on Applied Computing | 2013

Bring your own device, securely

Alessandro Armando; Gabriele Costa; Alessio Merlo

Modern mobile devices offer users powerful computational capabilities and complete customization. As a matter of fact, today smartphones and tablets have remarkable hardware profiles and a cornucopia of applications. Yet, the security mechanisms offered by most popular mobile operating systems offer only limited protection to the threats posed by malicious applications that may be inadvertently installed by the users and therefore they do not meet the security standards required in corporate environments. In this paper we propose a security framework for mobile devices that ensures that only applications complying with the organization security policy can be installed. This is done by inferring behavioral models from applications and by validating them against the security policy. We also present BYODroid, a prototype implementation of our proposed security framework for the Android OS.


Trustworthy Global Computing | 2012

Formal Modeling and Reasoning about the Android Security Framework

Alessandro Armando; Gabriele Costa; Alessio Merlo

Android OS is currently the most widespread mobile operating system and is very likely to remain so in the near future. The number of available Android applications will soon reach the staggering figure of 500,000, with an average of 20,000 applications being introduced in the Android Market over the last 6 months. Since many applications (e.g., home banking applications) deal with sensitive data, the security of Android is receiving a growing attention by the research community. However, most of the work assumes that Android meets some given high-level security goals (e.g., sandboxing of applications). Checking whether these security goals are met is therefore of paramount importance. Unfortunately this is also a very difficult task due to the lack of a detailed security model encompassing not only the interaction among applications but also the interplay between the applications and the functionalities offered by Android. To remedy this situation in this paper we propose a formal model of Android OS that allows one to formally state the high-level security goals as well as to check whether these goals are met or to identify potential security weaknesses.


Conference on Data and Application Security and Privacy | 2012

Efficient run-time solving of RBAC user authorization queries: pushing the envelope

Alessandro Armando; Silvio Ranise; Fatih Turkmen; Bruno Crispo

The User Authorization Query (UAQ) Problem for Role-Based Access Control (RBAC) amounts to determining a set of roles to be activated in a given session in order to achieve some permissions while satisfying a collection of authorization constraints governing the activation of roles. Techniques ranging from greedy algorithms to reduction to (variants of) the propositional satisfiability (SAT) problem have been used to tackle the UAQ problem. Unfortunately, available techniques suffer two major limitations that seem to question their practical usability. On the one hand, authorization constraints over multiple sessions or histories are not considered. On the other hand, the experimental evaluations of the various techniques are not satisfactory since they do not seem to scale to larger RBAC policies. In this paper, we describe a SAT-based technique to solve the UAQ problem which overcomes these limitations. First, we show how authorization constraints over multiple sessions and histories can be supported. Second, we carefully tune the reduction to the SAT problem so that most of the clauses need not to be generated at run-time but only in a pre-processing step. Finally, we present an extensive experimental evaluation of an implementation of our techniques on a significant set of UAQ problem instances that show the practical viability of our approach; e.g., problems with 300 roles are solved in less than a second.


Computers & Security | 2014

Model checking authorization requirements in business processes

Alessandro Armando; Serena Elisa Ponta

Business processes are usually expected to meet high level authorization requirements (e.g., Separation of Duty). Since violation of authorization requirements may lead to economic losses and/or legal implications, ensuring that a business process meets them is of paramount importance. Previous work showed that model checking can be profitably used to check authorization requirements in business processes. However, building formal models that simultaneously account for both the workflow and the access control policy is a time consuming and error-prone activity. In this paper we present a new approach to model checking authorization requirements in business processes that allows for the separate specification of the workflow and of the associated access control policy while retaining the ability to carry out a fully automatic analysis of the business process. To illustrate the effectiveness of the approach we describe its application to a Loan Origination Process subject to an RBAC access control policy featuring conditional permission assignments and delegation.


Journal of Computer and System Sciences | 2012

An action-based approach to the formal specification and automatic analysis of business processes under authorization constraints

Alessandro Armando; Enrico Giunchiglia; Marco Maratea; Serena Elisa Ponta

Business processes under authorization control are sets of coordinated activities subject to a security policy stating which agent can access which resource. Their behavior is difficult to predict due to the complex and unexpected interleaving of different execution flows within the process. Serious flaws may thus go undetected and manifest themselves only after deployment. For this reason, business processes are being considered a new, promising application domain for formal methods and model checking techniques in particular. In this paper we show that action-based languages provide a rich and natural framework for the formal specification of and automated reasoning about business processes under authorization constraints. We do this by discussing the application of the action language C to the specification of a business process from the banking domain that is representative of an important class of business processes of practical relevance. Furthermore we show that a number of reasoning tasks that arise in this context (namely checking whether the control flow together with the security policy meets the expected security properties, building a security policy for the given business process under given security requirements, and finding an allocation of tasks to agents that guarantees the completion of the business process) can be carried out automatically using the Causal Calculator CCalc. We also compare C with the prominent specification language used in model-checking.


Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control | 2016

SMT-based Enforcement and Analysis of NATO Content-based Protection and Release Policies

Alessandro Armando; Silvio Ranise; Riccardo Traverso; Konrad S. Wrona

NATO is developing a new IT infrastructure that will enable automated information sharing between different information security domains and provide strong separation between different communities of interest while supporting dynamic and flexible enforcement of the need-to-know principle. In this context, the Content-based Protection and Release (CPR) model has been introduced to support the specification and enforcement of access control policies used in NATO and, more generally, in complex organizations. While the ability to support fine-grained security policies for a large variety of users, resources and devices is desirable, the definition, maintenance, and enforcement of these policies can be difficult, time-consuming, and error-prone. Thus, automated support for policy analysis to help designers in these activities is needed. In this paper we show that several policy-related analysis problems of practical interest can be reduced to SMT problems, we propose an effective enforcement mechanism relying on attribute-based encryption (ABE), and assess the scalability of our approach on an extensive set of synthetic benchmarks.


Military Communications and Information Systems Conference | 2016

Assisted content-based labelling and classification of documents

Konrad S. Wrona; Sander Oudkerk; Alessandro Armando; Silvio Ranise; Riccardo Traverso; Lisa Ferrari; Richard McEvoy

The correct labelling of all information at its point of origin is a critical enabler for effective information access control in modern military systems. If information is not properly labeled it cannot be shared between different communities of interest and coalition partners, which affects the responsibility to share and potentially impedes ongoing military operations. This paper describes two experiments performed at the NATO Communications and Information Agency related to supporting correct labelling of both pre-existing and newly created information objects. Two different techniques are used, one based on semantic analysis and the other on machine learning. Both approaches offer promising results in their respective use case scenarios, but require further development prior to operational deployment.


Conference on Cybersecurity of Industrial Control Systems | 2015

Security Monitoring for Industrial Control Systems

Alessio Coletta; Alessandro Armando

An Industrial Control System (ICS) is a system of physical entities whose functioning heavily relies on information and communication technology components and infrastructures. ICS are ubiquitous and can be found in a number of safety-critical areas including energy, chemical processes, health-care, aerospace, manufacturing, and transportation. While originally isolated and inherently secure, ICS are recently becoming more and more exposed to cyber attacks (e.g. Stuxnet).


Archive | 2017

Effective Security Assessment of Mobile Apps with MAVeriC

Gabriele Costa; Alessandro Armando; Luca Verderame; Daniele Biondo; Gianluca Bocci; Rocco Mammoliti; Alessandra Toma

Mobile applications, aka apps, mark the perimeter of the ecosystems of many service providers. Thus, their security assessment is crucial for any company aiming at protecting both customer data and other strategic assets. In fact, software analysts face an extremely hard problem due to, for example, continuous and fast development of new apps and the specific threat model of their organizations. For these reasons, new methodologies and tools are urgently required to drive and possibly automatize the process. In the last years, Poste Italiane carried out several initiatives to reduce the security incidents response time. More recently, MAVeriC was proposed as a unified security analysis platform for Android apps. MAVeriC was designed to achieve a seamless integration of both dynamic and static analysis techniques. In this chapter we present the integration of MAVeriC within the industrial business processes of Poste Italiane. We show how MAVeriC contributed to improve the effectiveness and efficiency of the threat identification as well as the reaction procedures. In particular, we discuss how the automatic security analysis was exploited for two distinct activities. Finally, we describe the application of MAVeriC to a case study involving a real-world application. Such case study is also important for identifying and discussing current limitations and future directions of this research line.


Artificial Intelligence V: Methodology, Systems, Applications | 1992

A Knowledge Based System for Automatic 3D Scene Generation

Paolo Traverso; Alessandro Armando; Enrico Giunchiglia

The goal of this paper is to describe NALIG, a system able to understand natural language like scene descriptions and to draw automatically the image of the scene on a graphic screen. NALIG is provided with knowledge to perform common sense reasoning about spatial configurations of objects, to derive default conclusions, to detect inconsistency and to modify the internal representation of the scene to preserve consistency.

Collaboration


Dive into Alessandro Armando's collaboration.

Top Co-Authors

Silvio Ranise

Fondazione Bruno Kessler
