Gabriele Costa

Detection of images with adult content for parental control on mobile devices

In this paper we present a prototype for parental control that detects images with adult content received on a mobile device. More specifically, the application that we developed is able to intercept images received through various communication channels (bluetooth, MMS) on mobile devices based on the Symbian#8482; operating systems. Once intercepted, the images are analysed by the component of the system that automatically classify images with explicit sexual content. At the current stage the application that intercept images runs on the mobile device, the classifier runs on a remote server.

Runtime monitoring for next generation Java ME platform

Many modern mobile devices, such as mobile phones or Personal digital assistants (PDAs), are able to run Java applications, such as games, Internet browsers, chat tools and so on. These applications perform some operations on the mobile device, that are critical from the security point of view, such as connecting to the Internet, sending and receiving SMS messages, connecting to other devices through the Bluetooth interface, browsing the users contact list, and so on. Hence, an adequate security support is required to protect the device from malicious applications. This paper proposes an enhanced security support for next generation Java Micro Edition platform. This support performs a runtime monitoring of the operations performed by the Java applications, and enforces a security policy that defines which operations applications are allowed to perform. Two possible design approaches for the security support are presented and compared.

Security and Trust

Security and Trust offer two different prospectives on the problem of the correct interaction among software components. For many aspects, they represent complementary viewpoints. Moreover, in the study of the verification of non-functional properties of programs they represent a mainstream. Several security aspects, e.g., access control, could be based also on trust and, vice versa, trust models could update the level of trust of a (component of a ) system according to the satisfaction of a particular security policies. According to that, here we present the Security-by-Contract-with-Trust framework, S×C×T for short. It has been developed considering a system platform that has to execute an application whose developer is unknown in such a way that security policies set on it are not violated. The S×C×T mechanism is driven by both security and trust aspects. It is based of three main concepts: the application code, the application contract, and the system security policy The level of trust we consider measures the adherence of the application code to its contract, i.e., if the code respects its contract then the application is trusted, otherwise its level of trust decreases. According to the level of trust of the application, S×C×T decides if check the contract against the policies and if the answer is positive, execute the application just monitoring its contract, or directly enforce the security policy set on the platform.

Extending Security-by-Contract with Quantitative Trust on Mobile Devices

Security-by-Contract (SxC) is a paradigm providing security assurances for mobile applications. In this work, we present an extension of SxC enriched with an authomatic trust management infrastructure. Indeed, we enhance the already existing architecture by adding new modules and configurations for contracts managing. At deploy-time, our system decides the run-time configuration depending on the credentials of contract provider. Roughly, the run-time environment can both enforce a security policy and monitor the declared contract. According to the actual behaviour of the running program our architecture updates the trust level associated with the contract provider. The main advantage of this method is an authomatic management of the level of trust of software and contract releasers.

Enabling BYOD through secure meta-market

Mobile security is a hot research topic. Yet most of available techniques focus on securing individual applications and therefore cannot possibly tackle security weaknesses stemming from the combined use of one or more applications (e.g. confused deputy attacks). Preventing these types of attacks is crucial in many important application scenarios. For instance, their prevention is a prerequisite for the widespread adoption of the BYOD paradigm in the corporate setting. To this aim, in this paper we propose a secure meta-market which supports the specification and enforcement of security policies spanning multiple applications. Moreover, the meta-market keeps track of the security state of devices and -through a functional combination of static analysis and code instrumentation techniques- supervises the installation of new applications thereby ensuring the enforcement of the security policies. Also, we developed a prototype implementation of the secure meta-market and we used it for validating a wide range of popular Android applications against a security policy drawn from the US Government BYOD Security Guidelines. Experimental results obtained by running the prototype confirm the effectiveness of the approach.

Jalapa: Securing Java with Local Policies

We present Jalapa, a tool for securing Java bytecode programs with history-based usage policies. Policies are defined by usage automata, that recognize the forbidden execution histories. Usage automata are expressive enough to allow programmers specify of many real-world usage policies; yet, they are simple enough to permit formal reasoning. Programmers can sandbox untrusted pieces of code with usage policies. The Jalapa tool rewrites the Java bytecode by adding the hooks for the mechanism that enforces the given policies at run-time.

Android Permissions Unleashed

The Android Security Framework controls the executions of applications through permissions which are statically granted by the user during installation. However, the definition of security policies over permissions is not supported. Security policies must be therefore manually encoded into the application by the developer, which is a dangerous practice and may cause security breaches. We propose an improvement over the Android permission system that supports the specification and enforcement of fine-grained security policies. Enforcement is achieved by reducing policy decision problems to propositional satisfiability and leveraging a state-of-the-art SAT solver. Unlike alternative proposals, our approach does not require changes in the operating system and, therefore, it can be readily deployed in any commercial device.

SAM: The Static Analysis Module of the MAVERIC Mobile App Security Verification Platform

The tremendous success of the mobile application paradigm is due to the ease with which new applications are uploaded by developers, distributed through the application markets e.g.i¾?Google Play, and finally installed by the users. Yet, the very same model is causing serious security concerns, since users have no or little means to ascertain the trustworthiness of the applications they install on their devices. To protect their customers, Poste Italiane has defined the Mobile Application Verification Cluster MAVERIC, a process for the systematic security analysis of third-party mobile apps that leverage the online services provided by the company e.g.i¾?home banking, parcel tracking. We present SAM, a toolkit that supports this process by automating a number of operations including reverse engineering, privilege analysis, and automatic verification of security properties. We introduce the functionalities of SAM through a demonstration of the platform applied to real Android applications.

Modular plans for secure service composition

Service Oriented Computing SOC is a programming paradigm aiming at characterising Service Networks. Services are entities waiting for requests from clients and they often result from the composition of many sub-services.We address here the problem of statically guaranteeing security of open services, i.e., services with unknown components. Security constraints are expressed by policies that service components must obey.We present here a type and effect system that safely over-approximates the possible run-time behaviour of open services, collecting partial information on the behaviour of their components. From such an approximation, we then extract a partial plan that drives executions of an open system that raises no security violations when plugged in any context.

Gate automata-driven run-time enforcement

Security and trust represent two different perspectives on the problem of guaranteeing the correct interaction among software components. Gate automata have been proposed as a formalism for the specification of both security and trust policies in the scope of the Security-by-Contract-with-Trust (SxCxT) framework. Indeed, they watch the execution of a target program, possibly modifying its behaviour, and produce a feedback for the trust management system. The level of trust changes the environment settings by dynamically activating/deactivating some of the defined gate automata. The goal of this paper is to present gate automata and to show a gate automata-driven strategy for the run-time enforcement in the SxCxT.