Limin Jia

Android taint flow analysis for app sets

One approach to defending against malicious Android applications has been to analyze them to detect potential information leaks. This paper describes a new static taint analysis for Android that combines and augments the FlowDroid and Epicc analyses to precisely track both inter-component and intra-component data flow in a set of Android applications. The analysis takes place in two phases: given a set of applications, we first determine the data flows enabled individually by each application, and the conditions under which these are possible; we then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole. This paper describes our analysis method, implementation, and experimental results.

Modeling and Enhancing Android’s Permission System

Several works have recently shown that Android’s security architecture cannot prevent many undesired behaviors that compromise the integrity of applications and the privacy of their data. This paper makes two main contributions to the body of research on Android security: first, it develops a formal framework for analyzing Android-style security mechanisms; and, second, it describes the design and implementation of Sorbet, an enforcement system that enables developers to use permissions to specify secrecy and integrity policies. Our formal framework is composed of an abstract model with several specific instantiations. The model enables us to formally define some desired security properties, which we can prove hold on Sorbet but not on Android. We implement Sorbet on top of Android 2.3.7, test it on a Nexus S phone, and demonstrate its usefulness through a case study.

Run-Time Enforcement of Information-Flow Properties on Android

Recent years have seen a dramatic increase in the number and importance of mobile devices. The security properties that these devices provide to their applications, however, are inadequate to protect against many undesired behaviors. A broad class of such behaviors is violations of simple information-flow properties. This paper proposes an enforcement system that permits Android applications to be concisely annotated with information-flow policies, which the system enforces at run time. Information-flow constraints are enforced both between applications and between components within applications, aiding developers in implementing least privilege. We model our enforcement system in detail using a process calculus, and use the model to prove noninterference. Our system and model have a number of useful and novel features, including support for Android’s single- and multiple-instance components, floating labels, declassification and endorsement capabilities, and support for legacy applications. We have developed a prototype of our system on Android 4.0.4 and tested it on a Nexus S phone, verifying that it can enforce practically useful policies that can be implemented with minimal modification to off-the-shelf applications.

Constraining Credential Usage in Logic-Based Access Control

Authorization logics allow concise specification of flexible access-control policies, and are the basis for logic-based access-control systems. In such systems, resource owners issue credentials to specify policies, and the consequences of these policies are derived using logical inference rules. Proofs in authorization logics can serve as capabilities for gaining access to resources. Because a proof is derived from a set of credentials possibly issued by different parties, the issuer of a specific credential may not be aware of all the proofs that her credential may make possible. From this credential issuer’s standpoint, the policy expressed in her credential may thus have unexpected consequences. To solve this general problem, we propose a system in which credentials can specify constraints on how they are to be used. We show how to modularly extend wellstudied authorization logics to support the specification and enforcement of such constraints. A novelty of our design is that we allow the constraints to be arbitrary well-behaved functions over authorization proofs. Since all the information about an access is contained in the proofs, this makes it possible to express many interesting constraints. We study the formal properties of such a system, and give examples of constraints.

xDomain: cross-border proofs of access

A number of research systems have demonstrated the benefits of accompanying each request with a machine-checkable proof that the request complies with access-control policy - a technique called proof-carrying authorization. Numerous authorization logics have been proposed as vehicles by which these proofs can be expressed and checked. A challenge in building such systems is how to allow delegation between institutions that use different authorization logics. Instead of trying to develop the authorization logic that all institutions should use, we propose a framework for interfacing different, mutually incompatible authorization logics. Our framework provides a very small set of primitives that defines an interface for communication between different logics without imposing any fundamental constraints on their design or nature. We illustrate by example that a variety of different logics can communicate over this interface, and show formally that supporting the interface does not impinge on the integrity of each individual logic. We also describe an architecture for constructing authorization proofs that contain components from different logics and report on the performance of a prototype proof checker.

Analyzing the dangers posed by Chrome extensions.

A common characteristic of modern web browsers is that their functionality can be extended via third-party add-ons. In this paper we focus on Chrome extensions, to which the Chrome browser exports a rich API: extensions can potentially make network requests, access the local file system, get low-level information about running processes, etc. To guard against misuse, Chrome uses a permission system to curtail an extensions privileges. We demonstrate a series of attacks by which extensions can steal data, track user behavior, and collude to elevate their privileges. Although some attacks have previously been reported, we show that subtler versions can easily be devised that are less likely to be prevented by proposed defenses and can evade notice by the user. We quantify the potential danger of attacks by examining how many currently available extensions have sufficient privileges to carry them out. As many web sites do not employ defenses against such attacks, we examine how many popular web sites are vulnerable to each kind of attack. Our results show that a surprisingly large fraction of web sites is vulnerable to many attacks, and a large fraction of currently available extensions is potentially able to carry them out.

Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes

The use of end-user programming, such as if-this-then-that (IFTTT), is becoming increasingly common. Services like IFTTT allow users to easily create new functionality by connecting arbitrary Internet-of-Things (IoT) devices and online services using simple if-then rules, commonly known as recipes. However, such convenience at times comes at the cost of security and privacy risks for end users. To gain an in-depth understanding of the potential security and privacy risks, we build an information-flow model to analyze how often IFTTT recipes involve potential integrity or secrecy violations. Our analysis finds that around 50% of the 19,323 unique recipes we examined are potentially unsafe, as they contain a secrecy violation, an integrity violation, or both. We next categorize the types of harm that these potentially unsafe recipes can cause to users. After manually examining a random selection of potentially unsafe recipes, we find that recipes can not only lead to harms such as personal embarrassment but can also be exploited by an attacker, e.g., to distribute malware or carry out denial-of-service attacks. The use of IoT devices and services like IFTTT is expected only to grow in the near future; our analysis suggests users need to be both informed about and protected from these emerging threats to which they could be unwittingly exposing themselves.

Timing-Sensitive Noninterference through Composition

Sound compositional reasoning principles are the foundation for analyzing the security properties of complex systems. We present a general theory for compositional reasoning about the information-flow security of interactive discrete-timed systems. We develop a simple core--and with it, a language--of combinators, including ones that orchestrate the execution of a collection of interactive systems. We establish conditions under which timing-sensitive noninterference is preserved through composition, for each combinator in our language. To demonstrate the practicality of our theory, we model secure multi-execution SME using our combinators. Through this, we show that our theory makes it straightforward 1 to prove, through compositional reasoning, that complex systems are free of external timing channels, and 2 to identify sub-components that cause information leakage of a compositei¾?system.