Wook Shin
University of Illinois at Urbana–Champaign
Publication
Featured research published by Wook Shin.
international conference on social computing | 2010
Wook Shin; Shinsaku Kiyomoto; Kazuhide Fukushima; Toshiaki Tanaka
This paper proposes a formal model of the Android permission scheme. We describe the scheme specifying entities and relationships, and provide a state-based model which includes the behavior specification of permission authorization and the interactions between application components. We also show how we can logically confirm the security of the specified system. Utilizing a theorem prover, we can verify security with given security requirements based on mechanically checked proofs. The proposed model can be used as a reference model when the scheme is implemented in a different embedded platform, or when we extend the current scheme with additional constraints or elements. We demonstrate the use of the verifiable specification through finding a security vulnerability in the Android system. To our knowledge, this is the first formalization of the permission scheme enforced by the Android framework.
ieee international symposium on policies for distributed systems and networks | 2010
Wook Shin; Sanghoon Kwak; Shinsaku Kiyomoto; Kazuhide Fukushima; Toshiaki Tanaka
This paper presents a flaw in the permission scheme of Android. The Android framework enforces a permission-based security policy where an application can access the other parts of the system only when the application is explicitly permitted. The security of the framework depends to a large extent on the owner of a device since the authorization decisions are mainly made by the user. As a result, the permission scheme imposes much of the administrative burden on the user instead of keeping it simple. Moreover, the framework does not impose enough controls nor support dynamic adjustment in the following respects: no naming rule or constraint is applied for a new permission declaration; once an application acquires a permission, the permission is never revoked during the lifetime of the application; two different permissions can be in use having the same name. These features of the framework can result in a security flaw. We explain how we found the flaw, demonstrate an exploit example, and discuss the solution.
international conference on distributed computing systems | 2008
Zheng Zeng; Sammy Yu; Wook Shin; Jennifer C. Hou
Advances in networking, sensors, medical devices and smart phones have made it feasible to monitor and provide medical and other assistance to people either in their homes or outside. Aging populations will benefit from reduced costs and improved healthcare through assisted living based on these technologies. However, these systems challenge current state-of-the-art techniques for usability, reliability, and security. In this paper we present the PAS open architecture for assisted living, which allows independently developed third party components to collaborate. Furthermore, we incorporate cell phones in PAS as the local intelligence in order to enhance the robustness and ubiquity. We discuss key technological issues in assisted living systems, such as software architecture layout, power preserving, security and privacy; and results from our pilot study in a real assisted living facility are presented.
formal methods | 2006
Michael J. May; Wook Shin; Carl A. Gunter; Insup Lee
Home medical devices enable individuals to monitor some of their own health information without the need for visits by nurses or trips to medical facilities. This enables more continuous information to be provided at lower cost and will lead to better healthcare outcomes. The technology depends on network communication of sensitive health data. Requirements for reliability and ease-of-use provide challenges for securing these communications. In this paper we look at protocols for the drop-box architecture, an approach to assisted living that relies on a partially-trusted Assisted Living Service Provider (ALSP). We sketch the requirements and architecture for assisted living based on this architecture and describe its communication protocols. In particular, we give a detailed description of its report and alarm transmission protocols and give an automated proof of correspondence theorems for them. Our formulation shows how to characterize the partial trust vested in the ALSP and use the existing tools to verify this partial trust.
information security | 2009
Wook Shin; Carl A. Gunter; Shinsaku Kiyomoto; Kazuhide Fukushima; Toshiaki Tanaka
There are various network-enabled and embedded computers deployed around us. Although we can get enormous conveniences by connecting them together, it is difficult to securely associate them in an ad-hoc manner. The difficulties originate from authentication and key distribution problems among devices that are strangers to each other. In this paper, we review the existing ways of initiating secure communication for ad-hoc network devices, and propose another solution. Exploiting Pairing-based cryptography and the notion of location-limited channel, the proposed solution bootstraps security conveniently and efficiently. Further, it supports ownership enforcement and key-escrow.
IEEE Transactions on Consumer Electronics | 2011
Wook Shin; Kazuhide Fukushima; Shinsaku Kiyomoto; Yutaka Miyake
We present the design of an apparatus that creates a protected personal communication channel over computer-embedded devices. The prototype implementation of the apparatus demonstrates that it can securely and intuitively link devices with no contact with an online server while imposing low overhead.
international conference on internet monitoring and protection | 2007
Filippo Gioachin; Ravinder Shankesi; Michael J. May; Carl A. Gunter; Wook Shin
Emergency alert systems typically demand push notification because of the infrequency of such events and the urgency of notifying parties about them. However, push notification systems like email have many limitations, such as susceptibility to SPAM and security vulnerabilities. We explore the idea of basing health alerts on RSS feeds, which are a polling-based notification system. Since emergency alerts may be restricted to parties like doctors or health administrators and may be drawn from diverse administrative domains, RSS for health alerts requires a mechanism for expressing and enforcing inter-domain access policies for feeds. In particular, we explore using Shibboleth, a federated identity system developed for use in universities, and an attribute-based policy language, to provide secure RSS for emergency alerts. We validate the approach by showing how it can be used to deliver CDC PHIN health alerts. Our experimental validation shows that, based on our design, existing server technologies can obtain acceptable throughput even with fairly complex and diverse access policies.
international conference on consumer electronics | 2011
Wook Shin; Kazuhide Fukushima; Shinsaku Kiyomoto; Toshiaki Tanaka
We present the design of an apparatus that creates a personal private communication channel over computer-embedded devices. The prototype implementation of the apparatus demonstrated that it can securely and intuitively link devices with no contact with an online server while imposing low overhead.
availability, reliability and security | 2007
Hyung Chan Kim; R. S. Ramakrishna; Wook Shin; Kouichi Sakurai
The main focus of current research in trusted operating systems (TOS) is on the enhanced access control of reference monitors which, in turn, control the individual operations on a given access instance. However, many real-life runtime attacks involve behavioral semantics. We have proposed an extended reference monitor to support both access and behavior controls. This results in a sequence of operations which are also of concern in security enforcement. This paper presents a policy language for the extended reference monitor. Our policy language is based on domain and type enforcement (DTE) and role-based access control (RBAC). Permission is defined as an event and a state of behavior is represented as a fluent to be accorded with the convention of event calculus (EC). Behavior policies can be expressed with the EC style syntax as well as access control policies.
systems, man and cybernetics | 2006
Qixin Wang; Wook Shin; Xue Liu; Zheng Zeng; Cham Oh; Bedoor K. AlShebli; Marco Caccamo; Carl A. Gunter; Elsa L. Gunter; Jennifer C. Hou; Lui Sha