A Formal Model to Analyze the Permission Authorization and Enforcement in the Android Framework

Shin, Wook; Kiyomoto, Shinsaku; Fukushima, Kazuhide; Tanaka, Toshiaki

doi:10.1109/socialcom.2010.140

Cited by 56 publications

(29 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the fulfillment of the principle of least privilege when creating a new instance is widely studied in the literature [32,44], the analysis of this principle when accessing a content provider or delegating/revoking a permission has not been covered in other publications. Since our model includes these two scenarios, we are able to formally state and prove lemmas like the following:…”

Section: Privilegesmentioning

confidence: 99%

“…Finally, Shin et al [44] adapt the approach followed by Zanella et al [17] to build a formal framework that represents the Android permission system, which is based on the Calculus of Inductive Constructions and it is developed in Coq, as we do. However, that formalization does not consider several aspects of the platform covered in our model, namely, the different types of components, the interaction between a running instance and the system, the reading/writing operation on a content provider and the semantics of the permission delegation mechanism.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Formal Analysis of Android's Permission-Based Security Model

Betarte¹,

Campo²,

Luna³

et al. 2016

SACS

View full text Add to dashboard Cite

In this work we present a comprehensive formal specification of an idealized formulation of Android's permission model. Permissions in Android are basically tags that developers declare in their applications, more precisely in the so-called application manifest, to gain access to sensitive resources. Several analyses have recently been carried out concerning the security of the Android system. Few of them, however, pay attention to the formal aspects of the permission enforcing framework. We provide a complete and uniform formulation of several security properties using the higher order logic of the Calculus of Inductive Constructions and sketch the proofs that have been developed and verified using the Coq proof assistant. We also analyze how the changes introduced in the latest version of Android, that allows to manage permissions at runtime, impact the presented model.

show abstract

Section: Privilegesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Formal Analysis of Android's Permission-Based Security Model

Betarte¹,

Campo²,

Luna³

et al. 2016

SACS

View full text Add to dashboard Cite

show abstract

“…Shin et al [25] developed a formal model in order to verify functional correctness properties of Android, which revealed a flaw in the naming scheme for permissions and a possible attack [26]. In contrast, our work develops a more abstract model suitable for reasoning about extensions to Android's permission system.…”

Section: Related Workmentioning

confidence: 99%

Modeling and Enhancing Android’s Permission System

Fragkaki

Bauer

Jia

et al. 2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Several works have recently shown that Android's security architecture cannot prevent many undesired behaviors that compromise the integrity of applications and the privacy of their data. This paper makes two main contributions to the body of research on Android security: first, it develops a formal framework for analyzing Android-style security mechanisms; and, second, it describes the design and implementation of Sorbet, an enforcement system that enables developers to use permissions to specify secrecy and integrity policies. Our formal framework is composed of an abstract model with several specific instantiations. The model enables us to formally define some desired security properties, which we can prove hold on Sorbet but not on Android. We implement Sorbet on top of Android 2.3.7, test it on a Nexus S phone, and demonstrate its usefulness through a case study.

show abstract

“…Shin et al [24] developed a formal model in order to verify functional correctness properties of Android, which revealed a flaw in the naming scheme for permissions and a possible attack [25]. In contrast, our work develops a more abstract model suitable for reasoning about extensions to Android's permission system.…”

Section: Related Workmentioning

confidence: 99%

Modeling and Enhancing Android's Permission System

Fragkaki¹,

Bauer²,

Jia³

et al. 2012

View full text Add to dashboard Cite

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Several works have recently shown that Android's security architecture cannot prevent many undesired behaviors that compromise the integrity of applications and the privacy of their data. This paper makes two main contributions to the body of research on Android security: first, it develops a formal framework for analyzing Android-style security mechanisms; and, second, it describes the design and implementation of Sorbet, an enforcement system that enables developers to use permissions to specify secrecy and integrity policies. Our formal framework is composed of an abstract model with several specific instantiations. The model enables us to formally define some desired security properties, which we can prove hold on Sorbet but not on Android. We implement Sorbet on top of Android 2.3.7, test it on a Nexus S phone, and demonstrate its usefulness through a case study.

show abstract

A Formal Model to Analyze the Permission Authorization and Enforcement in the Android Framework

Cited by 56 publications

References 4 publications

Formal Analysis of Android's Permission-Based Security Model

Formal Analysis of Android's Permission-Based Security Model

Modeling and Enhancing Android’s Permission System

Modeling and Enhancing Android's Permission System

Contact Info

Product

Resources

About