Formal Analysis of Language-Based Android Security Using Theorem Proving Approach

Khan, Wilayat; Kamran, Muhammad; Ahmad, Aakash; Khan, Farrukh Aslam; Derhab, Abdelouahid

doi:10.1109/access.2019.2895261

Cited by 14 publications

(14 citation statements)

References 20 publications

(51 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The work of [18] developed the Sorbet framework, an enforcement model that enables permissions to specific security policies. Other recent modeling approaches focused on abstracting the permission system for specific purposes, such as the permission-based model for attack defense [19] and language-based security analysis [20]. However, most papers that implemented abstract models lack a comprehensive analysis covering the permissions system's changes throughout its published releases.…”

Section: Literature Reviewmentioning

confidence: 99%

A Comprehensive Analysis of the Android Permissions System

Almomani

Alkhayer

2020

IEEE Access

View full text Add to dashboard Cite

Android is one of the most essential and highly used operating systems. Android permissions system is a core security component that offers an access-control mechanism to protect system resources and users' privacy. As such, it has experienced continuous change over each Android release. However, previous research on the permissions system has employed static analysis techniques. Furthermore, most of these studies are outdated, covering older versions of Android. This paper aims to discuss the permissions system intensively to provide a nutshell overview of the Android platform's access-control mechanism. The paper presents a comprehensive analysis of the Android permissions system since it was introduced in 2008 until now, accompanied by a formal model of its components. The results of the analysis reveal a continuous growth in the number of permissions since the original release-a growth of seven times in some permission categories. A case study has been conducted for the last five years' versions of the top Android apps to examine the permissions system's evolution and its attendant security issues from the applications' perspective. Some apps showed an increase in permissions usage of 73.33% by the 2020 release. Additionally, the results of the case study contribute to the understanding of permissions deployment by both vendors and developers. Finally, a discussion of the permission-based security enhancements discloses that the Android permissions system faces various security issues. In general, this paper provides researchers and academics an up-to-date, comprehensive, self-contained reference study of the Android permissions system.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

A Comprehensive Analysis of the Android Permissions System

Almomani

Alkhayer

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…For this reason, static analysis requires a final manual audit of the results to discard the false positives and find the false negatives (much more complicated). However, several works confirm that different SAST tools have distinct algorithm designs as Abstract Interpretation [29][30][31], Taint Analysis [32], Theorem Provers [33], SAT Solvers [34] or Model Checking [35,36]. Therefore, combining SAST tools can find different types of vulnerabilities and therefore obtain a better combination result [6,7].…”

Section: Static Analysis Security Testingmentioning

confidence: 99%

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Tudela

Higuera

et al. 2020

Applied Sciences

View full text Add to dashboard Cite

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

show abstract

“…Tools based on model checking can be used to check equivalence of two functions (models); however, they are constrained by the popular state explosion [37,38] problem. ere is a body of research works in the literature on formal verification of software systems [63][64][65]; however, literature review of hardware verification and simulation tools for checking Boolean functions equivalence is included in this section.…”

Section: Related Workmentioning

confidence: 99%

Formal Verification of Hardware Components in Critical Systems

Khan

Kamran

Naqvi

et al. 2020

Wireless Communications and Mobile Computing

Self Cite

View full text Add to dashboard Cite

Hardware components, such as memory and arithmetic units, are integral part of every computer-controlled system, for example, Unmanned Aerial Vehicles (UAVs). The fundamental requirement of these hardware components is that they must behave as desired; otherwise, the whole system built upon them may fail. To determine whether or not a component is behaving adequately, the desired behaviour of the component is often specified in the Boolean algebra. Boolean algebra is one of the most widely used mathematical tools to analyse hardware components represented at gate level using Boolean functions. To ensure reliable computer-controlled system design, simulation and testing methods are commonly used to detect faults; however, such methods do not ensure absence of faults. In critical systems’ design, such as UAVs, the simulation-based techniques are often augmented with mathematical tools and techniques to prove stronger properties, for example, absence of faults, in the early stages of the system design. In this paper, we define a lightweight mathematical framework in computer-based theorem prover Coq for describing and reasoning about Boolean algebra and hardware components (logic circuits) modelled as Boolean functions. To demonstrate the usefulness of the framework, we (1) define and prove the correctness of principle of duality mechanically using a computer tool and all basic theorems of Boolean algebra, (2) formally define the algebraic manipulation (step-by-step procedure of proving functional equivalence of functions) used in Boolean function simplification, and (3) verify functional correctness and reliability properties of two hardware components. The major advantage of using mechanical theorem provers is that the correctness of all definitions and proofs can be checked mechanically using the type checker and proof checker facilities of the proof assistant Coq.

show abstract

Formal Analysis of Language-Based Android Security Using Theorem Proving Approach

Cited by 14 publications

References 20 publications

A Comprehensive Analysis of the Android Permissions System

A Comprehensive Analysis of the Android Permissions System

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Formal Verification of Hardware Components in Critical Systems

Contact Info

Product

Resources

About