CRêPE: A system for enforcing fine-grained context-related policies on android

IEEE Transactions on Information Forensics and Security

Volumn 7, Issue 5, 2012, Pages 1426-1438

  Conti, Mauro ^a,c   Crispo, Bruno ^b   Fernandes, Earlence ^a,d   Zhauniarovich, Yury ^b  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

^b UNIVERSITY OF TRENTO   (Italy)

^c UNIVERSITY OF PADOVA   (Italy)

^d UNIVERSITY OF MICHIGAN   (United States)

Author keywords

Android security; context policy; smartphone security

Indexed keywords

ANDROID SECURITY; CONTEXTUAL INFORMATION; LOW LEVEL; POLICY ENFORCEMENT SYSTEMS; PRODUCTION ENVIRONMENTS; RUNTIMES; THIRD PARTIES;

ACCESS CONTROL; DATA HANDLING; ENERGY UTILIZATION; SENSORS; SIGNAL ENCODING; SMARTPHONES;

ROBOTS;

EID: 84866302360     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2012.2204249     Document Type: Article

References (47)

1. W. Enck, M. Ongtang, and P.McDaniel, "On lightweight mobile phone application certification," in Proc. CCS '09, 2009, pp. 235-245.
2. Android Project InternetWebpage [Online]. Available: http://www.android. com
3. W. Enck, M. Ongtang, and P. McDaniel, "Understanding android security," IEEE Security Privacy, vol. 7, no. 1, pp. 50-57, Jan./Feb. 2009.
4. N. Damianou, N. Dulay, E. Lupu, and M. Sloman, "The ponder policy specification language," in Proc. POLICY '01, 2001, pp. 18-38. (Pubitemid 33225338)
5. J. Park and R. Sandhu, "The UCONABC usage control model," ACM Trans. Inf. Syst. Secur., vol. 7, pp. 128-174, Feb. 2004.
6. CRePEdroid Project Internet Webpage [Online]. Available: http://www.crepedroid.org/crepedroid.html
7. M. Conti, V. T. N. Nguyen, and B. Crispo, "CRePE: Context-related policy enforcement for Android," in Proc. ISC'10, 2010, pp. 331-345.
8. K. Twidle, E. Lupu, N. Dulay, and M. Sloman, "Ponder2-A policy environment for autonomous pervasive systems," in Proc. POLICY '08, 2008, pp. 245-246.
9. Openmoko Project Internet Webpage [Online]. Available: http://www. openmoko.com
10. OMTP: Mobile terminal platform Internet Webpage [Online]. Available: http://www.omtp.org
11. H. Dwivedi,Mobile Application Security, 1 ed. New York: McGraw-Hill, Inc., 2010.
12. "Application Certification Requirements For Windows Phone, Manual" [Online]. Available: http://msdn.microsoft.com/en-us/library/ hh184843(v=VS.92).aspx
13. Windows Phone 7 Security Model. Windows Phone 7 Security Model-FINAL-122010.pdf [Online]. Available: http://www.microsoft. com/
14. Nokia Forum. Signed MIDlet Developer's Guide. MIDP-2-0-Signed-MIDlet- Developers-Guide-v2-0-en.pdf [Online]. Available: http://www.forum.nokia.com/
15. Symbian Ltd., Simbian Signed. Internet Webpage [Online]. Available: https://www.symbiansigned.com
16. I. Ion, B. Dragovic, and B. Crispo, "Extending the java virtual machine to enforce fine-grained security policies in mobile devices," in Proc. ACSAC '07, 2007, pp. 233-242.
17. M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel, "Semantically rich application-centric security in android," in Proc. ACSAC '09, 2009, pp. 73-82.
18. G. Bai, L. Gu, T. Feng, Y. Guo, and X. Chen, "Context-aware usage control for android," in Proc. SecureComm 2010, 2010, pp. 326-343.
19. M. Nauman, S.Khan, andX. Zhang, "Apex: Extending android permission model and enforcement with user-defined runtime constraints," in Proc. ASIACCS '10, 2010, pp. 328-332.
20. A. R. Beresford, A. Rice, and N. Skehin, "MockDroid: Trading privacy for application functionality on smartphones," in Proc. HotMobile '11, 2011, to be published.
21. Y. Zhou, X. Zhang, X. Jiang, and V. Freeh, "Taming Informationstealing smartphone applications (on Android)," in Proc. TRUST 2011, 2011, to be published.
22. G. Sampemane, P. Naldurg, and R. H. Campbell, "Access control for active spaces," in Proc. ACSAC '02, 2002, pp. 343-352.
23. Andromaly-Anomaly Detaction in Android Platform. Internet Webpage [Online]. Available: http://andromaly.wordpress.com
24. W. Han, J. Zhang, and X. Yao, "Context-sensitive access controlmodel and implementation," in Proc. CIT '05, 2005, pp. 757-763.
25. M. C. Matthew, Matthew, J. Moyer, and M. Ahamad, Generalized Role-Based Access Control for Securing Future Applications 2000.
26. M. L. Damiani, E. Bertino, B. Catania, and P. Perlasca, "GEO-RBAC: A spatially aware RBAC," ACM Trans. Inf. Syst. Secur., vol. 10, no. 1, pp. 1-42, 2007.
27. F. Hansen and V. Oleshchuk, "Srbac: A spatial role-based access control model for mobile systems," in Proc. NORDSEC'03, 2003, pp. 129-141.
28. J. Chin, N. Zhang, A. Nenadic, and O. Bamasak, "A context-constrained authorisation (cocoa) framework for pervasive grid computing," Wirel. Netw., vol. 16, pp. 1541-1556, Aug. 2010.
29. N. N. Diep, L. X. Hung, Y. Zhung, S. Lee, Y.-K. Lee, and H. Lee, "Enforcing access control using risk assessment," in Proc. ECUMN '07, 2007, pp. 419-424. (Pubitemid 47131312)
30. A. Ahmed and N. Zhang, "A context-risk-aware access control model for ubiquitous environments," in Proc. IMCSIT '08, 2008, pp. 775-782.
31. A. Corradi, R. Montanari, and D. Tibaldi, "Context-based access control management in ubiquitous environments," in Proc. NCA '04, 2004, pp. 253-260. (Pubitemid 40681683)
32. N. Gohring, (2011, February) VMWare Shows off Mobile Virtualization on Android. Internet Article [Online]. Available: http://www.pcworld. com/article/219671
33. E. Yuan and J. Tong, "Attributed based access control (abac) for web services," in Proc. IEEE Int. Conf. Web Services, Washington, D.C. [Online]. Available: http://dx.doi.org/10.1109/ICWS.2005.25, IEEE Computer Society, 2005 pp. 561-569, ser. ICWS '05 (Pubitemid 44460249)
34. R. Bhatti, E. Bertino, and A. Ghafoor, "A trust-based context-aware access control model for web-services," Distributed and Parallel Databases, vol. 18, no. 1, pp. 83-105, 2005. (Pubitemid 40859651)
35. A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, and C. Glezer, "Google android: A comprehensive security assessment," IEEE Security Privacy, vol. 8, no. 2, pp. 35-44, Mar./Apr. 2010.
36. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, "Protection in operating systems," Commun. ACM, vol. 19, pp. 461-471, Aug. 1976.
37. T. Moses, eXtensible Access Control Markup Language (XACML). ver. 2.0, 2005, OASIS Standard.
38. P. Mazzoleni, B. Crispo, S. Sivasubramanian, and E. Bertino, "XACML policy integration algorithms," ACM Trans. Inf. Syst. Secur., vol. 11, no. 1, pp. 1-29, Feb. 2008.
39. Z. Liu, A. Ranganathan, and A. Riabov, "Specifying and enforcing high-level semantic obligation policies," Web Semant., vol. 7, pp. 28-39, 2009.
40. M. Conti, I. Zachia-Zlatea, and B. Crispo, "Mind how you answer me! (transparently authenticating the user of a smartphone when answering or placing a call)," in Proc. ASIACCS '11, 2011, pp. 249-259.
41. B. van Wissen, N. Palmer, R. Kemp, T. Kielmann, and H. Bal, "Contextdroid: An expression-based context framework for android," in Proc. PhoneSense '10, 2010, pp. 1-5.
42. Android Open Source Project (AOSP), Internet Webpage [Online]. Available: http://source.android.com/
43. ANother Tool for Language Recognition (ANTLR), Internet Webpage [Online]. Available: http://www.antlr.org/
44. ARM Trustzone Technology, Internet Webpage [Online]. Available: http://www.arm.com/products/processors/technologies/trustzone.php
45. D. Wallach, (2011, February) Things overheard on the Wi-Fi from my Android smartphone. Internet Article [Online]. Available: http://www.freedom-to- tinker.com/blog/dwallach/things-overheard-wifi-my%-android-smartphone
46. L. Zhang, B. Tiwana, Z. Qian, Z. Wang, R. P. Dick, Z. M. Mao, and L. Yang, "Accurate online power estimation and automatic battery behavior based power model generation for smartphones," in Proc. CODES/ISSS '10, 2010, pp. 105-114.
47. G. M. Djuknic and R. E. Richton, "Geolocation and assisted gps," Computer, vol. 34, no. 2, pp. 123-125, 2001.