Automatically securing permission-based software by reducing the attack surface: An application to android

2012 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012 - Proceedings

Volumn , Issue , 2012, Pages 274-277

  Bartel, Alexandre ^a   Klein, Jacques ^a   Le Traon, Yves ^a   Monperrus, Martin ^b  

^a UNIVERSITY OF LUXEMBOURG   (Luxembourg)

^b UNIV LILLE   (France)

Author keywords

Android; Call graph; Permission based software; Permissions; Security; Soot; Static analysis

Indexed keywords

ANDROID; CALL-GRAPH; CODE INJECTION; DATA SETS; MALWARES; PERMISSION-BASED SECURITY; PERMISSIONS; SECURITY; ANDROID APPLICATIONS;

ROBOTS; SOFTWARE ENGINEERING; SOOT; APPLICATION PROGRAMS;

STATIC ANALYSIS;

EID: 84866946869     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2351676.2351722     Document Type: Conference Paper

References (19)

1. The android developer's guide, last-accessed: 2011-09. http://developer.android.com/guide/index.html.
2. D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji. A methodology for empirical analysis of permission-based security models and its application to android. In ACM Conference on Computer and Communications Security (CCS 2010), pages 73-84, Chicago, Illinois, USA, October 4-8, 2010.
3. A. Bartel, J. Klein, M. Monperrus, and Y. Le Traon. Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android. Report ISBN: 978-2-87971-107-2, University of Luxembourg, Mar. 2012.
4. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege escalation attacks on android. In Proceedings of the 13th International Conference on Information Security, 2011.
5. W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM CCS, pages 235-245, New York, NY, USA, 2009.
6. W. Enck, M. Ongtang, and P. McDaniel. Understanding android security. IEEE Security and Privacy, 2009.
7. A. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In ACM CCS 2011.
8. A. P. Felt, K. Greenwood, and D. Wagner. The effectiveness of application permissions. In Proceedings of the 2nd USENIX conference on Web application development, WebApps'11, pages 7-7, Berkeley, CA, USA, 2011. USENIX Association.
9. A. P. Felt, H. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In Proceedings of the 20th USENIX Security Symposium, 2011.
10. Gartner.com. Gartner says sales of mobile devices grew 5.6 percent in third quarter of 2011; smartphone sales increased 42 percent. http://goo.gl/HkyA4, Last accessed: March 2 2012.
11. E. Geay, M. Pistoia, T. Tateishi, B. G. Ryder, and J. Dolby. Modular string-sensitive permission analysis with demand-driven precision. In ICSE, pages 177-187. IEEE, 2009.
12. C. Gibler, J. Crussel, J. Erickson, and H. Chen. Androidleaks detecting privacy leaks in android applications. Technical report, UC Davis, 2011.
13. S. Hoffman. Zeus banking trojan variant attacks android smartphones. CRN, 2011. http://goo.gl/xAEGr.
14. L. Koved, M. Pistoia, and A. Kershenbaum. Access rights analysis for Java. ACM SIGPLAN Notices, 37(11):359-372, Nov. 2002.
15. O. Lhot́ak and L. Hendren. Scaling Java points-to analysis using Spark. In 12th International Conference on Compiler Construction, 2003.
16. P. Manadhata and J. Wing. An attack surface metric. IEEE Transactions on Software Engineering, 37(3):371 -386, may-june 2011.
17. C. Marforio, A. Francillon, and S. ̌Capkun. Application collusion attack on the permission-based security model and its implications for modern smartphone systems. Technical Report 724, ETH Zurich, April 2011.
18. M. Pistoia, S. J. Fink, R. J. Flynn, and E. Yahav. When role models have flaws: Static validation of enterprise security policies. In ICSE, 2007.
19. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. In Proceedings of the IEEE, 1975.