nach oben

International Journal of Information Security

Erschienen in:

17.06.2016 | Regular Contribution

Stateful Data Usage Control for Android Mobile Devices

verfasst von: Aliaksandr Lazouski, Fabio Martinelli, Paolo Mori, Andrea Saracino

Erschienen in: International Journal of Information Security | Ausgabe 4/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Modern mobile devices allow their users to download data from the network, such as documents or photos, to store local copies and to use them. Many real scenarios would benefit from this capability of mobile devices to easily and quickly share data among a set of users but, in case of critical data, the usage of these copies must be regulated by proper security policies. To this aim, we propose a framework for regulating the usage of data when they have been downloaded on mobile devices, i.e., they have been copied outside the producer’s domain. Our framework regulates the usage of the local copy by enforcing the Usage Control policy which has been embedded in the data by the producer. Such policy is written in UXACML, an extension of the XACML language for expressing Usage Control model-based policies, whose main feature is to include predicates which must be satisfied for the whole execution of the access to the data. Hence, the proposed framework goes beyond the traditional access control capabilities, being able to interrupt an ongoing access to the data as soon as the policy is no longer satisfied. This paper details the proposed approach, defines the architecture and the workflow of the main functionalities of the proposed framework, describes the implementation of a working prototype for Android devices, presents the related performance figures, and discusses the security of the prototype.

Nächster Artikel ADroid: anomaly-based detection of malicious events in Android platforms

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

http://mobiforge.com/research-analysis/global-mobile-statistics-2014-part-a-mobile-subscribers-handset-market-share-mobile-operators.

http://www.coco-cloud.eu/.

Lazouski, A., Martinelli, F., Mori, P., Saracino, A.: Stateful usage control for android mobile devices. In: Proceedings of the 10th International Workshop on Security and Trust Management (STM 2014). Volume 8743 of Lecture Notes in Computer Science, pp. 97–112. Springer, Berlin (2014)

Caimi, C., Gambardella, C., Manea, M., Petrocchi, M., Stella, D.: Technical and legal perspectives in data sharing agreements definition. In: Proceedings of Annual Privacy Forum, APF 2015. Volume 9484 of Lecture Notes in Computer Science, pp. 178–192. Springer, Berlin (2015)

Jia, L., Aljuraidan, J., Fragkaki, E., Bauer, L., Stroucken, M., Fukushima, K., Kiyomoto, S., Miyake, Y.: Run-time enforcement of information-flow properties on android. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. Volume8134 of Lecture Notes in Computer Science, pp. 775–792. Springer, Berlin (2013)

Kelbert, F., Pretschner, A.: Data usage control enforcement in distributed systems. In: Third ACM Conference on Data and Application Security and Privacy, CODASPY’13, San Antonio, TX, USA, pp. 71–82. ACM (2013). 18–20 Feb 2013

Kelbert, F., Pretschner, A.: A fully decentralized data usage control enforcement infrastructure. In: 13th International Conference on Applied Cryptography and Network Security (ACNS 2015), pp. 409–430 (2015)

Conti, M., Crispo, B., Fernandes, E., Zhauniarovich, Y.: Crêpe: a system for enforcing fine-grained context-related policies on android. IEEE Trans. Inf. Forensics Secur. 7(5), 1426–1438 (2012)CrossRef

Conti, M., Nguyen, V., Crispo, B.: Crêpe: context-related policy enforcement for android. In: 13 Information Security Conference (ISC10), pp. 331–345 (2010)

Costa, G., Martinelli, F., Mori, P., Schaefer, C., Walter, T.: Runtime monitoring for next generation Java ME platform. Comput. Secur. 29(1), 74–87 (2010)CrossRef

Aktug, I., Naliuka, K.: ConSpec: a formal language for policy specification. In: Proceedings of the First International Workshop on Run Time Enforcement for Mobile and Distributed Systems (REM 07), ESORICS, pp. 107–109 (2007)

10.

Bugiel, S., Davi, L., Dmitrienko, A., Heuser, S., Sadeghi, A.R., Shastry, B.: Practical and Lightweight Domain Isolation on Android. In ACM, ed.: 1st ACM workshop on Security and privacy in smartphones and mobile devices (SPSM11), pp. 51–61 (2011)

11.

Martinelli, F., Mori, P., Saracino, A.: Enhancing android permission through usage control: a byod use-case. In: 31st ACM Symposium on Applied Computing (SAC 2016), pp. 2049–2056 (2016)

12.

Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones. Commun. ACM 57(3), 99–106 (2014)CrossRef

13.

Heuser, S., Nadkarni, A., Enck, W., Sadeghi, A.R.: Asm: a programmable interface for extending android security. In: 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USENIX Association, pp. 1005–1019 (2014)

14.

Miettinen, M., Heuser, S., Kronz, W., Sadeghi, A.R., Asokan, N.: Conxsense - context profiling and classification for context-aware access control. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014), ACM (2014)

15.

Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In: Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C., USENIX, pp. 131–146 (2013)

16.

Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: ACM (ed.) 5th ACM Symposium on Information Computer and Communication Security (ASIACCS’10), pp. 328–332 (2010)

17.

Nadkarni, A., Enck, W.: Preventing accidental data disclosure in modern operating systems. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. CCS ’13, New York, NY, USA, pp. 1029–1042. ACM (2013)

18.

Backes, M., Bugiel, S., Gerling, S., von Styp-Rekowsky, P.: Android security framework: Extensible multi-layered access control on android. In: Proceedings of the 30th Annual Computer Security Applications Conference. ACSAC ’14, New York, NY, USA, ACM, pp. 46–55 (2014)

19.

Chuang, C.Y., Wang, Y.C., Lin, Y.B.: Digital right management and software protection on android phones. In: Vehicular Technology Conference (VTC 2010-Spring), 2010 IEEE 71st, pp. 1–5 (2010)

20.

Ongtang, M., Butler, K., McDaniel, P.: Porscha: policy oriented secure content handling in android. In: Proceedings of the 26th Annual Computer Security Applications Conference. ACSAC ’10, New York, NY, USA, pp. 221–230. ACM (2010)

21.

von Styp-Rekowsky, P., Gerling, S., Backes, M., Hammer, C.: Idea: callee-site rewriting of sealed system libraries. In: Engineering Secure Software and Systems—5th International Symposium, ESSoS 2013, Paris, France. Proceedings, pp. 33–41 (2013). 27 Feb–1 March 2013

22.

Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: Appguard–fine-grained policy enforcement for untrusted android applications. In: Data Privacy Management and Autonomous Spontaneous Security—8th International Workshop, DPM 2013, and 6th International Workshop, SETOP 2013, Egham, UK, Revised Selected Papers, pp. 213–231 (2013). 12–13 Sept 2013

23.

Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: Appguard–enforcing user requirements on android apps. In: Tools and Algorithms for the Construction and Analysis of Systems—19th International Conference, TACAS 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy. Proceedings, pp. 543–548 (2013). 16–24 March 2013

24.

Xu, R., Saïdi, H., Anderson, R.: Aurasium: practical policy enforcement for android applications. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), Bellevue, WA, USENIX, pp. 539–552 (2012)

25.

Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: 4th International Conference on Trust and Trustworthy Computing (TRUST 2011), pp. 93–107 (2011)

26.

Dragoni, N., Massacci, F., Naliuka, K., Siahaan, I.: Security-by-contract: toward a semantics for digital signatures on mobile code. In: Public Key Infrastructure, pp. 297–312. Springer (2007)

27.

Dini, G., Martinelli, F., Matteucci, I., Saracino, A., Sgandurra, D.: Introducing probabilities in contract-based approaches for mobile application security. In: Data Privacy Management and Autonomous Spontaneous Security—8th International Workshop, DPM 2013, and 6th International Workshop, SETOP 2013, Egham, UK, 12–13 Sept 2013, Revised Selected Papers, pp. 284–299 (2013)

28.

Di Cerbo, F., Trabelsi, S., Steingruber, T., Dodero, G., Bezzi, M.: Sticky policies for mobile devices. In: The 18th ACM Symposium on Acces Control Model and Technologies (SACMAT’13), pp. 257–260 (2013)

29.

Trabelsi, S., Sendor, J., Reinicke, S.: Ppl: primelife privacy policyengine. In: 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, IEEE Computer Society, pp. 184–185 (2011)

30.

Colombo, M., Lazouski, A., Martinelli, F., Mori, P.: A proposal on enhancing XACML with continuous usage control features. In: proceedings of CoreGRID ERCIM Working Group Workshop on Grids, P2P and Services Computing, Springer US, pp. 133–146 (2010)

31.

La Polla, M., Martinelli, F., Sgandurra, D.: A survey on security for mobile devices. Commun. Surv. Tutor. IEEE 15(1), 446–471 (2013)CrossRef

32.

Trusted Computing Group: TPM 2.0 mobile reference architecture (draft) (2014)

33.

ARM-Ltd.: Building a secure system using trustzone technology (2009). http://goo.gl/9p7SWG

34.

Samsung-Electronics-Co-Ltd.: An overview of samsung knox (2013)

35.

Li, X., Hu, H., Bai, G., Jia, Y., Liang, Z., Saxena, P.: Droidvault: a trusted data vault for android devices. In: 2014 19th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 29–38 (2014)

36.

Bente, I., Dreo, G., Hellmann, B., Heuser, S., Vieweg, J., von Helden, J., Westhuis, J.: Towards permission-based attestation for the android platform. In: Trust and Trustworthy Computing. Volume 6740 of Lecture Notes in Computer Science, pp. 108–115. Springer, Berlin (2011)

37.

Park, J., Sandhu, R.: The \({UCON}_{ABC}\) usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)CrossRef

38.

Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8(4), 351–387 (2005)CrossRef

39.

Pretschner, A., Hilty, M., Basin, D.A.: Distributed usage control. Commun. ACM 49(9), 39–44 (2006)CrossRef

40.

Park, J., Zhang, X., Sandhu, R.S.: Attribute mutability in usage control. In: Research Directions in Data and Applications Security XVIII, IFIP TC11/WG 11.3 Eighteenth Annual Conference on Data and Applications Security, pp. 15–29 (2004)

41.

Zhang, X., Nakae, M., Covington, M.J., Sandhu, R.: Toward a usage-based security framework for collaborative computing systems. ACM Trans. Inf. Syst. Secur. 11(1), 3:1–3:36 (2008)CrossRef

42.

OASIS: eXtensible Access Control Markup Language (XACML) version 3.0 (2013)

43.

Kumari, P., Pretschner, A., Peschla, J., Kuhn, J.: Distributed data usage control for web applications: a social network implementation. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, CODASPY 2011, pp. 85–96 (2011)

44.

Birnstill, P., Pretschner, A.: Enforcing privacy through usage-controlled video surveillance. In: 10th IEEE International Conference on Advanced Video and Signal Based Surveillance, AVSS 2013, Krakow, Poland. IEEE, pp. 318–323 (2013), 27–30 Aug 2013

45.

Martinelli, F., Mori, P.: On usage control for grid systems. Future Gener. Comput. Syst. 26(7), 1032–1042 (2010)CrossRef

46.

Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., Mori, P.: Testing of polpa authorization systems. Softw. Qual. J. 22(2), 241–271 (2014)CrossRef

47.

Lazouski, A., Mancini, G., Martinelli, F., Mori, P.: Architecture, workflows, and prototype for stateful data usage control in cloud. In: 2014 IEEE Security and Privacy Workshop, IEEE Computer Society, pp. 23–30 (2014)

48.

Armstrong, D.: An introduction to file integrity checking on unix systems (2003). https://www.giac.org/paper/gcux/188/introduction-file-integrity-checking-unix-systems/104739

49.

Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. Secur. Priv. IEEE 7(1), 50–57 (2009)CrossRef

50.

Nauman, M., Khan, S., Zhang, X., Seifert, J.P.: Beyond kernel-level integrity measurement: Enabling remote attestation for the android platform. In: Acquisti, A., Smith, S., Sadeghi, A.R. (eds.) Trust andTrustworthy Computing. Volume 6101 of Lecture Notes in Computer Science, pp. 1–15. Springer, Berlin (2010)

Titel: Stateful Data Usage Control for Android Mobile Devices
verfasst von: Aliaksandr Lazouski
Fabio Martinelli
Paolo Mori
Andrea Saracino
Publikationsdatum: 17.06.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 4/2017
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-016-0336-y

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2017

Designing vulnerability testing tools for web services: approach, components, and tools

TermID: a distributed swarm intelligence-based approach for wireless intrusion detection

HiveSec: security in resource-constrained wireless networks inspired by beehives and bee swarms

Network-based detection of Android malicious apps

ADroid: anomaly-based detection of malicious events in Android platforms