Information-Flow Control in Modern App Platforms: Modeling, Formal Verification, and Controlled Declassification

Abstract

Smartphones are today used by people around the world to manage and organize many aspects of their digital life from financial and health information to everyday social interactions. Modern mobile OSs allow applications from a variety of vendors to be installed. These applications might not all be trustworthy. While mobile OSs employ several security measures to protect the user data, researchers have shown that these measures are not enough. Android, the most widespread smartphone OS in the market, has been vulnerable to attacks such as information leakage and privilege escalation. This thesis studies the application of information-flow control (IFC) schemes to Android. IFC can provide formally proven security guarantees that enable a high level of assurance. We start by proposing a tag-based IFC policy specification scheme and run-time enforcement mechanism for Android. This mechanism can prevent attacks such as information leakage and privilege escalation. Policies can be specified for apps andindividual components within an app. App-level policies are robustly enforced because Android provides strong isolation between apps. However, enforcement of component-level policies is best effort because Android allows components to communicate directly and avoid the monitoring of the enforcement mechanism. To bridge this gap, we develop a static analysis tool that detects direct informationflows between components. This tool can be used by developers to ensure that their apps lack such unmonitored flows, which makes component-level enforcementrobust. We used the tool to study more than 2,500 of the most popular Android apps. We found that about 17% of these apps do not use direct communications between components and thus have robust component-level enforcement. However, the majority of these apps had very well connected components, making enforcing component-level policies by, for example, preventing these flows throughinstrumentation, impractical. In addition, we developed a faithful process-calculus based model of Androidand our enforcement mechanism. We then formally prove that the model satisfies the basic noninterference property. However, basic noninterference only guarantees security in the absence of declassification. Declassification capabilities provide flexibility to the otherwise too strict IFC policies. Therefore, we propose a novel noninterference definition based on label versioning that, unlike other enhancednoninterference definitions, supports label reuse.Even more expressive policies can be supported if conditions can be specified to control declassification. We propose an enhancement to stateful declassificationthat supports the specification of such conditions based on global, app-level, and instance-level state. We show that this approach can be used to enforce interesting security policies.