On-Device Control Flow Verification for Java Programs
While mobile devices have become ubiquitous and generally multi-application capable, their operating systems provide few high-level mechanisms to protect services offered by application vendors against potentially hostile applications coexisting on the device. In this paper, we tackle the issue of controlling application interactions, including collusion, in Java-based systems running on open, constrained devices such as smart cards or mobile phones. We present a model specially designed to be embedded in constrained devices to verify on-device, at loading time, that interactions between applications abide by the security policies of each involved application, without resulting in run-time computation overheads. This model deals with application (un)installations and policy changes in an incremental fashion. We sketch the application of our approach and its security enhancements on a multi-application use case for GlobalPlatform/Java Card smart cards.
Keywords: Smart Card, Security Policy, Java Program, Java Virtual Machine, Call Graph