
Bring Your Own Device, Securely

A. Armando, G. Costa, A. Merlo, L. Verderame

28th Symposium On Applied Computing (SAC 2013)

Security Track

Agenda

- BYOD paradigm, Android and users
- Formal reasoning about Android
- Type and effect system for mobile apps
- Writing and verifying BYOD policies

The BYOD paradigm on mobile

- The Bring Your Own Device paradigm pushes the use of personal devices inside organizations.
- BYOD solutions must both
  1. allow users to freely personalize their devices outside the organization;
  2. guarantee the security of corporate data accessed by personal devices inside the organization.
- Mobile OSes do not provide a sufficient level of protection

Android, Security and Users

[Figure: the device owner installs apps A1, A2, ..., AN from an app market onto the personal device; the manifests of AX and AY each request "Internet" and "Access SD card".]

Manifests and apps

- Android applications ship with a manifest file that declares the permissions they require.
- Users must accept all the required permissions at install time (the install-time permission model of the Android releases current in 2013; runtime permission prompts only arrived with Android 6.0).
- Do users understand both the meaning and the impact of such permissions on their

Android and BYOD

[Figure: the same personal device, with apps A1, ..., AN from the app market whose manifests request Internet and SD card access, is now used inside the corporation.]

BYOD policy: «devices cannot access the network after accessing the local file system in the same session»

BYOD through secure meta-markets

[Figure: a secure meta-market sits between the app market and the personal device; the corporation's BYOD policy is applied there to the apps' manifests and code before an app is allowed onto the device.]

Programming Framework

An extension of Featherweight Java (FJ) with the Android app-to-system and app-to-app security-sensitive interactions:

$L ::= \mathtt{class}\ C\ \mathtt{extends}\ C'\ \{\ \bar D\ \bar f;\ K\ \bar M\ \}$   (class)

$K ::= C(\bar D\ \bar x)\ \{\ \mathtt{super}(\bar x);\ \mathtt{this}.\bar f := \bar x;\ \}$   (constructor)

$M ::= C\ m(D\ x)\ \{\ \mathtt{return}\ E;\ \}$   (method)

$E ::= \mathtt{null} \mid u \mid x \mid \mathtt{new}\ C(\bar E) \mid E.f \mid E.m(E') \mid \mathtt{system}\ \sigma\ E \mid E;\,E' \mid (C)\,E \mid \mathtt{if}\ (E = E')\ \{E_{tt}\}\ \mathtt{else}\ \{E_{ff}\} \mid \mathtt{thread}\ \{E\}\ \mathtt{in}\ \{E'\}$   (expressions)

Here $u$ ranges over constants (file names, URLs), $\sigma$ over the system operations (read, write, connect, ...), and $\mathtt{system}\ \sigma\ E$ is the app-to-system interaction. The app-to-app interactions are intents $I_\alpha(\cdot)$ for an action $\alpha$ carrying a datum (the example writes $I_{www}(\text{"http://ad.com"})$; the typing rule TINT types the two-component form $I_\alpha(E, E')$), sent with $\mathtt{icast}\ E$ (implicit cast, to any receiver registered for $\alpha$) or $\mathtt{ecast}_C\ E$ (explicit cast, to the receiver class $C$) and read back with $E.\mathtt{data}$; they appear in the example, in the operational semantics and in the typing rules.

A simple example

    class Browser extends Receiver {
      Browser() { super(); }
      void receive(I_www i) {
        return system connect i.data;
      }
    }

    class Game {
      Game() { super(); }
      void start() {
        return system read /sav;
               if (UsrAct = TouchAD) then {
                 icast I_www("http://ad.com");
               } else {
                 /* ... play ... */
                 system write /sav;
               };
      }
    }

The Browser is a receiver for www intents and connects to the URL they carry. The Game reads its save file and then either broadcasts a www intent for the ad URL (when the user touched the ad) or plays and writes the save file back. Method bodies are written FJ-style as `return E;` even when the result is not used.

Operational Semantics (Fragment)

Small-step semantics over configurations $\omega, E$, where $\omega$ is the trace of security-relevant actions performed so far:

$\omega, E \to \omega', E'$

(SYS2) $\quad \omega,\ \mathtt{system}\ \sigma\ u \;\to\; \omega \cdot \sigma(u),\ \mathtt{null}$

(METH3) $\quad \dfrac{mbody(m, C) = \bar x, E}{\omega,\ (\mathtt{new}\ C(\bar v)).m(\bar v') \;\to\; \omega,\ E[\bar v'/\bar x,\ (\mathtt{new}\ C(\bar v))/\mathtt{this}]}$

(EXPC2) $\quad \dfrac{\mathtt{new}\ C(\bar v) \in receiver(\alpha)}{\omega,\ \mathtt{ecast}_C\ I_\alpha(u) \;\to\; \omega,\ (\mathtt{new}\ C(\bar v)).\mathtt{receive}(I_\alpha(u))}$

(IMPC2) $\quad \dfrac{\mathtt{new}\ C(\bar v) \in receiver(\alpha)}{\omega,\ \mathtt{icast}\ I_\alpha(u) \;\to\; \omega,\ (\mathtt{new}\ C(\bar v)).\mathtt{receive}(I_\alpha(u))}$

(DATA2) $\quad \omega,\ I_\alpha(v).\mathtt{data} \;\to\; \omega,\ v$

A system call extends the trace with the action $\sigma(u)$. Casting an intent hands it to the `receive` method of a registered receiver object: EXPC2 selects the named class $C$, IMPC2 any receiver registered for $\alpha$. Method call is FJ's body substitution, and `.data` extracts the intent's datum.

History Expressions

- Syntax

$H, H' ::= \varepsilon \mid h \mid \alpha\chi(u) \mid \alpha_C\, h.H \mid \sigma(u) \mid H \cdot H' \mid H + H' \mid H \parallel H' \mid \mu h.H$

$\varepsilon$ is the empty history and $\sigma(u)$ a system action; $\alpha\chi(u)$ is an intent action for $\alpha$ carrying $u$, with $\chi = {?}$ for an implicit cast and $\chi = C$ for an explicit one; $\alpha_C\, h.H$ declares a receiver of class $C$ for $\alpha$ whose body $H$ uses $h$ as the placeholder for what it will receive; $\cdot$, $+$, $\parallel$ and $\mu$ are sequence, choice, parallel composition and recursion.

- Semantics (labelled transitions $H \xrightarrow{a} H'$; $\rho(\alpha)$ is the set of receiver declarations registered for $\alpha$)

$\sigma(u) \xrightarrow{\sigma(u)} \varepsilon \qquad\qquad \alpha\chi(u) \xrightarrow{\alpha\chi(u)} \varepsilon$

$\dfrac{H \xrightarrow{\alpha\chi(u)} H''}{H \doteq \sum H'\{\alpha?(u)/h\}} \quad \text{s.t. } \alpha_C\, h.H' \in \rho(\alpha) \text{ and } \chi \sqsubseteq C$

$\dfrac{H \doteq \tilde H \qquad \tilde H \xrightarrow{a} H''}{H \xrightarrow{a} H''}$

$\dfrac{H \xrightarrow{a} H''}{H \cdot H' \xrightarrow{a} H'' \cdot H'} \qquad \dfrac{H \xrightarrow{a} H''}{H \parallel H' \xrightarrow{a} H'' \parallel H'} \qquad \dfrac{H' \xrightarrow{a} H''}{H \parallel H' \xrightarrow{a} H \parallel H''}$

$\dfrac{H \xrightarrow{a} H''}{H + H' \xrightarrow{a} H''} \qquad \dfrac{H' \xrightarrow{a} H''}{H + H' \xrightarrow{a} H''} \qquad \dfrac{H\{\mu h.H/h\} \xrightarrow{a} H'}{\mu h.H \xrightarrow{a} H'}$

An intent action is resolved against the installed receivers: a history that can perform $\alpha\chi(u)$ is equated ($\doteq$) with the sum over every receiver declaration $\alpha_C\, h.H' \in \rho(\alpha)$ compatible with $\chi$ (that is, $\chi = {?}$ or $\chi = C$) of that receiver's body, and transitions are taken up to $\doteq$ (which we also read as identifying $\varepsilon \cdot H$ with $H$, so that a sequence continues after its first component terminates). In the example this is what turns $www?(\text{"http://ad.com"})$ into the Browser's $connect(\text{"http://ad.com"})$.

Type and Effect System

- Types and type environment

$\tau, \tau' ::= \mathbb{1} \mid U \mid I_\alpha(U) \mid C \qquad\qquad \Gamma, \Gamma' ::= \emptyset \mid \Gamma\{\tau/x\}$

$\mathbb{1}$ is the unit type, $U$ a finite set of constants the expression may evaluate to, $I_\alpha(U)$ the type of intents for $\alpha$ carrying a datum in $U$, and $C$ a class. Judgements have the form $\Gamma \vdash E : \tau \triangleright H$: under $\Gamma$, $E$ has type $\tau$ and its execution produces a history described by $H$.

- Typing rules

(TSYS) $\quad \dfrac{\Gamma \vdash E : U \triangleright H}{\Gamma \vdash \mathtt{system}\ \sigma\ E : \mathbb{1} \triangleright H \cdot \sum_{u \in U} \sigma(u)}$

(TINT) $\quad \dfrac{\Gamma \vdash E : U \triangleright H \qquad \Gamma \vdash E' : \tau \triangleright H'}{\Gamma \vdash I_\alpha(E, E') : I_\alpha(U, \tau) \triangleright H \cdot H'}$

(TIMPC) $\quad \dfrac{\Gamma \vdash E : I_\alpha(U) \triangleright H}{\Gamma \vdash \mathtt{icast}\ E : \mathbb{1} \triangleright H \cdot \sum_{u \in U} \alpha?(u)}$

(TEXPC) $\quad \dfrac{\Gamma \vdash E : I_\alpha(U) \triangleright H}{\Gamma \vdash \mathtt{ecast}_C\ E : \mathbb{1} \triangleright H \cdot \sum_{u \in U} \alpha_C(u)}$

The effect of a system call or of an intent cast is the sum (nondeterministic choice) over every constant its argument may take, after the effect of evaluating the argument itself; the history therefore over-approximates the actions the code can perform, which is what makes checking it against a policy sound.
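The rules above applied mechanically, as an added example (not the authors' type checker): a small effect-inference function over a tuple-encoded AST of the expression forms used by the Game and Browser of the "A simple example" slide. The AST encoding, the rules for `if`, `;` and `thread` (not shown on the slide; the condition's operands contribute their effects in sequence and the two branches become a choice), the treatment of objects and method calls (left out), and the placeholder datum `h` used to type the Browser's parameter are all assumptions of this example. Run on Game.start it returns exactly the history that the "Policy compliance" slide lists as an assumption, read(/sav) · (www?("http://ad.com") + write(/sav)), and on Browser.receive the receiver body connect(h).

```python
"""Effect inference for the Game / Browser example; an added illustration of the
type-and-effect rules, not the authors' type checker.  Assumed mini-AST:
  ('null',) | ('val', u) | ('var', x) | ('data', E)            -- I_alpha(u).data
  ('sys', sigma, E) | ('seq', E, E') | ('if', E, E', E_tt, E_ff)
  ('intent', alpha, E) | ('icast', E) | ('ecast', C, E) | ('thread', E, E')
Types are UNIT, a frozenset U of possible constants, ('I', alpha, U) or a class
name.  Histories: EPS, ('act', sigma, u), ('intent', alpha, u, C_or_None) and
('seq' | 'choice' | 'par', H, H').
"""
EPS = ('eps',)
UNIT = '1'


def seq(H1, H2):
    """H1 . H2, with epsilon as the neutral element."""
    if H1 == EPS:
        return H2
    return H1 if H2 == EPS else ('seq', H1, H2)


def choice(Hs):
    """H1 + H2 + ...; the sum over a single history is that history."""
    return Hs[0] if len(Hs) == 1 else ('choice', Hs[0], choice(Hs[1:]))


def effect(E, env=()):
    """Gamma |- E : tau . H  -> returns (tau, H).  env is Gamma as (x, tau) pairs."""
    k = E[0]
    if k == 'null':
        return UNIT, EPS
    if k == 'val':                              # a constant has the singleton type {u}
        return frozenset([E[1]]), EPS
    if k == 'var':                              # type taken from Gamma, no effect
        return dict(env)[E[1]], EPS
    if k == 'data':                             # I_alpha(u).data yields the datum
        (_, _, U), H = effect(E[1], env)
        return U, H
    if k == 'sys':                              # (TSYS): H . sum_{u in U} sigma(u)
        U, H = effect(E[2], env)
        return UNIT, seq(H, choice([('act', E[1], u) for u in sorted(U)]))
    if k == 'seq':                              # E ; E'
        _, H1 = effect(E[1], env)
        t2, H2 = effect(E[2], env)
        return t2, seq(H1, H2)
    if k == 'if':                               # both operands run, then either branch
        _, c1, c2, Ett, Eff = E
        _, Hc1 = effect(c1, env)
        _, Hc2 = effect(c2, env)
        t, Ht = effect(Ett, env)
        _, Hf = effect(Eff, env)
        return t, seq(seq(Hc1, Hc2), choice([Ht, Hf]))
    if k == 'intent':                           # (TINT), data component only
        U, H = effect(E[2], env)
        return ('I', E[1], U), H
    if k in ('icast', 'ecast'):                 # (TIMPC) / (TEXPC)
        target = E[1] if k == 'ecast' else None
        (_, alpha, U), H = effect(E[-1], env)
        return UNIT, seq(H, choice([('intent', alpha, u, target) for u in sorted(U)]))
    if k == 'thread':                           # thread {E} in {E'}: H || H'
        _, H1 = effect(E[1], env)
        t2, H2 = effect(E[2], env)
        return t2, ('par', H1, H2)
    raise ValueError(f'unsupported expression form {k!r}')


# The bodies of Game.start and Browser.receive from the slides, encoded as above.
GAME_START = ('seq', ('sys', 'read', ('val', '/sav')),
              ('if', ('var', 'UsrAct'), ('val', 'TouchAD'),
               ('icast', ('intent', 'www', ('val', 'http://ad.com'))),
               ('sys', 'write', ('val', '/sav'))))
GAME_ENV = (('UsrAct', frozenset(['TouchAD', 'TouchPlay'])),)   # assumed user actions
BROWSER_RECEIVE = ('sys', 'connect', ('data', ('var', 'i')))
# The receiver is typed with the placeholder datum 'h' for the not-yet-known intent
# data, which yields the declaration www_Browser h . connect(h) used as rho(www).
BROWSER_ENV = (('i', ('I', 'www', frozenset(['h']))),)

if __name__ == '__main__':
    print('Game.start     :', effect(GAME_START, GAME_ENV)[1])
    print('Browser.receive:', effect(BROWSER_RECEIVE, BROWSER_ENV)[1])
```

When the argument of a system call may take several constants (a variable of type {"/a", "/b"}), the TSYS rule produces a choice of one action per constant, which is the over-approximation the slide describes.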

Type and Effect System: Properties

Lemma (progress). For each closed (i.e., without free variables) expression $E$, environment $\Gamma$, history expression $H$, type $\tau$ and trace $\omega$, if $\Gamma \vdash E : \tau \triangleright H$ then either $E$ is a value or $\omega, E \to \omega', E'$ (for some $\omega', E'$).

Theorem. For each closed expression $E$, history expression $H$, type $\tau$ and trace $\omega$, if $\emptyset \vdash E : \tau \triangleright H$ and $\cdot, E \to \omega, E'$ then there exist $H'$ and

Security Policies

Policy language: Hennessy-Milner Logic (HML with negation and parametric actions)

$\varphi, \varphi' ::= tt \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \langle \sigma(\dot x) \rangle \varphi$

where $\dot x$ is either a constant $u$ or a variable $x$ that matches any datum.

Validation of history expressions against policies ($H \models \varphi$):

$H \models tt$   (true)

$H \models \neg\varphi \iff H \not\models \varphi$   (negation)

$H \models \varphi \wedge \varphi' \iff H \models \varphi \text{ and } H \models \varphi'$   (conjunction)

$H \models \langle \sigma(u) \rangle \varphi \iff H \xrightarrow{\sigma(u)} H' \text{ and } H' \models \varphi$   (c-diamond)

$ff$ and disjunction are derived as usual ($ff = \neg tt$, $\varphi \vee \varphi' = \neg(\neg\varphi \wedge \neg\varphi')$). The c-diamond clause is the case of a constant $u$; with a variable $x$ (the a-diamond case used on the next slide) the transition may carry any datum $u$, which is then substituted for $x$ in $\varphi$.

Policy compliance in our Example

Assumptions:

- $H = read(/sav) \cdot (www?(\text{"http://ad.com"}) + write(/sav))$   (the history of Game.start)
- $\varphi = \langle read(x) \rangle . \langle connect(y) \rangle . ff$
- $\rho(www) = \{\, www_{Browser}\ h . connect(\text{"http://ad.com"}) \,\}$   (the Browser is the receiver installed for www)

Does $H \models \varphi$?

Proof:

$read(/sav) \cdot (www?(\text{"http://ad.com"}) + write(/sav)) \models \langle read(x) \rangle . \langle connect(y) \rangle . ff$

$\iff$ (a-diamond)

$www?(\text{"http://ad.com"}) + write(/sav) \models \langle connect(y) \rangle . ff$

$=$ (HE choice)

$www?(\text{"http://ad.com"}) \models \langle connect(y) \rangle . ff$

$=$ (HE intent)

$connect(\text{"http://ad.com"}) \models \langle connect(y) \rangle . ff$

$\iff$ (a-diamond)

$\varepsilon \models ff$

The last line does not hold, so $H \not\models \varphi$. (HE choice) keeps the summand that can perform the requested action (the $write(/sav)$ branch cannot), and (HE intent) replaces the intent action by the body of the receiver found in $\rho(www)$. Note what the chain actually establishes: under the diamond clause a formula ending in $ff$ can never be satisfied, so the informative part is that $H$ does admit a read followed, once the intent is resolved through the Browser, by a connect. The BYOD policy "no network access after a local file access" is the negated formula $\neg\langle read(x) \rangle \langle connect(y) \rangle tt$: $H$ violates it as soon as a receiver for www is installed, and satisfies it when none is, which is why compliance has to be re-checked against the device configuration rather than per app.

Partial Model Checking

- Problem: check a new application against the current device configuration and the policy.
- PMC partially evaluates a formula against a model, using reduction rules that transfer information from the model into the formula that remains to be satisfied.
- PMC was originally defined for the $\mu$-calculus; we adapted it to HML by redefining the operator $\cdot /\!/ \cdot$ for partial evaluation against parallel composition:

$tt /\!/ H = tt$

$(\neg\varphi) /\!/ H = \neg(\varphi /\!/ H)$

$(\varphi \wedge \varphi') /\!/ H = \varphi /\!/ H \;\wedge\; \varphi' /\!/ H$

$(\langle \sigma(u) \rangle \varphi) /\!/ H = \langle \sigma(u) \rangle (\varphi /\!/ H) \;\vee \bigvee_{H \xrightarrow{\sigma(u)} H'} \varphi /\!/ H'$

$(\langle \sigma(x) \rangle \varphi) /\!/ H = \langle \sigma(x) \rangle (\varphi /\!/ H) \;\vee \bigvee_{H \xrightarrow{\sigma(u)} H'} \varphi\{u/x\} /\!/ H'$

In the diamond cases either the component being checked performs $\sigma$ itself, or the already-known component $H$ does and the rest of the formula is evaluated against its residual $H'$.

Theorem. $H \models \varphi /\!/ H' \iff H \parallel H' \models \varphi$
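The checking side of the two preceding slides, as an added example that is not the authors' BYODroid code: history expressions as a transition system (with intents resolved through the receiver table), HML satisfaction with constant and parametric actions, the $\cdot /\!/ \cdot$ quotient, and the Security Policy Manager's fold $\varphi /\!/ A_1 /\!/ \dots /\!/ A_n$. Assumptions: the tuple encodings in the docstring; a recursion-free fragment (no $\mu$), so every run is finite and the checks terminate; the Browser's receiver body is written $connect(h)$ with the hole filled by the intent's datum (as its code does) rather than with the constant the slide shows; and the extra UI and chat histories are constructed for the PMC scenario. It reproduces the slide's result (the formula ending in $ff$ fails), shows that the Game violates $\neg\langle read(x)\rangle\langle connect(y)\rangle tt$ only when a www receiver is installed, and shows a connect-only app being rejected next to an installed app that reads a file.

```python
"""History expressions, HML policies with parametric actions and partial model
checking, as an added illustration; not the authors' BYODroid code.  Encodings:
  history H   EPS | ('act', sigma, u) | ('intent', alpha, u, C_or_None)
              | ('seq', H, H') | ('choice', H, H') | ('par', H, H')
              (closed and recursion-free: no mu h.H, so every run is finite)
  receivers   rho[alpha] = [(C, h, H)] for a declaration alpha_C h.H; the hole h
              is a placeholder datum inside H replaced by the intent's datum
  policy f    TT | ('not', f) | ('and', f, g) | ('or', f, g)   ('or' is derived)
              | ('dia', sigma, ('val', u), f)    <sigma(u)> f
              | ('dia', sigma, ('var', x), f)    <sigma(x)> f, any datum matches
"""
EPS = ('eps',)
TT = ('tt',)
FF = ('not', TT)

def fill_hole(H, h, u):
    """H{u/h}: put the intent's datum u where the receiver's hole h occurs."""
    if H[0] in ('act', 'intent'):
        return (H[0], H[1], u if H[2] == h else H[2]) + H[3:]
    if H[0] in ('seq', 'choice', 'par'):
        return (H[0], fill_hole(H[1], h, u), fill_hole(H[2], h, u))
    return H

def steps(H, rho):
    """Transitions of H: a list of ((sigma, u), H') with H --sigma(u)--> H'."""
    k = H[0]
    if k == 'act':
        return [((H[1], H[2]), EPS)]
    if k == 'intent':                       # (HE intent): alpha?(u) stands for the sum
        _, alpha, u, target = H             # of the matching receivers' bodies; with
        bodies = [fill_hole(body, h, u)     # no receiver installed it is stuck
                  for C, h, body in rho.get(alpha, []) if target in (None, C)]
        return [t for body in bodies for t in steps(body, rho)]
    if k == 'seq':
        if H[1] == EPS:                     # epsilon . H' behaves as H'
            return steps(H[2], rho)
        return [(a, ('seq', H1, H[2])) for a, H1 in steps(H[1], rho)]
    if k == 'choice':
        return steps(H[1], rho) + steps(H[2], rho)
    if k == 'par':
        return ([(a, ('par', H1, H[2])) for a, H1 in steps(H[1], rho)] +
                [(a, ('par', H[1], H2)) for a, H2 in steps(H[2], rho)])
    return []                               # epsilon: nothing left to do

def matches(arg, u):
    """Does the action parameter of a diamond (constant or variable) match u?"""
    return arg[0] == 'var' or arg[1] == u

def sat(H, f, rho):
    """H |= f, following the tt / negation / conjunction / diamond clauses."""
    k = f[0]
    if k == 'tt':
        return True
    if k == 'not':
        return not sat(H, f[1], rho)
    if k == 'and':
        return sat(H, f[1], rho) and sat(H, f[2], rho)
    if k == 'or':
        return sat(H, f[1], rho) or sat(H, f[2], rho)
    _, sigma, arg, body = f                 # diamond: some matching step, then body
    return any(sat(H1, body, rho) for (s, u), H1 in steps(H, rho)
               if s == sigma and matches(arg, u))

def quotient(f, H, rho):
    """f // H: what G must satisfy for G || H to satisfy f (the PMC rules)."""
    k = f[0]
    if k == 'tt':
        return TT
    if k == 'not':
        return ('not', quotient(f[1], H, rho))
    if k in ('and', 'or'):
        return (k, quotient(f[1], H, rho), quotient(f[2], H, rho))
    _, sigma, arg, body = f
    out = ('dia', sigma, arg, quotient(body, H, rho))   # G performs sigma itself ...
    for (s, u), H1 in steps(H, rho):                    # ... or the installed app H
        if s == sigma and matches(arg, u):              # does, and the rest continues
            out = ('or', out, quotient(body, H1, rho))  # against its residual H'
    return out

def admit(H_new, phi, installed, rho):
    """Security Policy Manager: does the new app satisfy phi // A1 // ... // An?"""
    for H in installed:
        phi = quotient(phi, H, rho)
    return sat(H_new, phi, rho)

# Constructed inputs after the slides' example: the Game's history, the Browser
# as receiver of www intents (connect on the received datum), and two policies.
H_GAME = ('seq', ('act', 'read', '/sav'),
          ('choice', ('intent', 'www', 'http://ad.com', None), ('act', 'write', '/sav')))
RHO = {'www': [('Browser', 'h', ('act', 'connect', 'h'))]}
PHI_SLIDE = ('dia', 'read', ('var', 'x'), ('dia', 'connect', ('var', 'y'), FF))
PHI_BYOD = ('not', ('dia', 'read', ('var', 'x'), ('dia', 'connect', ('var', 'y'), TT)))
# Assumed extra apps for the PMC scenario: a UI app that touches its own
# preferences file and a chat app that only opens a connection.
H_UI = ('seq', ('act', 'read', '/prefs'), ('act', 'write', '/prefs'))
H_CHAT = ('act', 'connect', 'https://chat.example')

if __name__ == '__main__':
    print('Game |= slide formula, Browser installed:', sat(H_GAME, PHI_SLIDE, RHO))
    print('Game |= BYOD policy, Browser installed  :', sat(H_GAME, PHI_BYOD, RHO))
    print('Game |= BYOD policy, no www receiver    :', sat(H_GAME, PHI_BYOD, {}))
    print('Chat admitted next to the running UI app:', admit(H_CHAT, PHI_BYOD, [H_UI], RHO))
```

`admit` is the manager's view: the policy is quotiented once per installed app and only the newcomer's own history is explored at install time, which is cheaper than model checking the whole parallel composition; the PMC theorem guarantees both give the same verdict, and the chat app is refused because the UI's file read interleaved with its connect violates the session policy even though neither app violates it alone.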

Security Policy Manager

[Figure: device registration phase and later installs. Starting from the BYOD policy $\varphi$ with A1 on the device, the manager partially evaluates it to $\varphi /\!/ A_1$; installing A3 yields $\varphi /\!/ A_1 /\!/ A_3$; an attempt to install A2 is then decided by checking A2 alone against $\varphi /\!/ A_1 /\!/ A_3$.]

- A1: UI;
- A2: Game;
- A3: Browser;

Conclusion

Open issues and future developments:

- Expressiveness of policies: other policy languages (e.g. ConSpec);
- Inconclusive analysis and run-time policies: instrumenting and monitoring of applications;
- Uninstalling applications is cumbersome: design solutions to inhibit the execution of non-compliant applications;
- BYODroid works on a single BYOD policy: enhancements for supporting many policies and policy switching.
