poster

Raindroid: a system for run-time mitigation of Android intent vulnerabilities [poster]

Authors:

Bradley Schmerl,

Jeffrey Gennari,

Javier Cámara,

David GarlanAuthors Info & Claims

HotSos '16: Proceedings of the Symposium and Bootcamp on the Science of Security

Pages 115 - 117

https://doi.org/10.1145/2898375.2898389

Published: 19 April 2016 Publication History

Get Access

Abstract

Modern frameworks are required to be extendable as well as secure. However, these two qualities are often at odds. In this poster we describe an approach that uses a combination of static analysis and run-time management, based on software architecture models, that can improve security while maintaining framework extendability. We implement a prototype of the approach for the Android platform. Static analysis identifies the architecture and communication patterns among the collection of apps on an Android device and which communications might be vulnerable to attack. Run-time mechanisms monitor these potentially vulnerable communication patterns, and adapt the system to either deny them, request explicit approval from the user, or allow them.

References

[1]

M. Abi-Antoun, S. Chandrashekar, R. Vanciu, and A. Giang. Are object graphs extracted using abstract interpretation significantly different from the code? In SCAM 2014, 2014.

Digital Library

Google Scholar

[2]

S.-W. Cheng. Rainbow: Cost-Effective Software Architecture-Based Self-Adaptation. PhD thesis, Carnegie Mellon University, May 2008. Institute for Software Research Technical Report CMU-ISR-08-113.

Digital Library

Google Scholar

[3]

E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In MobiSys '11, 2011.

Digital Library

Google Scholar

[4]

D. Garlan, S.-W. Cheng, A.-C. Huang, B. Schmerl, and P. Steenkiste. Rainbow: Architecture-based self adaptation with reusable infrastructure. IEEE Computer, 37(10), October 2004.

Digital Library

Google Scholar

[5]

D. Garlan and B. Schmerl. Architecture-driven modelling and analysis. In Proceedings of the 11th Australian Workshop on Safety Related Programmable Systems (SCS'06), 2006.

Digital Library

Google Scholar

[6]

D. Jackson. Software Abstractions: Logic, Language, and Analysis. The MIT Press, 2006.

Digital Library

Google Scholar

[7]

G. A. Lewis and P. Lago. A catalog of architectural tactics for cyber-foraging. In Proceedings of the 11th International ACM SIGSOFT Conference on Quality of Software Architectures, QoSA '15, pages 53--62, New York, NY, USA, 2015. ACM.

Digital Library

Google Scholar

[8]

S. Poeplau, Y. Fratantonio, A. Bianchi, C. Kruegel, and G. Vigna. Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2014.

Crossref

Google Scholar

[9]

A. Sadeghi, H. Bagheri, and S. Malek. Analysis of android inter-app security vulnerabilities using COVERT. In ICSE 2015, 2015.

Digital Library

Google Scholar

[10]

B. Schmerl, J. Gennari, and D. Garlan. An architecture style for android security analysis: Poster. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS '15, pages 15:1--15:2, New York, NY, USA, 2015. ACM.

Digital Library

Google Scholar

[11]

R. Vanciu and M. Abi-Antoun. Ownership object graphs with dataflow edges. In 20th Working Conference on Reverse Engineering (WCRE), 2013.

Digital Library

Google Scholar

Cited By

View all

El-Zawawy MFaruki PConti M(2022)Formal model for inter-component communication and its security in androidComputing10.1007/s00607-022-01069-2104:8(1839-1865)Online publication date: 27-Mar-2022
https://doi.org/10.1007/s00607-022-01069-2
Zhang YWeng JWeng JHou LYang ALi MXiang YDeng R(2021)Looking Back! Using Early Versions of Android Apps as Attack VectorsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.291420218:2(652-666)Online publication date: 1-Mar-2021
https://doi.org/10.1109/TDSC.2019.2914202
Xiao YJia YLiu CCheng XYu JLv W(2019)Edge Computing Security: State of the Art and ChallengesProceedings of the IEEE10.1109/JPROC.2019.2918437107:8(1608-1631)Online publication date: Aug-2019
https://doi.org/10.1109/JPROC.2019.2918437
Show More Cited By

Index Terms

Raindroid: a system for run-time mitigation of Android intent vulnerabilities [poster]
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Information flow control
    2. Operating systems security
2. Software and its engineering
  1. Software notations and tools
    1. Context specific languages
      1. Domain specific languages
  2. Software organization and properties
    1. Software system structures
      1. Software architectures

Recommendations

Architectural Solutions to Mitigate Security Vulnerabilities in Software Systems
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security

Security issues emerging out of the constantly evolving software applications became a huge challenge to software security experts. In this paper, we propose a prototype to detect vulnerabilities by identifying their architectural sources and also use ...
Bittersweet ADB: Attacks and Defenses
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Android devices and applications become prevalent and ask for unanticipated capabilities thanks to the increased interests in smartphones and web applications. As a way to use the capabilities not directly available to ordinary users, applications have ...
Self-protection against business logic vulnerabilities
SEAMS '20: Proceedings of the IEEE/ACM 15th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

Attacks against business logic rules occur when the attacker exploits the domain rules in a malicious way. Such attacks have not received sufficient attention in research so far. In this paper, we propose a novel self-protecting approach that defends a ...

Comments

Information & Contributors

Information

Published In

HotSos '16: Proceedings of the Symposium and Bootcamp on the Science of Security

April 2016

138 pages

ISBN:9781450342773

DOI:10.1145/2898375

General Chairs:
William L. Scherlis
Carnegie Mellon University
,
David Brumley
Carnegie Mellon University

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 April 2016

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Security Agency

Conference

HotSoS '16

HotSoS '16: HotSos 2016 Science of Security

April 19 - 21, 2016

Pennsylvania, Pittsburgh

Acceptance Rates

Overall Acceptance Rate 34 of 60 submissions, 57%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
149
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

El-Zawawy MFaruki PConti M(2022)Formal model for inter-component communication and its security in androidComputing10.1007/s00607-022-01069-2104:8(1839-1865)Online publication date: 27-Mar-2022
https://doi.org/10.1007/s00607-022-01069-2
Zhang YWeng JWeng JHou LYang ALi MXiang YDeng R(2021)Looking Back! Using Early Versions of Android Apps as Attack VectorsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.291420218:2(652-666)Online publication date: 1-Mar-2021
https://doi.org/10.1109/TDSC.2019.2914202
Xiao YJia YLiu CCheng XYu JLv W(2019)Edge Computing Security: State of the Art and ChallengesProceedings of the IEEE10.1109/JPROC.2019.2918437107:8(1608-1631)Online publication date: Aug-2019
https://doi.org/10.1109/JPROC.2019.2918437
Sun HRosa AJaved OBinder W(2017)ADRENALIN-RV: Android Runtime Verification Using Load-Time Weaving2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST.2017.61(532-539)Online publication date: Mar-2017
https://doi.org/10.1109/ICST.2017.61

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Architectural Solutions to Mitigate Security Vulnerabilities in Software Systems

Bittersweet ADB: Attacks and Defenses

Self-protection against business logic vulnerabilities