Collaborative verification of information flow for a high-assurance app store

Download: PDF, slides (PDF), SPARTA toolset and experimental data.

“Collaborative verification of information flow for a high-assurance app store” by Michael D. Ernst, René Just, Suzanne Millstein, Werner Dietl, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul Vines, and Edward X. Wu. In CCS 2014: Proceedings of the 21st ACM Conference on Computer and Communications Security, (Scottsdale, AZ, USA), Nov. 2014, pp. 1092-1104.
A previous version appeared as “Collaborative verification of information flow for a high-assurance app store” by Michael D. Ernst, René Just, Suzanne Millstein, Werner M. Dietl, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul Vines, and Edward X. Wu. University of Washington Department of Computer Science and Engineering technical report UW-CSE-14-04-02, (Seattle, WA, USA), Apr. 2014.

Abstract

Current app stores distribute some malware to unsuspecting users, even though the app approval process may be costly and time-consuming. High-integrity app stores must provide stronger guarantees that their apps are not malicious. We propose a verification model for use in such app stores to guarantee that the apps are free of malicious information flows. In our model, the software vendor and the app store auditor collaborate — each does tasks that are easy for her/him, reducing overall verification cost. The software vendor provides a behavioral specification of information flow (at a finer granularity than used by current app stores) and source code annotated with information-flow type qualifiers. A flow-sensitive, context-sensitive information-flow type system checks the information flow type qualifiers in the source code and proves that only information flows in the specification can occur at run time. The app store auditor uses the vendor-provided source code to manually verify declassifications.

We have implemented the information-flow type system for Android apps written in Java, and we evaluated both its effectiveness at detecting information-flow violations and its usability in practice. In an adversarial Red Team evaluation, we analyzed 72 apps (576,000 LOC) for malware. The 57 Trojans among these had been written specifically to defeat a malware analysis such as ours. Nonetheless, our information-flow type system was effective: it detected 96% of malware whose malicious behavior was related to information flow and 82% of all malware. In addition to the adversarial evaluation, we evaluated the practicality of using the collaborative model. The programmer annotation burden is low: 6 annotations per 100 LOC. Every sound analysis requires a human to review potential false alarms, and in our experiments, this took 30 minutes per 1,000 LOC for an auditor unfamiliar with the app.
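The abstract describes the division of labour, but not what the checker actually computes. The toy below is an added illustration, not SPARTA code and not the paper's Java type system: it models the same three ideas (a vendor-supplied flow policy of allowed source-to-sink pairs, a flow-sensitive label computation in which a variable's label is whatever it holds at the current program point, and explicit declassification statements that the checker accepts but records for the auditor) over a tiny tuple-based statement language instead of annotated Java source. The source and sink names, the policy, and the three sample "apps" are all constructed for the example; context-sensitivity is omitted.

```python
"""Toy flow-sensitive information-flow checker (illustrative, not SPARTA)."""
from dataclasses import dataclass, field

# A label is the set of sources an expression may depend on.
# The empty set is public; the lattice join is set union.
Label = frozenset

# Constructed flow policy (the vendor's behavioral specification):
# each pair says information from SOURCE may reach SINK.
FLOW_POLICY = {
    ("LOCATION", "DISPLAY"),
    ("USER_INPUT", "DISPLAY"),
    ("USER_INPUT", "INTERNET"),
}


@dataclass
class Report:
    violations: list = field(default_factory=list)        # (stmt index, sink, offending sources)
    declassifications: list = field(default_factory=list)  # (stmt index, dropped sources, reason)


def label_of(expr, env):
    """Compute the label of an expression under the current variable environment."""
    kind = expr[0]
    if kind == "const":
        return Label()                      # literals carry no secret information
    if kind == "src":
        return Label({expr[1]})             # reading a source taints with that source
    if kind == "var":
        return env[expr[1]]                 # label at this program point, not at declaration
    if kind == "op":                        # any operator: join of all operand labels
        lbl = Label()
        for sub in expr[1:]:
            lbl |= label_of(sub, env)
        return lbl
    raise ValueError("unknown expression kind: %r" % kind)


def check(program, policy):
    """Walk straight-line code, tracking labels per program point.

    Sinks are checked against the policy; declassifications are permitted by the
    checker but reported so a human auditor can verify each one.
    """
    env, report = {}, Report()
    for i, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "assign":
            _, var, expr = stmt
            env[var] = label_of(expr, env)  # flow-sensitive update
        elif kind == "sink":
            _, sink, expr = stmt
            offending = {s for s in label_of(expr, env) if (s, sink) not in policy}
            if offending:
                report.violations.append((i, sink, sorted(offending)))
        elif kind == "declassify":
            _, var, expr, dropped, reason = stmt
            env[var] = label_of(expr, env) - Label(dropped)
            report.declassifications.append((i, sorted(dropped), reason))
        else:
            raise ValueError("unknown statement kind: %r" % kind)
    return report


# Constructed sample apps; tuples stand in for annotated Java statements.
BENIGN = [
    ("assign", "loc", ("src", "LOCATION")),
    ("assign", "msg", ("op", ("const", "You are at "), ("var", "loc"))),
    ("sink", "DISPLAY", ("var", "msg")),           # LOCATION -> DISPLAY is allowed
    ("assign", "query", ("src", "USER_INPUT")),
    ("sink", "INTERNET", ("var", "query")),        # USER_INPUT -> INTERNET is allowed
    ("assign", "loc", ("const", "")),              # loc is overwritten with public data ...
    ("sink", "INTERNET", ("var", "loc")),          # ... so this is fine (flow-sensitivity)
]

TROJAN = [
    ("assign", "loc", ("src", "LOCATION")),
    ("assign", "query", ("src", "USER_INPUT")),
    ("assign", "q2", ("op", ("var", "query"), ("var", "loc"))),  # smuggles location into the query
    ("sink", "INTERNET", ("var", "q2")),           # LOCATION -> INTERNET is not in the policy
]

DECLASSIFYING = [
    ("assign", "loc", ("src", "LOCATION")),
    ("declassify", "city", ("op", ("const", "city_of"), ("var", "loc")),
     ["LOCATION"], "only a coarse city name leaves the device"),
    ("sink", "INTERNET", ("var", "city")),         # accepted, but flagged for the auditor
]


if __name__ == "__main__":
    for name, app in (("benign", BENIGN), ("trojan", TROJAN), ("declassifying", DECLASSIFYING)):
        r = check(app, FLOW_POLICY)
        print(name, "violations:", r.violations, "declassifications:", r.declassifications)
```

The trojan is caught purely by the type computation: the join at the concatenation carries LOCATION into the INTERNET sink, and no annotation the vendor writes can hide that without a declassification, which is exactly the kind of statement the auditor is asked to read by hand.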

BibTeX entry:

@inproceedings{ErnstJMDPRKBBHVW2014,
   author = {Michael D. Ernst and Ren{\'e} Just and Suzanne Millstein and
	Werner Dietl and Stuart Pernsteiner and Franziska Roesner and Karl
	Koscher and Paulo Barros and Ravi Bhoraskar and Seungyeop Han and
	Paul Vines and Edward X. Wu},
   title = {Collaborative verification of information flow for a
	high-assurance app store},
   booktitle = {CCS 2014: Proceedings of the 21st ACM Conference on
	Computer and Communications Security},
   pages = {1092--1104},
   address = {Scottsdale, AZ, USA},
   month = nov,
   year = {2014}
}
