collaborative verification of information flow for a high
play

Collaborative Verification of Information Flow for a High-Assurance - PowerPoint PPT Presentation

Jun 11, 2023 •383 likes •1.24k views

Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst, Ren Just , Suzanne Millstein, Werner Dietl*, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul

  1. Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst, René Just , Suzanne Millstein, Werner Dietl*, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul Vines, and Edward X. Wu University of Washington *University of Waterloo November 6, 2014

  2. Introduction Approach Evaluation Conclusion Current commercial app stores Several hundred Approval process new apps per day René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 1/24

  3. Introduction Approach Evaluation Conclusion Current commercial app stores Several hundred Approval process new apps per day Problem: Every major app store has approved malware! René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 1/24

  4. Introduction Approach Evaluation Conclusion Current commercial app stores Several hundred Approval process new apps per day Problem: Every major app store has approved malware! Best-effort solution: Malware removed when encountered René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 1/24

  5. Introduction Approach Evaluation Conclusion High-assurance app stores Needed in multiple domains ◮ Government app stores (e.g., DoD) ◮ Corporate app stores (e.g., financial sector) ◮ App stores for medical apps Require stronger guarantees ◮ Verified absence of (certain types of) malware Verification is costly ◮ Effort is solely on app store side ◮ Analyst needs to understand/reverse-engineer the app René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 2/24

  6. Introduction Approach Evaluation Conclusion High-assurance app stores Needed in multiple domains ◮ Government app stores (e.g., DoD) ◮ Corporate app stores (e.g., financial sector) ◮ App stores for medical apps Require stronger guarantees ◮ Verified absence of (certain types of) malware Verification is costly ◮ Effort is solely on app store side ◮ Analyst needs to understand/reverse-engineer the app Our solution: Collaboratively verify absence of malware Our focus: Information-flow malware René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 2/24

  7. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Read location Internet Sudoku René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  8. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Read location Internet Sudoku René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  9. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Read location Internet Sudoku Read location Internet Camera René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  10. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Read location Internet Sudoku Read location Internet Camera René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  11. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  12. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  13. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Read location Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  14. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Read location Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  15. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Read location Location → Internet Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  16. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Read location Location → Internet Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  17. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Location → Read location Location → BadGuy.com Internet Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  18. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Sudoku Read location Location → Internet Internet Camera Location → Read location Location → BadGuy.com Internet Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  19. Introduction Approach Evaluation Conclusion Example: Information-flow malware App Permissions Information flow Read location Internet Prevent malware using an Sudoku information flow type-system Read location Location → Internet Internet Camera Location → Read location Location → BadGuy.com Internet Internet Map René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 3/24

  20. Introduction Approach Evaluation Conclusion Approach: Overview Collaborative verification model ◮ Leverage but don’t trust the developer Information Flow Type-checker (IFT) ◮ Finer-grained permission model for Android ◮ False positives and declassifications ◮ Implicit information flow Evaluation ◮ Effectiveness: Effective for real malware in real apps ◮ Usability: Low annotation and auditing burden René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 4/24

  21. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Annotated description source code René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

  22. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Declassification Information Annotated description justifications flow policy source code High-level description of information flows in app ( LOCATION -> INTERNET ) René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

  23. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Declassification Information Annotated description justifications flow policy source code App store verifies René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

  24. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Declassification Information Annotated description justifications flow policy source code 1 Analyst verifies: acceptable behavior App store verifies René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

  25. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Declassification Information Annotated description justifications flow policy source code 1 2 Analyst verifies: Type checker verifies: acceptable behavior annotations consistent App store verifies René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

  26. Introduction Approach Evaluation Conclusion Collaborative verification model Developer provides App Declassification Information Annotated description justifications flow policy source code 1 2 3 Analyst verifies: Type checker verifies: Analyst verifies: acceptable behavior annotations consistent declassifications App store verifies René Just, UW CSE Collaborative Verification of Information Flow for a High-Assurance App Store 5/24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza, Raghavendra K.R., Barbara Sprick Indian Institute of Science, Bangalore, India An Automata Based Approach for Verification of Information Flow

696 views • 58 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

4/3/2008 Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not formal 1 4/3/2008 Idealised Flow High level Not formal Equally high level Formal spec. Math, expressive logic Idealised Flow High level

402 views • 22 slides
Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

749 views • 31 slides
Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub git-flow ZenHub Documentation Sphinx/ReadTheDocs (high-level manuals, how-tos, etc) Doxygen (low-level code details) JEDI Wiki

1.04k views • 51 slides
Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools Agile Project Management and Collaborative Workflow git/GitHub git-flow ZenHub Documentation Sphinx/ReadTheDocs (high-level manuals, how-tos, etc) Doxygen (low-level code details) JEDI Wiki

772 views • 62 slides
Collaborative Tools 1 Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools 1 Agile Project Management and Collaborative Workflow git/GitHub

Collaborative Tools 1 Agile Project Management and Collaborative Workflow git/GitHub git-flow ZenHub Documentation Sphinx/ReadTheDocs (high-level manuals, how-tos, etc) Doxygen (low-level code details) Computing

804 views • 34 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
Combining Graph-Based Information-Flow Analysis with KeY for Proving Non-Interference KeY

Combining Graph-Based Information-Flow Analysis with KeY for Proving Non-Interference KeY

Combining Graph-Based Information-Flow Analysis with KeY for Proving Non-Interference KeY Symposium | 27.07.2016 INSTITUTE FOR APPLICATION-ORIENTED FORMAL VERIFICATION , FACULTY OF INFORMATICS KIT University of the State of Baden-Wuerttemberg

409 views • 30 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
High-Flow Oxygen & Mechanical Ventilation Donna Lynch-Smith, DNP, ACNP-BC, APRN, NE-BC, CNL

High-Flow Oxygen & Mechanical Ventilation Donna Lynch-Smith, DNP, ACNP-BC, APRN, NE-BC, CNL

High-Flow Oxygen & Mechanical Ventilation Donna Lynch-Smith, DNP, ACNP-BC, APRN, NE-BC, CNL Associate Professor/AG-ACNP Concentration Coordinator UTHSC CON High-Flow Oxygen High-Flow Oxygen Nasal Cannula (HFNC) Oxygen Supply System

418 views • 20 slides
Enhancing Collaborative Research and Development with High Definition Video Conference David

Enhancing Collaborative Research and Development with High Definition Video Conference David

Enhancing Collaborative Research and Development with High Definition Video Conference David Abramson ARC Professorial Fellow Faculty of Information Technology, Monash University AUSTRALIA With special thanks to APAN (JB) and AARnet Nng

419 views • 40 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh

Toward Automated Info-Flow Integrity Verification (or, Fixing your security policy) Umesh Shankar (UC Berkeley) Trent Jaeger (Penn State / IBM) Reiner Sailer (IBM) The goal, with an example Integrity property: Trusted processes dont

317 views • 20 slides
Verification and Validation of Pseudospectral Shock Fitted Simulations of Supersonic Flow over a

Verification and Validation of Pseudospectral Shock Fitted Simulations of Supersonic Flow over a

Verification and Validation of Pseudospectral Shock Fitted Simulations of Supersonic Flow over a Blunt Body Gregory P . Brooks Air Force Research Laboratory, WPAFB, Ohio Joseph M. Powers University of Notre Dame, Notre Dame, Indiana 42nd

430 views • 24 slides
Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang Pennsylvania State University University Park, PA, USA {pzl129,zhang}@cse.psu.edu Background: Information Flow Analysis o Security enforcement to prevent

379 views • 24 slides
We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

510 views • 39 slides
5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene

5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene

5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene Sponsored by MEET YOUR SPEAKER Rhonda Greene, APSC Principal Solutions Consultant AvidXchange Current Challenges Understanding How to Save

434 views • 24 slides
Taking Your Cannabis Company Public In Canada With Marko Glisic Audit Partner at GreenGrowth

Taking Your Cannabis Company Public In Canada With Marko Glisic Audit Partner at GreenGrowth

Taking Your Cannabis Company Public In Canada With Marko Glisic Audit Partner at GreenGrowth CPAs About Us 1000+ Prepared Annual Tax Returns for cannabis operators spread across all verticals: Dispensary, distribution, cultivation,

405 views • 15 slides
Q2 2020 Earnings Call Supplemental Slides Kevin OMeara, Chief Executive Officer Geoff Krause,

Q2 2020 Earnings Call Supplemental Slides Kevin OMeara, Chief Executive Officer Geoff Krause,

July 30, 2020 Q2 2020 Earnings Call Supplemental Slides Kevin OMeara, Chief Executive Officer Geoff Krause, Chief Financial Officer Advisory Special Note Regarding Forward-Looking Statements Certain information and statements contained in

205 views • 18 slides
Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I? @vysecurity Vincent Yiu vincent.yiu@syonsecurity.com Founder of SYON Security Offensive Operations including Adversary Simulaton and Penetration

344 views • 33 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2 Introduction Intro

870 views • 35 slides
Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa Infrastructure Engineer https://keys.casa https://lopp.net asa @lopp A History Rife with Failure An estimated 4,000,000+ BTC lost. An estimated

346 views • 24 slides

More recommend