Information Flow Policies vs Malware -- Final Battle --

Radoniaina Andriatsimandefitra (1), Valérie Viet Triem Tong (1)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
IRISA-D1 - SYSTÈMES LARGE ÉCHELLE, Inria Rennes – Bretagne Atlantique , CentraleSupélec
Abstract: Application markets offer more than 700'000 applications: music, movies, games or small tools. It appears more and more difficult to propose an automatic and systematic method to analyse all of these applications. Google Bouncer [1] tries to keep malicious applications out of Google Play by analysing uploaded applications to find known malware and malicious behaviours. According to Google, this service decreased by 40% the number of potentially malicious applications downloaded from Google Play. However, Google Bouncer suffers from the same drawbacks as usual scan methods: it is ineffective at detecting unknown malicious behaviour and it may be costly. In this paper we propose another method to efficiently detect malicious actions of applications. Our proposal consists in a new scheme for submitting applications to the market place and installing applications on the device. More precisely, applications are uploaded with a companion information flow policy. A companion policy exactly describes where data used by the application can flow. The policies are studied for acceptance by reviewers. Accepted policies are certified by the market and are made publicly available. When a user acquires an application, he has to retrieve the certified version of its companion flow policy. The companion policy of the application is composed with the current flow policy enforced in the system. The application is then monitored, and each time the monitor detects an information flow not allowed by the composed flow policy it raises an alert or blocks the information flow. This way, only applications respecting an official policy accepted by the market can run normally. In this article we experiment with this proposal by proposing an efficient method to construct precise information flow policies. We show that these companion policies are relevant: a benign version of an application causes no security alert whereas a malicious version causes security alerts.
In a last part we show how these alerts can be transformed into a graph that helps make an early diagnosis of the attack.
Document type:
Journal article
Journal of Information Assurance and Security, Dynamic Publishers Inc., USA, 2014, 9 (2), pp.72-82

https://hal.inria.fr/hal-01062313
Contributor: Radoniaina Andriatsimandefitra
Submitted on: Tuesday 9 September 2014 - 15:51:22
Last modified on: Thursday 15 November 2018 - 11:57:50

Identifiers

  • HAL Id: hal-01062313, version 1

Citation

Radoniaina Andriatsimandefitra, Valérie Viet Triem Tong. Information Flow Policies vs Malware -- Final Battle --. Journal of Information Assurance and Security, Dynamic Publishers Inc., USA, 2014, 9 (2), pp.72-82. 〈hal-01062313〉
