DCert: Find the Leak in Your Pocket
share
Static data-flow analysis has proven its effectiveness in assessing security of applications. One major challenge it faces is scalability to large software. This issue is even exacerbated when additional limitations on computing and storage resources are imposed, as is the case for mobile devices. In such cases the analysis is performed on a conventional computer. This poses two problems. First, a man-in-the-middle attack can tamper with an analyzed application. So once on the mobile device, what guarantees that the actual version is not corrupt. Second, the analysis itself might be broken leading to an erroneous result. As a solution, we present DCert a tool for checking and certifying data-flow properties that consists of two components: a (heavy- weight) analyzer and a (lightweight) checker. The analyzer is deployed on a conventional computer. It verifies the conformance of a given application to a specified policy and generates a certificate attesting the validity of the analysis result. It suffices then for the checker, on a mobile device, to perform a linear pass in the application size to validate or refute the certificate as well as the policy. This allows us to separate the verification and the checking process while ensuring a trust relationship between them via the certificate. We describe DCert and report on experimental results obtained for real-world applications.
READ FULL TEXT