TC: Medium: Collaborative Research: Program Analysis for Smartphone Application Security

TC：媒介：协作研究：智能手机应用程序安全的程序分析

• 批准号: 1064997
• 负责人: Jeffrey Foster
• 金额: $ 43.34万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-04-15 至 2017-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1064997&HistoricalAwards=false
• 关键词: TC; Medium; Collaborative; Research; Program

This project investigates a new approach for describing and reasoning about security properties of smartphone applications. Smartphones are becoming pervasive, and smartphone applications are increasingly used for a variety of social, health, scientific, and military purposes. However, the capabilities these phones provide, such as access to GPS, camera, Internet, calendar, contacts, and other sensitive information can lead to major security risks. Today's smartphone development methodologies do little to help developers construct applications that safely access sensitive resources.The goal of this project is to develop new program analysis techniques that can help developers express, reason about, and enforce security policies in smartphones. The proposed technical approach will allow developers to define rich security policies in an intuitive and flexible manner: as program code that interacts with a mobile application and checks desired properties. To ensure that application code conforms to such policies, the project is pursuing several techniques that leverage recent advances in static and dynamic program analysis. The project is also investigating approaches to automatically synthesize a code-based policy for a given application. The project is instantiating these ideas in the context of Google's Android operating system, and is evaluating the ideas in terms of effectiveness and performance on a broad range of Android-based smartphone applications.

该项目研究了一种描述和推理智能手机应用程序安全属性的新方法。 智能手机变得越来越普及，智能手机应用程序越来越多地用于各种社会、健康、科学和军事目的。然而，这些手机提供的功能，例如访问 GPS、相机、互联网、日历、联系人和其他敏感信息，可能会导致重大安全风险。 当今的智能手机开发方法几乎无法帮助开发人员构建安全访问敏感资源的应用程序。该项目的目标是开发新的程序分析技术，帮助开发人员在智能手机中表达、推理和执行安全策略。 所提出的技术方法将允许开发人员以直观且灵活的方式定义丰富的安全策略：作为与移动应用程序交互并检查所需属性的程序代码。 为了确保应用程序代码符合此类策略，该项目正在寻求多种利用静态和动态程序分析最新进展的技术。 该项目还在研究为给定应用程序自动合成基于代码的策略的方法。该项目正在谷歌 Android 操作系统的背景下实例化这些想法，并在各种基于 Android 的智能手机应用程序上评估这些想法的有效性和性能。