Threat Modeling
Companion to the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
Ownership Object Graphs with Dataflow Edges
WCRE '12 Proceedings of the 2012 19th Working Conference on Reverse Engineering
Mobile devices store confidential information. As a result, security vulnerabilities such as information disclosure in mobile apps can have serious consequences. To build secure apps, developers are expected to follow security policies that are described only informally. Some policies target architectural flaws rather than coding defects, and are not easily checked or enforced with existing tools. Scoria is a prototype tool that allows architects to write security policies as machine-checkable constraints. These constraints are executed against a program abstraction: a hierarchy of abstract objects with dataflow communication edges. Using Scoria, architects reason not only about the presence or absence of communication, but also about object provenance, hierarchy and reachability. We show how Scoria can find information disclosure in an open-source Android app.