security-by-contract_for_mobile_and_smart_card
Differences
This shows you the differences between two versions of the page.
security-by-contract_for_mobile_and_smart_card [2013/03/25 14:04] – [Security-by-Contract for Mobiles and Smart Cards] olga.gadyatskaya@unitn.it | security-by-contract_for_mobile_and_smart_card [2021/01/29 10:58] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Security-by-Contract for Mobiles and Smart Cards ====== | ====== Security-by-Contract for Mobiles and Smart Cards ====== | ||
- | Among the [[research_activities|research topics]] | + | Among the [[research_activities|research topics]] |
+ | |||
+ | Our idea, dubbed the // | ||
+ | |||
+ | ==== Themes ==== | ||
+ | |||
+ | Within the main stream project we covered a number of themes. | ||
+ | |||
+ | * Security for Android phones (ongoing) | ||
+ | * Load-time security checking for Java smart cards | ||
+ | * Load-time checking and run-time monitoring for .NET and Java Phones | ||
- | Our idea is that a checker could verify on the fly whether an application would respect the security policy of a mobile phone application at download time, e.g. you could forbid the possibility of sending silent SMSs or making phone calls to premium numbers. If the application didn’t meet your constraints you would inoculate it with your policy monitoring algorithm. In this way the phone should not trust anybody, no market place, no security ratings, etc. It could just trust itself. Of course you always have Android' | ||
In 2006 in the [[S3MS]] project we proved it worked on many different mobile phones (Java and .NET) equipped with the system. It was the start of a long standing collaboration with [[http:// | In 2006 in the [[S3MS]] project we proved it worked on many different mobile phones (Java and .NET) equipped with the system. It was the start of a long standing collaboration with [[http:// | ||
- | Recently in the framework of the [[SECURECHANGE]] project we were able to push the envelope even further: we could run the verification technique over a smart card by meeting the tough requirements set forth by Gemalto, one of the leading companies in the field. This might be a possible road for the deployment of open, multi-applications smart cards (one of the use cases is SIM card open for over-the-air application loading). | + | Recently in the framework of the [[SECURECHANGE]] project we were able to push the envelope even further: we could run the verification technique over a smart card by meeting the tough requirements set forth by Gemalto, one of the leading companies in the field. This might be a possible road for the deployment of open, multi-applications smart cards (one of the use cases is a SIM card open for over-the-air application loading). |
A short description of the embedded checker for smart cards can be found here: ({{: | A short description of the embedded checker for smart cards can be found here: ({{: | ||
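Review bot: In the rewritten SECURECHANGE paragraph, "meeting the tough requirements set forth by Gemalto" still does not say which requirements were met, so a reader cannot judge what the on-card verifier actually guarantees; name them or point to the paper that lists them. The same sentence keeps "multi-applications smart cards" although this revision already fixes the article in "a SIM card"; "multi-application smart cards" would finish the copy-edit, and "over a smart card" reads better as "on a smart card".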
Line 16: | Line 25: | ||
- | The SxC idea was also applied to multi-tenant OSGi platforms. An application contract (implemented on OSGi as part of the manifest) was used to enable declarative policies for bundle interactions. We used as a case study a smart home scenario generously shared by Telefonica. More details of our proposal can be found here: [[http:// | + | The SxC idea was also applied to multi-tenant OSGi platforms. An application contract (implemented on OSGi as a part of the manifest) was used to enable declarative policies for bundle interactions. We used as a case study a smart home scenario generously shared by Telefonica. More details of our proposal can be found here: [[http:// |
Currently we are researching how to apply the load time checks on Android and other novel mobile platforms. The load time checks are appropriate for mobile platforms: the users typically expect that installation of an app will take some time, while they will not tolerate the delays introduced by run-time monitoring in the execution of their favorite apps. In the same time, during load time we can already effectively disable some vulnerabilities in the app code, such as reducing the number of permissions granted to the app to the permissions actually required in the code. | Currently we are researching how to apply the load time checks on Android and other novel mobile platforms. The load time checks are appropriate for mobile platforms: the users typically expect that installation of an app will take some time, while they will not tolerate the delays introduced by run-time monitoring in the execution of their favorite apps. In the same time, during load time we can already effectively disable some vulnerabilities in the app code, such as reducing the number of permissions granted to the app to the permissions actually required in the code. | ||
- | ==== Themes ==== | ||
- | |||
- | Within the main stream project we covered a number of themes. | ||
- | |||
- | * Security for Android phones (ongoing) | ||
- | * Load-time security checking for Java smart cards | ||
- | * Load-time checking and run-time monitoring for .NET and Java Phones | ||
==== People ==== | ==== People ==== | ||
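Review bot: The unchanged paragraph beginning "Currently we are researching" gives "reducing the number of permissions granted to the app" as an example of a vulnerability being disabled, but that is a mitigation, not a vulnerability; reword it along the lines of "during load time we can already remove some weaknesses, for example by reducing the granted permissions to those the code actually requires", and change "In the same time" to "At the same time". The edit from "as part of the manifest" to "as a part of the manifest" is not needed; the original phrasing was the idiomatic one.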
Line 33: | Line 35: | ||
* Nicola Dragoni | * Nicola Dragoni | ||
- | * Olga Gadyatskaya | + | * Olga Gadyatskaya |
* Ida Siahaan | * Ida Siahaan | ||
- | * Nicola | + | * Marco De La Torre |
- | * Fabio Massacci | + | * Fabio Massacci |
- | * Katsyarina Naliuka | + | * Katsyarina Naliuka |
+ | * Anton Philippov | ||
==== Projects ==== | ==== Projects ==== | ||
Line 45: | Line 48: | ||
* [[SECURECHANGE]] | * [[SECURECHANGE]] | ||
* [[S3MS]] | * [[S3MS]] | ||
+ | * [[NESSOS]] | ||
====Talks and Tutorials ==== | ====Talks and Tutorials ==== | ||
Line 57: | Line 60: | ||
==== Publications ==== | ==== Publications ==== | ||
**SxC for Java Card:** | **SxC for Java Card:** | ||
+ | * O.Gadyatskaya and F.Massacci: Controlling Application Interactions on the Novel Smart Cards with Security-by-Contract. In // | ||
* O.Gadyatskaya, | * O.Gadyatskaya, | ||
* O. Gadyatskaya, | * O. Gadyatskaya, | ||
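Review bot: The added entry writes the authors as "O.Gadyatskaya and F.Massacci" with no space after the initials, while the entry two lines below uses "O. Gadyatskaya"; pick one form for the whole publication list, preferably the one with the space.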
Line 88: | Line 91: | ||
==== Software ==== | ==== Software ==== | ||
- | * We released the binaries of the SxC verifier for Java Card (the developer version for PC). To get them please contact Fabio Massacci or Olga Gadyatskaya[[name.surname@unitn.it]] | + | |
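Review bot: The only visible entry under "==== Software ====" is removed and nothing is shown in its place, which leaves the heading with no content in this view; either drop the heading as well or keep a line saying how to obtain the SxC verifier binaries. If the line stays, put a space before the contact address and write it as plain text, since "[[name.surname@unitn.it]]" is wiki link syntax wrapped around an address template.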