TWC: Medium: Collaborative: Flexible and Practical Information Flow Assurance for Mobile Apps

TWC：媒介：协作：灵活实用的移动应用信息流保障

• 批准号: 1228695
• 负责人: Gary Leavens
• 金额: $ 32.57万
• 依托单位: The University of Central Florida Board of Trustees
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-08-01 至 2017-12-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1228695&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Flexible; Practical

This project is developing tools and techniques for cost-effective evaluation of the trustworthiness of mobile applications (apps). The work focuses on enterprise scenarios, in which personnel at a business or government agency use mission-related apps and access enterprise networks.In such scenarios there are incentives and resources for much more substantive evaluations and controls on information flow than are currently found in commodity app marketplaces. The project aims to advance the science needed for static techniques to be usable by professional development and evaluation teams and useful for achieving dramatically improved assurance. The project's goals are to: (a) find flexible and expressive ways to specify information flow requirements for apps, (b) find effective ways to specify what is assumed about the Android platform, and (c) find practical static analysis and verification techniques to check security of apps with respect to given policies and the platform. Results include specification techniques and theory - models and algorithms. These are applied in case studies with prototype tools that the project develops, to evaluate how well the goals are achieved.The project's techniques can be deployed by certification organizations to provide scientifically sound techniques for assurance, thusenabling the full benefits of highly-integrated mobile software in mission-critical situations. Software designers will benefit from being able to precisely specify end-to-end requirements as well as component interfaces. Software developers will benefit from reliable means to detect design flaws and bugs, malware in third-party software, and unintended functionality that exposes vulnerabilities. Beyond the specific target of mobile software, the techniques will be of use in other settings, especially web applications, where it is crucial to reason about interfaces between mutually untrusting parties making heavy use of callbacks. The project could help improve security in government agencies and private sector, indirectly benefitting national security and the general population.

该项目正在开发工具和技术，用于对移动的应用程序的可信度进行成本效益评估。 这项工作的重点是企业场景，在这种场景中，企业或政府机构的人员使用与任务相关的应用程序并访问企业网络。在这种场景中，有激励和资源对信息流进行比目前商品应用程序市场更实质性的评估和控制。 该项目旨在推进静态技术所需的科学，使其可供专业开发和评估团队使用，并有助于大幅提高保证。 该项目的目标是：（a）找到灵活和有表现力的方法来指定应用程序的信息流要求，（B）找到有效的方法来指定关于Android平台的假设，以及（c）找到实用的静态分析和验证技术来检查应用程序相对于给定策略和平台的安全性。结果包括规范技术和理论-模型和算法。 这些应用于案例研究与原型工具，该项目的开发，以评估如何以及目标的实现。该项目的技术可以部署由认证机构提供科学合理的技术保证，thusenabling高度集成的移动的软件在关键任务的情况下的全部好处。 软件设计人员将受益于能够精确地指定端到端需求以及组件接口。 软件开发人员将受益于检测设计缺陷和错误、第三方软件中的恶意软件以及暴露漏洞的非预期功能的可靠方法。 除了移动的软件的特定目标之外，这些技术还将用于其他设置，特别是Web应用程序，在这些应用程序中，对大量使用回调的相互不信任的各方之间的接口进行推理至关重要。 该项目有助于改善政府机构和私营部门的安全，间接造福于国家安全和普通民众。