As personal information moves from home computers to mobile devices, protection against information leaks and data theft becomes an increasingly important and current issue. We develop a model-driven approach called IFlow which allows a developer to model mobile Android applications with complex information flow properties using UML. Using model-to-model and model-to-code transformations we generate code skeletons for those applications and verify noninterference properties using a language-based approach. Further, we will use those properties as lemmas for a formal verification of an automatically generated formal representation of the modeled application. In this report, we focus on automatic code generation, evaluation of language-based information flow control solutions and deployment of generated code to target platforms.
This report presents an approach called IFlow which allows the model-driven development of systems that are secure with respect to information flow. The approach focuses on the application domain of mobile applications and web services. A developer starts by creating an abstract UML model of a system, in which they can additionally specify the information flow properties the system must satisfy. From the model, Java code is generated together with an information flow policy that can be checked by automated analysis tools such as Jif or Joana. In addition, the UML model is transformed into a formal specification, which is the basis for formal reasoning within our formal framework, including the interactive theorem prover KIV. While the automated tools are designed for the simple property of noninterference, formal verification makes it possible to express more complex properties. So that the results of verification can be carried down to the code level, and the results of automated code analysis can be used as lemmas for formal verification, an information-flow-preserving refinement relation is established between the formal specification and the code. The focus of this report is on the aspects of formal verification.
Ubiquitous, always-connected mobile devices collect large amounts of personal data about their users. In many cases the confidentiality of such data is not guaranteed; mobile apps and web services frequently leak data, violating their users' privacy.
This thesis presents IFlow, a model-driven approach to developing information-flow-secure applications consisting of mobile apps and web services. Using the modelling language Modelflow, a model of a security-critical application is created and its information flow properties are specified. These properties can then be guaranteed with the help of fully automatic information flow analysis and interactive verification. The final application consists of Android apps and Java web services that are generated from the model and satisfy the modelled information flow properties.