Sign In

Communications of the ACM

Research highlights

Technical Perspective: Smartphone Security 'Taint' What It Used to Be


There is something seductive about information flow as a security policy. You can state a very clear and concise policy (for example, "forbid my GPS location information from flowing to the network"), which seems to more closely capture our intuition for right and wrong than the sorts of policies that smartphone operating systems like iOS and Android seek to enforce today (more like "give this app your GPS location, yes or no, and you have no say over how it's used"). Information flow research dates back to the early 1970s. Although much of the original computer science theory and systems were developed around modeling the military's rules for handling classified, secret, and top-secret data, information flow policies and techniques are perfectly valuable today and we can benefit from this earlier work.

An excellent foundational reference is Dorothy and Peter Denning's landmark 1977 paper, "Certifying Programs for Secure Information Flow," which pursued a static analysis strategy and appeared in Communications.a At the same time, others were pursuing hardware or runtime-based solutions. A lot of the complexity then, as now, comes when the control flow of the program depends on sensitive values (for example, "if my GPS location is in Washington D.C., then behave differently"), never mind unusual control flows (for example, interrupt handlers, exceptions, indirect branches) and ambiguous data references (pointer dereferencing, array indexing). Tracking all of this in hardware requires extra computation and state, while analyzing it statically can induce false alarms over execution paths that might never happen at runtime.


 

No entries found

Log in to Read the Full Article

Sign In

Sign in using your ACM Web Account username and password to access premium content if you are an ACM member, Communications subscriber or Digital Library subscriber.

Need Access?

Please select one of the options below for access to premium content and features.

Create a Web Account

If you are already an ACM member, Communications subscriber, or Digital Library subscriber, please set up a web account to access premium content on this site.

Join the ACM

Become a member to take full advantage of ACM's outstanding computing information resources, networking opportunities, and other benefits.
  

Subscribe to Communications of the ACM Magazine

Get full access to 50+ years of CACM content and receive the print version of the magazine monthly.

Purchase the Article

Non-members can purchase this article or a copy of the magazine in which it appears.
Sign In for Full Access
» Forgot Password? » Create an ACM Web Account