PL, CR · Sep 12, 2017

A certified reference validation mechanism for the permission model of Android

arXiv:1709.03652v1 · 7 citations
Originality: Incremental advance
AI Analysis

This work addresses security verification for Android systems, which matters to both developers and users, but it is incremental: it applies existing formal methods to a specific platform update.

The authors tackle the problem of verifying the security mechanisms of Android's permission model by developing a functional implementation of a reference validation mechanism in Coq and certifying its correctness, resulting in a formally proven model and a derived certified Haskell prototype.

Android embodies security mechanisms at both the OS and the application level. On this platform, application security is built primarily upon a system of permissions that specify restrictions on the operations a particular process can perform. The critical role of these security mechanisms makes them a prime target for (formal) verification. We present an idealized model of a reference monitor for the novel mechanisms of Android 6 (and later), where it is possible to grant permissions at run time. Using the programming language of the proof assistant Coq, we have developed a functional implementation of the reference validation mechanism and certified its correctness with respect to the specified reference monitor. Several properties concerning the permission model of Android 6 and its security mechanisms have been formally formulated and proved. Applying the program extraction mechanism provided by Coq, we have also derived a certified Haskell prototype of the reference validation mechanism.
