Computational Soundness for Dalvik Bytecode

TL;DR

This paper introduces a method to incorporate cryptographic operations into automated Android app analysis, providing a computationally sound approach that accurately distinguishes secure from insecure cryptographic implementations.

Contribution

It presents the first computational soundness proof for Dalvik bytecode with cryptographic abstractions, enabling more precise security analysis of Android applications.

Findings

Cryptographic operations can be symbolically abstracted in Dalvik bytecode.

The approach is modular and compatible with existing analysis tools.

Provides the first computational soundness proof for Dalvik bytecode.

Abstract

Automatically analyzing information flow within Android applications that rely on cryptographic operations with their computational security guarantees imposes formidable challenges that existing approaches for understanding an app's behavior struggle to meet. These approaches do not distinguish cryptographic and non-cryptographic operations, and hence do not account for cryptographic protections: f(m) is considered sensitive for a sensitive message m irrespective of potential secrecy properties offered by a cryptographic operation f. These approaches consequently provide a safe approximation of the app's behavior, but they mistakenly classify a large fraction of apps as potentially insecure and consequently yield overly pessimistic results. In this paper, we show how cryptographic operations can be faithfully included into existing approaches for automated app analysis. To this end, we first show how cryptographic operations can be expressed as symbolic abstractions within the comprehensive Dalvik bytecode language. These abstractions are accessible to automated analysis, and they can be conveniently added to existing app analysis tools using minor changes in their semantics. Second, we show that our abstractions are faithful by providing the first computational soundness result for Dalvik bytecode, i.e., the absence of attacks against our symbolically abstracted program entails the absence of any attacks against a suitable cryptographic program realization. We cast our computational soundness result in the CoSP framework, which makes the result modular and composable.