A certified reference validation mechanism for the permission model of Android

TL;DR

This paper presents a formal, verified model of Android 6's permission system using Coq, including a certified implementation and proofs of security properties, enhancing trust in Android's security mechanisms.

Contribution

It introduces a formal, verified reference monitor model for Android 6 permissions, with a certified implementation and security proofs, advancing formal verification in mobile security.

Findings

Verified correctness of Android 6 permission model

Developed a certified reference validation mechanism

Derived a certified Haskell prototype

Abstract

Android embodies security mechanisms at both OS and application level. In this platform application security is built primarily upon a system of permissions which specify restrictions on the operations a particular process can perform. The critical role of these security mechanisms makes them a prime target for (formal) verification. We present an idealized model of a reference monitor of the novel mechanisms of Android 6 (and further), where it is possible to grant permissions at run time. Using the programming language of the proof-assistant Coq we have developed a functional implementation of the reference validation mechanism and certified its correctness with respect to the specified reference monitor. Several properties concerning the permission model of Android 6 and its security mechanisms have been formally formulated and proved. Applying the program extraction mechanism provided by Coq we have also derived a certified Haskell prototype of the reference validation mechanism.