Show simple item record

dc.contributor.advisor: Aspinall, David
dc.contributor.advisor: Stark, Ian
dc.contributor.author: Franzen, Daniel
dc.date.accessioned: 2017-06-13T14:06:19Z
dc.date.available: 2017-06-13T14:06:19Z
dc.date.issued: 2016-11-29
dc.identifier.uri: http://hdl.handle.net/1842/22060
dc.description.abstract: Current resource policies for mobile phone apps are based on permissions that unconditionally grant or deny access to a resource like private data, sensors and services. In reality, the legitimacy of an access may be context-dependent - for example, depending on how often a resource is accessed and in which situation. This thesis presents research into providing bounds on the access of JavaScript apps to security and privacy-relevant resources on mobile devices. The investigated bounds are quantitative and interaction-dependent: for example, permitting one access each time the user presses a specified button. Two novel systems are presented with different approaches to providing these bounds. The system PhoneWrap injects a quantitative policy into an app and enforces the bound dynamically during runtime by monitoring the resource consumption and the user interaction. If the injected bound is exceeded, the resource request is replaced by a deny action. This way, PhoneWrap restricts the unwanted behaviour while the expected functionality can be performed. Policies for this system describe the UI elements which trigger the expected resource consumption and the number of resource units consumed for each interaction. The enforcement of the policies is achieved via wrapping the critical APIs using JavaScript internal features. The injection of a policy can be performed automatically. PhoneWrap is the first system using the lightweight wrapping method to inject policies directly into mobile apps and the first to combine quantitative policies with interaction-dependencies. The second system AmorJiSe statically analyses the resource consumption of a given JavaScript program. This system automatically infers amortised annotations on top of given JavaScript data types. The amortised annotations symbolise reserved resource units stored in the data structures. This way the amount of resource units available to the app is expressed dependent on the size of the data structures. The resulting function types of the UI handlers can be used to extract interaction-dependent bounds. The correctness of these bounds is proven in relation to a resource-aware operational semantics. AmorJiSe extends the known amortised type paradigm to JavaScript with its dynamic object structures and applies this paradigm to the novel domain of mobile resources. Although the two systems are based on similar resource models and produce similar resource bounds, they use different methods with different properties which are presented in this dissertation. [en]
dc.language.iso: en [en]
dc.publisher: The University of Edinburgh [en]
dc.relation.hasversion: Daniel Franzen and David Aspinall. Towards an amortized type system for JavaScript. In SCSS, pages 12–26. EPiC Series, vol. 30, 2014. [en]
dc.relation.hasversion: Daniel Franzen and David Aspinall. PhoneWrap - Injecting the “How Often” into Mobile Apps. In Proceedings of the 1st International Workshop on Innovations in Mobile Privacy and Security (IMPS), pages 11–19. ceur-ws.org, 2016. [en]
dc.subject: JavaScript [en]
dc.subject: Mobile apps [en]
dc.subject: resource analysis [en]
dc.subject: privacy [en]
dc.subject: security [en]
dc.title: Quantitative bounds on the security-critical resource consumption of JavaScript apps [en]
dc.type: Thesis or Dissertation [en]
dc.type.qualificationlevel: Doctoral [en]
dc.type.qualificationname: PhD Doctor of Philosophy [en]

