On-Device Control Flow Verification For Java Programs

While mobile devices have become ubiquitous and generally multi-application capable, their operating systems provide few high level mechanisms to protect services offered by application vendors against; potentially hostile applications coexisting on the device. In this paper, we tackle the issue of controlling application interactions including collusion in Java-based systems running on open, constrained devices such as smart cards or mobile phones. We present; a model specially designed to be embedded in constrained devices to verify on-device at loading-time that interactions between applications abide by the security policies of each involved application without resulting in run-time computation overheads; this model deals with application (un)installations and policy changes in an incremental fashion. We sketch the application of our approach and its security enhancements on a multi-application use case for Global Platform/Java Card smart cards.