Inferring Required Permissions for Statically Composed Programs

Tero Hasu, Anya Helene Bagge, and Magne Haveraaen
Bergen Language Design Laboratory
Department of Informatics, University of Bergen
Bergen, Norway


Permission-based security models are common in smartphone operating systems. Such models implement access control for sensitive APIs, introducing an additional concern for application developers. It is important for the correct set of permissions to be declared for an application, as too small a set is likely to result in runtime errors, whereas too large a set may needlessly worry users. Unfortunately, not all platform vendors provide tools support to assist in determining the set of permissions that an application requires.

We present a language-based solution for permission management. It entails the specification of permission information within a collection of source code, and allows for the inference of permission requirements for a chosen program composition. Our implementation is based on Magnolia, a programming language demonstrating characteristics that are favorable for this use case. A language with a suitable component system supports permission management also in a cross-platform codebase, allowing abstraction over different platform-specific implementations and concrete permission requirements. When the language also requires any “wiring” of components to be known at compile time, and otherwise makes design tradeoffs that favor ease of static analysis, then accurate inference of permission requirements becomes possible.


  author =       {Tero Hasu and Anya Helene Bagge and Magne Haveraaen},
  title =        {Inferring Required Permissions for Statically
                  Composed Programs},
  booktitle =    {NordSec 2013},
  pages =        {51--66},
  year =         2013,
  month =        oct,
  location =     {Ilulissat, Greenland},
  editor =       {Hanne Riis Nielson and Dieter Gollmann},
  volume =       8208,
  series =       "Lecture Notes in Computer Science",
  isbn =         {978-3-642-41487-9},
  doi =          {10.1007/978-3-642-41488-6_4},
  publisher =    {Springer-Verlag},
  address =      {Berlin, Heidelberg}


(define hasu-etal-13-inferring
   #:title @elem{Inferring Required Permissions
                 for Statically Composed Programs}
   #:author (authors "Tero Hasu"
                     "Anya Helene Bagge"
                     "Magne Haveraaen")
   #:date "2013"
   #:location (proceedings-location
               #:pages '(51 66))))

Publication Details

paper (as PDF)
slides (as PDF)
NordSec 2013 (18th Nordic Conference on Secure IT Systems)