Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Overview
  • Symposium Organizers
  • At a Glance
  • Registration Information
    • Registration Discounts
    • Venue, Hotel, and Travel
  • Technical Sessions
  • Co-Located Workshops
  • Accepted Posters
  • Purchase the Box Set
  • Activities
    • Birds-of-a-Feather Sessions
    • Work-in-Progress Reports
  • Sponsorship
  • Students and Grants
  • Services
  • Questions?
  • Help Promote!
  • Flyer PDF
  • For Participants
  • Call for Papers
  • Past Symposia

sponsors

Gold Sponsor
Gold Sponsor
Gold Sponsor
Silver Sponsor
Bronze Sponsor
Bronze Sponsor
Bronze Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Industry Partner

twitter

Tweets by USENIXSecurity

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » SpanDex: Secure Password Tracking for Android
Tweet

connect with us

http://twitter.com/usenixsecurity
https://www.facebook.com/usenixassociation
http://www.linkedin.com/groups/USENIX-Association-49559/about
https://plus.google.com/108588319090208187909/posts
http://www.youtube.com/user/USENIXAssociation

SpanDex: Secure Password Tracking for Android

Friday, August 1, 2014 - 10:00am
Authors: 

Landon P. Cox , Peter Gilbert, Geoffrey Lawler, Valentin Pistol, and Ali Razeen, Bi Wu, and Sai Cheemalapati, Duke University

Abstract: 

This paper presents SpanDex, a set of extensions to Android’s Dalvik virtual machine that ensures apps do not leak users’ passwords. The primary technical challenge addressed by SpanDex is precise, sound, and efficient handling of implicit information flows (e.g., information transferred by a program’s control flow). SpanDex handles implicit flows by borrowing techniques from symbolic execution to precisely quantify the amount of information a process’ control flow reveals about a secret. To apply these techniques at runtime without sacrificing performance, SpanDex runs untrusted code in a data-flow sensitive sandbox, which limits the mix of operations that an app can perform on sensitive data. Experiments with a SpanDex prototype using 50 popular Android apps and an analysis of a large list of leaked passwords predicts that for 90% of users, an attacker would need over 80 login attempts to guess their password. Today the same attacker would need only one attempt for all users.

Landon P. Cox, Duke University

Peter Gilbert, Duke University

Geoffrey Lawler, Duke University

Valentin Pistol, Duke University

Ali Razeen, Duke University

Bi Wu, Duke University

Sai Cheemalapati, Duke University

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {184401,
author = {Landon P. Cox and Peter Gilbert and Geoffrey Lawler and Valentin Pistol and Ali Razeen and Bi Wu and Sai Cheemalapati},
title = {SpanDex: Secure Password Tracking for Android},
booktitle = {23rd {USENIX} Security Symposium ({USENIX} Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {481--494},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/cox},
publisher = {{USENIX} Association},
month = aug,
}
Download
Cox PDF
View the slides

Presentation Video

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

Gold Sponsors

Silver Sponsors

Bronze Sponsors

Media Sponsors & Industry Partners

© USENIX

  • Privacy Policy
  • Conference Policies
  • Contact Us