
February 7, 2019: Invited Speaker Seminar: Precise and Logical Modeling of Android Access Control Mechanism


Yousra Aafer, Ph.D.
Syracuse University

Thursday, February 7, 2019 at 10:45 am
Room EV003.309

Abstract

The pervasiveness of mobile devices (e.g., smartphones, guidance systems, smart watches) mounts great pressure on today's mobile security infrastructures. Particularly, with the threat of Android malware and Potentially Harmful Apps on the rise, there is a strong demand for detecting security vulnerabilities, especially those related to access control anomalies. Due to the highly complex and diverse nature of Android access control implementation, existing efforts produce a significant number of false alarms. In this talk, I will present my two recent efforts on evaluating the Android access control mechanism. The first effort proposes and implements an automatic approach for detecting framework-level access control inconsistencies, which led to the discovery of 28 actual exploits in 12 Android images.

The second effort aims to help developers avoid access control vulnerabilities by providing an accurate protection specification for APIs. To precisely capture the co-relations between enforced API-level security checks, the approach derives the Android protection specification in a path-sensitive fashion, using a novel graph abstraction technique. I will further showcase how security researchers can leverage the derived specifications to tackle security issues through logical satisfiability reasoning. Lastly, I will present comparison data with the state-of-the-art solutions, which highlight the significance of the proposed approach. A breakdown of the generated API protection specification reveals that 41% of APIs' protections cannot be correctly modeled without the proposed technique.

Biography

Dr. Yousra Aafer is a postdoctoral researcher in the Department of Computer Science at Purdue University. Her research interests span the areas of systems security and design, and particularly tackle emerging threats of Mobile and Smart Systems. She completed her Ph.D. in Computer Engineering at Syracuse University, where she focused on evaluating security aspects of Android vendor customization, work that uncovered a new class of Android vulnerabilities. The results of her research led to publications in top-tier security venues and directly benefited leading mobile vendors such as Samsung, LG, and Sony in identifying and addressing vulnerabilities caused by customization. She is an elected member of the ACM's Future of Computing Academy.

Contact

For additional information, please contact:


Dr. Ben Hamza
514-848-2424 ext. 5715
hamza@ciise.concordia.ca

 

 

 





© Concordia University