Yousra Aafer, Postdoctoral Researcher, Department of Computer Science, Purdue University
The pervasiveness of mobile devices (e.g., smartphones, guidance systems, and smart watches) mounts great pressure on today's mobile security infrastructures. Particularly, with the threat of Android malware and Potentially Harmful Apps on the rise, there is a strong demand for detecting security vulnerabilities, especially those related to access control anomalies. Due to the highly complex and diverse nature of Android access control implementation, existing efforts produce a significant number of false alarms.
In this talk, I will present my two recent efforts on evaluating the Android access control mechanism. The first effort proposes and implements a new approach for automatically detecting framework-level access control discrepancies. The solution models and normalizes diverse Android security checks to a canonical form, allowing a precise comparison of access control enforcement to detect exploitable inconsistencies. I will present evaluation results demonstrating the effectiveness of the proposed framework: through analyzing 12 Android images, the tool uncovered a substantial number of inconsistencies, leading to the discovery of 28 actual exploits.
My second effort aims to help developers avoid access control vulnerabilities by providing an accurate protection specification for APIs. To precisely capture the correlations between enforced API-level security checks, the approach derives the Android protection specification in a path-sensitive fashion, using a novel graph abstraction technique. I will further showcase how security researchers can leverage the derived specifications to tackle security issues through logical satisfiability reasoning. Lastly, I will present comparison data with the state-of-the-art static solutions, which highlights the significance of the proposed approach. A breakdown of the generated API protection specification for 8 different Android codebases reveals that 41% of APIs' protections cannot be correctly modeled without the proposed technique.
Bio: Yousra Aafer is a postdoctoral researcher in the Department of Computer Science at Purdue University. Her research interests span the areas of System Security and Design, and particularly tackle emerging threats to Mobile and Smart Systems. She completed her Ph.D. in Computer Engineering at Syracuse University, focusing on evaluating security aspects of Android vendor customization. Her discoveries directly benefited mobile vendors and led to publications in top-tier security venues. She is an elected member of the ACM's Future of Computing Academy.