Science of Secure Frameworks (CMU/Wayne State University/George Mason University Collaborative Proposal) - October 2014
Public Audience
Purpose: To highlight progress. Information is generally at a high level, accessible to the interested public.
PI(s): David Garlan, Jonathan Aldrich, Josh Sunshine
Co-PI(s):
Researchers: Marwan Abi Antoun (Wayne State University), Sam Malek (George Mason University)
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
By leveraging software architecture approaches, we aim to better understand the security implications of the frameworks used to build many of today's software systems, and to provide tools and techniques for building more scalable and composable frameworks whose security assurances can be verified statically, which can be used to build self-securing systems, and which ultimately reduce security vulnerabilities in frameworks and in the applications built on them in practice.
PUBLICATIONS
Abi-Antoun, M., Chandrashekar, S., Vanciu, R., and Giang, A. Are Object Graphs Extracted Using Abstract Interpretation Significantly Different from the Code? In Proceedings of the IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2014), Victoria, British Columbia, Canada, 28-29 September 2014. 10 pages.
Abi-Antoun, M., Chandrashekar, S., Vanciu, R., and Giang, A. Are Object Graphs Extracted Using Abstract Interpretation Significantly Different from the Code? (Extended Version). Technical report, Wayne State University, September 2014. The companion technical report to the conference paper contains a formalization of the metrics. The dataset is also available in the online appendix: http://www.cs.wayne.edu/~mabianto/arch_metrics/
Jonathan Aldrich, Cyrus Omar, Alex Potanin, and Du Li. Language-Based Architectural Control. In Proceedings of the 6th International Workshop on Aliasing, Capabilities, and Ownership (IWACO '14), 2014.
Javier Camara, Antonia Lopes, David Garlan and Bradley Schmerl. Impact Models for Architecture-Based Self-Adaptive Systems. In Proceedings of the 11th International Symposium on Formal Aspects of Component Software (FACS2014), Bertinoro, Italy, 10-12 September 2014.
SUBMITTED PUBLICATIONS
Hamid Bagheri, Alireza Sadeghi, Joshua Garcia, and Sam Malek. COVERT: Compositional Analysis of Android Inter-App Security Vulnerabilities. Submitted to the IEEE Transactions on Software Engineering.
Hamid Bagheri, Alireza Sadeghi, Reyhaneh Jabbarvand Behrouz, and Sam Malek. DroidGuard: Automatic Synthesis and Enforcement of Security Policies for Android. Submitted to the International Conference on Software Engineering.
Javier Camara, Gabriel Moreno, David Garlan, and Bradley Schmerl. Analyzing Latency-aware Self-adaptation using Stochastic Games and Simulations. Submitted to the ACM Transactions on Autonomous and Adaptive Systems.
ACCOMPLISHMENT HIGHLIGHTS
PI Jonathan Aldrich gave a talk at TTI/Vanguard, a conference attended by leaders in industry and government. The talk covered our Lablet-sponsored research, both on providing security against command-injection attacks through language extensibility and on our ongoing Science of Secure Frameworks work on architectural control. Follow-on discussions with a number of individuals, including Alan Kay, David Reed, and several researchers from the NSA, provided positive feedback and useful suggestions for future research.
Developed a program analysis tool that extracts a model of each Android app, used as the input for detecting privilege-escalation vulnerabilities.
Implemented a transformation engine that takes the models extracted through program analysis and generates Alloy models, which are then used to automatically detect security vulnerabilities that arise only from the interaction of multiple apps installed on the same device.
Completed an initial iteration of metrics that quantify the differences between the code structure and the abstract runtime structure (the extracted object graphs).
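The two Android highlights above (a per-app model extracted by program analysis, then a multi-app check over the models of everything co-installed) in miniature, as an added example that is not code from the project or from the COVERT/DroidGuard papers. The app models are constructed by hand with made-up package, component, action and custom-permission names, standing in for what a program-analysis front end would extract (granted permissions, exported components and their intent-filter actions, the permission a caller must hold to reach a component, the permission-guarded API calls inside it, and the implicit intents it sends). The detection is written as a plain reachability search in Python rather than as the Alloy model the report describes. A finding is a confused-deputy path: a component of one app reaches, through exported components, a component of another app that exercises a permission the first app was never granted. Each hop is judged against the permissions of whichever app currently holds control, so chains through an intermediary app are found too, and the check is compositional in the sense the report means: a finding can appear or disappear depending on which apps are installed together.

```python
"""Inter-app privilege-escalation check over constructed Android app models.

Added illustration, not COVERT/DroidGuard code. The models are hand-built stand-ins for
program-analysis output; the Alloy step of the report's pipeline is replaced by a BFS.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    app: str                          # owning package name
    name: str                         # component class name
    exported: bool                    # may other apps send intents to it?
    actions: frozenset[str]           # intent-filter actions it accepts
    guard: str | None                 # android:permission a caller must hold, if any
    privileged_calls: frozenset[str]  # permissions required by the APIs it invokes
    sends: frozenset[str]             # actions of the implicit intents it sends


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset[str]       # permissions granted at install time
    components: tuple[Component, ...]


def receivers_of(apps: tuple[App, ...], action: str) -> list[Component]:
    """All components, in any installed app, whose intent filter accepts `action`."""
    return [c for a in apps for c in a.components if action in c.actions]


def can_send(sender: App, target: Component) -> bool:
    """ICC hop rule: same-app always; cross-app needs an exported target whose guard the sender holds."""
    if sender.name == target.app:
        return True
    return target.exported and (target.guard is None or target.guard in sender.permissions)


def reachable_components(apps: tuple[App, ...], origin: Component) -> dict:
    """BFS over ICC edges from `origin`. Each hop is judged against the app that *currently*
    holds control, so a chain A -> B -> C checks C's guard against B's permissions, not A's.
    Returns {component: path}, path being the tuple of components visited to get there."""
    by_name = {a.name: a for a in apps}
    seen = {origin: (origin,)}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        sender = by_name[cur.app]
        for action in sorted(cur.sends):
            for tgt in receivers_of(apps, action):
                if tgt in seen or not can_send(sender, tgt):
                    continue
                seen[tgt] = seen[cur] + (tgt,)
                queue.append(tgt)
    return seen


def find_privilege_escalations(apps: tuple[App, ...]) -> list:
    """Report (origin_app, deputy_app, deputy_component, permission, path_of_names) whenever a
    component of origin_app can reach a component of another app that exercises `permission`,
    which the deputy app holds and the origin app does not (a confused-deputy path)."""
    by_name = {a.name: a for a in apps}
    findings = []
    for app in apps:
        for origin in app.components:
            for comp, path in reachable_components(apps, origin).items():
                if comp.app == app.name:
                    continue
                deputy = by_name[comp.app]
                for perm in sorted(comp.privileged_calls):
                    if perm in deputy.permissions and perm not in app.permissions:
                        findings.append((app.name, deputy.name, comp.name, perm,
                                         tuple(c.name for c in path)))
    return sorted(findings)


# Constructed sample: four apps co-installed on one device (all names are made up).
SAMPLE_APPS = (
    App("com.example.messenger", frozenset({"android.permission.SEND_SMS"}), (
        Component("com.example.messenger", "SmsService", True, frozenset({"com.example.SEND_TEXT"}),
                  None, frozenset({"android.permission.SEND_SMS"}), frozenset()),)),
    App("com.example.vault", frozenset({"android.permission.READ_CONTACTS"}), (
        Component("com.example.vault", "ContactsExporter", True, frozenset({"com.example.EXPORT"}),
                  "com.example.vault.USE_EXPORT", frozenset({"android.permission.READ_CONTACTS"}),
                  frozenset()),)),
    App("com.example.relay", frozenset({"com.example.vault.USE_EXPORT"}), (
        Component("com.example.relay", "RelayReceiver", True, frozenset({"com.example.RELAY"}),
                  None, frozenset(), frozenset({"com.example.EXPORT"})),)),
    App("com.example.game", frozenset(), (
        Component("com.example.game", "MainActivity", False, frozenset(), None, frozenset(),
                  frozenset({"com.example.SEND_TEXT", "com.example.RELAY", "com.example.EXPORT"})),)),
)


if __name__ == "__main__":
    for finding in find_privilege_escalations(SAMPLE_APPS):
        print(*finding)
```

On the sample, the game app (no permissions) reaches SmsService directly and ContactsExporter only through RelayReceiver, because the vault's custom guard permission blocks the game but not the relay app that holds it; remove the relay app from the installed set and the second finding disappears, which is the whole point of analysing the apps together rather than one at a time.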