Science of Secure Frameworks (CMU/Wayne State University/George Mason University Collaborative Proposal) - January 2016
Public Audience
Purpose: To highlight progress. Information is generally kept at a high level that is accessible to the interested public.
PI(s): David Garlan (CMU), Jonathan Aldrich (CMU)
Researchers: Marwan Abi Antoun (Wayne State University), Sam Malek (George Mason University), Joshua Sunshine (CMU), Bradley Schmerl (CMU)
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.
By leveraging approaches from software architecture, we will be able to better understand the security implications of the frameworks used to build many of today's mobile software systems. This will allow us to provide tools and techniques for building more scalable and composable frameworks whose security assurances can be verified statically, that can be used to build self-securing, resilient systems, and that ultimately reduce security vulnerabilities in frameworks, and in the applications based on them, in practice.
2) PUBLICATIONS
Nariman Mirzaei, Hamid Bagheri, Riyadh Mahmood, and Sam Malek. "SIG-Droid: Automated System Input Generation for Android Applications." In proceedings of the 26th IEEE International Symposium on Software Reliability Engineering (ISSRE 2015), Gaithersburg, MD, November 2015. (19% acceptance rate)
Hamid Bagheri, Alireza Sadeghi, and Sam Malek. "COVERT: Compositional Analysis of Android Inter-App Permission Leakage." IEEE Transactions on Software Engineering, Vol. 41, No. 9, September 2015.
Ivan Ruchkin, Ashwini Rao, Dio De Niz, Sagar Chaki, and David Garlan. "Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach." In Proceedings of the First ACM Workshop on Cyber-Physical Systems Security and Privacy, Denver, Colorado, 16 October 2015.
Michael Maass, Adam Sales, Benjamin Chung, and Joshua Sunshine. A Systematic Analysis of the Science of Sandboxing. PeerJ Computer Science (to appear).
Nariman Mirzaei, Joshua Garcia, Hamid Bagheri, Alireza Sadeghi, and Sam Malek. "Reducing Combinatorics in GUI Testing of Android Applications." To appear in proceedings of the 38th International Conference on Software Engineering (ICSE 2016), Austin, TX, May 2016.
Naeem Esfahani, Eric Yuan, Kyle R. Canavera, and Sam Malek. "Inferring Software Component Interaction Dependencies for Adaptation Support". To appear in ACM Transactions on Autonomous and Adaptive Systems.
3) KEY HIGHLIGHTS
- Inter-component communication (ICC) among Android apps has been shown to be the source of many security vulnerabilities. Prior research developed compositional analyses that detect ICC vulnerabilities across a set of installed apps, but none of them can respond efficiently to incremental system changes such as adding or removing an app: every time the system changes, the entire analysis has to be repeated. Given how frequently apps are installed, updated, and removed on a typical Android device, this makes them too expensive for practical use. GMU researchers developed an Android-specific formal analyzer that automatically and efficiently updates ICC analysis results in response to incremental system changes. Because a change typically affects only a small fraction of the prior results, the new approach re-computes the analysis only where required, greatly improving the performance and scalability of the overall approach. Experimental results on several bundles of real-world apps show an order of magnitude speedup over prior techniques.
- Enhanced a semi-automated algorithm and tool for iteratively and interactively refining a global hierarchical graph while maintaining its soundness, thus tackling the scalability hard problem associated with using the Scoria approach.
- Developed a dynamic, rich web interface for the tool to enable remote evaluation with professionals.
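The following is an added illustration of the incremental idea described in the first highlight; it is a toy model written for this report, not the GMU analyzer or any code from the COVERT project. It keeps per-pair results for a set of installed apps and, when an app is added or removed, re-examines only the pairs that involve the changed app, while a baseline re-examines every pair. The vulnerability modelled is a simplified inter-app permission leak: an app without a sensitive permission reaches, via an implicit intent, an exported and unguarded component of another app that exercises that permission. Package names, permissions, intent actions and the matching rule (action strings only) are constructed assumptions for the example.

```python
"""Toy incremental inter-app ICC permission-leak analysis (illustrative only).

Not the GMU/COVERT analyzer. All apps, permissions and actions below are
constructed sample data; intent resolution is reduced to action matching.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Dict, Set


@dataclass(frozen=True)
class Component:
    name: str
    exported: bool
    actions: FrozenSet[str]            # actions accepted by its intent filters
    uses_permission: Optional[str]     # sensitive permission the handler exercises
    guard: Optional[str]               # permission a caller must hold, if any


@dataclass(frozen=True)
class Sender:
    component: str
    action: str                        # action of the implicit intent it sends


@dataclass
class App:
    package: str
    permissions: FrozenSet[str]
    components: Tuple[Component, ...]
    senders: Tuple[Sender, ...]


def pair_leaks(src: App, dst: App) -> Set[Tuple[str, str, str]]:
    """(src component, dst component, permission) triples where src, lacking a
    permission, can drive an exported dst component that exercises it."""
    leaks = set()
    for s in src.senders:
        for c in dst.components:
            if not c.exported or s.action not in c.actions:
                continue                               # unreachable by this intent
            if c.guard is not None and c.guard not in src.permissions:
                continue                               # guard blocks the caller
            if c.uses_permission and c.uses_permission not in src.permissions:
                leaks.add((s.component, c.name, c.uses_permission))
    return leaks


class IncrementalAnalyzer:
    """Keeps per-ordered-pair results and updates only pairs touching a change."""

    def __init__(self) -> None:
        self.apps: Dict[str, App] = {}
        self.results: Dict[Tuple[str, str], Set[Tuple[str, str, str]]] = {}
        self.pair_evaluations = 0      # cost counter for comparison with baseline

    def _evaluate(self, a: App, b: App) -> None:
        self.pair_evaluations += 1
        self.results[(a.package, b.package)] = pair_leaks(a, b)

    def add_app(self, app: App) -> None:
        self.apps[app.package] = app
        for other in self.apps.values():   # only pairs involving the new app
            if other.package != app.package:
                self._evaluate(app, other)
                self._evaluate(other, app)

    def remove_app(self, package: str) -> None:
        del self.apps[package]             # stale pairs are simply dropped
        for key in [k for k in self.results if package in k]:
            del self.results[key]

    def leaks(self) -> Dict[Tuple[str, str], Set[Tuple[str, str, str]]]:
        return {k: v for k, v in self.results.items() if v}


def full_analysis(apps):
    """Non-incremental baseline: re-examine every ordered pair from scratch."""
    results, evaluations = {}, 0
    for a in apps:
        for b in apps:
            if a is not b:
                evaluations += 1
                r = pair_leaks(a, b)
                if r:
                    results[(a.package, b.package)] = r
    return results, evaluations


def build_sample_apps():
    # Constructed sample bundle: an SMS app exposing an unguarded service,
    # a harmless gallery app, and a game that sends a matching implicit intent.
    sms = App("com.example.sms", frozenset({"android.permission.SEND_SMS"}),
              (Component("SmsService", True, frozenset({"com.example.SEND"}),
                         "android.permission.SEND_SMS", None),), ())
    gallery = App("com.example.gallery",
                  frozenset({"android.permission.READ_EXTERNAL_STORAGE"}),
                  (Component("ViewerActivity", True,
                             frozenset({"android.intent.action.VIEW"}), None, None),), ())
    game = App("com.example.game", frozenset(),
               (Component("GameActivity", False, frozenset(), None, None),),
               (Sender("GameActivity", "com.example.SEND"),))
    return sms, gallery, game


def demo():
    sms, gallery, game = build_sample_apps()
    an = IncrementalAnalyzer()
    an.add_app(sms)
    an.add_app(gallery)
    before = an.leaks()                    # no leak yet
    an.pair_evaluations = 0
    an.add_app(game)                       # installing the game: 4 pair checks
    incremental_cost = an.pair_evaluations
    after = an.leaks()                     # game -> SmsService leaks SEND_SMS
    _, full_cost = full_analysis([sms, gallery, game])   # baseline: 6 checks
    an.remove_app("com.example.sms")       # uninstall: no re-analysis needed
    return before, after, incremental_cost, full_cost, an.leaks()


if __name__ == "__main__":
    print(demo())
```

With three apps the saving is small (4 pair checks instead of 6), but the incremental cost grows linearly in the number of installed apps while the full re-analysis grows quadratically, which is the effect the highlight above describes; a real analyzer additionally has to re-resolve intents whose filters changed and handle updates as remove-then-add.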