Science of Secure Frameworks (CMU/Wayne State University/George Mason University Collaborative Proposal) - January 2017

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): David Garlan (CMU), Jonathan Aldrich (CMU)
Researchers: Marwan Abi Antoun (Wayne State University), Sam Malek (University of California, Irvine), Joshua Sunshine (CMU), Bradley Schmerl (CMU)

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
This refers to Hard Problems, released November 2012.

By leveraging approaches to software architecture we will be able to better understand the security implications of frameworks used to build many of today's mobile software systems. This will allow us to provide tools and techniques for building more scalable and composable frameworks that have security assurances that can be verified statically, can be used for building self-securing resilient systems, and that ultimately reduce security vulnerabilities in frameworks and applications based on them in practice.

2) PUBLICATIONS

  • Alireza Sadeghi, Hamid Bagheri, Joshua Garcia, and Sam Malek. A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software. Accepted to appear in IEEE Transactions on Software Engineering. Published online on October 6, 2016: http://ieeexplore.ieee.org/document/7583740/

  • Capability Safe Reflection for the Wyvern Language. Esther Wang and Jonathan Aldrich. In Proceedings of the Workshop on Meta-Programming Techniques and Reflection (META), Amsterdam, Netherlands, October 30, 2016.

  • Hamid Bagheri and Sam Malek. "Titanium: Efficient Analysis of Evolving Alloy Specifications." 24th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2016), Seattle, WA, November 2016.

  • Bradley Schmerl, Jeffrey Gennari, Alireza Sadeghi, Hamid Bagheri, Sam Malek, Javier Camara and David Garlan. Architecture Modeling and Analysis of Security in Android Systems. In Proceedings of the 10th European Conference on Software Architecture (ECSA 2016), Vol. 9839 of Lecture Notes in Computer Science, Springer, Copenhagen, Denmark, 30 November - 2 December 2016.

  • Ebrahim Khalaj and Marwan Abi-Antoun. What You See Is What You Get Object Graphs. In preparation, Jan. 2017. http://www.cs.wayne.edu/~mabianto/inprep/17-ecoop-draft.pdf

3) KEY HIGHLIGHTS

Enhanced and evaluated a semi-automated algorithm and tool for iteratively and interactively refining a global hierarchical graph while maintaining its soundness, thus tackling the scalability hard problem associated with using the Scoria approach.

UCI researchers constructed a framework for generating exploits for Android apps that are vulnerable to inter-component communication (ICC) vulnerabilities based on Intents, which are messages that Android apps exchange. The framework leverages an analysis that is path-sensitive, enabling the generation of exploits capable of executing particular program paths of an Android app. The framework is pluggable, allowing the automatic generation of exploits that can execute a particular program statement identified as vulnerable to an ICC-based attack.

4) COMMUNITY ENGAGEMENT

5) EDUCATIONAL ADVANCES

Ebrahim Khalaj completed the requirements for the M.S. degree in Dec. 2017, and is on target to graduate with a Ph.D. by May or Aug. 2017.