Side-Channel Attack on Web
Counteracting Web Malvertising
Secure Computing on Hybrid Clouds
Secure Web Commerce
Mobile Fragmentation

CNS-1527141: TWC: Small: Understanding and Mitigating the Security Hazards of Mobile Fragmentation

Introduction

Mobile computing technologies are rapidly evolving and phone (and other mobile device) manufacturers are under constant pressure to offer new product models. Each manufacturer customizes operating system software for its devices and often changes this software to support its new models. Given the many manufacturers in the mobile device marketplace and the many different generations of products, there are many customized branches of mobile operating systems in use at any time. Unfortunately, high-impact, security-critical flaws have been introduced through the combination of the operating system customization process and the design of mobile applications. This project is the first to systematically study and mitigate such security hazards. The researchers are collaborating closely with device manufacturers to transfer the results of the project into practice.

More specifically, the project involves an in-depth study of the security risks and pitfalls that lead to fragmentation-related vulnerabilities. The researchers are developing novel technologies to detect such flaws in existing systems and avoid them when building new ones. The project includes the development of automatic analysis techniques that scan a large number of factory images to identify inconsistencies in the protection of a system capability on different operating system (OS) layers (e.g., Android framework layer, Linux layer, etc.), and across a customized version and its official counterpart. This consistency check helps elevate the security qualities of customized systems to that of Android official systems. Furthermore, to mitigate the security risk introduced by the services or apps designed for cross-version, cross-device compatibility, the research team is studying techniques for automatically analyzing a variety of services on new OS releases, enhancing the mechanism for capturing exploits on them, and eliminating new security hazards like hanging capabilities.

Related paper

  • K. Chen, X. Wang, Y. Chen, P. Wang, Y. Lee, X. Wang, B. Ma, A. Wang, Y. Zhang, W. Zou (2016). Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS. the 36th IEEE Symposium on Security and Privacy (IEEE S&P). . Status = PUBLISHED; Acknowledgment of Federal Support = Yes ; Peer Reviewed = Yes
  • L. Xing, X. Bai, T. Li, X. Wang, K. Chen, X. Liao, S. Hu and X. Han (2015). Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS. 22nd ACM Conference on Computer and Communications Security (CCS). . Status = PUBLISHED; Acknowledgment of Federal Support = Yes ; Peer Reviewed = Yes
  • X. Bai, L. Xing, N. Zhang, X. Wang, X. Liao, T. Li and S. Hu (2016). Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf. the 36th IEEE Symposium on Security and Privacy (IEEE S&P). . Status = PUBLISHED; Acknowledgment of Federal Support = Yes ; Peer Reviewed = Yes
  • Y. Aafer, N. Zhang, Z. Zhang, X. Zhang, K. Chen, X. Wang, X. Zhou, W. Du and M. Grace (2015). Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References. 22nd ACM Conference on Computer and Communications Security (CCS). . Status = PUBLISHED; Acknowledgment of Federal Support = Yes ; Peer Reviewed = Yes
  • Y. Lee, T. Li, N. Zhang, S. Demetriou, M. Zha, X. Wang, K. Chen, X. Zhou, X. Han, M. Grace (2017). Ghost Installer in the Shadow: Security analysis of App Installation on Android, the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).
  • X. Pan, X. Wang, Y. Duan, X. Wang, H. Yin (2017). Dark Hazard: Learning-based, Large-Scale Discovery of Hidden Sensitive Operations in Android Apps. the Network and Distributed System Security Symposium 2017 (NDSS).
  • S. Demetriou, N. Zhang, Y. Lee, X. Wang, C. Gunter, X. Zhou, M. Grace (2017). HanFence: SDN-driven protection of smart home WiFi devices from malicious mobile apps. . 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec).

Other Resources

  • Under construction