Cross-Platform Security and Privacy Analysis of Emerging Systems
Shezan, Faysal Hossain, Computer Science - School of Engineering and Applied Science, University of Virginia
Tian, Yuan, Electrical and Computer Engineering, University of California, Los Angeles
First, limited labeled data: Given that emerging technologies continuously develop at an unprecedented pace, there is a lack of labeled data to study the potential security and privacy threats of emerging technologies. This limitation prevents us from leveraging existing data-driven, machine learning-based detection tools. So far, these approaches have been successful on well-studied platforms individually, but they do not generalize well to new platforms due to the diverse system implementations. For example, prior works can uncover applications asking for unnecessary access to user-sensitive data on the Android platform, but they cannot be extended to IoT applications (e.g., IF-This-Then-That, SmartThings) to detect similar threats. In this dissertation, we overcome the first challenge by introducing a data-driven, ML-based approach in which we transfer security and privacy knowledge across multiple platforms. We successfully find 329 applications from the web and IoT that request access to unnecessary user-sensitive data. Later, we find that relying solely on ML-based techniques does not always uncover security and privacy issues in cross-platform settings. Hence, we improve the detection tool by designing an ML-augmented, program analysis-based approach. Using this tool, we discover 59 zero-day vulnerabilities acknowledged by Google LLC. Our research findings have resulted in the publication of 12 Common Vulnerabilities and Exposures.
Second, cross-language analysis: Due to the interaction among multiple programming languages, it becomes very challenging to identify security and privacy violations in many applications. In such cases, analyzing a single platform is not enough, as it does not provide a comprehensive understanding of the application, leading to numerous mispredictions of violations. In light of this, the dissertation presents an end-to-end framework that captures information flow within web applications. We use the General Data Protection Regulation as a case study to assess the compliance of these applications. With the help of our developed tool, we identify 381 web applications that do not comply with such regulations.
Both challenges underscore the risks associated with untrusted applications in modern and emerging systems. The development of these generalized detection tools marks a significant step towards more secure and privacy-conscious use of emerging systems. Furthermore, it lays a foundation for future research in this field, facilitating the development of more robust security and privacy measures as technology evolves.
PHD (Doctor of Philosophy)
Cross-platform, Security, Privacy, Emerging System