Cross-Platform Security and Privacy Analysis of Emerging Systems

Emerging systems are characterized by their diverse range of functionalities and applications, from routine smartphone usage to Internet of Things (IoT) applications. While such advancements offer remarkable benefits, they also expose users to significant security and privacy risks, necessitating rigorous research to identify and address these challenges. This dissertation focuses on the security and privacy challenges that are present in detecting untrusted applications in the rapidly evolving world of emerging cross-platform technologies. In this dissertation, we use the term `cross-platform' to encompass settings that involve sharing of knowledge among multiple platforms, such as, web, IoT, as well as capturing the interaction among different platforms like PHP, JavaScript, SQL, and HTML. The behavior of untrusted applications can manifest in various ways, including, but not limited to, gathering excessive user information, being riddled with vulnerabilities (such as, integer and buffer overflows), and failing to adequately safeguard user data. This thesis is motivated by two key challenges in detecting security and privacy threats in emerging technologies-- limited labeled data and cross-language analysis.

First, limited labeled data: Given that emerging technologies continuously develop at an unprecedented pace, there is a lack of labeled data to study the potential security and privacy threats of emerging technologies. This limitation prevents us from leveraging existing data-driven machine learning-based detection tools. So far, these approaches have been successful in well-studied platforms individually. But those are not generalized well to the new platforms due to the diverse system implementations. For example, prior works can unfold applications asking for unnecessary access to user-sensitive data in the Android platform, but they cannot be extended to IoT applications (e.g., IF-This-Then-That, SmartThings) to detect similar threats. In this dissertation, we overcome the first challenge by introducing data-driven ML-based approach where we transfer security and privacy knowledge across multiple platforms. We successfully find 329 applications from the web and IoT that request access to unnecessary user-sensitive data. Later, we experience that solely relying on ML-based techniques does not always unfold security and privacy issues in cross-platforms. Hence, we improvise the detection tool by designing ML augmented program analysis-based approach. Using this tool, we discover 59 zero-day vulnerabilities acknowledged by Google LLC. Our research findings have resulted in the publishing of 12 Common Vulnerabilities and Exposures. Second, cross-language analysis: Due to the interaction among multiple programming languages it becomes very challenging to identify security and privacy violations in many applications. In such cases, analyzing a single platform is not enough, as it does not provide a comprehensive understanding of the application, leading to numerous mispredictions of violations. In light of this, the dissertation presents an end-to-end framework that captures information flow within web applications. We use the General Data Protection Regulation as a case study to assess the compliance of these applications. With the help of our developed tool, we identify 381 web applications that do not comply with such regulations. Both challenges underscore the risks associated with untrusted applications in modern and emerging systems. The development of these generalized detection tools marks a significant step towards more secure and privacy-conscious use of emerging systems. Furthermore, it lays a foundation for future research in this field, facilitating the development of more robust security and privacy measures as technology evolves.