CAREER: Secure OS Views for Modern Computing Platforms

Sponsor: NSF SaTC CAREER
Award #: 1253346
Amount: $400,000
Duration: 5 years (February 1, 2013 - January 31, 2018)
Single PI

Abstract: The security architecture of consumer operating systems is currently undergoing a fundamental change. In platforms such as Android, iOS, and Windows 8, each application is a separate security principal that can own data. While this distinction is a vast improvement over traditional user-focused security architectures, sharing data between applications results in an unexpected loss of control of that data, potentially exposing security and privacy sensitive information. This research improves the security of these modern consumer operating systems by providing a holistic view of data protection. In particular, this work proposes a new operating system abstraction for transparently tracking and controlling access to all data, allowing policy to determine if a reader is given the true value, a fake or modified value, or no value at all. To efficiently and practically accomplish this goal, this work combines several existing and new techniques to track and control access to data. The new abstraction provided by this work not only solves a significant problem affecting modern consumer operating systems by enabling applications to retain pervasive control over their data, but also more broadly provides a new abstraction on which a variety of new security solutions can be built.

Public Artifacts

• Weir: practical enforcement of information flow control on Android.
• Android Security Modules (ASM): programmable interface for extending Android OS security.
• Aquifer: DIFC on Android to prevent accidental data disclosure in modern operating systems.
• NativeWrap: ad-hoc creation of Web-based apps in modern operating systems.
• WHYPER: demonstrates how to extract user expections from textual descriptions in app stores (de facto software distribution for modern operating systems).

Education and Outreach

• Advisory Committee, Project Lead The Way (PLTW) Computer Science Applications (CSA) curriculum for high school students. October 2014 - present.
• December 4, 2014: "Back-to-Basics" tutorial on techniques for securing Android applications for Raleigh Chapter of ISSA, attended by local industry professionals and community college students.
• October 2, 2014: "Back-to-Basics" tutorial on developing Android applications for Raleigh Chapter of ISSA, attended by local industry professionals and community college students.
• Integration of modern OS security findings and conceptualization into advanced graduate level course, CSC 705 (OS Security), which discusses the foundations and history of OS security as it has evolved to current day systems. Last taught Spring 2014.
• Faculty advisor, NCSU Information Assurance Student Group (IASG), 2012-2016

Publications

1. Luke Deshotels, Razvan Deaconescu, Mihai Chiroiu, Lucas Davi, William Enck, and Ahmad-Reza Sadeghi, SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Vienna, Austria, 2016.
   [PDF] (acceptance rate=16.5%)
2. Adwait Nadkarni, Benjamin Andow, William Enck, and Somesh Jha, Practical DIFC Enforcement on Android, in Proceedings of the USENIX Security Symposium, Austin, TX, 2016.
   [PDF] (acceptance rate=15.6%)
3. Ruowen Wang, William Enck, Douglas Reeves, Xinwen Zhang, Peng Ning, Dingbang Xu, Wu Zhou, and Ahmed Azab, EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning, in Proceedings of the USENIX Security Symposium, Washington, DC, 2015.
   [PDF] (acceptance rate=15.7%)
4. Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, and William Enck, AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context, in Proceedings of the International Conference on Software Engineering (ICSE), Firenze, Italy, 2015.
   [PDF] (acceptance rate=18.5%)
5. Stephan Heuser, Adwait Nadkarni, William Enck, and Ahmad-Reza Sadeghi, ASM: A Programmable Interface for Extending Android Security, in Proceedings of the USENIX Security Symposium, San Diego, CA, 2014.
   [PDF] (acceptance rate=19.1%) (supercedes TUD-CS-2014-0063)
6. Adwait Nadkarni, Vasant Tendulkar, and William Enck, NativeWrap: Ad Hoc Smartphone Application Creation for End Users, in Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), Oxford, United Kingdom, 2014.
   [PDF] (acceptance rate=26.0%)
7. Tsung-Hsuan Ho, Daniel Dean, Xiaohui Gu, and William Enck, PREC: Practical Root Exploit Containment for Android Devices, in Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY), San Antonio, TX, 2014.
   [PDF] (acceptance rate=16.0%) (supercedes TR-2012-12)
8. Adwait Nadkarni and William Enck, Preventing Accidental Data Disclosure in Modern Operating Systems, in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, 2013.
   [PDF] (acceptance rate=19.8%)
9. Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie, WHYPER: Towards Automating Risk Assessment of Mobile Applications, in Proceedings of the USENIX Security Symposium, Washington, D.C., 2013.
   [PDF] (acceptance rate=16.2%)