SaTC: CORE: Small: Collaborative: Enabling Precise and Automated Insecurity Analysis of Middleware on Mobile Platforms

SaTC：核心：小型：协作：实现移动平台上中间件的精确和自动不安全分析

• 批准号: 1856380
• 负责人: Qiang Zeng
• 金额: $ 16.67万
• 依托单位: University of South Carolina at Columbia
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1856380&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Collaborative; Enabling

During the past decade, middleware on mobile platforms (such as the Application Framework in Android and the Core Services layer in iOS) has been flourishing, but the insecurity analysis of such middleware has been lagging behind. For example, while comprehensive studies have been conducted at the application layer of the Android system, there is very limited work analyzing the Android Application Framework (Android Framework, for short), a middleware layer in the Android system. The two billion Android mobile devices and the many Android Things devices all rely on the system services provided by Android Framework. Recently, many vulnerabilities of Android Framework are exposed, showing that Android Framework is vulnerable and exploitable. Given the critical role of Android Framework, a vulnerability in the framework can be exploited to launch large-scale cyber attacks and cause serious harms to user security and privacy. However, the insecurity analysis of Android Framework has been rather ad hoc, imprecise, and requires much manual effort, mainly because there is a severe lack of techniques and tools developed for insecurity analysis of such middleware on mobile platforms (MoMP). This research project seeks to fill the gap by developing new techniques and tools for insecurity analysis of MoMP like Android Framework and consequently lead to more secure and trustworthy computing environments for the huge number of smartphone and Internet-of-Things (IoT) device users. Educational resources developed in this project, including course modules on mobile computing security and vulnerability discovery, will be disseminated through a dedicated web site. Collaborations with the industry will be sought to transfer the technology to interested software companies and government entities that perform insecurity analysis of MoMP.The project will develop new architectural designs, algorithms and techniques for precise and automated insecurity analysis of MoMP. To make the research concrete, demonstrations will be created for the Android Framework for mobile smartphones, tablets and IoT devices, and the first platform for precise and automated insecurity analysis of Android Framework will be built, combining current software analysis techniques, such as symbolic execution, hybrid dynamic/static analysis, and cross-process and cross-layer software analysis, to make them capable of analyzing complex and large-sized MoMP like Android Framework. The platform will be evaluated and applied to discovering various types of zero-day vulnerabilities and generating proof-of-concept exploits.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在过去的十年中，移动平台上的中间件（例如Android中的应用程序框架和iOS中的核心服务层）一直在蓬勃发展，但是对此类中间件的不安全感分析一直落后。例如，尽管在Android系统的应用层进行了全面研究，但分析Android应用框架（简称Android框架）的工作非常有限，这是Android系统中的中间件层。 20亿个Android移动设备和许多Android Things设备都依赖于Android框架提供的系统服务。最近，暴露了许多Android框架的漏洞，表明Android框架是脆弱和可剥削的。鉴于Android框架的关键作用，可以利用框架中的脆弱性来发起大规模的网络攻击，并对用户安全和隐私造成严重伤害。但是，对Android框架的不安全感分析相当临时，不精确，需要大量的手动努力，主要是因为严重缺乏用于移动平台（MOMP）此类中间件的不安全感分析的技术和工具。该研究项目旨在通过开发新技术和工具来填补差距，以用于对Android框架（例如Android框架）的不安全感分析，从而为大量智能手机和智能手机（IoT）设备用户提供了更安全和可信赖的计算环境。该项目中开发的教育资源，包括有关移动计算安全性和漏洞发现的课程模块，将通过专用的网站传播。将寻求与行业的合作，将技术转移到对MOMP进行不安全感分析的感兴趣的软件公司和政府实体中。该项目将开发新的建筑设计，算法和技术，以确切和自动化的MOMP不安全感分析。为了制作研究混凝土，将为移动智能手机，平板电脑和物联网设备的Android框架创建演示，以及将建立精确和自动化的不安全感分析的第一个平台，结合当前软件分析技术，例如符号分析，例如符号执行，诸如混合动态/静态分析以及跨越跨越的软件分析，以使其分析，以使其分析，以使其分析，以使其分析，以使其分析，以使其构成符号分析技术，从而使象征性分析技术组合，从Android框架。该平台将被评估并应用于发现各种类型的零日漏洞并产生概念证明利用。该奖项反映了NSF的法定任务，并被认为是值得通过基金会的知识分子和更广泛影响的评估审查标准的评估来获得支持的。

项目成果

IoT Phantom-Delay Attacks: Demystifying and Exploiting IoT Timeout Behaviors

• DOI: 10.1109/dsn53405.2022.00050
• 发表时间: 2022-06
• 期刊: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Chenglong Fu;Qiang Zeng;Haotian Chi;Xiaojiang Du;Siva Likitha Valluru

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples

• DOI: 10.1109/dsn.2019.00019
• 发表时间: 2018-12
• 期刊: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Qiang Zeng;Jianhai Su;Chenglong Fu;Golam Kayas;Lannan Luo

Cross-App Interference Threats in Smart Homes: Categorization, Detection and Handling

• DOI: 10.1109/dsn48063.2020.00056
• 发表时间: 2018-08
• 期刊: 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Haotian Chi;Qiang Zeng;Xiaojiang Du;Jiaping Yu

Neural Machine Translation Inspired Binary Code Similarity Comparison beyond Function Pairs

• DOI: 10.14722/ndss.2019.23492
• 发表时间: 2019-01-01
• 期刊: 26TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2019)
• 作者: Zuo, Fei;Li, Xiaopeng;Zhang, Zhexin
• 通讯作者: Zhang, Zhexin

PFirewall: Semantics-Aware Customizable Data Flow Control for Smart Home Privacy Protection

• DOI: 10.14722/ndss.2021.24464
• 发表时间: 2021-01
• 期刊: ArXiv
• 作者: Haotian Chi;Qiang Zeng;Xiaojiang Du;Lannan Luo