Preventing Capability Abuse through Systematic Analysis of Exposed Interfaces

Connectivity and interoperability are becoming more and more important in today's software and cyber-physical systems. Different components of the system are able to better collaborate, enabling new innovation opportunities. However, in order to support connectivity and interoperability, systems have to expose certain capabilities, which inevitably expand their attack surfaces and increase the risk of being abused. Due to the complexity of software systems and the heterogeneity of cyber-physical systems, it is challenging to secure their exposed interfaces and prevent abuses of system capabilities. To address the problems in a proactive manner, in this dissertation we demonstrate that by systematically analyzing exposed interfaces and how applications use them, leveraging techniques such as program analysis, we can effectively discover vulnerabilities, pinpoint system design weaknesses, and develop mitigation solutions to prevent capability abuse.

My dissertation addresses four problems in this space. First, we detect inconsistencies in access control policy enforcement in the Android framework. We design and build a tool that compares permissions enforced on different code paths and identifies the paths enforcing weaker or no permissions. Our methodology does not require security policies, which are non-trivial to learn, and it targets only on the enforcement. Second, we propose the Application Lifecycle Graph (ALG), a novel modeling approach to describing system-wide app lifecycle. We develop a lightweight runtime framework that utilizes ALG to realize fine-grained app lifecycle control, with a focus on restricting diehard apps that abuse entry points to automatically start up and game the priority-based memory management mechanism to evade being killed. Third, we conduct the first systematic study in understanding the security properties of the usage of Unix domain sockets by both Android apps and system daemons as IPC channels, especially for cross-layer communications between the Java and the native layers. Lastly, we study real-world programmable logic controller programs for identifying insecure configurations that can lead to critical security and safety violations.