Advanced Security Analysis for Emergent Software Platforms

Emergent software ecosystems, boomed by the advent of smartphones and the Internet of Things (IoT) platforms, are perpetually sophisticated, deployed into highly dynamic environments, and facilitating interactions across heterogeneous domains. Accordingly, assessing the security thereof is a pressing need, yet requires high levels of scalability and reliability to handle the dynamism involved in such volatile ecosystems. This dissertation seeks to enhance conventional security detection methods to cope with the emergent features of contemporary software ecosystems. In particular, it analyzes the security of Android and IoT ecosystems by developing rigorous vulnerability detection methods. A critical aspect of this work is the focus on detecting vulnerable and unsafe interactions between applications that share common components and devices. Contributions of this work include novel insights and methods for: (1) detecting vulnerable interactions between Android applications that leverage dynamic loading features for concealing the interactions; (2) identifying unsafe interactions between smart home applications by considering physical and cyber channels; (3) detecting malicious IoT applications that are developed to target numerous IoT devices; (4) detecting insecure patterns of emergent security APIs that are reused from open-source software. In all of the four research thrusts, we present thorough security analysis and extensive evaluations based on real-world applications. Our results demonstrate that the proposed detection mechanisms can efficiently and effectively detect vulnerabilities in contemporary software platforms. Advisers: Hamid Bagheri and Qiben Ya

Cybersecurity and smart home devices: A resource governance model

A yet to be explored area of cybersecurity, as experienced through the security embedded within a focal firm’s products, is cloud-based smart home devices being rapidly adopted in homes. Adoption of these cloud-based products is growing some 22%, indicating the potential of the home market for future revenue and profit growth. With the uncovering of generous data collection functionality currently built-into these products and the seeming routineness of data breaches in general, security and data privacy of smart home devices has been identified as a critical concern of consumers. As a first step in addressing this concern, we propose a theoretical model of cybersecurity in smart home devices based on a foundation of information governance and resource dependence theories. The Resource Governance Model provides a framework for smart home device firms to help ensure products incorporate their chosen cybersecurity design. Future direction for application of the Resource Governance Model is then discussed

Evil Twin Attacks on Smart Home IoT Devices for Visually Impaired Users

Securing the Internet of Things (IoT) devices in a smart home has become inevitable due to the recent surge in the use of smart devices by the visually impaired. The visually impaired users rely heavily on these IoT devices and assistive technologies for guidance, medical usage, mobility help, voice recognition, news feeds and emergency communications. However, cyber attackers are deploying Evil Twin and Man-in-the-middle (MITM) attacks, among others, to penetrate the network, establish rogue Wi-Fi access points and trick victims into connecting to it, leading to interceptions, manipulation, exploitation, compromising the smart devices and taking command and control. The paper aims to explore the Evil Twin attack on smart devices and provide mitigating techniques to improve privacy and trust. The novelty contribution of the paper is three-fold: First, we identify the various IoT device vulnerabilities and attacks. We consider the state-of-the-art IoT cyberattacks on Smart TVs, Smart Door Lock, and cameras. Secondly, we created a virtual environment using Kali Linux (Raspberry Pi) and NetGear r7000 as the home router for our testbed. We deployed an Evil Twin attack to penetrate the network to identify the vulnerable spots on the IoT devices. We consider the Kill Chain attack approach for the attack pattern. Finally, we recommend a security mechanism in a table to improve security, privacy and trust. Our results show how vulnerabilities in smart home appliances are susceptible to attacks. We have recommended mitigation techniques to enhance the security for visually impaired users

Detecting Rogue Manipulation of Smart Home Device Settings

Smart home devices control a home’s environmental and security settings. This includes devices that control home thermostats, sprinkler systems, light bulbs, and home appliances. Malicious manipulation of the settings of these devices by an outside adversary has caused emotional distress and could even cause physical harm. For example, researchers have reported that there is a rise in domestic abuse perpetrated via smart home devices; victims have reported their thermostat settings being unwittingly manipulated and being locked out of their house due to their smart lock code being changed. Rapid adoption of smart home devices by consumers has led to an urgent need to research mitigation strategies to protect consumers from device takeover. Currently there is not an easy way for home users to detect that a malicious actor is making unwanted changes to their smart home devices. Change requests to smart home devices travel across the network in the form of network packets. Most of time the payloads of the packets are encrypted using strong encryption methods, so it is not possible to simply read the contents of the packet to learn if the packet contains instructions for the smart device to change states. Previous research has successfully trained machine learning algorithms to identify unique network traffic patterns indicative of state change requests sent to smart home devices. This research extends previous research by identifying state change requests of smart home devices made by residents via a smart home device app on their smart phones or tablets. This research identified 13 key attributes of 3,178 encrypted network traffic connections. The attributes were used as features to train three machine learning algorithms to recognize state change requests. Four smart home devices were used chosen from the following categories: 1) devices with simple behaviors (turns on and off), 2) devices with complex behaviors (can be turned on for a set amount of time), and 3) devices that send a large amount of data (i.e. video camera). The success of identifying state change requests over encrypted traffic from a mobile app, combined with previous research that identified state changes sent to the smart home device, allows for the development of a system that could block unwanted state changes that originate from a malicious user located outside of the house. Therefore, this research contributes to the body of knowledge of smart home device security and could be extended to the identification of other networking patterns based on encrypted traffic

Program Analysis Based Approaches to Ensure Security and Safety of Emerging Software Platforms

Our smartphones, homes, hospitals, and automobiles are being enhanced with software that provide an unprecedentedly rich set of functionalities, which has created an enormous market for the development of software that run on almost every personal computing devices in a person's daily life, including security- and safety-critical ones. However, the software development support provided by the emerging platforms also raises security risks by allowing untrusted third-party code, which can potentially be buggy, vulnerable or even malicious to control user's device. Moreover, as the Internet-of-Things (IoT) technology is gaining vast adoptions by a wide range of industries, and is penetrating every aspects of people's life, safety risks brought by the open software development support of the emerging IoT platform (e.g., smart home) could bring more severe threat to the well-being of customers than what security vulnerabilities in mobile apps have done to a cell phone user. To address this challenge posed on the software security in emerging domains, my dissertation focuses on the flaws, vulnerabilities and malice in the software developed for platforms in these domains. Specifically, we demonstrate that systematic program analyses of software (1) Lead to an understanding of design and implementation flaws across different platforms that can be leveraged in miscellaneous attacks or causing safety problems; (2) Lead to the development of security mechanisms that limit the potential for these threats.We contribute static and dynamic program analysis techniques for three modern platforms in emerging domains -- smartphone, smart home, and autonomous vehicle. Our app analysis reveals various different vulnerabilities and design flaws on these platforms, and we propose (1) static analysis tool OPAnalyzer to automates the discovery of problems by searching for vulnerable code patterns; (2) dynamic testing tool AutoFuzzer to efficiently produce and capture domain specific issues that are previously undefined; and (3) propose new access control mechanism ContexIoT to strengthen the platform's immunity to the vulnerability and malice in third-party software. Concretely, we first study a vulnerability family caused by the open ports on mobile devices, which allows remote exploitation due to insufficient protection. We devise a tool called OPAnalyzer to perform the first systematic study of open port usage and their security implications on mobile platform, which effectively identify and characterize vulnerable open port usage at scale in popular Android apps. We further identify the lack of context-based access control as a main enabler for such attacks, and begin to seek for defense solution to strengthen the system security. We study the popular smart home platform, and find the existing access control mechanisms to be coarse-grand, insufficient, and undemanding. Taking lessons from previous permission systems, we propose the ContexIoT approach, a context-based permission system for IoT platform that supports third-party app development, which protects the user from vulnerability and malice in these apps through fine-grained identification of context. Finally, we design dynamic fuzzing tool, AutoFuzzer for the testing of self-driving functionalities, which demand very high code quality using improved testing practice combining the state-of-the-art fuzzing techniques with vehicular domain knowledge, and discover problems that lead to crashes in safety-critical software on emerging autonomous vehicle platform.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/145845/1/jackjia_1.pd

Urban Informatics

This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity

Urban Informatics

This open access book is the first to systematically introduce the principles of urban informatics and its application to every aspect of the city that involves its functioning, control, management, and future planning. It introduces new models and tools being developed to understand and implement these technologies that enable cities to function more efficiently – to become ‘smart’ and ‘sustainable’. The smart city has quickly emerged as computers have become ever smaller to the point where they can be embedded into the very fabric of the city, as well as being central to new ways in which the population can communicate and act. When cities are wired in this way, they have the potential to become sentient and responsive, generating massive streams of ‘big’ data in real time as well as providing immense opportunities for extracting new forms of urban data through crowdsourcing. This book offers a comprehensive review of the methods that form the core of urban informatics from various kinds of urban remote sensing to new approaches to machine learning and statistical modelling. It provides a detailed technical introduction to the wide array of tools information scientists need to develop the key urban analytics that are fundamental to learning about the smart city, and it outlines ways in which these tools can be used to inform design and policy so that cities can become more efficient with a greater concern for environment and equity