Understanding and Improving Security of the Android Operating System

Successful realization of practical computer security improvements requires an understanding and insight into the system\u27s security architecture, combined with a consideration of end-users\u27 needs as well as the system\u27s design tenets. In the case of Android, a system with an open, modular architecture that emphasizes usability and performance, acquiring this knowledge and insight can be particularly challenging for several reasons. In spite of Android\u27s open source philosophy, the system is extremely large and complex, documentation and reference materials are scarce, and the code base is rapidly evolving with new features and fixes. To make matters worse, the vast majority of Android devices in use do not run the open source code, but rather proprietary versions that have been heavily customized by vendors for product differentiation. Proposing security improvements or making customizations without sufficient insight into the system typically leads to less-practical, less-efficient, or even vulnerable results. Point solutions to specific problems risk leaving other similar problems in the distributed security architecture unsolved. Far-reaching general-purpose approaches may further complicate an already complex system, and force end-users to endure significant performance and usability degradations regardless of their specific security and privacy needs. In the case of vendor customization, uninformed changes can introduce access control inconsistencies and new vulnerabilities. Hence, the lack of methodologies and resources available for gaining insight about Android security is hindering the development of practical security solutions, sound vendor customizations, and end-user awareness of the proprietary devices they are using. Addressing this deficiency is the subject of this dissertation. New approaches for analyzing, evaluating and understanding Android access controls are introduced and used to create an interactive database for use by security researchers as well as system designers and end-user product evaluators. Case studies using the new techniques are described, with results uncovering problems in Android\u27s multiuser framework and vendor-customized System Services. Finally, the new insights are used to develop and implement a novel virtualization-based security architecture that protects sensitive resources while preserving Android\u27s open architecture and expected levels of performance and usability

Instructions-Based Detection of Sophisticated Obfuscation and Packing

Every day thousands of malware are released online. The vast majority of these malware employ some kind of obfuscation ranging from simple XOR encryption, to more sophisticated anti-analysis, packing and encryption techniques. Dynamic analysis methods can unpack the file and reveal its hidden code. However, these methods are very time consuming when compared to static analysis. Moreover, considering the large amount of new malware being produced daily, it is not practical to solely depend on dynamic analysis methods. Therefore, finding an effective way to filter the samples and delegate only obfuscated and suspicious ones to more rigorous tests would significantly improve the overall scanning process. Current techniques of identifying obfuscation rely mainly on signatures of known packers, file entropy score, or anomalies in file header. However, these features are not only easily bypass-able, but also do not cover all types of obfuscation. In this paper, we introduce a novel approach to identify obfuscated files based on anomalies in their instructions-based characteristics. We detect the presence of interleaving instructions which are the result of the opaque predicate anti-disassembly trick, and present distinguishing statistical properties based on the opcodes and control flow graphs of obfuscated files. Our detection system combines these features with other file structural features and leads to a very good result of detecting obfuscated malware

Near-Real-Time Cloud Auditing for Rapid Response

Due to the rapid emergence of Information Technology, cloud computing provides assorted advantages to service providers, developers, organizations, and customers with respect to scalability, flexibility, cost-effectiveness, and availability. However, it also introduces new challenges and concerns, especially in terms of security and privacy. One of the major security obstacles to widespread adoption of cloud computing is the lack of near-real-time auditability. In particular, near-real-time cloud auditing, which provides timely evaluation results and rapid response, is the key to assuring the cloud. In this paper, we discuss security and privacy concerns in cloud computing and the current status of cloud auditing efforts. Next, we address the strategies for reliable cloud auditing and analyze the deficiencies of current approaches. We then discuss the summary of our case study with Amazon CloudWatch, which is one of the most developed cloud-monitoring APIs