(For a full list see below)
“Belt and suspenders” or “just red tape”?: Investigating Early Outcomes and Perceptions of IoT Security Compliance Enforcement
Prianka Mandal, Amit Seal Ami, Victor Olaiya, Adwait Nadkarni
As IoT security regulations and standards emerge, the industry has begun adapting the traditional enforcement model for software compliance to the IoT domain, wherein Commercially Licensed Evaluation Facilities (CLEFs) certify vendor products on behalf of regulators (and, in turn, consumers). Since IoT standards are in their formative stages, we investigate a simple but timely question: does the traditional model work for IoT security, and more importantly, does it work as well as consumers expect it to? This paper investigates the initial artifacts resulting from IoT compliance certification, and user perceptions of compliance, in the context of certified mobile-IoT apps, i.e., critical companion and automation apps that expose an important IoT attack surface, with a focus on three key questions: (1) are certified IoT products vulnerable?, (2) are vulnerable-but-certified products non-compliant?, and finally, (3) how do consumers perceive compliance enforcement? Our systematic analysis of 11 mobile-IoT apps certified by IOXT, along with an analysis of 5 popular compliance standards, and a user study with 173 users, together yield 17 key findings. We find significant vulnerabilities that indicate gaps in certification, but which do not violate the standards due to ambiguity and discretionary language. Further, these vulnerabilities contrast with the overwhelming trust that users place in compliance certification and certified apps. We conclude with a discussion on future directions towards a “belt and suspenders” scenario of effective assurance that most users desire, from the status quo of “just red tape”, through objective checks and balances that empower the regulators and consumers to reform compliance enforcement for IoT.
‘False negative - that one is going to kill you’ - Understanding Industry Perspectives of Static Analysis based Security Testing
Amit Seal Ami, Kevin Moran, Denys Poshyvanyk, Adwait Nadkarni
The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the limitations of the tools, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify 17 key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo — challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.
Code and Data - https://github.com/Secure-Platforms-Lab-W-M/false-negatives-kill
Understanding IoT Security from a Market-Scale Perspective
Xin Jin*, Sunil Manandhar*, Kaushal Kafle, Zhiqiang Lin, and Adwait Nadkarni
Consumer IoT products and services are ubiquitous; yet, a proper characterization of consumer IoT security is infeasible without an understanding of what IoT products are on the market, i.e., without a market-scale perspective. This paper seeks to close this gap by developing the IoTSpotter framework, which automatically constructs a market-scale snapshot of mobile-IoT apps, i.e., mobile apps that are used as companions or automation providers to IoT devices. IoTSpotter also extracts artifacts that allow us to examine the security of this snapshot in the IoT context (e.g., devices supported by apps, IoT-specific libraries). Using IoTSpotter, we identify 37,783 mobile-IoT apps from Google Play, the largest set of mobile-IoT apps so far, and uncover 7 key results in the process (R1–R7). We leverage this dataset to perform three key security analyses that lead to 10 impactful security findings (F1–F10) that demonstrate the current state of mobile-IoT apps. Our analysis uncovers severe cryptographic violations in 94.11% (863/917) of mobile-IoT apps with >1 million installs each, 65 vulnerable IoT-specific libraries affected by 79 unique CVEs and used by 40 popular apps, and 7,887 apps that are affected by the Janus vulnerability. Finally, a case study with 18 popular mobile-IoT apps uncovers the critical impact of the vulnerabilities in them on important IoT artifacts and functions, motivating the development of mobile security analysis contextualized to IoT.
Code and Data - https://github.com/Secure-Platforms-Lab-W-M/IoTSpotter
Smart Home Privacy Policies Demystified: A Study of Availability, Content, and Coverage
Sunil Manandhar, Kaushal Kafle, Benjamin Andow, Kapil Singh, and Adwait Nadkarni
Smart home devices transmit highly sensitive usage information to servers owned by vendors or third-parties as part of their core functionality. Hence, it is necessary to provide users with the context in which their device data is collected and shared, to enable them to weigh the benefits of deploying smart home technology against the resulting loss of privacy. As privacy policies are generally expected to precisely convey this information, we perform a systematic and data-driven analysis of the current state of smart home privacy policies, with a particular focus on three key questions: (1) how hard privacy policies are for consumers to obtain, (2) how existing policies describe the collection and sharing of device data, and (3) how accurate these descriptions are when compared to information derived from alternate sources. Our analysis of 596 smart home vendors, affecting 2,442 smart home devices yields 17 findings that impact millions of users, demonstrate gaps in existing smart home privacy policies, as well as challenges and opportunities for automated analysis.
Code and Data - https://github.com/Secure-Platforms-Lab-W-M/smart-home-privacy-policies
Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques
Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni
The correct use of cryptography is central to ensuring data security in modern software systems. Hence, several academic and commercial static analysis tools have been developed for detecting and mitigating crypto-API misuse. While developers are optimistically adopting these crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of their effectiveness at finding crypto-API misuse in practice. This paper presents the MASC framework, which enables a systematic and data-driven evaluation of crypto-detectors using mutation testing. We ground MASC in a comprehensive view of the problem space by developing a data-driven taxonomy of existing crypto-API misuse, containing 105 misuse cases organized among nine semantic clusters. We develop 12 generalizable usage-based mutation operators and three mutation scopes that can expressively instantiate thousands of compilable variants of the misuse cases for thoroughly evaluating crypto-detectors. Using MASC, we evaluate nine major crypto-detectors and discover 19 unique, undocumented flaws that severely impact the ability of crypto-detectors to discover misuses in practice. We conclude with a discussion on the diverse perspectives that influence the design of crypto-detectors and future directions towards building security-focused crypto-detectors by design.
Code and Data - https://github.com/Secure-Platforms-Lab-W-M/MASC-Artifact
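The abstract above describes usage-based mutation operators that produce many compilable variants of one crypto-API misuse so that a detector's blind spots become visible. The script below is an added illustration of that idea written for this page; it is not MASC's code, and the operator names, the two toy detectors and the Java fragments are assumptions made here. One weak-cipher misuse (selecting DES through Cipher.getInstance) is rewritten so that the same insecure algorithm name reaches the API through different syntactic routes, and two regex-based detectors of increasing depth are run over the variants to list their false negatives.

```python
"""Usage-based mutation of a crypto-API misuse (illustrative, not MASC).

Each variant below is a Java fragment that ends up calling
Cipher.getInstance with the same weak algorithm name; the fragments are
meant to sit in a method that declares GeneralSecurityException (the
helper in the method_return variant goes at class level). Two toy
detectors then show how syntax alone decides whether a misuse is seen.
"""
import re

# Algorithm names treated as weak by the toy detectors (assumption).
WEAK_ALGORITHMS = ("DES", "RC4", "RC2")


def build_variants(alg: str) -> dict[str, str]:
    """Return {operator name: Java fragment} for one weak algorithm."""
    head, tail = alg[:1], alg[1:]
    reversed_name = alg[::-1]
    chars = ", ".join(f"'{c}'" for c in alg)
    return {
        # The unmutated misuse: algorithm name as a string literal.
        "literal": f'Cipher c = Cipher.getInstance("{alg}");',
        # Same literal split by compile-time concatenation.
        "concatenation": f'Cipher c = Cipher.getInstance("{head}" + "{tail}");',
        # Name stored in a local first (one def-use hop).
        "local_variable": f'String alg = "{alg}"; Cipher c = Cipher.getInstance(alg);',
        # JCE algorithm names are case-insensitive, so this still selects DES.
        "case_transform": f'Cipher c = Cipher.getInstance("{alg.lower()}".toUpperCase());',
        # Name built at run time from its reverse.
        "string_builder": (
            f'Cipher c = Cipher.getInstance('
            f'new StringBuilder("{reversed_name}").reverse().toString());'
        ),
        # Name built from a char array, so no string literal exists at all.
        "char_array": f'Cipher c = Cipher.getInstance(new String(new char[]{{{chars}}}));',
        # Name returned by a helper method (inter-procedural).
        "method_return": (
            f'static String alg() {{ return "{alg}"; }}\n'
            f'Cipher c = Cipher.getInstance(alg());'
        ),
    }


# Detector 1: flags only a weak name written directly as the argument.
LITERAL_CALL = re.compile(r'Cipher\.getInstance\("([^"]+)"\)')


def literal_detector(fragment: str) -> bool:
    m = LITERAL_CALL.search(fragment)
    return bool(m) and m.group(1).upper() in WEAK_ALGORITHMS


# Detector 2: adds one hop of def-use through a String local.
ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*"([^"]+)"\s*;')
VAR_CALL = re.compile(r'Cipher\.getInstance\((\w+)\)')


def one_hop_detector(fragment: str) -> bool:
    if literal_detector(fragment):
        return True
    constants = dict(ASSIGN.findall(fragment))
    m = VAR_CALL.search(fragment)
    return bool(m) and constants.get(m.group(1), "").upper() in WEAK_ALGORITHMS


def false_negatives(detector, alg: str = "DES") -> list[str]:
    """Names of variants the detector fails to flag, sorted."""
    return sorted(name for name, code in build_variants(alg).items()
                  if not detector(code))


if __name__ == "__main__":
    for det in (literal_detector, one_hop_detector):
        print(f"{det.__name__} misses: {false_negatives(det)}")
```

Every variant is the same vulnerability from the program's point of view, so each entry in a detector's false-negative list is a syntactic form the detector does not model; in the paper's terms, a flaw surfaced by mutation rather than by a single hand-written test case.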
Towards a Natural Perspective of Smart Homes for Practical Security and Safety Analyses
Sunil Manandhar, Kevin Moran, Kaushal Kafle, Ruhao Tang, Denys Poshyvanyk, and Adwait Nadkarni
Designing security systems is challenging without insights into real system use. To enable the development of practical security analysis/defenses for home automation, we built Helion, a framework that generates realistic home automation scenarios by identifying regularities in user-driven routines. With a corpus of 30,518 home automation events, constructed from 273 routines collected from 40 users, this paper demonstrates the naturalness, validity, and usefulness of Helion’s scenarios.
Code and Data - https://github.com/helion-security/helion
A Study of Data Store-based Home Automation / Security in Centralized Data Store-based Home Automation Platforms: A Systematic Analysis of Nest and Hue
Kaushal Kafle, Kevin Moran, Sunil Manandhar, Adwait Nadkarni, and Denys Poshyvanyk
We performed a holistic security evaluation of two smart home platforms that use centralized data-stores to implement automation (i.e., routines). Our evaluation led to 10 impactful findings, including the first end-to-end demonstration of lateral privilege escalation in the smart home. The discovered vulnerabilities were reported to and acknowledged by the concerned vendors (TP Link, Philips, Google).
Press Coverage - W&M Press, Washington Post, Daily Press, SF Gate, Quartz, NBC News, 13NewsNow, The Ambient, Insurance Journal, Claims Journal, Daily Mail
“Belt and suspenders” or “just red tape”?: Investigating Early Outcomes and Perceptions of IoT Security Compliance Enforcement
Prianka Mandal, Amit Seal Ami, Victor Olaiya, Adwait Nadkarni
USENIX Security 2024
‘False negative - that one is going to kill you’ - Understanding Industry Perspectives of Static Analysis based Security Testing
Amit Seal Ami, Kevin Moran, Denys Poshyvanyk, Adwait Nadkarni
IEEE S&P 2024
Helion: Enabling Natural Testing of Smart Homes
Prianka Mandal, Sunil Manandhar, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni
ESEC/FSE’23, Demonstrations track
MASC: A Tool for Mutation-based Evaluation of Static Crypto-API Misuse Detectors
Amit Seal Ami, Syed Yusuf Ahmed, Radowan Mahmud Redoy, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, Adwait Nadkarni
ESEC/FSE’23, Demonstrations track
Understanding IoT Security from a Market-Scale Perspective
Xin Jin*, Sunil Manandhar*, Kaushal Kafle, Zhiqiang Lin, and Adwait Nadkarni
ACM CCS 2022
Smart Home Privacy Policies Demystified: A Study of Availability, Content, and Coverage
Sunil Manandhar, Kaushal Kafle, Benjamin Andow, Kapil Singh, and Adwait Nadkarni
USENIX Security 2022
Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques
Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni
IEEE S&P 2022
Demo: Mutation-based Evaluation of Security-focused Static Analysis Tools for Android
Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk
ICSE 2021, Demonstrations track
Systematic Mutation-based Evaluation of the Soundness of Security-focused Android Static Analysis Techniques
Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk
ACM TOPS 2021
Security in Centralized Data Store-based Home Automation Platforms: A Systematic Analysis of Nest and Hue
Kaushal Kafle, Kevin Moran, Sunil Manandhar, Adwait Nadkarni, and Denys Poshyvanyk
ACM TCPS 2020
Towards a Natural Perspective of Smart Homes for Practical Security and Safety Analyses
Sunil Manandhar, Kevin Moran, Kaushal Kafle, Ruhao Tang, Denys Poshyvanyk, and Adwait Nadkarni
IEEE S&P (Oakland) 2020
A Study of Data Store-based Home Automation
Kaushal Kafle, Kevin Moran, Sunil Manandhar, Adwait Nadkarni, and Denys Poshyvanyk
ACM CODASPY 2019 (Best Paper Award)
ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware
Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden, and Alexandre Bartel
ACM CODASPY 2019
Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation
Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk
USENIX Security 2018
Practical DIFC Enforcement on Android
Adwait Nadkarni, Benjamin Andow, William Enck, and Somesh Jha
USENIX Security 2016
ASM: A Programmable Interface for Extending Android Security
Stephan Heuser*, Adwait Nadkarni*, William Enck, and Ahmad-Reza Sadeghi
USENIX Security 2014
NativeWrap: Ad Hoc Smartphone Application Creation for End Users
Adwait Nadkarni, Vasant Tendulkar, and William Enck
ACM WiSec 2014
Preventing accidental data disclosure in modern operating systems
Adwait Nadkarni and William Enck
ACM CCS 2013