Publications

Highlights

(For a full list see below)

Towards a Natural Perspective of Smart Homes for Practical Security and Safety Analyses. IEEE S&P (Oakland) 2020 (to appear)

Sunil Manandhar, Kevin Moran, Kaushal Kafle, Ruhao Tang, Denys Poshyvanyk, and Adwait Nadkarni

Designing security systems is challenging without insights into real system use. To enable the development of practical security analysis/defenses for home automation, we built Helion, a framework that generates realistic home automation scenarios by identifying regularities in user-driven routines. With a corpus of 30,518 home automation events, constructed from 273 routines collected from 40 users, this paper demonstrates the naturalness, validity, and usefulness of Helion’s scenarios.

Code and Data - https://github.com/helion-security/helion

A Study of Data Store-based Home Automation. ACM CODASPY 2019 (Best Paper Award)

Kaushal Kafle, Kevin Moran, Sunil Manandhar, Adwait Nadkarni, and Denys Poshyvanyk

We performed a holistic security evaluation of two smart home platforms that use centralized data-stores to implement automation (i.e., routines). Our evaluation led to 10 impactful findings, including the first end-to-end demonstration of lateral privilege escalation in the smart home. The discovered vulnerabilities were reported to and acknowledged by the concerned vendors (TP Link, Philips, Google).

Press Coverage - W&M Press, Washington Post, Daily Press, SF Gate, Quartz, NBC News, 13NewsNow, The Ambient, Insurance Journal, Claims Journal, Daily Mail

Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation. USENIX Security 2018

Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk

Designing security tools, and specifically those that employ static program analysis, is a complex process. Tool designers often make unsound choices in favor of increased precision or performance, which may be detrimental to the security guarantees provided by the tool. Moreover, these choices may also be inadvertently inherited by future research. We developed a framework that uses mutation testing for soundness evaluation (i.e., μSE, pronounced as muse) of Android static analyses, in order to discover flaws in existing tools, resolve them to design or implementation-time unsound choices, and fix them to holistically improve soundness. Our initial exploration led to the discovery of 13 flaws in FlowDroid, one of the most popular data leak detection tools for Android apps.

Code and Data - https://muse-security-evaluation.github.io/

Practical DIFC Enforcement on Android. USENIX Security 2016

Adwait Nadkarni, Benjamin Andow, William Enck and Somesh Jha

When designing information flow control systems, designers are often forced to sacrifice soundness for precision, or vice versa. This paper leverages Android’s unique abstractions to demonstrate that this tradeoff can be overcome. We built Weir, a decentralized information flow control (DIFC) system for Android, which leverages our novel primitive of lazy polyinstantiation, and provides both secure (i.e., sound) and practical (i.e., precise) enforcement. Our evaluation demonstrates that Weir is resistant to data leaks that prior systems are vulnerable to, and is also significantly backwards compatible.


Full List

Towards a Natural Perspective of Smart Homes for Practical Security and Safety Analyses
Sunil Manandhar, Kevin Moran, Kaushal Kafle, Ruhao Tang, Denys Poshyvanyk, and Adwait Nadkarni
IEEE S&P (Oakland) 2020 (to appear)

A Study of Data Store-based Home Automation
Kaushal Kafle, Kevin Moran, Sunil Manandhar, Adwait Nadkarni, and Denys Poshyvanyk
ACM CODASPY 2019 (Best Paper Award)

ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware
Sigmund Albert Gorski III, Benjamin Andow, Adwait Nadkarni, Sunil Manandhar, William Enck, Eric Bodden and Alexandre Bartel
ACM CODASPY 2019

Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation
Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk
USENIX Security 2018

Practical DIFC Enforcement on Android
Adwait Nadkarni, Benjamin Andow, William Enck and Somesh Jha
USENIX Security 2016

ASM: A Programmable Interface for Extending Android Security
Stephan Heuser* & Adwait Nadkarni*, William Enck, Ahmad-Reza Sadeghi
USENIX Security 2014

NativeWrap: Ad Hoc Smartphone Application Creation for End Users
Adwait Nadkarni, Vasant Tendulkar, and William Enck
ACM WiSec 2014

Preventing accidental data disclosure in modern operating systems
Adwait Nadkarni and William Enck
ACM CCS 2013