Ensuring Security of Android Software via Tailorable Multi-Layer Customization
Abstract
Secure and trustworthy software systems are an integral part of the cyber infrastructure crucial to missions of the U.S. Naval Forces. To maintain vital competitive advantages while reducing the development cost, they often leverage commercial off-the-shelf (COTS) software, which unfortunately contains overly generalized features that decrease performance and increase security risks.

Proposed Research. This research aims to drastically improve the performance and security of mission-critical Android software by developing foundational Java bytecode analysis and transformation techniques for removing feature-related bloat. These transformations will lead to apps that have no unneeded features that may expose vulnerable interfaces, consume fewer runtime resources, and require a smaller memory and storage footprint. The main research items (thrusts) are given as follows:

Automated Identification of Unneeded Features and Interfaces: We will develop new and comprehensive bytecode analysis techniques for identifying features, functionalities, and software code that are irrelevant to the mission. These techniques will be implemented in tools that can directly analyze deployed Android software without developer intervention and provide expert users with a way to visually specify UI widgets that correspond to unneeded features.

De-bloating the App: We will develop new and innovative static-analysis-based techniques to remove unneeded features from the target apps. This transformation will be designed to remove all code transitively related to the identified unneeded features and optimize the remaining code to reduce the overhead of commonly used frameworks. Our analyses will ensure that feature elimination and code optimization are performed soundly and efficiently.

Automated Validation and Formal Verification: We will leverage recent developments in regression testing, symbolic execution, and formal methods to automatically assemble test suites to ensure the correctness of the transformed code. To ensure the efficiency and scalability of the proposed analyses, we will exploit both structural and semantic similarities of the original and transformed software as much as possible.

Research Impact. Our research differs significantly from prior works on removing bloat from code. Prior work provided some point solutions but ignored the much larger landscape of possible sources of bloat in Android apps as well as their security implications. In comparison, our approach for identifying and removing mission-irrelevant features will be both security-centric and significantly more comprehensive. Furthermore, we guarantee the correctness and security of our transformations by using rigorous validation and formal verification, which are severely lacking in prior works. Finally, in addition to enhancing the security of Android software, the bytecode analysis and transformation techniques developed in this project will benefit a much wider range of non-functional properties. These include reducing the development cost of hardening an Android app and reducing the resource requirements of the apps at runtime.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Sep 29, 2017
- Source ID: N000141712896
Entities
People
- Chao Wang
Organizations
- Office of Naval Research
- United States Navy
- University of Southern California