Speaker: Xusheng Xiao
Title: Improving Mobile App Security via Analyzing Structured and Unstructured Artifacts
Abstract: The increasing popularity of smartphones has made them a target for malware, which steals and abuses users’ sensitive information. To protect users, smartphone application markets like Google Play and App Store employ protection mechanisms based on permissions, which have shown limited success due to three major challenges: (1) permissions show only what sensitive user information is used by the applications; (2) permissions used in benign and malicious behaviors are often the same; (3) permissions do not protect all types of sensitive user information, such as sensitive information entered through graphical user interfaces (GUI). In this talk, I will present my work on developing program analysis and text analysis techniques to address these three major challenges. My techniques automatically analyze application behavior from structured and unstructured artifacts, including app code, app descriptions, API documents, app meta-data, and GUIs. In particular, I will discuss information flow classification and WHYPER, two techniques that explain How and Why sensitive user information is used by the applications to help users make better decisions in permission granting. In addition, I will present AppContext, a program analysis technique that analyzes the context in which the security-sensitive behavior occurs to determine whether the behavior is malicious, and SUPOR, a static analysis technique that detects sensitive information entered by users through GUIs.
Bio: Xusheng Xiao is a researcher at NEC Labs America. He received his Ph. D. degree in Computer Science at North Carolina State University in 2014, working under the guidance of Prof. Tao Xie from University of Illinois at Urbana-Champaign and Prof. Laurie Williams from North Carolina State University. He was a visiting student in Computer Science department of the University of Illinois at Urbana-Champaign in 2013-2014. His research interests are in software engineering and computer security, with the focus on making software applications and computer systems more reliable and secure via program analysis, software testing, text analysis, and system monitoring. His work in mobile security was selected as one of the top ten finalists for CSAW Best Applied Security Paper Award 2015. The security intelligence solution built by our team at NEC Labs America won first place in the Town Life and Society Innovation Category at CEATEC Award. He was awarded the ICSE SRC Best Project Representing an Innovative Use of Microsoft Technology at ACM SRC Grand Final 2012. His static analysis tool on mobile security was deployed in TouchDevelop of Microsoft Research and was granted a U.S. patent. His research has been presented at top-tier venues such as ICSE, FSE, ISSTA, ASE, USENIX Security, CCS, and VLDB. He has served as Program Committee members in the top conferences including ICSE and ICST conferences, and a guest editor for the top journal JCST. He did internships at Microsoft Research, IBM Research, and NEC Labs America. His home page is athttps://sites.google.com/site/xushengxiaoshome/.