"To raise new questions, new possibilities, to regard old problems from a new angle, requires creative imagination and marks a real advance in science."

  - Albert Einstein



Investigating network covert channels in smartphones has become increasingly important as smartphones have largely taken over the role of traditional computers. Smartphones are subject to the covert channel techniques known from traditional computer networks, and they also introduce new ones, since they add more capabilities and multiple network connections. This work presents a new network covert channel in smartphones. The research studies the ability to leak information from smartphone applications by reaching the cellular voice stream, and it examines whether the cellular voice channel can serve as a medium of information leakage by covertly carrying modulated, speech-like data. To validate the theory, an Android software audio modem was developed; it leaked data successfully through the cellular voice channel by carrying modulated data with a throughput of 13 bps at a bit error rate (BER) of 0.018%. Moreover, Android security policies are investigated and broken in order to implement a user-mode rootkit that opens the voice channel by stealthily answering an incoming voice call. Multiple scenarios are conducted to verify the effectiveness of the proposed covert channel. This study identifies a new potential smartphone covert channel and discusses security vulnerabilities in Android that allow the use of this channel, demonstrating the need for countermeasures against this kind of breach.
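The idea of carrying modulated data over a voice channel, as an added example that is not the paper's own modem: a binary FSK software modem turns bytes into tone bursts inside the telephone voice band, pushes them through a constructed noisy channel model, demodulates by comparing the energy in the two tone bins, and measures the resulting BER. The sampling rate, tone pair, symbol rate and channel model are all assumptions chosen for illustration; the paper's modem uses speech-like modulation precisely because plain tones like these are what a voice codec is not designed to preserve.

```python
# Added example (not the paper's audio modem): binary FSK over a simulated
# noisy voice channel, with bit error rate measurement. Pure Python so it
# runs offline without numpy. Every parameter is an assumption.
import math
import random

SAMPLE_RATE = 8000                      # narrowband voice sampling rate (assumption)
BAUD = 13                               # symbols per second; chosen to match the 13 bps figure
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 615 samples per tone burst
F_MARK, F_SPACE = 1200.0, 2200.0        # tone pair inside the 300-3400 Hz voice band (assumption)


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def modulate(bits):
    """Continuous-phase FSK: each bit becomes SAMPLES_PER_BIT samples of the mark or space tone."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def voice_channel(samples, noise_amp, rng):
    """Constructed channel model: additive Gaussian noise followed by a crude
    3-tap moving-average low-pass, standing in for link and codec distortion."""
    noisy = [s + rng.gauss(0.0, noise_amp) for s in samples]
    out = []
    for i in range(len(noisy)):
        window = noisy[max(0, i - 1):i + 2]
        out.append(sum(window) / len(window))
    return out


def tone_energy(chunk, freq):
    """Squared magnitude of the correlation of chunk with a tone at freq (single-bin DFT)."""
    re = im = 0.0
    for n, x in enumerate(chunk):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        re += x * math.cos(angle)
        im -= x * math.sin(angle)
    return re * re + im * im


def demodulate(samples):
    """Non-coherent detection: per symbol window, pick the tone with more energy."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(chunk, F_MARK) > tone_energy(chunk, F_SPACE) else 0)
    return bits


def bit_error_rate(sent, received):
    """Fraction of bit positions that differ between the sent and received bit lists."""
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def leak_message(message, noise_amp=0.5, seed=1):
    """End-to-end run: bytes -> FSK audio -> noisy voice channel -> bytes, plus BER."""
    rng = random.Random(seed)              # seeded so the result is reproducible
    sent = bytes_to_bits(message)
    received = demodulate(voice_channel(modulate(sent), noise_amp, rng))
    return bits_to_bytes(received), bit_error_rate(sent, received)


if __name__ == "__main__":
    recovered, ber = leak_message(b"secret")   # constructed payload
    print(recovered, f"BER={ber:.4%}")
```

Raising `noise_amp` in `leak_message` is the quickest way to see the detector start flipping bits; what this toy channel does not model is a speech codec, which discards energy that does not look like voice, and that is the constraint the paper's speech-like modulation addresses. The call-answering part of the attack is independent of the modem and is not shown here.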


Modern mobile apps incorporate rich and complex features, opening the door to many kinds of security concerns. Android is the dominant platform in mobile app markets, and enhancing the security of its apps is a considerable area of research. Android malware (introduced intentionally by developers) has been well studied, and many tools are available to detect it. However, little attention has been directed at vulnerabilities that developers introduce unintentionally in Android apps. Static analysis has been one way to detect such vulnerabilities in traditional desktop and server-side software. Therefore, our research aims at assessing static analysis tools that could be used by Android developers. Our preliminary analysis revealed that Buffer Errors are the most frequent type of vulnerability threatening Android apps, and that they carry the highest risk on Android, affecting data integrity, confidentiality, and availability. Our main study therefore tested whether state-of-the-art static analysis tools can detect Buffer Errors in Android apps. We investigated six static analysis tools designed to detect Buffer Errors. The study shows that the free and open source state-of-the-art static analysis tools do not effectively discover Buffer Error vulnerabilities in Android apps. We analyzed the tools carefully to see why they could not discover Buffer Errors, and found that the lack of semantic analysis capabilities, inapplicability to Android apps, and the gap between native code and the other contexts of an app were some of the reasons. Thus, we concluded that there is a need to build better free and open source static analysis tools for detecting Buffer Errors in Android apps.

An Empirical Study of Security Warnings from Static Application Security Testing Tools 

The Open Web Application Security Project (OWASP) defines Static Application Security Testing (SAST) tools as tools that help find security vulnerabilities in the source code or compiled code of software. Such tools detect vulnerabilities and classify the resulting warnings into one of many types (e.g., input validation and representation). It is well known that these tools produce a large number of false positive warnings. What is not known is whether specific types of warnings have a higher predisposition to be false positives. Our goal is therefore to investigate the different types of SAST-produced warnings and their evolution over time, to determine whether one type of warning is more likely to be a false positive than others. To achieve this goal, we carry out a large empirical study in which we examine 116 large and popular C++ projects using six different state-of-the-art open source and commercial SAST tools that detect security vulnerabilities. To track a piece of code that has been tagged with a warning, we use a new framework called cregit+ that traces source code lines across commits. The results demonstrate the potential of using SAST tools to assess the quality of a product and its possible risks without manually reviewing the warnings. In addition, this work shows that the pattern-matching static analysis technique is a very powerful method when combined with other, more advanced analysis methods.


Best poster | Cybersecurity and Privacy Institute Annual Conference 2019

SoS: Source Sink Filter for Modern Software

Static taint analysis is a useful technique for detecting a range of security vulnerability types. Usually, this kind of analysis involves tracking data from sources to sinks. However, modern software is more complex, making it challenging to apply such an analysis to detect security vulnerabilities. In this paper, a methodology is proposed to filter out the source and sink pairs that have no feasible path between them. The goal is to introduce a practical, generally low-cost, extensible and configurable static analysis methodology that removes many pairs that are likely not reachable.

BEFinder: Buffer Errors Finder for Modern Software

Buffer errors are still among the most frequent and dangerous types of exploitable vulnerabilities today, despite all the efforts made over the past 30 years of studying the problem and introducing solutions. Technological advancement and the shift in how software is built make finding this type of vulnerability trickier in modern apps, such as Android apps. In this paper, a methodology is introduced to meet the needs of modern software analysis. The methodology builds on the reduced set of sources and sinks provided by the SoS tool. It performs taint analysis to examine the reachability between sources and sinks and looks for a "sanitizer" or "validator" that validates the untrusted input along the way. We implemented the described methodology in a tool called Buffer Error Finder (BEFinder) and tested it with Android apps.
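The two-stage pipeline that the SoS and BEFinder abstracts above describe, as an added example that is not the tools' own code: a constructed control-flow graph of a hypothetical native function carries three tainted variables (`len`, `name`, `idx`) from untrusted sources toward buffer-writing sinks. The first step (the SoS role) keeps only source/sink pairs of the same variable for which a path exists; the second step (the BEFinder role) deletes the sanitizer nodes for that variable and re-runs reachability, so a sink that stays reachable has at least one path that bypasses validation. The graph, node names, sources, sinks and sanitizers are all assumptions.

```python
# Added example (not SoS or BEFinder themselves): source/sink pair filtering
# followed by an all-paths sanitizer check on a constructed control-flow graph.
from collections import deque

# Constructed CFG of a hypothetical native function: node -> possible successors.
CFG = {
    "entry":       ["read_len", "read_name", "read_idx"],
    "read_len":    ["check_len"],               # source: untrusted length from the caller
    "check_len":   ["memcpy_len", "error"],     # sanitizer: bounds check on len
    "memcpy_len":  ["exit"],                    # sink: memcpy(buf, data, len)
    "read_name":   ["strcpy_name"],             # source: attacker-controlled string
    "strcpy_name": ["exit"],                    # sink: strcpy(buf, name), no validator at all
    "read_idx":    ["check_idx", "index_buf"],  # source: untrusted index, with a fast path
    "check_idx":   ["index_buf", "error"],      # sanitizer: only on one of the two paths
    "index_buf":   ["exit"],                    # sink: buf[idx] = ...
    "error":       ["exit"],
    "log_line":    ["exit"],                    # dead code: never reached from entry
    "exit":        [],
}
SOURCES = {"read_len": "len", "read_name": "name", "read_idx": "idx"}
SINKS = {"memcpy_len": "len", "strcpy_name": "name", "index_buf": "idx",
         "log_line": "name"}                    # sink -> tainted variable it consumes
SANITIZERS = {"check_len": "len", "check_idx": "idx"}


def reachable_from(start, cfg, removed=frozenset()):
    """Nodes reachable from start by BFS, treating nodes in `removed` as deleted."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        if node in seen or node in removed:
            continue
        seen.add(node)
        queue.extend(cfg.get(node, []))
    return seen


def filter_pairs(cfg=CFG, sources=SOURCES, sinks=SINKS, entry="entry"):
    """SoS-style step: keep only (source, sink) pairs that flow the same variable,
    lie on code reachable from entry, and have at least one path from source to sink."""
    live = reachable_from(entry, cfg)
    pairs = set()
    for src, var in sources.items():
        if src not in live:
            continue
        downstream = reachable_from(src, cfg)
        for sink, sink_var in sinks.items():
            if sink_var == var and sink in live and sink in downstream:
                pairs.add((src, sink))
    return pairs


def unsanitized_pairs(cfg=CFG, sources=SOURCES, sinks=SINKS, sanitizers=SANITIZERS):
    """BEFinder-style step: a pair is safe only if every source-to-sink path passes
    through a sanitizer for that variable. Deleting those sanitizers and re-checking
    reachability exposes any path that bypasses the check."""
    findings = []
    for src, sink in sorted(filter_pairs(cfg, sources, sinks)):
        var = sources[src]
        guards = frozenset(n for n, v in sanitizers.items() if v == var)
        if sink in reachable_from(src, cfg, removed=guards):
            findings.append((src, sink))
    return findings


if __name__ == "__main__":
    print("candidate pairs after filtering:", sorted(filter_pairs()))
    print("unsanitized buffer-error pairs:", unsanitized_pairs())
```

Of the four same-variable pairs, the one ending in `log_line` is dropped by the filter because the sink is dead code; of the three that survive, `len` is fully guarded, `name` has no validator, and `idx` is the instructive case: a sanitizer is present but a second path skips it, which a check that only asks "does a sanitizer exist between source and sink" would miss.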