Title: Enhancing Mobile App Security via Contextual Integrity and User Awareness
Date & Time: 2023.5.31 2-4pm
Location: Room 1126, Science Building #1 (Yanyuan Campus)
Mobile apps have become an indispensable part of our daily lives, but their increasing access to users' private data raises security and privacy concerns. Mainstream mobile platforms (e.g., Android and iOS) adopt a permission-based access control mechanism, but this mechanism has shown little success due to two fundamental limitations: (1) contextual integrity: it fails to consider the context in which permission requests arise; and (2) user awareness: it does not explain how and why an app uses sensitive data, causing users to make uninformed decisions when controlling their privacy.
In this talk, I will discuss how my techniques address these fundamental limitations. Specifically, I will first discuss how my research addresses contextual integrity. I will present how I combine program analysis, text analysis, and computer vision techniques to analyze both program code and the texts and images in the GUIs to model the behavior intentions of mobile apps. I will then discuss how my techniques train a behavior model that combines both program semantics and behavior intention to detect undesired behaviors that cannot be justified by apps' functionality. Next, I will present how my research addresses user awareness. I will present two static analysis techniques that compute information flows to explain how apps use users' private data and identify sentences in app descriptions that explain why apps use users' private data. I will also present how my techniques train a neural machine translation model that generates app-specific descriptions to explain sensitive behaviors that are not described in app descriptions.
Dr. Xusheng Xiao is an Associate Professor in the School of Computing and Augmented Intelligence at Arizona State University (ASU). His research interests span the interdisciplinary areas of software engineering and computer security, focusing on developing advanced software analysis techniques to improve the reliability and security of software applications. In particular, his research combines program analysis and machine learning techniques to model both program semantics and behavior intention for detecting undesired software behaviors that compromise software quality. His papers in mobile app analysis and cyber threat investigation were selected among the top ten finalists for the CSAW Best Applied Security Paper Award. His static analysis technique for mobile apps was deployed at Microsoft Research for two years and was granted a US patent. His research in cyber threat investigation has been integrated into a security product at NEC, which won the Grand Prix award at the CEATEC Award 2016.
His collaboration with industry partners has resulted in 6 granted US patents. He is a recipient of the NSF CAREER Award, the NSF CRII Award, the Samsung GRO Award, and the Case School of Engineering Faculty Research Award at CWRU. His research has been supported by NSF, DOE-ARPA-E, NRC, and Samsung.