The Center for Education and Research in Information Assurance and Security (CERIAS)


Adwait Nadkarni - College of William and Mary


Building Practical Security Systems for the Post-App Smart Home

Jan 20, 2021


Abstract

Modern end-user computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling expressive and popular functionality that is often manifested in applications, or apps. Thus, for the last decade, designing security systems to analyze apps for vulnerabilities or unwanted behavior has been a major focus within the security community. This approach has continued well into the smart home, with researchers developing systems inspired by lessons from Android security to inspect IoT apps developed for popular platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate that IoT apps may not represent automation in real homes, and may even be unavailable in the near future. That is, while API misuse by third-party developers is an important problem, the approach of analyzing/instrumenting IoT apps may not offer an effective or sustainable solution.

In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate three alternate research directions. First, I will describe the need to develop an alternative artifact for security analysis that is representative of automation usage in the wild. To this end, I will introduce Helion, a system that uses statistical language modeling to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which can be used for security or safety analysis. Second, I will illustrate the need to improve the security of mobile companion apps, which often form the weakest link in smart home deployments, and the important position of security analysis/compliance tools in ensuring the development of secure companion apps. To this end, I will present the mSE framework, which automatically and rigorously evaluates static program analysis-based security systems using mutation testing. Our work on mSE (and its successor, MASC) culminated in the discovery of critical security flaws in popular tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing our current efforts to build system-level defenses into IoT platforms that are agnostic to IoT apps, i.e., independent of their visibility or mutability, thereby potentially providing a lasting solution to API misuse by third-party developers.


About the Speaker

Adwait Nadkarni
Adwait Nadkarni is an Assistant Professor in the Department of Computer Science, and director of the Secure Platforms Lab (SPL) at William & Mary. Prof. Nadkarni's primary research domain is security and privacy, with a focus on emerging platforms, and the areas of operating systems and software security. Prior to joining William & Mary, Prof. Nadkarni earned his Bachelor of Engineering (BE) in Computer Engineering from the University of Mumbai in July 2011, followed by his Ph.D. and M.S. in Computer Science from the Computer Science Department at the North Carolina State University in May 2017 and December 2012, respectively, both with Dr. William Enck. At NC State, Prof. Nadkarni was a founding member of the Wolfpack Security and Privacy Research (WSPR) Lab, and served as its Lead Graduate Student until May 2017.

