10-22-2015 Writer(s): Staff Reports

Researchers from the Purdue Computer Science Department won the Best Paper award at the 22nd ACM Conference on Computer and Communications Security (CCS’15), a top-tier cyber-security conference.

The paper, “GUITAR: Piecing Together Android App GUIs from Memory Images,” was co-authored by Ph.D. students Brendan Saltaformaggio, Rohit Bhatia, and Zhongshu Gu (now with IBM Research) with their advisors, Professors Xiangyu Zhang and Dongyan Xu.

The authors are also affiliated with Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS).

This award was presented at the conference on October 14th in Denver, and this paper is one of only three papers sharing the award from the 128 papers accepted out of 646 submissions.

The paper describes the author’s new memory forensics tool, GUITAR, which allows cyber crime investigators to recover the graphical user interface (GUI) of Android apps frozen in a device’s memory snapshot. The internals of Android app GUIs are notoriously complex, and what’s worse is that the Android system will intentionally destroy many GUI components when each app is backgrounded (replaced on the device’s screen by a new app). These challenges have made it impossible for previous memory forensics tools to be able to recover full GUIs.

GUITAR overcomes the challenges of in-memory GUI recovery using program analysis and creative “puzzle piecing” techniques. The image shown on the right is an illustration from the paper demonstrating some of GUITAR’s novel GUI rebuilding techniques. Using GUITAR, an investigator can recover the GUIs of any apps in a memory image of any Android device (e.g., the reconstructed Contacts App GUI shown on the left).

This work was supported in part by the National Science Foundation (NSF) under a SaTC Medium award.