Defending smartphone systems by exposing fundamental flaws in system design

Mobile technology is at the forefront of cutting-edge technology; the number of smartphone users worldwide will surpass two billion in 2016. Such a wide adoption of smartphones comes with great security risks, so it is extremely important to tighten smartphone security. Dr. Wenliang (Kevin) Du, Professor of Electrical Engineering & Computer Science at Syracuse University, exposes loopholes in Android designs to “find problems before hackers do,” to safeguard the fundamental phone systems and create ways to defend against attacks. A pioneer in computer security, Dr. Du works with developers in industry to present problems that need attention, envisioning a hack-proof future. The industry cannot afford time to probe deeply into all the potential flaws exhibited by the system; it can only provide patches against known problems, and this is where academic research can greatly help. Therefore, Dr. Du dives into system-level problems, to accommodate the industry. With increased funding and resources, Dr. Du will be able to recruit more researchers to crack the complicated Android operating system, understanding how the system is organized at a broader scale and how it can be enhanced.

Before venturing into mobile technology in 2011, Dr. Du was already a prominent researcher in the field of computer security and has been leading the field for the past 15 years. When computer security studies were still nascent in 2001, there was a shortage of practical educational materials with which to equip students; students could learn programming through textbooks but did not have the means to practice it. To respond to this need, Dr. Du started developing hands-on exercises and experiments to teach security concepts. Currently, he has created about 30 lab projects covering a wide range of topics in computer security education, now adopted by more than 300 universities worldwide. Although he continues to work on his computer security research and works to strengthen education in the field, he has expanded his expertise into mobile technology, to respond to the growing need for security on an increasing number of mobile interfaces.

Dr. Du’s current research includes:

  • Education Project: When adequate educational materials for computer security were rare if not nonexistent, students had to learn about attacks and defenses on paper and through textbooks. To this end, Dr. Du developed 30 hands-on computer programs to properly teach students computer security concepts, funded by the National Science Foundation. What started as his passion for providing his students with practical materials has now become a national breakthrough in computer security education, adopted by about 300 universities. With increased funding and resources, Dr. Du hopes to disseminate the materials even more broadly, bringing in 60 instructors from prominent US universities to receive further training on how to educate their students on protecting computer systems. Dr. Du also plans to add educational materials for mobile security.
  • “Attack”: In order to defend against and prevent hacks, “we have to learn the skills of a hacker” -- and be better hackers than the hackers we are trying to repress to stay ahead of the curve. Therefore, Dr. Du works to find ways to attack smartphones and expose security problems in the smartphone systems, with a focus on their design problems. He has had success in finding several high-impact vulnerabilities in Android’s design, and his current mission is to identify new risks or new attacks that could be targeted in these mobile systems before hackers do.
  • “Defense”: Once flaws are exposed, Dr. Du and his team develop novel designs to enhance mobile systems’ security features. By looking at the fundamental cause of the problem, Dr. Du and his team are able to strategize defenses at multiple levels of security principles, and study how to address a core principle that may otherwise result in many other problems. Because his lab has a very good sharing culture and students are encouraged to share their knowledge and skills with each other, they can learn from one another to make good progress in the field.

Dr. Kevin Du grew up in China and came to the US in 1994 to pursue graduate studies in security. He first learned about computers at the age of 15, back in middle school, through books he found in the libraries. Despite not having a computer, Dr. Du spent much of his time writing computer programs -- on paper. In high school, he was thrilled to find an extracurricular activity that enabled students to access computers, which were at the time merely basic machines that looked much different from the computers of today. Nonetheless, Dr. Du was able to write and run his programs on the computer, and watch them come alive in front of his eyes. This was truly exciting for Dr. Du, although his teacher wanted him to hone his math skills and focus on competing in national math competitions. Dr. Du and his group of friends, however, would still often attend these computer clubs “behind her back” because they could not resist the lure of advanced technology.

Back then, China’s computing technology was far behind technology in the US, and there was still very limited access to the computers by the time Dr. Du went to college. He was first admitted to the physics department, and it was very difficult to change disciplines in schools at the time. However, there was an experimental class that allowed students to explore different disciplines, a chance Dr. Du took to switch to a computer science major in 1988. When he was choosing his graduate school between Purdue and other prestigious universities, he was hooked by the initial advisor assigned to him by Purdue who was working in the field of security and whose book Dr. Du purchased and pored over. He thought, “This was the research I wanted to work on,” and came to Purdue -- only to realize that your initial advisor is not necessarily your research advisor. This misunderstanding led him to the field of security, and he has walked this journey since.

Although in 1996, security was still an under-established field with limited knowledge and resources available, Dr. Du has never looked back, and continues to expand the field today.

For more examples, visit http://www.cis.syr.edu/~wedu/Research/publication.html

American Association for the Advancement of Science

Media coverage of Syracuse University research on HTML-5 smartphone apps and potential problems that exist for users and developers

Deans' Award for Excellence in Engineering Education, 2014

ACM CCS Test-of-Time Award, 2013

Faculty Excellence Award from College of Engineering and Computer Science, 2013

Guo Mo-ruo Award, University of Science & Technology of China, 1992

First-class prize winner in the National High-school Mathematics Contests, 1987 and 1988