My research solves problems in the area of operating systems security. Most recently, my focus has been integrating stronger security guarantees (e.g., data secrecy) into commodity operating systems. My past research experience has been in the areas of user data privacy, application security, and systems security in general.
Primary Focus - Operating Systems Security
Commodity operating systems provide users with a platform to execute third-party applications that allow the user to create, process, and export information in every way conceivable. Yet popular operating systems such as Windows and Mac OS X often fail to protect user data effectively.
The security architectures of modern operating systems such as Android and Windows 10 are an improvement over the traditional commodity OSes such as Linux, as they treat applications as security principals, thereby reducing the privileges of each application to only a subset of the user’s. My research has found opportunities for integrating strong security guarantees in these operating systems.
- Nadkarni, A., Andow, B., Enck, W., & Jha, S. (2016). Practical DIFC Enforcement on Android. In Proceedings of the 25th USENIX Security Symposium. Austin, TX, USA.
- Heuser, S., Nadkarni, A., Enck, W., & Sadeghi, A.-R. (2014). ASM: A Programmable Interface for Extending Android Security. In Proceedings of the 23rd USENIX Security Symposium. San Diego, CA, USA.
- Nadkarni, A., & Enck, W. (2013). Preventing accidental data disclosure in modern operating systems. In Proceedings of the 2013 ACM Conference on Computer & Communications Security (CCS) (pp. 1029–1042). Berlin, Germany.
- Enck, W. H., Nadkarni, A. P., Sadeghi, A.-R., & Heuser, S. (2016, February). Programmable Interface for Extending Security of Application-Based Operating System, Such as Android. US Patent 20,160,042,191, Patent pending.
Related Tools and Source Code
User Data Privacy and Mobile Application Security
Smartphone users often use Web services via WebView applications, i.e., native applications that are mere shims to access the Web service. My research demonstrates that these WebView applications are often over-privileged and may put user data privacy at risk. Additionally, the alternative of using a mobile Web browser is fraught with privacy risks resulting from cross-site tracking. My research proposes a third alternative: dynamically generating custom WebView wrappers for the user, using only the URL of the desired Web service. The proposed approach, NativeWrap, uses security best practices such as domain and SSL pinning, and allows users to customize the permissions for their custom WebView wrappers.
- Nadkarni, A., Verma, A., Tendulkar, V., & Enck, W. (2017). Reliable Ad Hoc Smartphone Application Creation for End Users. In Intrusion Detection and Prevention for Mobile Ecosystems. CRC Press. Retrieved from https://www.crcpress.com/Intrusion-Detection-and-Prevention-for-Mobile-Ecosystems/Kambourakis-Shabtai-Kolias-Damopoulos/p/book/9781138033573. Editors: George Kambourakis, Asaf Shabtai, Konstantinos Kolias, and Dimitrios Damopoulos.
- Andow, B., Nadkarni, A., Bassett, B., Enck, W., & Xie, T. (2016). A Study of Grayware on Google Play. In Proceedings of the IEEE Mobile Security Technologies workshop (MoST). San Jose, CA, USA.
- Nadkarni, A., Tendulkar, V., & Enck, W. (2014). NativeWrap: Ad Hoc Smartphone Application Creation for End Users. In Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) (pp. 1005–1019). Oxford, UK.
Related Tools and Source Code
Privacy Auditing for Web Service Providers
My research explores privacy issues and their defenses both on the device and when the data is under the control of third parties. To provide accountability for private data use by third parties in the cloud, my research designs tools and mechanisms that automate complex privacy audits.
- Nadkarni, A., Sheth, A., Weinsberg, U., Taft, N., & Enck, W. (2014). GraphAudit: Privacy Auditing for Massive Graph Mining (Technical Report TR-2014-10). Raleigh, NC: North Carolina State University, Department of Computer Science.