Primary Focus - Emerging Platform Security

My research explores problems in the area of operating systems security and software security. My goal is to make emerging platforms such as smart homes and smart phones secure. The primary characteristic of such platforms is the availability of third-party apps that provide the user with expressive functionality, while using the restricted API provided by the OS. Therefore, I am exploring two research directions for securing such platforms, namely, (i) evaluating the effectiveness of application and platform-analysis security techniques, to enable misbehaving apps and vulnerable OS functions to be pre-emptively identified, and (ii) integrating stronger security guarantees such as data integrity into the platform, to provide security from malicious adversaries at runtime.

In the past, I have also explored the areas of user data privacy, application security, and systems security in general.

Funding/Support

  1. SaTC: CORE: Small: Enabling Systematic Evaluation of the Soundness of Android Security Analysis Techniques
    • PI: Adwait Nadkarni
    • Co-PI: Denys Poshyvanyk
    • Sponsor: National Science Foundation (NSF)
    • Total Award: $500,000
    • Duration: September 01, 2018 to August 31, 2021
  2. W&M Summer Research Award: Enabling Systematic Security Evaluation of Smart Home Routines through Android Application Vulnerability Analysis
    • PI: Adwait Nadkarni
    • Sponsor: William & Mary
    • Total Award: $4000
    • Duration: Summer 2018
  3. W&M Summer Research Award: Understanding the Impact of Lateral Privilege Escalation on Smart Home Routines through Systematic Analysis
    • PI: Adwait Nadkarni
    • Sponsor: William & Mary
    • Total Award: $4300
    • Duration: Summer 2019

  1. Kafle, K., Moran, K., Manandhar, S., Nadkarni, A., & Poshyvanyk, D. (2019). A Study of Data Store-based Home Automation. In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY). Dallas, TX, USA. Best Paper Award.
  2. Gorski III, S. A., Andow, B., Nadkarni, A., Manandhar, S., Enck, W., Bodden, E., & Bartel, A. (2019). ACMiner: Extraction and Analysis of Authorization Checks in Android’s Middleware. In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY). Dallas, TX, USA.
  3. Bonett, R., Kafle, K., Moran, K., Nadkarni, A., & Poshyvanyk, D. (2018). Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation. In Proceedings of the 27th USENIX Security Symposium. Baltimore, MD, USA.
  4. Nadkarni, A., Andow, B., Enck, W., & Jha, S. (2016). Practical DIFC Enforcement on Android. In Proceedings of the 25th USENIX Security Symposium. Austin, TX, USA.
  5. Heuser, S., Nadkarni, A., Enck, W., & Sadeghi, A.-R. (2014). ASM: A Programmable Interface for Extending Android Security. In Proceedings of the 23rd USENIX Security Symposium. San Diego, CA, USA.
  6. Nadkarni, A., & Enck, W. (2013). Preventing accidental data disclosure in modern operating systems. In Proceedings of the 2013 ACM Conference on Computer & Communications Security (CCS) (pp. 1029–1042). Berlin, Germany.

  1. Enck, W. H., Nadkarni, A. P., Sadeghi, A.-R., & Heuser, S. (2016, February). PROGRAMMABLE INTERFACE FOR EXTENDING SECURITY OF APPLICATION-BASED OPERATING SYSTEM, SUCH AS ANDROID. US Patent 20,160,042,191, Patent pending.

  1. mSE
  2. Weir
  3. ASM
  4. Aquifer

Press Coverage

Our recent work on evaluating smart home routines has received wide press coverage (WM Press, Washington Post, Daily Press, SF Gate, Quartz, NBC News, 13NewsNow, The Ambient, Insurance Journal, Claims Journal, Daily Mail).

Other Areas

User Data Privacy and Mobile Application Security

Smartphone users often use Web services via WebView applications, i.e., native applications that are mere shims to access the Web service. My research demonstrates that these WebView applications are often over-privileged, and may put user data privacy at risk. Additionally, the alternative of using a mobile Web browser is fraught with privacy risks resulting from cross-site tracking. My research proposes the third alternative of dynamically generating custom WebView wrappers for the user, using only the URL of the desired Web service. The proposed approach, NativeWrap, uses security best practices such as domain and SSL pinning, and allows users to customize the permissions for their custom WebView wrappers.

  1. Nadkarni, A., Verma, A., Tendulkar, V., & Enck, W. (2017). Reliable Ad Hoc Smartphone Application Creation for End Users. In Intrusion Detection and Prevention for Mobile Ecosystems. CRC Press. Retrieved from https://www.crcpress.com/Intrusion-Detection-and-Prevention-for-Mobile-Ecosystems/Kambourakis-Shabtai-Kolias-Damopoulos/p/book/9781138033573 Editors: George Kambourakis, Asaf Shabtai, Konstantinos Kolias, and Dimitrios Damopoulos.
  2. Andow, B., Nadkarni, A., Bassett, B., Enck, W., & Xie, T. (2016). A Study of Grayware on Google Play. In Proceedings of the IEEE Mobile Security Technologies workshop (MoST). San Jose, CA, USA.
  3. Nadkarni, A., Tendulkar, V., & Enck, W. (2014). NativeWrap: Ad Hoc Smartphone Application Creation for End Users. In Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) (pp. 1005–1019). Oxford, UK.

  1. NativeWrap

Privacy Auditing for Web Service Providers

My research explores privacy issues and their defenses both on the device and when the data is in the control of third parties. To provide accountability for the use of private data by third parties in the cloud, my research designs tools and mechanisms that automate complex privacy audits.

  1. Nadkarni, A., Sheth, A., Weinsberg, U., Taft, N., & Enck, W. (2014). GraphAudit: Privacy Auditing for Massive Graph Mining (Technical Report TR-2014-10). Raleigh, NC: North Carolina State University, Department of Computer Science.