Courses

North Carolina State University, Department of Computer Science

Pennsylvania State University, College of Engineering

Tutorials

Text Analytics for Security

ACM Conference on Computer and Communications Security (CCS'14)
co-presented with Tao Xie
November 5, 2014

Computing systems that make security decisions often fail to take into account human expectations. This failure occurs because human expectations are typically drawn from in textual sources (e.g., mobile application description and requirements documents) and are hard to extract and codify. Recently, researchers in security and software engineering have begun using text analytics to create initial models of human expectation. In this tutorial, we will provide an introduction to popular techniques and tools of natural language processing (NLP) and text mining, and share our experiences in applying text analytics to security problems. We will also highlight the current challenges of applying these techniques and tools for addressing security problems. We conclude with discussion of future research directions.

[Slides]

Intro to Securing Android Applications

Raleigh Chapter of ISSA, Back-to-Basics session
December 4, 2014 (planned)

The Android platform runs on hundreds of millions of smartphones and mobile devices, with over a million applications available in the Google Play Store. As Android continues to mature to meet the requirements of enterprises, companies have begun to develop custom Android applications that allow employees to access business information. When developing these applications, application security is of utmost importance. In this talk, we will discuss common security failures in Android applications. We will also discuss best practices and overview security features that Android makes available to developers.

Intro to Developing Android Applications

Raleigh Chapter of ISSA, Back-to-Basics session
October 2, 2014

Android has become pervasive as a computing platform. In addition to smartphones and tablets, Android is increasingly appearing in embedded systems such as TVs and cars. This adoption is occurring because Android provides an embedded platform on top of which software can be easily developed. This talk will start the attendees on their way of developing Android applications. We will overview the basic design of an Android application and then work through a "Hello World" example. Throughout the talk, we will point the attendees towards valuable resources for learning to develop Android apps. Note that to get the most out of this talk, attendees should bring a laptop pre-setup with the Android SDK (http://developer.android.com/sdk) and have a basic knowledge of Java.

[Slides]

Understanding Android's Security Framework

ACM Conference on Computer and Communications Security (CCS'08)
co-presented with Patrick McDaniel
October 29, 2008

The Google Android mobile phone platform is one of the most anticipated smartphone operating systems. Android defines a new component-based framework for developing mobile applications, where each application is comprised of different numbers and types of components. Activity components form the basis of the user interface; each screen presented to the user is a different Activity. Service components provide background processing that continues even after its application loses focus. Services also define arbitrary interfaces for communicating with other applications. Content Provider components share information in relational database form. For instance, the system includes an application with a Content Provider devoted to sharing the user's address book upon which other applications can query. Finally, Broadcast Receiver components act as an asynchronous mailbox for messages from the system and other applications. As a whole, this application framework supports a flexible degree of collaboration between applications, where dependencies can be as simple or complex as a situation requires.

In this tutorial, we will overview the mechanisms required to develop secure applications within the Android development framework, indicating how the environment has evolved with recent releases of the SDK. We will begin with the basics of building an Android application; no prior knowledge of Android is required. From this base, we will demonstrate how applications can communicate and provide services to one another. However, these interfaces must be carefully secured to defend against general malfeasance. We show how Android's security model aims to provide mechanisms for requisite protection of applications and critical smartphone functionality and present a number of "best practices" for secure application development within the environment

The slides and example application source code are available.