W&M Homepage
[PAST EVENT] Kaushal Kafle, Computer Science - Dissertation Defense
Abstract:
Consumer-oriented software systems have become the foundation on which consumer data is collected and transported from the consumers to the data processors. They are complex, with various interconnected, heterogeneous components working together, making their security and privacy analysis challenging, and impact on the user uncertain. In this work, we first explore how security threats can arise in novel context in such systems by performing a security evaluation of data-store based smart home platforms and the overall security risks posed by the design of routines within such platforms. We analyze various components of the smart home such as the platform’s permission enforcement mechanism and the apps/services that connect to the smart home that are used during the creation and execution of routines. We find that 1) platform’s permission enforcement and access control model may be broken and allow for attacker’s to bypass user’s consent to perform privileged tasks, 2) around 20% of apps that connect to smart home platforms may have vulnerable SSL connections, and 3) lateral privilege escalation in smart home platforms is possible with the help of routines, wherein we demonstrate by compromising a smart home camera by escalating our privilege gained with a smart home switch app. Secondly, to develop a practical defense against the threats introduced by the routines, we leverage the unique opportunity provided by the smart home i.e., validating incoming state change requests by comparing with the observations gathered by physical devices connected to the platform, for enhancing integrity in smart home platforms. Using this insight, we propose HomeEndorser, which is a practical framework to provide integrity guarantees to smart home platforms. To do so, HomeEndorser endorses (or rejects) requests by apps or services to modify Abstract Home Objects (AHOs) such as home or fire by enforcing integrity policies based on the current state of devices in the home. By protecting against malicious modifications of AHOs, HomeEndorser is able to prevent arbitrary privilege escalation attacks that were possible by exploiting routines. Finally, to understand how effectively stakeholders convey security and privacy risks to the users, we designed the Polityzer framework to systematically analyze the privacy postures of election campaign websites. Using Polityzer, we find a vast majority of election campaign websites lack a privacy disclosure, and even in cases where privacy policies were provided, they were often incomplete. We also found that campaigns may be inadvertently sharing data with other campaigns through common fundraising platforms, without disclosing such sharing.
Bio:
Kaushal Kafle is a PhD candidate under the supervision of Dr. Adwait Nadkarni. He completed a B.E. in Computer Engineering from the Tribhuvan University, Nepal. His research interest is in the area of security and privacy, with the primary focus on identifying and preventing risks in consumer-oriented software. His work has been featured in various news outlets and has been published in multiple top security venues such as IEEE S&P, USENIX and ACM CCS. He has won the ‘Best Paper Award’ at ACM CODASPY’19 and the 'Best Poster Award' at Commonwealth Cyber Initiative (CCI) - 2023. He is a Commonwealth of Virginia Engineering and Science (COVES) Policy fellow of 2023.
Sponsored by: Computer Science