
SIS Research Seminar by Shar Lwin Khin

Scalable and Effective Security and Privacy Analysis
of Web and Mobile Applications

Speaker:

Shar Lwin Khin
Research Scientist,
School of Computer Science and Engineering,
Nanyang Technological University

Date: August 1, 2018, Wednesday

Time: 1:30pm - 3:00pm

Venue: Meeting Room 5.1, Level 5
School of Information Systems
Singapore Management University
80 Stamford Road
Singapore 178902

ABSTRACT

Web and mobile applications (apps) nowadays have legitimate access to sensitive data such as contacts, photos, geo-location, health information, and account credentials. They might use such data in ways the user is unaware of, for example by exposing it to external entities over the Internet or sharing it with other apps. The confidentiality of user or corporate data can be breached if a vulnerable or malicious app handles sensitive data anomalously. Given that accessing, processing, and propagating such sensitive data is normal behavior for legitimate apps, an effective security analysis technique for detecting malicious apps has to characterize “what is normal” and “what is probably an anomaly”. To detect vulnerable apps that may leak sensitive data, the analysis technique has to tackle widespread security problems such as code injection vulnerabilities and access control issues in a scalable way.

In the first part of this talk, I will discuss how program analysis, search-based test generation, natural language processing and machine learning can be seamlessly combined to detect anomalous mobile apps in a scalable and effective manner. In the second part of the talk, I will present scalable and effective methods for analyzing code injection vulnerabilities and access control issues in web apps.

About the Speaker

Shar Lwin Khin has been a research scientist in the School of Computer Science and Engineering, Nanyang Technological University (NTU), Singapore, since July 2017. He was a research associate at the Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, from 2014 to 2017. He received his PhD degree and Bachelor of Engineering (1st class honors) from the School of Electrical and Electronic Engineering at NTU. His research focuses on scalable and effective analysis of security and privacy issues in web and mobile applications, using program analysis, constraint solving, search-based testing, and machine learning techniques.

At NTU, he currently teaches three undergraduate courses: Application Security, Software Security, and Software Systems Analysis and Design. He is the course coordinator of the first two. At SnT, he worked on three European and industrial research projects, funded at over 1.5 million euro, in collaboration with industrial partners and European universities. Specifically, he worked on the analysis of software privacy leakage in collaboration with Saarland University, Germany. He also worked on an industry-driven research project on access control testing of a distributed information sharing platform in collaboration with HITEC, the International Emergency Response and Crisis Management Centre based in Luxembourg. In addition, he worked on requirements-driven security testing of mobile applications in collaboration with the University of Geneva and industrial partners from the UK and Switzerland. On these three projects, he co-supervised three PhD students. His research has been published in top-tier international journals and conferences such as IEEE Transactions on Software Engineering, IEEE Transactions on Dependable and Secure Computing, IEEE Computer, Information and Software Technology, Journal of Systems and Software, the International Conference on Software Engineering, the International Conference on Automated Software Engineering, and Foundations of Software Engineering.