UC Santa Barbara

An application is a computer program designed to run on a device. To ease our daily life, we delegate many tedious tasks to these applications. An event-driven application is one where the events drive an application from one state to the other. For example, in the case of Android apps, clicking UI buttons perform certain actions which change the app state. Here, clicking the button is an example of an event. Similarly, for smart contracts, which are very popular nowadays, the execution of a transaction, which can be thought of as an event, drives the state of the smart contract into a different one.

These event-driven applications suffer from both usability and security issues that can be abused by malicious actors. For example, a bug in an Android app may cause the device to become unresponsive or crash altogether. Frequent such crashes result in the instability of the app and a bad user experience. Moreover, app crashes due to a programming error, such as a null pointer exception, may create an opportunity for a malicious user to exploit the vulnerability and execute arbitrary code on the device. For decentralized applications, that use smart contracts, a vulnerability in a contract can be exploited by a malicious actor leading to tremendous losses, as demonstrated by recent attacks. For instance, the notorious "TheDAO'' reentrancy attack led to a financial loss of about 50M in 2016. In recent years, several other reentrancy attacks resulted in multimillion-dollar losses. Furthermore, given the high popularity and significant total value locked in decentralized applications, they have become attractive targets for various money-making opportunities for malicious actors. These bad actors may seek to exploit weaknesses in the applications to engage in high-frequency trading activities such as front-running and back-running or to corner the market by buying NFTs (Non-fungible tokens) and selling them later at a significant profit.

Hence, it is crucial to comprehensively analyze and understand the security and usability issues associated with event-driven applications. This is particularly important given the potential financial losses and negative impact on user experience that may result from vulnerabilities in these applications. However, these event-driven applications typically have multiple entry points and are highly stateful, allowing anyone to invoke these entry points independently and in any order---making the automated analysis challenging.

Throughout my PhD research, I focused on analyzing various aspects related to the security and usability issues of these event-driven applications and extensively discussed the findings in my dissertation.First, I introduce the fundamental differences between traditional applications and event-driven applications and highlight the unique challenges these event-driven applications pose. Next, I present a comprehensive threat model for these applications with associated security, usability issues, and risks. Lastly, I present in detail how my work focuses on analyzing these applications. Specifically, I present Columbus, a callback-driven Android app testing technique that employs a combination of static analysis, under-constrained symbolic execution, and type-guided dynamic heap introspection to generate valid and effective inputs to test the stability and usability of these apps. Furthermore, I developed Sailfish, a scalable system for automatically finding state-inconsistency bugs in smart contracts. Finally, my research delved into the intriguing economic landscape of decentralized applications, with a particular focus on the emerging field of NFT trading---exploring how actors in this ecosystem make use of these unique digital assets to earn profits through high-frequency trading activities, sometimes in a malicious way.