UC Berkeley

New architectures require careful examination of security properties in order to assess and contain new threats. In light of this, emerging technologies, such as web APIs, medical devices, and applications on mobile phones, are a new security landscape that has recurring security problems. We develop new techniques to analyze these applications for security vulnerabilities, utilizing techniques including: dynamic symbolic execution, binary analysis and reverse engineering, and wide scale application comparison and classification. We develop Kudzu, a system for symbolic execution of JavaScript, and use it to evaluate a wide variety of JavaScript applications in order to find client-side validation vulnerabilities. Secondly, we use this system to evaluate the security, in practice, of new HTML5 primitives. Then, we conduct the first publicly available reverse engineering and security evaluation of a ubiquitous medical device, namely an Automated External Defibrillator. We discovered a wide array of vulnerabilities and we confirm our findings using COTS software components. We offer considerations to help guide future development of medical devices. Finally, we developed Juxtapp, a scalable, efficient system for detecting code reuse in Android Applications. Using Juxtapp we detected instances of piracy, malware and buggy code reuse among Android applications. We demonstrate that these techniques are useful at discovering and/or preventing attacks, in their respective application domains.