Abstract
Security and forensic analysis is a well-established technique for reconstructing an attack. It traces the attack from its symptoms back to its origin, helps assess the damage, guides recovery of the system, and informs defenses against similar attacks in the future. However, existing security and forensic analysis tools typically cannot be applied directly to mobile or IoT environments. Mobile devices have an execution-environment structure that differs from desktops and servers, and IoT devices comprise diverse hardware and software platforms with restricted computing resources. The fast growth of malicious content on mobile and IoT platforms makes effective security and forensic analysis for these environments urgent.

In this dissertation, we propose security and forensic analysis techniques for mobile and IoT environments. We make four contributions. First, we present DroidForensics, a multi-layer forensic logging technique for Android. It captures information at different levels, from high-level application semantics to low-level system events, together with inter-process communication over Android's Binder protocol. We show that DroidForensics effectively and efficiently collects the logs needed to reconstruct attacks by real-world malware. Second, we design an Android helper application for PushAdMiner, which enables PushAdMiner to harvest Web Push Notifications (WPN) from Android Chromium and to monitor their corresponding landing pages. Using PushAdMiner, we automatically collect and analyze 21,541 WPN messages across thousands of websites; among these, PushAdMiner identified 572 WPN ad campaigns, for a total of 5,143 WPN-based ads, of which 51% are malicious. Third, we propose MQTTprov, a data provenance and forensic log collection technique for the MQTT protocol, which fills the gap left by the lack of an in-depth study of, and a solution for, forensic logging in IoT environments. We show that MQTTprov effectively reconstructs real-world attacks. Fourth, we propose an attack model named ChatterHub, a novel approach that accurately identifies smart-home devices' activities from only the encrypted traffic in the home network. Using ChatterHub, an adversary can identify a smart-home device's specific activities without prior knowledge of the target home (e.g., the list of deployed devices). We further demonstrate that ChatterHub successfully recognizes privacy-sensitive activities, including opening/closing a smart door lock and turning a smart LED on/off.
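The MQTTprov contribution rests on the idea that MQTT traffic carries enough information to attribute every message to a client, topic and payload. The following is an added illustration of that idea, not MQTTprov's own code: it parses MQTT 3.1.1 CONNECT, PUBLISH and DISCONNECT packets from constructed byte strings, ties each PUBLISH to the client that CONNECTed on the same TCP endpoint, and answers the forensic question "who told the lock to unlock". The client IDs, topics, addresses and packet bytes are all constructed for the example; the (ip, port) session key and the handling of a PUBLISH with no observed CONNECT are design choices assumed here, not taken from the dissertation.

```python
"""Added illustration (not MQTTprov's code): MQTT 3.1.1 packet parsing plus a
provenance recorder that attributes every PUBLISH to a connected client.
All packet bytes, client IDs and addresses below are constructed."""

CONNECT, PUBLISH, DISCONNECT = 1, 3, 14


def decode_remaining_length(buf, i):
    """MQTT variable-length integer: 7 bits per byte, bit 7 = continuation, max 4 bytes."""
    value = 0
    for shift in range(0, 28, 7):
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
    raise ValueError("malformed remaining length")


def read_string(buf, i):
    """Length-prefixed (2-byte big-endian) UTF-8 string; returns (text, next offset)."""
    if len(buf[i:i + 2]) != 2:
        raise ValueError("truncated string length")
    n = int.from_bytes(buf[i:i + 2], "big")
    data = buf[i + 2:i + 2 + n]
    if len(data) != n:
        raise ValueError("truncated string")
    return data.decode("utf-8"), i + 2 + n


def parse_packet(buf, i=0):
    """Parse one control packet starting at buf[i]; return (fields, offset of next packet)."""
    ptype, flags = buf[i] >> 4, buf[i] & 0x0F
    rem, j = decode_remaining_length(buf, i + 1)
    body = buf[j:j + rem]
    if len(body) != rem:
        raise ValueError("truncated packet")
    pkt = {"type": ptype}
    if ptype == CONNECT:
        proto, k = read_string(body, 0)
        level, cflags = body[k], body[k + 1]
        keepalive = int.from_bytes(body[k + 2:k + 4], "big")
        client_id, _ = read_string(body, k + 4)   # will/username/password fields ignored here
        pkt.update(protocol=proto, level=level, clean_session=bool(cflags & 0x02),
                   keepalive=keepalive, client_id=client_id)
    elif ptype == PUBLISH:
        qos = (flags >> 1) & 0x03
        topic, k = read_string(body, 0)
        packet_id = None
        if qos:                                   # packet identifier only present for QoS 1/2
            packet_id = int.from_bytes(body[k:k + 2], "big")
            k += 2
        pkt.update(topic=topic, qos=qos, retain=bool(flags & 0x01), dup=bool(flags & 0x08),
                   packet_id=packet_id, payload=bytes(body[k:]))
    return pkt, j + rem


class ProvenanceRecorder:
    """Attributes each PUBLISH to the client that CONNECTed on the same (ip, port) endpoint."""

    def __init__(self):
        self.sessions = {}    # (src_ip, src_port) -> client_id
        self.records = []

    def observe(self, ts, src, buf):
        i = 0
        while i < len(buf):                       # a TCP segment may carry several packets
            pkt, i = parse_packet(buf, i)
            if pkt["type"] == CONNECT:
                self.sessions[src] = pkt["client_id"]
                self.records.append({"ts": ts, "event": "connect", "src": src,
                                     "client_id": pkt["client_id"]})
            elif pkt["type"] == PUBLISH:
                # A PUBLISH on an endpoint with no CONNECT seen is itself worth flagging.
                client = self.sessions.get(src, "<no CONNECT observed>")
                self.records.append({"ts": ts, "event": "publish", "src": src,
                                     "client_id": client, "topic": pkt["topic"],
                                     "qos": pkt["qos"], "retain": pkt["retain"],
                                     "payload": pkt["payload"]})
            elif pkt["type"] == DISCONNECT:
                client = self.sessions.pop(src, "<no CONNECT observed>")
                self.records.append({"ts": ts, "event": "disconnect", "src": src,
                                     "client_id": client})
        return self.records


def who_published(records, topic):
    """Forensic query: (client_id, src, payload) for every PUBLISH to `topic`, in order."""
    return [(r["client_id"], r["src"], r["payload"])
            for r in records if r["event"] == "publish" and r["topic"] == topic]


# Constructed capture: a phone app commands the lock over MQTT, the lock reports its new state.
APP, LOCK = ("10.0.0.5", 50123), ("10.0.0.9", 40001)
SAMPLE_CAPTURE = [
    (1.00, APP,  b"\x10\x16\x00\x04MQTT\x04\x02\x00\x3c\x00\x0amobile-app"   # CONNECT
                 b"\x32\x17\x00\x0dhome/lock/cmd\x00\x01UNLOCK"),             # PUBLISH, QoS 1
    (0.50, LOCK, b"\x10\x13\x00\x04MQTT\x04\x02\x00\x3c\x00\x07lock-01"),     # CONNECT
    (1.20, LOCK, b"\x31\x19\x00\x0fhome/lock/stateUNLOCKED"),                 # PUBLISH, retain
    (1.30, APP,  b"\xe0\x00"),                                                # DISCONNECT
]


def build_sample_log():
    rec = ProvenanceRecorder()
    for ts, src, buf in sorted(SAMPLE_CAPTURE):
        rec.observe(ts, src, buf)
    return rec.records


if __name__ == "__main__":
    for r in build_sample_log():
        print(r)
    print(who_published(build_sample_log(), "home/lock/cmd"))
```

Running the block prints the five provenance records and then the answer to the query, a single tuple naming `mobile-app` at 10.0.0.5:50123 as the publisher of `UNLOCK` on `home/lock/cmd`. Keying sessions by endpoint rather than by client ID matters in practice: a malicious client can claim any client ID in CONNECT, so the record keeps both.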
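The ChatterHub contribution rests on the observation that encryption hides payloads but not packet sizes, directions and timing, and that those alone distinguish device activities. The following is an added illustration of that side channel, not ChatterHub's classifier: it segments a router-side capture into bursts, compares each burst against activity signatures using an edit distance over (direction, size) sequences, and labels it without knowing which devices are deployed. The signature sizes, device addresses, the distance threshold and the sample capture are all constructed for the example; the "lock" and "unlock" signatures are made to differ by one 16-byte ciphertext block, as a block-padded message body would.

```python
"""Added illustration (not ChatterHub's code): recognise smart-home activities from
encrypted traffic using only packet direction and size. Signatures stand for burst
shapes recorded from the same device models elsewhere; all values are constructed."""

# (direction, packet length) per burst, constructed. "lock" and "unlock" differ by a
# single 16-byte ciphertext block, which encryption does not hide.
SIGNATURES = {
    "lock:unlock": [("dev>cloud", 121), ("cloud>dev", 66), ("dev>cloud", 305),
                    ("cloud>dev", 66), ("dev>cloud", 97)],
    "lock:lock":   [("dev>cloud", 121), ("cloud>dev", 66), ("dev>cloud", 289),
                    ("cloud>dev", 66), ("dev>cloud", 97)],
    "led:on":      [("dev>cloud", 153), ("cloud>dev", 80), ("dev>cloud", 153)],
    "led:off":     [("dev>cloud", 151), ("cloud>dev", 80), ("dev>cloud", 153)],
}
MAX_DISTANCE = 200   # assumed threshold: above it, report "unknown" rather than guess


def segment_bursts(packets, gap=1.0):
    """Split one flow's (time, direction, size) packets into bursts at idle gaps > `gap` s."""
    bursts, current, last_t = [], [], None
    for t, direction, size in sorted(packets):
        if last_t is not None and t - last_t > gap:
            bursts.append(current)
            current = []
        current.append((direction, size))
        last_t = t
    if current:
        bursts.append(current)
    return bursts


def trace_distance(a, b):
    """Edit distance over packet sequences: dropping or inserting a packet costs its size,
    substituting costs the size difference (same direction) or both sizes (opposite)."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        d[i][0] = d[i - 1][0] + a[i - 1][1]
    for j in range(1, m + 1):
        d[0][j] = d[0][j - 1] + b[j - 1][1]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            (da, sa), (db, sb) = a[i - 1], b[j - 1]
            sub = abs(sa - sb) if da == db else sa + sb
            d[i][j] = min(d[i - 1][j] + sa, d[i][j - 1] + sb, d[i - 1][j - 1] + sub)
    return d[n][m]


def classify_burst(burst):
    """Nearest signature, or "unknown" when nothing is close enough (e.g. a lone keepalive)."""
    label, dist = min(((name, trace_distance(burst, sig)) for name, sig in SIGNATURES.items()),
                      key=lambda x: x[1])
    return (label, dist) if dist <= MAX_DISTANCE else ("unknown", dist)


def classify_capture(capture, gap=1.0):
    """Group a router capture of (time, device_ip, direction, size) by device and label each
    burst. No list of deployed devices is needed: every flow is tried against every signature."""
    flows = {}
    for t, ip, direction, size in capture:
        flows.setdefault(ip, []).append((t, direction, size))
    return {ip: [classify_burst(b) for b in segment_bursts(pkts, gap)]
            for ip, pkts in sorted(flows.items())}


# Constructed capture: one device unlocks (with a stray 54-byte keepalive inside the burst),
# another turns an LED on and later sends a lone keepalive.
SAMPLE_CAPTURE = [
    (0.00, "192.168.1.20", "dev>cloud", 121), (0.05, "192.168.1.20", "cloud>dev", 66),
    (0.10, "192.168.1.20", "dev>cloud", 54),  (0.12, "192.168.1.20", "dev>cloud", 305),
    (0.20, "192.168.1.20", "cloud>dev", 66),  (0.25, "192.168.1.20", "dev>cloud", 97),
    (5.00, "192.168.1.31", "dev>cloud", 153), (5.04, "192.168.1.31", "cloud>dev", 80),
    (5.10, "192.168.1.31", "dev>cloud", 153), (12.0, "192.168.1.31", "dev>cloud", 54),
]

if __name__ == "__main__":
    for ip, results in classify_capture(SAMPLE_CAPTURE).items():
        for label, dist in results:
            print(f"{ip:14s} {label:12s} distance={dist}")
```

The size-weighted edit distance is what makes the inference robust to the stray keepalive: skipping a 54-byte packet costs 54, while confusing unlock with lock costs a further 16, so the burst is still labelled `lock:unlock`. The threshold turns a lone keepalive into `unknown` instead of forcing a nearest-neighbour guess; real classifiers additionally use timing and a far larger signature set, which this example omits.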