Yousra Aafer, "Normalizing Diverse Android Access Control Checks for Inconsistency Detection"

Summary: Access control systems are known to be vulnerable to anomalies in security policies, such as inconsistency. Android Security model is no exception. This talk presents a new approach aiming to unveil Android inconsistent access controls enforced across multiple instances of the same resource. ​To address the complex nature of Android security checks (e.g., semantic similarity of syntactically different enforcements), the presented approach detects inconsistencies through modeling and normalizing diverse checks. The talk further presents application results of the approach, including the discovery of actual exploits.