Meet Joshua Garcia at the Crossroads of Mobile Security and Software Architecture

For the past two and a half years, Associate Project Scientist Dr. Joshua Garcia has made his mark at ISR, focusing his research on mobile security, testing, and analysis; software architecture; and software maintenance and re-engineering. Garcia, who is a member of Professor Sam Malek’s Software Engineering and Analysis Laboratory, received his Ph.D. in 2014 from the University of Southern California under the advisement of Professor Nenad Medvidović.

Garcia’s research utilizes static and dynamic analysis techniques, machine learning, and artificial intelligence to address problems in the area of mobile applications and decay of software architecture. “Both implementation-level artifacts, such as source code and build files, along with other artifacts, such as architectural design documents, are critically important for effectively maintaining a software system,” says Garcia. “With that in mind, my work extracts and abstracts from implementation-level artifacts to analyze for important functional and nonfunctional properties, such as security, and architectural abstractions. As a result, my research aids software architects, software engineers, and security analysts from a variety of essential high-level and low-level abstractions and perspectives.” Garcia’s research tools and datasets have been used by dozens of researchers, agencies, and companies around the world—including universities in Argentina, Australia, Brazil, Canada, China, Europe and the United States, and by companies and government agencies such as Huawei, Northrop Grumman, Boeing, Bosch, IBM, the FBI, and the Department of Homeland Security. “I’m lucky and privileged to have a variety of institutions throughout the world that use and build on my tools. I think having the opportunity to impact real world practice is an honor for any software-engineering researcher,” says Garcia.

Garcia has worked with mobile and embedded devices over the last ten years. He began studying these devices from a software architectural perspective, dealing with issues of high availability in the face of changing requirements, failures after deployment, and new operational contexts. His early work touched upon issues with dynamically adapting software distributed across mobile and embedded devices to address the need for high availability during maintenance and operation of such software systems.

Along the lines of evolution and maintenance of software systems, Garcia’s dissertation studies led him towards a focus on the joint problems of architectural drift and erosion, collectively referred to as decay. Architectural decay occurs when design decisions are introduced to a software system that are different from or in violation of the design decisions made by the system’s original architects. Garcia says, “This decay increases the time, effort, and cost of maintaining a software system due to the introduction of architectural defects, additional unnecessary complexity, or misunderstandings of the software system’s architecture by its current architects or engineers.”

Figure 1. LetterBomb automatically generates exploits targeting Android’s distributed event-based interface and produces messages, called Intents in Android, and test oracles in the form of instrumentation for a variety of vulnerability types.

To address problems of architectural decay, Garcia produced techniques for determining the architecture of software systems from their implementation-level artifacts (e.g., source code) and identifying instances of architectural decay. Specifically, Garcia constructed novel approaches for identifying architectural information from a system’s implementation and has conducted studies of software architectures of evolving, widely used software systems. The results of his research in this area have produced the first novel approach for recovering architectures based on system concerns (e.g., job scheduling in software for large-scale data processing, or filesystem storage and manipulation), the recovery of architectures of widely used software systems (e.g., Apache Hadoop and the Bourne Again Shell), and novel insights obtained regarding architectural change and decay across large, popular open-source software systems. The overall workbench of tools resulting from this line of Garcia’s research is called Architecture Recovery, Change, and Decay Evaluator (ARCADE), which has been used by universities around the world and major companies such as Huawei, Northrop Grumman, and Boeing.

With the massive growth of mobile devices and platforms, Garcia returned to conducting research on mobile software in recent years, focusing on mobile application security, testing, and analysis. He produced the first approach for automatically generating exploits for Android applications, called LetterBomb [Figure 1]—which has identified nearly 200 exploits from 10,000 randomly selected apps from Google Play, the official Android app store. LetterBomb leverages static and dynamic program analysis to efficiently and accurately generate exploits for a variety of vulnerability types.

Figure 2. RevealDroid uses machine learning and static analysis of Android API usage, reflective code, and native code to identify malicious Android apps and the families those apps belong to.

Although some mobile apps contain vulnerabilities, an increasing number of malicious Android apps are being deployed onto Android markets, such as Google Play. These apps attempt to steal security-sensitive information, control a user’s mobile device, lock or encrypt a device until a ransom is paid, etc. To hide these malicious behaviors, Android malware uses a variety of obfuscations to evade detection. To address the threat of evasive and malicious Android apps, Garcia has produced an approach for Android malware detection and malware family identification called RevealDroid [Figure 2]. To enable efficiency, accuracy, and obfuscation resilience, RevealDroid relies upon lightweight static analysis of Android APIs, reflective code, and native code, with no previous technique leveraging static analysis of reflective and native code for malicious-app detection. RevealDroid is capable of identifying malware with a 98% success rate, determining a malicious app’s family with a 95% success rate, and demonstrates superior accuracy and obfuscation resiliency compared to state-of-the-art malware detection approaches. RevealDroid has been deployed to the Software Assurance Marketplace, a joint venture between the University of Wisconsin-Madison and the Department of Homeland Security, and a paper titled “Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware” was recently accepted to ACM Transactions on Software Engineering and Methodology.

To find out more about Dr. Garcia, visit his website.

Garcia can be reached via his ISR staff listing.

This article appeared in ISR Connector issue: