Dr. Brendan Saltaformaggio is an Assistant Professor in the School of Electrical and Computer Engineering at Georgia Tech, with a courtesy appointment in the School of Computer Science. His research interests lie in computer systems security, cyber forensics, and the vetting of untrusted software.
Dr. Saltaformaggio serves as the Director of the Cyber Forensics Innovation (CyFI) Laboratory. The CyFI Lab's mission is to further the investigation of advanced cyber crimes and the analysis and prevention of next-generation malware attacks, particularly in mobile and IoT environments. This research has led to numerous publications at top cyber security venues, including a Best Paper Award from the ACM Conference on Computer and Communications Security (CCS’15) and a Best Student Paper Award from the 2014 USENIX Security Symposium.
Originally from New Orleans, Dr. Saltaformaggio earned his Bachelor of Science with Honors in Computer Science from the University of New Orleans in 2012. He received his M.S. and Ph.D. in Computer Science at Purdue University in 2014 and 2016, respectively, during which Dr. Saltaformaggio was honored with the 2017 ACM SIGSAC Doctoral Dissertation Award as well as two fellowships: the 2016 Symantec Research Labs Graduate Fellowship and the inaugural Emil Stefanov Memorial Fellowship in Computer Science.
Areas of Expertise (6)
Binary Analysis and Instrumentation
Computer Systems Security
Vetting of Untrusted Software
Selected Accomplishments (5)
ACM SIGSAC Doctoral Dissertation Award
Symantec Research Labs Graduate Fellowship
Inaugural Recipient of the Emil Stefanov Memorial Fellowship
Best Student Paper Award
The USENIX Security Symposium (USENIX Security) - 2014
Best Paper Award
ACM Conference on Computer and Communications Security (CCS) - 2015
Purdue University: Ph.D., Computer Science 2016
Purdue University: M.S., Computer Science
University of New Orleans: B.S., Computer Science 2012
Selected Media Appearances (5)
Cloud-based app backends - a rat's nest of mobile phone security vulnerabilities
If there were any doubts that mobile phones are a rat’s nest of security vulnerabilities, a scary new report from researchers at Georgia Tech and Ohio State University presented at the 28th USENIX Security Symposium in Santa Clara last week should lay that notion firmly to rest. Titled The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends, the abstract opens with this disturbing finding of mobile security:
Top 5K free apps on Google Play Store have vulnerabilities that allow hackers to attack servers, says a report
Digital Information World online
The top 5,000 free apps on the Google Play store have around 1600 vulnerabilities in their support system, as discovered by cybersecurity researchers.
New Tool Reveals Big Vulnerabilities In Mobile Apps That Use Multiple Clouds
Proponents frequently boast that cloud-based architectures are more secure than traditional networks, but that’s not necessarily the case for mobile apps that use lots of different cloud services all at once.
Smartphone Apps May Connect to Vulnerable Backend Cloud Servers
Georgia Tech News Center online
Cybersecurity researchers have discovered vulnerabilities in the backend systems that feed content and advertising to smartphone applications through a network of cloud-based servers that most users probably don’t even know exists.
Cyber criminals target Georgia law enforcement
FOX 5 Atlanta online
A critical cyber attack is affecting law enforcement officers across the state. The Georgia State Patrol is the latest victim of a ransomware attack.
Selected Articles (5)
Omar Alrawi, Chaoshun Zuo, Ruian Duan, Ranjita Pai Kasturi, Zhiqiang Lin, Brendan Saltaformaggio
Cloud backends provide essential features to the mobile app ecosystem, such as content delivery, ad networks, analytics, and more. Unfortunately, app developers often disregard or have no control over prudent security practices when choosing or managing these services. Our preliminary study of the top 5,000 Google Play Store free apps identified 983 instances of N-day and 655 instances of 0-day vulnerabilities spanning across the software layers (OS, software services, communication, and web apps) of cloud backends. The mobile apps using these cloud backends represent between 1M and 500M installs each and can potentially affect hundreds of thousands of users. Further, due to the widespread use of third-party SDKs, app developers are often unaware of the backends affecting their apps and where to report vulnerabilities. This paper presents SkyWalker, a pipeline to automatically vet the backends that mobile apps contact and provide actionable remediation. For an input APK, SkyWalker extracts an enumeration of backend URLs, uses remote vetting techniques to identify software vulnerabilities and responsible parties, and reports mitigation strategies to the app developer. Our findings suggest that developers and cloud providers do not have a clear understanding of responsibilities and liabilities in regards to mobile app backends that leave many vulnerabilities exposed.
Kexin Pei, Zhongshu Gu, Brendan Saltaformaggio, Shiqing Ma, Fei Wang, Zhiwei Zhang, Luo Si, Xiangyu Zhang, Dongyan Xu
Advanced cyber attacks consist of multiple stages aimed at being stealthy and elusive. Such attack patterns leave their footprints spatio-temporally dispersed across many different logs in victim machines. However, existing log-mining intrusion analysis systems typically target only a single type of log to discover evidence of an attack and therefore fail to exploit fundamental inter-log connections. The output of such single-log analysis can hardly reveal the complete attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present HERCULE, an automated multi-stage log-based intrusion analysis system. Inspired by graph analytics research in social network analysis, we model multi-stage intrusion analysis as a community discovery problem. HERCULE builds multi-dimensional weighted graphs by correlating log entries across multiple lightweight logs that are readily available on commodity systems. From these, HERCULE discovers any "attack communities" embedded within the graphs. Our evaluation with 15 well known APT attack families demonstrates that HERCULE can reconstruct attack behaviors from a spectrum of cyber attacks that involve multiple stages with high accuracy and low false positive rates.
Brendan Saltaformaggio, Rohit Bhatia, Zhongshu Gu, Xiangyu Zhang, Dongyan Xu
An Android app's graphical user interface (GUI) displays rich semantic and contextual information about the smartphone's owner and app's execution. Such information provides vital clues to the investigation of crimes in both cyber and physical spaces. In real-world digital forensics however, once an electronic device becomes evidence most manual interactions with it are prohibited by criminal investigation protocols. Hence investigators must resort to "image-and-analyze" memory forensics (instead of browsing through the subject phone) to recover the apps' GUIs. Unfortunately, GUI reconstruction is still largely impossible with state-of-the-art memory forensics techniques, which tend to focus only on individual in-memory data structures. An Android GUI, however, displays diverse visual elements each built from numerous data structure instances. Furthermore, whenever an app is sent to the background, its GUI structure will be explicitly deallocated and disintegrated by the Android framework. In this paper, we present GUITAR, an app-independent technique which automatically reassembles and redraws all apps' GUIs from the multitude of GUI data elements found in a smartphone's memory image. To do so, GUITAR involves the reconstruction of (1) GUI tree topology, (2) drawing operation mapping, and (3) runtime environment for redrawing. Our evaluation shows that GUITAR is highly accurate (80-95% similar to original screenshots) at reconstructing GUIs from memory images taken from a variety of Android apps on popular phones. Moreover, GUITAR is robust in reconstructing meaningful GUIs even when facing GUI data loss.
Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu
With the booming sale of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every iOS application to go through a vetting process called App Review to detect uses of private APIs that provide access to sensitive user information. However, recent attacks have shown the feasibility of using private APIs without being detected during App Review. To counter such attacks, we propose a new iOS application vetting system, called iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, iRiS uses a novel iterative dynamic analysis approach, which is slower but more powerful compared to static analysis. We have ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that use a total number of 150 different private APIs, including 25 security-critical APIs that access sensitive user information, such as device serial number. By analyzing iOS applications using iRiS, we also identified a suspicious advertisement service provider which collects user privacy information in its advertisement serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple's terms of service exist in the App Store. iRiS is effective in detecting private API abuse missed by App Review.
Brendan Saltaformaggio, Dongyan Xu, Xiangyu Zhang
Researchers continue to find side channels present in cloud infrastructure which threaten virtual machine (VM) isolation. Specifically, the memory bus on virtualized x86 systems has been targeted as one such channel. Due to its connection to multiple processors, ease of control, and importance to system stability the memory bus could be one of the most powerful cross-VM side channels present in a cloud environment. To ensure that this critical component cannot be misused by an attacker, we have developed BusMonitor, a hypervisor-based protection which prevents a malicious tenant from abusing the memory bus’s operation. In this paper we investigate the dangers of previously known and possible future memory bus based side channel attacks. We then show that BusMonitor is able to fully prevent these attacks with negligible impact to the performance of guest applications.