Güliz Seray Tuncay
Dr. Güliz Seray Tuncay is a Senior Research Scientist in the Platforms Security and Privacy team at Google. She received her Ph.D. from the University of Illinois at Urbana-Champaign in 2019. Her Ph.D. thesis titled "Practical least privilege for cross-origin interactions on mobile operating systems" was the runner up of the ACM SIGSAC Doctoral Dissertation Award. Güliz was selected as a Rising Star in EECS in 2019.
Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.
Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.
Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.
For more information, please visit www.gulizseray.com
Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.
Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.
Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.
For more information, please visit www.gulizseray.com
Research Areas
Authored Publications
Sort By
Preview abstract
Storage on Android has evolved significantly over the years, with each new Android version introducing changes aimed at enhancing usability, security, and privacy. While these updates typically help with restricting app access to storage through various mechanisms, they may occasionally introduce new complexities and vulnerabilities. A prime example is the introduction of scoped storage in Android 10, which fundamentally changed how apps interact with files. While intended to enhance user privacy by limiting broad access to shared storage, scoped storage has also presented developers with new challenges and potential vulnerabilities to address. However, despite its significance for user privacy and app functionality, no systematic studies have been performed to study Android’s scoped storage at depth from a security perspective. In this paper, we present the first systematic security analysis of the scoped storage mechanism. To this end, we design and implement a testing tool, named ScopeVerif, that relies on differential analysis to uncover security issues and implementation inconsistencies in Android’s storage. Specifically, ScopeVerif takes a list of security properties and checks if there are any file operations that violate any security properties defined in the official Android documentation. Additionally, we conduct a comprehensive analysis across different Android versions as well as a cross-OEM analysis to identify discrepancies in different implementations and their security implications. Our study identifies both known and unknown issues of scoped storage. Our cross-version analysis highlights undocumented changes as well as partially fixed security loopholes across versions. Additionally, we discovered several vulnerabilities in scoped storage implementations by different OEMs. These vulnerabilities stem from deviations from the documented and correct behavior, which potentially poses security risks. The affected OEMs and Google have acknowledged our findings and offered us bug bounties in response.
View details
On the Robustness of Image-based Malware Detection against Adversarial Attacks
Yassine Mekdad
Harun Oz
Ahmet Aris
Leonardo Babun
Faraz Naseem
Selcuk Uluagac
Nasir Ghani
Abbas Acar
Network Security Empowered by Artificial Intelligence, Springer (2024)
Preview abstract
Machine and deep learning models are now one of the most valuable tools in the arsenal of computer security practitioners. Their success has been demonstrated in various network-security-oriented applications such as intrusion detection, cyber threat intelligence, vulnerability discovery, and malware detection. Nevertheless, recent research studies have shown that crafted adversarial samples can be used to evade malware detection models. Even though several defense mechanisms such as adversarial training have been proposed in the malware detection domain to address this issue, they unfortunately suffer from model poisoning and low detection accuracy. In this chapter, we assess the robustness of image-based malware classifier against four different adversarial attacks: (a) random and benign brute-force byte append attacks for black-box settings and (b) random and benign Fast Gradient Sign Method (FGSM) attacks for white-box settings. To this end, we implement a Convolutional Neural Network (CNN) to classify the image representations of Windows Portable Executable (PE) malware with a detection accuracy of 95.05%. Then, we evaluate its robustness along with MalConv, a state-of-the-art malware classifier, by applying a set of functionality-preserving adversarial attacks. Our experimental results demonstrate that image-based classifier exhibits a lower evasion rate of 5% compared to MalConv that achieves an evasion rate ranging between 44 and 54% in black-box settings. However, in white-box settings, both models fail against random byte and benign byte FGSM attacks, with an evasion rate of more than 46%.
View details
Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables
Doguhan Yeke
Muhammad Ibrahim
Habiba Farukh
Abdullah Imran
Antonio Bianchi
Z. Berkay Celik
IEEE Symposium on Security and Privacy (2024)
Preview abstract
Wearable devices are becoming increasingly important, helping us stay healthy and connected. There are a variety
of app-based wearable platforms that can be used to manage
these devices. The apps on wearable devices often work with a
companion app on users’ smartphones. The wearable device and
the smartphone typically use two separate permission models
that work synchronously to protect sensitive data. However, this
design creates an opaque view of the management of permission-
protected data, resulting in over-privileged data access without
the user’s explicit consent. In this paper, we performed the first
systematic analysis of the interaction between the Android and
Wear OS permission models. Our analysis is two-fold. First,
through taint analysis, we showed that cross-device flows of
permission-protected data happen in the wild, demonstrating
that 28 apps (out of the 150 we studied) on Google Play
have sensitive data flows between the wearable app and its
companion app. We found that these data flows occur without
the users’ explicit consent, introducing the risk of violating
user expectations. Second, we conducted an in-lab user study
to assess users’ understanding of permissions when subject to
cross-device communication (n = 63). We found that 66.7% of
the users are unaware of the possibility of cross-device sensitive
data flows, which impairs their understanding of permissions in
the context of wearable devices and puts their sensitive data at
risk. We also showed that users are vulnerable to a new class of
attacks that we call cross-device permission phishing attacks on
wearable devices. Lastly, we performed a preliminary study on
other watch platforms (i.e., Apple’s watchOS, Fitbit, Garmin
OS) and found that all these platforms suffer from similar
privacy issues. As countermeasures for the potential privacy
violations in cross-device apps, we suggest improvements in the
system prompts and the permission model to enable users to
make better-informed decisions, as well as on app markets to
identify malicious cross-device data flows.
View details
(In)Security of File Uploads in Node.js
Harun Oz
Abbas Acar
Ahmet Aris
Amin Kharraz
Selcuk Uluagac
The Web conference (WWW) (2024)
Preview abstract
File upload is a critical feature incorporated by a myriad of web
applications to enable users to share and manage their files conveniently. It has been used in many useful services such as file-sharing
and social media. While file upload is an essential component of
web applications, the lack of rigorous checks on the file name, type,
and content of the uploaded files can result in security issues, often
referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world
applications in the Node.js ecosystem. To automate our analysis, we
propose NodeSec– a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSec generates unique
payloads and thoroughly evaluates the application’s file upload security against 13 distinct UFU-type attacks. Utilizing NodeSec, we
analyze the most popular file upload libraries and real-world ap-
plications in the Node.js ecosystem. Our results reveal that some
real-world web applications are vulnerable to UFU attacks and dis-
close serious security bugs in file upload libraries. As of this writing,
we received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that
the dynamic features of Node.js applications introduce security
shortcomings and that web developers should be cautious when
implementing file upload features in their applications.
View details
Android Permissions: Evolution, Attacks, and Best Practices
IEEE Security & Privacy (2024)
Preview abstract
In this article, we study the evolution of Android permissions. We describe the rationale behind key changes in Android’s permission model and disclose two permission-related security vulnerabilities we discovered. Finally, we provide developers actionable insights to proactively address permission-related security and privacy risks during development.
View details
50 Shades of Support: A Device-Centric Analysis of Android Security Updates
Abbas Acar
Esteban Luques
Harun Oz
Ahmet Aris
Selcuk Uluagac
Network and Distributed System Security (NDSS) Symposium (2024)
Preview abstract
Android is by far the most popular OS with over
three billion active mobile devices. As in any software, uncovering
vulnerabilities on Android devices and applying timely patches
are both critical. Android Open Source Project (AOSP) has
initiated efforts to improve the traceability of security updates
through Security Patch Levels (SPLs) assigned to devices. While
this initiative provided better traceability for the vulnerabilities,
it has not entirely resolved the issues related to the timeliness
and availability of security updates for end users. Recent studies
on Android security updates have focused on the issue of delay
during the security update roll-out, largely attributing this to
factors related to fragmentation. However, these studies fail to
capture the entire Android ecosystem as they primarily examine
flagship devices or do not paint a comprehensive picture of the
Android devices’ lifecycle due to the datasets spanning over a
short timeframe. To address this gap in the literature, we utilize
a device-centric approach to analyze the security update behavior
of Android devices. Our approach aims to understand the security
update distribution behavior of OEMs (e.g., Samsung) by using
a representative set of devices from each OEM and characterize
the complete lifecycle of an average Android device. We obtained
367K official security update records from public sources, span-
ning from 2014 to 2023. Our dataset contains 599 unique devices
from four major OEMs that are used in 97 countries and are
associated with 109 carriers. We identify significant differences
in the roll-out of security updates across different OEMs, device
models/types, and geographical regions across the world. Our
findings show that the reasons for the delay in the roll-out of
security updates are not limited to fragmentation but also involve
OEM-specific factors. Our analysis also uncovers certain key
issues that can be readily addressed as well as exemplary practices
that can be immediately adopted by OEMs in practice.
View details
With Great Power Comes Great Responsibility: Security and Privacy Issues of Modern Browser APIs
Harun Oz
Daniele Cono D’Elia
Abbas Acar
Riccardo Lazzeretti
Selcuk Uluagac
IEEE Security and Privacy (2024)
Preview abstract
This paper discusses security and privacy issues in modern Browser
APIs by categorizing them based on their functionality. With this study, we aim to
alert the community about these issues and motivate further research into
analyzing the security and privacy concerns within modern Browser APIs.
View details
Android Permissions: Evolution, Attacks, and Best Practices
IEEE Security & Privacy (2024)
Preview abstract
In this article, we study the evolution of Android permissions. We describe the rationale behind key changes in Android’s permission model and disclose two permission-related security vulnerabilities we discovered. Finally, we provide developers actionable insights to proactively address permission-related security and privacy risks during development.
View details
RøB: Ransomware over Modern Web Browsers
Harun Oz
Ahmet Aris
Abbas Acar
Leonardo Babun
Selcuk Uluagac
USENIX Security (2023)
Preview abstract
File System Access (FSA) API enables web applications to
interact with files on the users’ local devices. Even though it
can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries
to cause significant harm. In this paper, for the first time in the
literature, we extensively study this new attack vector that can
be used to develop a powerful new ransomware strain over
a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware
called RØB as a malicious web application that encrypts the
user’s files from the browser. We use RØB to perform impact
analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it.
Our evaluations show that RØB can encrypt the victim’s local
files including cloud-integrated directories, external storage
devices, and network-shared folders regardless of the access
limitations imposed by the API. Moreover, we evaluate and
show how the existing defense solutions fall short against
RØB in terms of their feasibility. We propose three potential
defense solutions to mitigate this new attack vector. These
solutions operate at different levels (i.e., browser-level, filesystem-level, and user-level) and are orthogonal to each other.
Our work strives to raise awareness of the dangers of RØBlike browser-based ransomware strains and shows that the
emerging API documentation (in this case the popular FSA)
can be equivocal in terms of reflecting the extent of the threat.
View details
The Android Platform Security Model (2023)
Jeff Vander Stoep
Chad Brubaker
Dianne Hackborn
Roger Piqueras Jover
Michael Specter
Arxiv, Cornell University (2023)
Preview abstract
Android is the most widely deployed end-user focused operating system. With its growing set of use cases
encompassing communication, navigation, media consumption, entertainment, finance, health, and access to
sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical
threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility,
Android’s security model must strike a difficult balance between security, privacy, and usability for end users;
provide assurances for app developers; and maintain system performance under tight hardware constraints.
This paper aims to both document the assumed threat model and discuss its implications, with a focus on
the ecosystem context in which Android exists. We analyze how different security measures in past and
current Android implementations work together to mitigate these threats, and, where there are special cases
in applying the security model in practice; we discuss these deliberate deviations and examine their impact.
View details