Week 10: 8/3/10 - 8/9/10


Instead of analyzing the massive amount of results our program can spit out, I spent my last week writing documentation about everything I've done this summer to make it easier for others to pick up in the future. Even though Royce and I have been working together, our parts for the script are pretty distinct; it would definitely take me a while to figure out how his Java programs are put together, and I wrote my programs in Python and bash scripting, neither of which he's familiar with. In retrospect, it would probably have been smarter to write my programs in Java - while everyone at Mudd, where I come from, is taught Python as a frosh, I get the impression that it's not too widespread otherwise. As a language, though, it's pretty simple and very readable, so I trust that future students will be okay.


I had a last meeting with Dawn and Steve on Friday afternoon. It seems like this summer was a positive experience for everyone; they were happy with what I've done, especially since a lot of it was without a lot of guidance, and I was happy that I'd gotten to work with another student and that we actually had a working product to show for it.


Looking back, I really am pleased with what we've done; it didn't seem like a particularly tricky project compared to a lot of what I've seen other people do, but I started writing my final report and realized that between Android, computer security, and research in general, I've learned a lot more than I thought I did this summer. It's been fun!


Week 9: 7/27/10 - 8/2/10


With the majority of our project over with, we spent this week making small debugging changes and cleaning up our code. We had some little things left over that we hadn't yet done - sometime after we fixed SmsManager from running repeatedly, our SmsManager class stopped being able to create itself, so we fixed that up. We also put in a feature or two that we'd meant to have all along, like organizing the logfiles we pulled out from the phone into directories based on class and date, and put in some command-line options to make it easier to run the script.


We also caught our script up to date in the Subversion repository, which we really(, really) should have been using all along. This involved a couple of pretty annoying mishaps, and at the very least I came out knowing a couple more things about how to use svn.


Overall, we're pretty much done - aside from analyzing results. I'm not sure I'll get to be around for that, though, since we decided that writing documentation for the script should come first, so that other students can pick it up in the future, especially since I won't be around Berkeley to help anyone else pick it up.


I'm pretty ready to go home at this point - only one more week! I'll definitely miss some little things about Berkeley, like all the fro-yo places, and the bubble tea house that's about three blocks away from I House (honey milk tea is my favorite, I've discovered), but mostly I just can't wait to get back and have a car. Even with BART, I feel pretty restricted here, since all of the interesting places I've found to go require two hours or so of transportation, including a four-mile walk (one mile on each side of each BART station).


Week 8: 7/20/10 - 7/26/10


Steve came back from vacation at the end of this week (though Dawn is still out of town), so we met with him on Monday. Even though SmsManager still wasn't working, we were able to demonstrate what we'd done with other classes. He seemed impressed, and also took a few hours to help us figure out what was wrong with SmsManager.


It turned out that one of our unit tests involved a function call that could take in a class name. We'd originally passed it NULL, but in one of our discussions with Steve, learned that passing in dummy values like NULL isn't really helpful when the tests we're running are supposed to emulate the way the function would actually be used in an app. Then we'd changed to passing it itself as a class name, but as a side effect, it created bunches and bunches of SmsManagers, flooding our logs until they crashed the phone. Steve actually pointed out that it's a good thing we came across that, since apps don't have to do something obvious like steal contacts or credit card numbers to be malicious - an app could cause problems by crashing the phone, or keeping it busy enough to slow the system down, or other things like that.


We fixed that up pretty quickly once we identified the problem, and then felt even better about showing it off and being proud of what we'd done. There are still a few features we need to polish, like the ability to run it without editing the script file to say which class to test.


Week 7: 7/13/10 - 7/19/10


It turns out that the second phase of our script is going to be a lot less complicated than I originally thought, which is great. I was picturing convoluted loops and code that was going to be tricky and nasty both to understand and implement - but it turned out that we made a convenient decision early on, and the way we modularized our programs means that it's actually just a case of generating a number of files and then working with each one in turn, which is simple with scripting.


With that, we came really close to finishing. One of our classes still has a bug in it - for some reason, when we test our script on SmsManager, it runs over and over and over again on the phone. We can't figure out why, though, especially since it's not a problem with any of the other classes.


Still - it works! It's rough around the edges - there are still a few values that have to be hand-tweaked before each run - but it runs on its own and it ends on its own and it does everything it's supposed to do! It's a really good feeling.


With our project in good shape and Steve out of town, I actually ended up taking part of this week off. My boyfriend Aaron came to visit, so I spent most of Thursday and Friday hanging out with him. We went into San Francisco on Friday and visited a couple bookstores and Golden Gate Park, which was unfortunately pretty cloudy and cold, but still a good time.


We also got to eat out a lot around Berkeley, which was awesome. I still haven't gotten used to the food at I House, and I'm even starting to get sick of the sandwich bar. They had a special French-themed dinner for Bastille Day on Wednesday, though, which was fantastic!


Week 6: 7/6/10 - 7/12/10


The plan we drew up is working just fine so far; we haven't yet run into anything we planned to do that we can't, or even anything that required us to be super creative. We haven't done any of the parts that I think are going to be trickiest yet, though.


I thought we were stuck for a while because I found out that in order to run commands through the built-in terminal on the Android phone - which we wanted to do in order to do things like run our application - the phone has to be a special development phone (which ours aren't) or "rooted", which is the Android equivalent of jailbroken, which we really didn't think would be a good idea to do to our phones. Thankfully, we found a way around needing to run commands that way thanks to some savvy Google searches and built-in capabilities of adb.


The good news is that now, I'm pretty sure we can do everything we want to be able to do - before I wasn't sure there was a way to automatically install our app (since compiling it requires a password to sign it) or run it from the computer once installed, but we found ways to do everything. The only trouble now is making sure that we can correctly implement the rest of the algorithm we came up with. I don't have a perfectly clear grasp of how to do it in my head, so it could end up being easy, or (I'm guessing) we'll have to do some pretty hard thinking.


Royce and I originally thought that we'd be able to do everything in 3 or 4 days, but we were pretty wrong - it's been a week and we're about halfway through. Thankfully, Steve and Erika, with their superior experience, warned us that it would take twice as long as we thought it would. I was pretty surprised to find out they were right. We don't actually have that much code to write, which is why it feels like it shouldn't take very long, but it takes more time than I expected to look up how to do things I don't know how to do, and to correct things when they don't quite work, and things like that.


Week 5: 6/29/10 - 7/5/10


Royce and I spent the early part of this week creating an outline for exactly how we were going to accomplish the "second stage" of our project - the automated part. We wanted to have our outline done by the time Steve left on Thursday, so we spent most of Monday and Tuesday discussing and drawing up what to do. We met with Steve to discuss it on Tuesday afternoon, and he generally approved of our plan, and then pointed out a few areas we hadn't thought through all the way. I realized during the meeting that I've been subconsciously treating this project like it's an assignment for a class - one that's been done dozens of times before, where the instructor and graders have ideas about approaches that work and approaches that don't work. It was pretty cool to realize that that's not the case at all, and we're working on something that no one's actually done before.


I'm still a little worried that we'll run into problems, since we had to make a few assumptions about what is possible to do with phone-computer connections. We haven't actually found out whether or not it's possible to make a phone application run by plugging the phone into a computer and running a command, and our life will get a lot more difficult if there isn't already a way to do that.


Danni and Amber, the other two DREU students at Berkeley for the summer, finally showed up this week too. They're living together in an apartment a few blocks away from me, and it looks like we won't have any overlap in working on projects together, so I probably won't see too much of them, which is a shame.


My life got pretty exciting on Friday; I'm severely allergic to cashews, and I accidentally ate something during lunch that must have had nuts mixed in, so I had to find and walk to the medical center on campus, where they ended up keeping me all afternoon. I was fine after a couple of hours, but it was still a scary experience because I didn't know where the health center was beforehand and had to walk all the way across campus to get there.


International House had a pretty great barbecue for dinner on the 4th of July. I'm not too impressed with the food overall, since it's generally not to my taste, but the barbecues and other special-occasion dinners have been great so far. Somebody a couple streets away shot off a few (probably illegal) fireworks, which were cool to watch through my window.



Week 4: 6/22/10 - 6/28/10


It turns out Steve (my grad student mentor) and Dawn (my professor mentor) are both going to be going on vacation soon, Steve for two weeks and Dawn for a month. Steve's working with Royce and me to lay out a plan and a timeline for what we're going to do while he's gone. He's going to Europe (sweet) and won't be able to keep in touch, so it would be pretty bad if Royce and I got completely stuck.


The first stage of our project was running a bunch of unit tests in an application without any permissions. This second stage is to run the same unit tests with all sorts of combinations of the necessary permissions. Since it could get pretty awful if there are a lot of different permissions a function needs to use, we're automating the whole thing: generating permission combinations, rebuilding the app, reinstalling it, and rerunning it, over and over. We're probably also going to extend the range of our tests. It's going to take us at least the two weeks Steve is gone, plus maybe another one or two.
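Added example, not the authors' script: a sketch of the "generate a number of files, then work with each one in turn" loop for the second stage, producing one AndroidManifest.xml per permission combination plus the adb steps to run for each rebuilt variant. The package name, activity name and permission list are assumptions chosen for illustration; the adb commands are returned as lists and never executed.

```python
import itertools
import tempfile
from pathlib import Path
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Constructed sample input: permissions an SMS test class might need.
SMS_PERMISSIONS = [
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
]
PACKAGE = "com.example.permtest"  # hypothetical package name
ACTIVITY = ".TestRunner"          # hypothetical activity that runs the unit tests


def permission_subsets(permissions):
    """Yield every subset, from no permissions (stage one) up to all of them."""
    for size in range(len(permissions) + 1):
        for combo in itertools.combinations(permissions, size):
            yield combo


def render_manifest(package, granted):
    """Return manifest XML that requests exactly the permissions in `granted`."""
    root = ET.Element("manifest", {"package": package})
    for name in granted:
        ET.SubElement(root, "uses-permission", {f"{{{ANDROID_NS}}}name": name})
    ET.SubElement(root, "application")
    return ET.tostring(root, encoding="unicode")


def write_variants(out_dir, package, permissions):
    """Write one manifest per subset; return [(variant_dir, granted), ...]."""
    variants = []
    for index, granted in enumerate(permission_subsets(permissions)):
        variant_dir = Path(out_dir) / f"variant_{index:03d}"
        variant_dir.mkdir(parents=True)
        manifest = render_manifest(package, granted)
        (variant_dir / "AndroidManifest.xml").write_text(manifest)
        variants.append((variant_dir, granted))
    return variants


def adb_plan(package, activity, apk_path):
    """Steps for one rebuilt variant: reinstall, launch, dump the log buffer."""
    return [
        ["adb", "install", "-r", str(apk_path)],
        ["adb", "shell", "am", "start", "-n", f"{package}/{activity}"],
        ["adb", "logcat", "-d"],
    ]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        variants = write_variants(tmp, PACKAGE, SMS_PERMISSIONS)
        # n permissions give 2**n variants, which is why the loop is automated.
        print(f"{len(variants)} variants for {len(SMS_PERMISSIONS)} permissions")
        for variant_dir, granted in variants:
            print(variant_dir.name, ", ".join(granted) or "(no permissions)")
        for step in adb_plan(PACKAGE, ACTIVITY, "bin/permtest.apk"):
            print(" ".join(step))
```
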


Our phones arrived! I keep wondering if our tests are really going to take sufficiently long that it really justifies getting us each a phone for testing. Not that I'm complaining.


I still don't have a Cal ID, which is only a problem because it means I can't use the buses (at least not for free). I sort of enjoy the 15-minute walk to work, plus it would probably take just as long on average to work around the bus schedule, but it would be nice to hop on a bus to go to downtown Berkeley instead of walking the mile or so. With Steve and Dawn going out of town, though, I doubt any progress will be made on getting one until it's too late to be worth it. Getting the exercise isn't too bad anyway!



Week 3: 6/15/10 - 6/21/10


It's pretty clear that for now, my main project is going to be the Android app project (Project 1), with Royce. My part in the medical project is over for now, at least until we hear back from the one hospital we contacted. Steve is working on another aspect of it, though; he's working on reverse engineering firmware that was extracted from a defibrillator. He's really cool about taking a few minutes to show me what he's doing. My next step in the banking project is to start exploring banking websites and such on Android, but since it doesn't seem to be urgent at all, I'm going to wait until the Android phones ordered for Royce and me arrive so I can poke around on a real phone. That's right - Royce and I each get our own Android for testing! Definitely awesome.


I was given a desk in Cory Hall to work at, but I ended up not using it at all. Instead, Royce and I work in the open areas on the top floor of Soda Hall, which is nice because it's where all the security grad students have offices. They wander by occasionally and say hi, and it's really easy to run off and ask a question if we need to. There's an alcove with sofas that I especially like grabbing.


Royce and I presented our work of the last week and a half or so to Dawn, Steve, Erika, and another grad student (who was just sitting in) on Friday. It was nice and casual; we used a 5-slide PowerPoint to give overviews of the Android classes we'd tested, and asked some questions about what to do next.



Week 2: 6/8/10 - 6/14/10


Since it's summer, everyone here is pretty chilled out, and the only deadlines are the ones we set ourselves. It means that things are taking a pretty slow pace, which is really nice and relaxing! It also makes it even harder to be motivated. Right now I usually only work in the afternoon, between lunch and dinner. I'm sure I'll start putting more time in when my projects get more involved.


Project 1, Android apps:

Last Tuesday, on the first day of my second week, I met Royce, who's an undergrad in my year here at Berkeley. We're working together on this project. We spent the first week writing "unit tests" for an Android; basically, we picked the most important aspects of the phone security-wise (Wifi, text messages, Bluetooth, phone calls) and wrote tests to see which functions require permission to execute, and which don't, and whether or not someone could do something malicious without having any permissions. The grad students are going to be writing a program to explore these connections automatically, so they need a basis for comparison. I'm glad to be working with Royce; what we've done would have been pretty challenging for someone to do alone, but it's really easy with two people, and I think our code is definitely all the better for having two people working on it.


Project 2, Medical devices:

I spent a few hours on the phone talking to the IT departments of various hospitals, trying to find someone to contact about the possibility of getting the hospital's cooperation in our research. I didn't have much success, but thankfully it turned out not to matter too much. I went to a meeting yesterday (Tuesday, actually the first day of my third week) with Prof Dawn, Steve, and two professors from UMass, one who was visiting and one who was on the phone, where we talked about what to do with this project. We hope to get permission from hospitals to go visit them and assess their security practices regarding computers, but it's a lot more difficult than it sounds. For one thing, our project would mean more work for the hospital staff, so we're worried they'll turn us down right away. For another, if we uncover a lot of lax security, it won't look very good for the hospital. Also, there are some human rights issues; if we want to interview anyone for the study, we have to get our questions cleared with a board ahead of time. Steve and I are going to look into the paperwork, and in the meantime, we're going to send a letter to one (more or less randomly chosen) hospital and see what their reaction is.


Project 3, Mobile banking:

I also had a meeting yesterday to discuss this project, with Steve and another grad student, Devdatta. I met Arman, who's another UC Berkeley undergrad who's going to be working with me. We talked about a few different ways in which security while banking might be compromised, and got a couple more things to read (which I have to go look at soon!). Later, Devdatta found a couple of papers that have already looked at a couple of the approaches we discussed (namely, clickjacking and phishing). Arman is going to look for more papers, so we don't end up doing the same research somebody else already covered.


I still haven't really met anyone at I House, but I haven't been trying, either. Staying in my room and reading or watching TV is honestly just too much fun, since I never get the opportunity to be alone like this in college or even at home! I'm thinking of going to the Latin dancing lessons that are offered on Monday nights, though I've already done a bit of salsa and tango. I wish there was blues dancing at I House. Maybe somewhere else in Berkeley.



Week 1: 6/1/10 - 6/7/10


My first week here has mostly been setting up, meeting people, and a whole lot of background reading. I'm the first undergrad REU student in the department to arrive, so I have a lot of setting up to figure out; my fellow DREU students aren't coming until the end of June, so I hope it will be easier for them now that everyone's already dealt with one setup. There are a couple other programs for REU students, TRUST and SUPERB, but those students are arriving next week.


I was able to meet with my professor, Dawn Song, on the first day, which was a relief after the blogs of Berkeley students I read from last year, whose professor was too busy to see them for a while. She seems really busy and really nice, and she set me up with a grad student, Steve, who will basically be my supervisor for the projects. I can keep in touch with him through email and Google Talk, and though he's pretty busy, he's really nice about responding quickly.


Speaking of projects, I was introduced to three of them (!), all run by grad students. One (the one I consider the main one, since it was presented first) is about potential security breaches in how Android applications talk to each other, one about security in health devices (a very broad topic, to be narrowed down as research progresses), and one about security in banking on mobile systems (similarly broad). I find it a little overwhelming to keep up with all of them; I felt like I was supposed to be reading papers (for Android), collecting hospital contact information (for medical devices), and collecting a list of banking apps at the same time. It was really hard to prioritize, and for a while on Thursday, every time I started working on something, I thought "No, I should be working on one of the other ones" and didn't really get anywhere that day. I finally realized I wasn't going to do anything that way and just decided to work with Android until I heard otherwise, which turned out to be more or less fine.


As for setup, it took me three days to get set up with Internet access outside of I House, but it's still a guest account. I installed all the software I'm working with on my laptop, which is really nice for me because it's familiar to work with. I'm trying to get a Cal ID so I can have a real account to access the Internet and ride the buses (it's a 10-to-15-minute walk from I House to Soda Hall, where Dawn and Steve are). Usually, I'd also need a Cal ID to get in and out of the room my desk is in, but it turns out that by coincidence, something went wrong with the system the day I got here, so I had no trouble getting a temporary keycard.


Most of the time I wasn't meeting people and getting set up was spent reading papers; the grad students on my project sent me a LOT of background papers that they used when investigating something similar last semester. It's pretty slow going since I've never had to read papers before, and I don't know how much I'm really getting out of it or how much the reading will help in the future.


For fun over the weekend, I took BART to meet a college friend at an arcade about an hour away. It was a really easy trip; I love public trains! According to Google Maps, BART is cheaper than driving - and there isn't any traffic (not on a Saturday morning, anyway; I had no problem getting a couple of seats to myself). Trains come by every station about every 20 minutes, so I didn't even have a tight schedule to make. I explored Berkeley a little bit when I got back, but I felt awkward wandering around on my own. Hopefully I'll make it back down there after I meet a couple more people.