Martina Lindorfer was selected as the winner of the 2018 Cor Baayen Young Researcher Award. The award committee recognises Martina's impressive achievements and the outstanding quality of her research in the field of systems security, especially the analysis of malicious software and mobile operating system vulnerabilities. Martina Lindorfer is a tenure-track assistant professor in the Security & Privacy group at TU Wien. Until recently, she was a postdoctoral researcher in the Computer Security Group (SecLab) at the University of California, Santa Barbara, US. She received her PhD from TU Wien, where she worked at the International Secure Systems Lab (iSecLab). During her PhD, she was also a researcher with SBA Research, the largest research centre in Austria that exclusively addresses information security, where she was advised by Edgar Weippl, SBA Research's research director.
Malware is the basis of many forms of cybercrime. Motivated by financial gain, malware authors constantly evolve their code to increase their profit by evading security defences and developing new monetisation techniques. Manual analysis of an ever-increasing number of malware samples is infeasible, and developing effective and efficient automated analysis methods is technically challenging because the source code of these programs is not available, and malware binaries are heavily obfuscated and designed to foil any type of analysis. In her work, Martina developed novel techniques to address the challenges that this arms race against malware authors poses for large-scale dynamic analysis of malware samples. Martina has also developed novel analysis techniques for detecting and mitigating privacy leaks in mobile apps.
During her postdoctoral work she expanded her research to the exploitation of the Rowhammer bug, a hardware vulnerability in DRAM in which repeatedly accessing one memory row can flip bits in physically adjacent rows, and which can be exploited by malicious apps, as well as to defences against the resulting attacks. In the resulting work, "Drammer: Deterministic Rowhammer Attacks on Mobile Platforms," she demonstrated for the first time that this vulnerability also affects mobile devices, and that it can be exploited deterministically, without having to rely on software vulnerabilities or special operating system services. In the follow-up work "GuardION," she also demonstrated that Google's patches against Drammer are incomplete, and proposed a better defence based on memory isolation, which is expected to be integrated in future Android versions.
Her research on Drammer received a number of awards: the Best Paper Award at the CSAW Applied Research Competition, the Best Dutch Cyber Security Research Paper (DCSRP), as well as a Pwnie award for Best Privilege Escalation Bug and a Pwnie nomination for Most Innovative Research at Black Hat 2017. Drammer was also recognised by the Android Security Rewards Program, and has prompted Google to issue a number of patches. She developed a popular Android app to allow users to verify whether their devices are vulnerable.
Beyond academic publications, her work has had a significant impact on the research community and on society in general. Fellow researchers, malware analysts in industry, and individuals interested in the security and privacy implications of mobile apps have frequently used her dynamic Android app analysis sandbox "Andrubis." It was used by law enforcement to analyse suspicious apps found on seized devices, and was featured in TV news programmes. The techniques used by Andrubis and her follow-up work are now widely used in industry: they are integrated in anti-virus solutions, sold as stand-alone products and services to secure enterprises, and used by app market operators, such as Google, to vet apps before they are published and made available to the general public.
Her work on privacy leak detection with ReCon, a service for detecting and blocking private information leaks in mobile app traffic, received a grant from the Data Transparency Lab. ReCon and its follow-up work are also publicly available to end users. Her analysis of the longitudinal privacy behaviour of mobile apps serves as a guideline for users to decide whether to install or update an app, based on their personal privacy preferences. Her work has also raised the interest of regulatory agencies, such as the Federal Trade Commission (FTC), and of telecom providers, who are interested in adopting her techniques to protect consumers' privacy. ReCon was also featured in the short documentary film "Harvest" to raise awareness of mobile privacy issues. The film was shown at several prestigious film festivals, including Aspen Shortsfest, Hot Docs, the Seattle International Film Festival, and the Rooftop Films summer series in New York.