Joshua Garcia

Assistant Professor of Informatics at UCI Donald Bren School of Information and Computer Sciences

Ph.D., Computer Science, USC


Researcher Spotlight: Joshua Garcia

What brought you to UCI?
UCI is an amazing institution, with top-notch software and security research, which are my two main areas of research interest. This means the researchers at UCI are outstanding. Additionally, Southern California and Irvine are wonderful places to live. I grew up in Southern California and count myself as extremely lucky to have continued to be at such an excellent institution, even in a career that tends to prevent you from having much choice about where I live.

What is your major focus area as a researcher, and why?
I am a software-engineering researcher focusing on software security, testing, analysis, and design. I have been primarily researching mobile security for the last several years.

In one sentence, what is the most important question you want to address?
To what extent can software analysis and design be improved to achieve high accuracy and scalability for software security and other software qualities?

What has been (or will be) the impact of your research?
My research tools and datasets have been used by dozens of researchers, agencies, and companies around the world—including universities in Argentina, Australia, Brazil, Canada, China, Europe, and the United States, and by companies and government agencies such as Boeing, Bosch, Google, IBM, Microsoft, Northrop Grumman, the FBI, the Department of Homeland Security, and NASA.

What is innovative about your research?
In the area of mobile security, my approach, called LetterBomb, is the first automatic exploit-generation approach for Android apps, with the ability to generate over 180 zero-day exploits from a random selection of 10,000 apps, including popular apps with up to 10,000,000 downloads. Types of vulnerabilities for which we utilized automatically generated exploits include privilege escalations, denial of service, and spoofing vulnerabilities. We further created an Android malware-detection and family-identification approach, called RevealDroid, that is highly accurate, scalable, and obfuscation-resilient—with results superior to the top 60 commercial anti-virus tools and state-of-the-research approaches. RevealDroid has the novel ability to analyze unconventional code mechanisms, i.e., reflection (the ability of a program to inspect or modify itself) and native code, using lightweight static program analysis.

What papers do you have coming through in the next year?
We are leveraging LetterBomb and automatic program repair to automatically fix vulnerabilities in Android apps. We will also be presenting the first approach, called Darcy, for detecting and repairing architectural inconsistencies in modern Java programs, which now contain modules that allow engineers to specify exposed interfaces, which has novel security implications. Specifically,  we found 146 instances of inconsistencies among 38 Java applications. By automatically fixing these inconsistencies, we were able to measurably improve various attributes of the subject applications’ architectures, e.g., reducing the attack surface of applications by 61%, producing deployable applications that consume 17% less memory, and improving the encapsulation of applications by 28%.