BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//jEvents 2.0 for Joomla//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
BEGIN:VEVENT
UID:8704bc53a73abec2c734d376aefa0b8f
CATEGORIES:Lectures & Presentations
CREATED:20160229T144108
SUMMARY:Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces"
LOCATION:SBA Research gGmbH\, Vienna
DESCRIPTION:
Engin Kirda, Professor of Computer Science and Engineering at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute, gives a talk about "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces".
He is also a co-founder and Chief Architect at Lastline, Inc., a company specialized in advanced malware detection and defense. Before moving to the US, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna, where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the US. Engin's research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and automated vulnerability discovery and mitigation. He co-authored more than 100 peer-reviewed scholarly publications and served on program committees of numerous international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID); in 2010/11, Program Chair of the European Workshop on Systems Security (Eurosec); in 2012, the Program Chair of the USENIX Workshop on Large Scale Exploits and Emergent Threats; and he chaired the flagship security conference NDSS in 2015. Engin will be chairing USENIX Security in 2017.
Abstract: Graphical user interfaces (GUIs) are the predominant means by which users interact with modern programs. GUIs contain a number of common visual elements or widgets such as labels, textfields, buttons, and lists, and GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes for which they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.
In this talk, I will present GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. I will present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. I will then present GEM Miner, an implementation of our GEM analysis for the Windows platform.
CONTACT:Bettina Bauer (bbauer@sba-research.org)
X-EXTRAINFO:15
DTSTAMP:20240329T142817
DTSTART:20160202T100000
DTEND:20160202T110000
SEQUENCE:0
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR