Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces"

Engin Kirda, Professor of Computer Science and Engineering at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute, gives a talk about "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces"

He is also a co-founder and Chief Architect at Lastline, Inc—a company specialized in advanced malware detection and defense. Before moving to the US, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and US. Engin‘s research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and automated vulnerability discovery and mitigation. He co-authored more than 100 peer-reviewed scholarly publications and served on program committees of numerous international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID), in 2010/11, Program Chair of the European Workshop on Systems Security (Eurosec), in 2012 the Program Chair of the USENIX Workshop on Large Scale Exploits and Emergent Threats, and chaired the flagship security conference NDSS in 2015. Engin will be chairing USENIX Security in 2017.

Abstract: Graphical user interfaces (GUIs) are the predominant means by which users interact with modern programs.  GUIs contain a number of common visual elements or widgets such as labels, textfields, buttons, and lists, and GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable.  While these attributes are extremely useful to provide visual cues to users to guide them through an application‘s GUI, they can also be misused for purposes they were not intended.  In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.

In this talk, I will present  GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. I will present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications.  I will then present GEM Miner, an implementation of our GEM analysis for the Windows platform.