BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//jEvents 2.0 for Joomla//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
BEGIN:VEVENT
UID:8704bc53a73abec2c734d376aefa0b8f
CATEGORIES:Lectures & Presentations
CREATED:20160229T144108
SUMMARY:Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces"
LOCATION:SBA Research gGmbH\, Vienna
DESCRIPTION:Engin Kirda (http://www.ccs.neu.edu/home/ek/), Professor of Computer Science and Engineering at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute, gives a talk about "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces"\nHe is also a co-founder and Chief Architect at Lastline, Inc—a company specialized in advanced malware detection and defense. Before moving to the US, he held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna, where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the US. Engin's research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and automated vulnerability discovery and mitigation. He co-authored more than 100 peer-reviewed scholarly publications and served on program committees of numerous international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID), in 2010/11 Program Chair of the European Workshop on Systems Security (Eurosec), in 2012 the Program Chair of the USENIX Workshop on Large Scale Exploits and Emergent Threats, and chaired the flagship security conference NDSS in 2015. Engin will be chairing USENIX Security in 2017.\nAbstract: Graphical user interfaces (GUIs) are the predominant means by which users interact with modern programs. GUIs contain a number of common visual elements or widgets such as labels, textfields, buttons, and lists, and GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.\nIn this talk, I will present GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. I will present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. I will then present GEM Miner, an implementation of our GEM analysis for the Windows platform.
CONTACT:Bettina Bauer (bbauer@sba-research.org)
X-EXTRAINFO:15
DTSTAMP:20240328T111100
DTSTART:20160202T100000
DTEND:20160202T110000
SEQUENCE:0
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR
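The abstract above describes GUI element misuse (GEMs): a widget's enabled, visible or writable attribute is the only thing standing between a low-privilege user and a privileged action, and an attacker who flips the attribute (on Windows, for example by re-enabling a disabled button and sending it a click) gets the action. The following is an added example, not code from the talk, from GEM Miner or from SBA Research; it models the two-step "identify, then confirm" idea from the abstract against a constructed in-memory widget model rather than a real GUI toolkit, so it runs anywhere. The widget names, roles and handlers (`delete_all`, `export`, `admin`/`user`) are invented for illustration, and the vulnerable builder sits beside a hardened one whose handler re-checks the caller's role regardless of widget state.

```python
"""GEM model: widget attributes misused as access control, and how to probe for it.

Added example, not GEM Miner's code. The widgets, roles and handlers below are
constructed for illustration; a real probe would drive native widgets instead.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Widget:
    """Minimal stand-in for a toolkit widget with the three attributes the talk names."""
    name: str
    enabled: bool = True
    visible: bool = True
    writable: bool = True
    on_activate: Optional[Callable[["Session"], str]] = None


@dataclass
class Session:
    """Who is driving the GUI; 'role' is the in-application privilege level."""
    user: str
    role: str  # "admin" or "user" (hypothetical roles)
    audit: List[str] = field(default_factory=list)


def delete_all_records(sess: Session) -> str:
    """The privileged operation reachable from the GUI (constructed)."""
    sess.audit.append(f"{sess.user} deleted all records")
    return "deleted"


def build_vulnerable_ui(sess: Session) -> Dict[str, Widget]:
    """GEM pattern: the widget's 'enabled' flag is the only privilege check."""
    return {
        "delete_all": Widget("delete_all", enabled=(sess.role == "admin"),
                             on_activate=delete_all_records),
        "export": Widget("export", on_activate=lambda s: "exported"),
    }


def build_hardened_ui(sess: Session) -> Dict[str, Widget]:
    """Same visual cue, but the handler enforces the policy itself."""
    def guarded_delete(s: Session) -> str:
        if s.role != "admin":
            s.audit.append(f"{s.user} denied delete_all")
            return "denied"
        return delete_all_records(s)

    return {
        "delete_all": Widget("delete_all", enabled=(sess.role == "admin"),
                             on_activate=guarded_delete),
        "export": Widget("export", on_activate=lambda s: "exported"),
    }


def activate(widget: Widget, sess: Session) -> str:
    """What a toolkit does on a click: disabled or hidden widgets do not fire."""
    if not (widget.enabled and widget.visible):
        return "inert"
    return widget.on_activate(sess) if widget.on_activate else "noop"


def find_gem_candidates(build_ui, low: Session, high: Session) -> List[str]:
    """Identify step: widgets whose attributes differ between privilege levels.

    Render the same screen once per role and diff the attribute sets; any widget
    that is enabled/visible/writable only for the high role is a candidate.
    """
    lo, hi = build_ui(low), build_ui(high)
    attrs = ("enabled", "visible", "writable")
    return sorted(name for name in lo
                  if any(getattr(lo[name], a) != getattr(hi[name], a) for a in attrs))


def confirm_gem(build_ui, low: Session, name: str) -> str:
    """Confirm step: at low privilege, force the attributes open and activate.

    Returns what the handler did. If the privileged action ran (here: "deleted"),
    the attribute was the only control and the GEM is confirmed; a handler that
    re-checks the role returns "denied" and the candidate is a false positive.
    """
    widget = build_ui(low)[name]
    widget.enabled = widget.visible = widget.writable = True  # attacker flips the bits
    return activate(widget, low)


if __name__ == "__main__":
    user, admin = Session("mallory", "user"), Session("alice", "admin")
    for label, builder in (("vulnerable", build_vulnerable_ui), ("hardened", build_hardened_ui)):
        for name in find_gem_candidates(builder, user, admin):
            print(f"{label}: {name} -> {confirm_gem(builder, Session('mallory', 'user'), name)}")
```

The identify step alone produces the same candidate for both builders, which is the point: attribute differences across roles are a cheap signal but not proof. Only the confirm step separates a real GEM from a widget whose handler (or the backend behind it) enforces the policy on its own.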