A systematic approach to uncover security flaws in GUI logic

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2007, Pages 71-85

  Chen, Shuo ^a   Meseguer, José ^b   Sasse, Ralf ^a,b   Wang, Helen J ^a   Wang, Yi Min ^a  

^a MICROSOFT RESEARCH   (United States)

^b University of Illinois at Urbana Champaign

Author keywords

End to end security; Formal methods; GUI logic flaw; HTML; Visual spoofing

Indexed keywords

CASE BASED REASONING; FORMAL LOGIC; GRAPHICAL USER INTERFACES; HTML; HUMAN COMPUTER INTERACTION; SOFTWARE RELIABILITY;

LOGIC FLAW; SECURITY MEASURES; SOFTWARE IMPLEMENTATIONS; VISUAL SPOOFING;

SECURITY SYSTEMS;

EID: 34548780878     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2007.6     Document Type: Conference Paper

References (27)

1. Thomas Ball, Sriram K. Rajamani. "The SLAM Project: Debugging System Software via Static Analysis", ACM Principles of Programming Languages Conference, 2002.
2. Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, at al. Maude: specification and programming in rewriting logic. Theoretical Computer Science, 285(2): 2002.
3. Hao Chen, Drew Dean, and David Wagner. "Model checking one million lines of C code". Network and Distributed System Security Symposium (NDSS), 2004.
4. Richard S. Cox, Jacob G. Hansen, Steven D. Gribble, and Henry M. Levy: "A Safety-Oriented Platform for Web Applications," IEEE Symposium on Security and Privacy, 2006
5. Rachna Dhamija and J. D. Tygar. "The Battle Against Phishing: Dynamic Security Skins," Symposium on Usable Privacy and Security (SOUPS), July 2005.
6. Rachna Dhamija, J. D. Tygar and Marti Hearst. "Why Phishing Works". Conference on Human Factors in Computing Systems (CHI), 2006.
7. Jeremy Epstein, John McHugh, Rita Pascale, Hilarie Orman, Glenn Benson, et al, "A prototype B3 trusted X Window System," Computer Security Applications Conference, 1991.
8. Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach. "Web Spoofing: An Internet Con Game," 20th National Information Systems Security Conference, 1996
9. Dinei Florencio and Cormac Herley. "Stopping a Phishing Attack, Even when the Victims Ignore Warnings". Microsoft Research MSR-TR-2005-142
10. Galen Hunt and Doug Brubacher. "Detours: Binary Interception of Win32 Functions," Proceedings of the 3rd USENIX Windows NT Symposium, pp. 135-143. Seattle, WA, July 1999.
11. Internet Explorer Window Loading Race Condition Address Bar Spoofing, http://secunia.com/advisories/19521/
12. José Meseguer. "Conditional Rewriting Logic as a United Model of Concurrency". Theoretical Computer Science, 96(1): 73-155, 1992.
13. Benjamin Livshits, Monica S. Lam. "Finding Security Vulnerabilities in Java Applications with Static Analysis," USENIX Security Symposium, 2005.
14. Microsoft Corporation. Microsoft's Vision for an Identity Metasystem, http://msdn.microsoft.com/
15. Catherine Meadows. Formal Verification of Cryptographic Protocols: A Survey. Lecture Notes in Computer Science, 917, 135-150, 1995, Springer.
16. The MSDN Library. "Changing Element Styles". http://msdn.microsoft.com/
17. The MSDN Library. "OLE Background," http://msdn.microsoft.com/ library/default.asp?url=/library/en-us/vccore/html/_core_ole_background.asp
18. Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. "BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML". Operating Systems Design and Implementation, 2006.
19. Blake Ross, Collin Jackson, Nicholas Miyake, et al. "Stronger Password Authentication Using Browser Extensions". Usenix Security Symposium, 2005.
20. SpoofStick. http://www.spoofstick.com/
21. Firefox Visual Spoofing Flaws. Bugtraq list, http://securityfocus.com/ bid. Bug IDs: 10532, 10832, 12153, 12234, 12798, 14526, 14919
22. Internet Explorer Visual Spoofing Flaws. Bugtraq list, http://securityfocus.com/bid. Bug IDs: 3469, 10023, 10943, 11561, 11590, 11851, 11855, 1254.
23. Netscape Navigator Visual Spoofing Flaws. Bugtraq list, http://securityfocus.com/bid. Bug IDs: 7564, 10389
24. Min Wu, Robert C. Miller and Simson L. Garfinkel. "Do Security Toolbars Actually Prevent Phishing Attacks?" Conference on Human Factors in Computing Systems (CHI), 2006.
25. E. Ye, S.W. Smith. "Trusted Paths for Browsers." 11th Usenix Security Symposium. August 2002. (Also, E. Ye, Y.Yuan, S. W. Smith. "Web Spoofing Revisited: SSL and Beyond," Technical Report TR2002-417, Dartmouth College. February 2002.)
26. Ka-Ping Yee, Kragen Sitaker. "Passpet: Convenient Password Management and Phishing Protection," Symposium on Usable Privacy and Security, 2006.
27. Junfeng Yang, Paul Twohey, Dawson Engler, Madanlal, Musuvathi. "Using model checking to find serious file system errors". USENIX Symposium on Operating Systems Design and Implementation, 2004