Hidden GEMs: Automated discovery of access control vulnerabilities in Graphical User Interfaces

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 149-162

  Mulliner, Collin ^a   Robertson, William ^a   Kirda, Engin ^a  

^a NORTHEASTERN UNIVERSITY   (United States)

Author keywords

access control; automation; GUI; vulnerability analysis; widget

Indexed keywords

ACCESS CONTROL; AUTOMATION; GEMS; MINERS;

ACCESS CONTROL POLICIES; AUTOMATED DISCOVERY; ENTERPRISE MARKET; GRAPHICAL USER INTERFACE (GUIS); VISUAL ELEMENTS; VULNERABILITY ANALYSIS; WIDGET; WINDOWS PLATFORM;

GRAPHICAL USER INTERFACES;

EID: 84914173351     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.17     Document Type: Conference Paper

References (29)

1. Acunetix, "Acunetix Web Vulnerability Scanner," http://www.acunetix.com/, 2008.
2. Auto It Consulting Ltd. (2013) Autolt. http://www.autoitscript.com.
3. B. Beizer, Software System Testing and Quality Assurance. Van Nostrand Reinhold, 1984.
4. -, Software Testing Techniques. Van Nostrand Reinhold, 1990.
5. P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan, "NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications," in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010.
6. P. Bisht, T. L. Hinrichs, N. Skrupsky, and V. N. Venkatakrishnan, "WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction." in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), 2011.
7. J. Brown. (2012, July) Win Spy++. http://www.catch22.net/software/winspy-17.
8. Burp Spider, "Web Application Security," http://portswigger.net/spider/, 2008.
9. T.-H. Chang, T. Yeh, and R. C. Miller, "GUI Testing Using Computer Vision," in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), 2010.
10. J. Clarke, "Automated test generation from a Behavioral Model," in Proceedings of Pacific Northwest Software Quality Conference, 1998.
11. C. Ghezzi, M. Jazayeri, and D. Mandrioli, Fundamentals of Software Engineering. Prentice-Hall International, 1994.
12. HP/Mercury Interactive. (2003) Win Runner. http://support.openview. hp.com/encore/wr.j sp.
13. Insecure.org, "NMap Network Scanner," http://www.insecure.org/nmap I, 2008.
14. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)," in IEEE Symposium on Security and Privacy (Oakland), 2006.
15. A. M. Memon, M. E. Pollack, and M. L. Soffa, "Hierarchical GUI Test Case Generation Using Automated Planning," IEEE Transactions on Software Engineering, pp. 155-155, 2001.
16. A. M. Memon, M. Pollack, and M. Soffa, "Using a Goal-driven Approach to Generate Test Cases for GUIs," in Proceedings of the 21st International Conference on Software Engineering (ICSE), 1999.
17. Microsoft. (2013) Visual Studio Spy++. http://msdn.microsoft.com/en-us/library/dd460756.aspx.
18. B. Moore. (2003, October) Shattering by Example, http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-moore/bh-us-04-moore-whitepaper.pdf.
19. B. N. Nguyen, B. Robbins, I. Baneijee, and A. Memon, "Guitar: an innovative tool for automated testing of gui-driven software," Automated Software Engineering, pp. 1-41, 2013.
20. Nikto, "Web Server Scanner," http://www.cirt.net/code/nikto.shtml, 2008.
21. J. Offutt and A. Abdurazik, "Generating Tests from UML Specifications," Second International Conference on the Unified Modeling Language, 1999.
22. -, "Using UML Collaboration Diagrams for Static Checking and Test Generation," Third International Conference on UML, 2000.
23. J. Offutt, S. Liu, A. Abdurazik, and P. Ammann, "Generating Test Data from State-based Specifications," Journal of Software Testing, Verification and Reliability, 2003.
24. C. Paget. (2002, August) Exploiting design flaws in the Win32 API for privilege escalation, http://www.thehackademy.net/madchat/vxdevl/papers/winsys/shatter.html.
25. PROFFIX Software AG. (2013) PROFFIX. http://www.proffix.net.
26. Z. Su and G. Wassermann, "The Essence of Command Injection Attacks in Web Applications," in Symposium on Principles of Programming Languages, 2006.
27. Tenable Network Security, "Nessus Open Source Vulnerability Scanner Project," http://www.nessus.org/, 2008.
28. "Web Application Attack and Audit Framework," http://w3af. sourceforge.net/.
29. Y. Xie and A. Aiken, "Static Detection of Security Vulnerabilities in Scripting Languages," in 15th USENIX Security Symposium (USENIX SEC), 2006.