[Busec] busec this week: Engin Kirda (Wed 10am)

Sharon Goldberg goldbe at cs.bu.edu
Mon Nov 17 12:06:29 EST 2014

At this week's busec seminar, Engin Kirda from Northeastern will talk about
security vulnerabilities in graphical user interfaces. The following week,
our seminar will be on Monday, with our own Omer Paneth explaining recent
work on the first candidate construction of obfuscation for all circuits.
Also, next week on Tuesday, Ben Fuller will have his PhD Defense (on key
derivation from noisy sources).

Lunch is provided at both seminars as usual, and abstracts are below.

See you there!

BUsec Calendar:  http://www.bu.edu/cs/busec/
BUsec Mailing list: http://cs-mailman.bu.edu/mailman/listinfo/busec
The busec seminar gratefully acknowledges the support of BU's Center for
Reliable Information Systems and Cyber Security (RISCS).


Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in
Graphical User Interfaces
Engin Kirda, NEU.
Wed Nov 19, 2014, 10:00am – 11:30am
Hariri Seminar Room, MCS180


Graphical user interfaces (GUIs) are the predominant means by which users
interact with modern programs.  GUIs contain a number of common visual
elements or widgets such as labels, textfields, buttons, and lists, and
GUIs typically provide the ability to set attributes on these widgets to
control their visibility, enabled status, and whether they are writable.
While these attributes are extremely useful to provide visual cues to users
to guide them through an application's GUI, they can also be misused for
purposes they were not intended.  In particular, in the context of
GUI-based applications that include multiple privilege levels within the
application, GUI element attributes are often misused as a mechanism for
enforcing access control policies.

In this talk, I will present GEMs, or instances of GUI element misuse, as
a novel class of access control vulnerabilities in GUI-based applications.
I will present a classification of different GEMs that can arise through
misuse of widget attributes, and describe a general algorithm for
identifying and confirming the presence of GEMs in vulnerable
applications.  I will then present GEM Miner, an implementation of our GEM
analysis for the Windows platform.
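As an added illustration (not code from the talk or from GEM Miner), here is a toy model of the misuse the abstract describes: a privileged action whose only guard is a widget's `enabled` attribute, a hardened handler that re-checks privilege in the action itself, and a small confirmation routine in the spirit of the described algorithm that flags a GEM when flipping widget attributes in a low-privilege session lets the action go through. All names (`Widget`, `App`, `is_gem`, `click_vulnerable`, `click_fixed`) are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Widget:
    """Minimal stand-in for a GUI widget and its access-related attributes."""
    name: str
    enabled: bool = True
    visible: bool = True


class App:
    """Hypothetical application with two privilege levels (admin / non-admin)."""

    def __init__(self, user_is_admin: bool):
        self.user_is_admin = user_is_admin
        self.deleted = False
        # The "delete all" button is disabled at startup for non-admins.
        self.delete_btn = Widget("delete_all", enabled=user_is_admin)

    def click_vulnerable(self) -> bool:
        # GEM: the handler trusts the attribute set at startup and performs
        # no privilege check of its own.
        if not self.delete_btn.enabled:
            return False
        self.deleted = True
        return True

    def click_fixed(self) -> bool:
        # Hardened: the action checks the privilege level directly, so the
        # widget attribute is only a visual cue, not the access control.
        if not self.user_is_admin:
            return False
        self.deleted = True
        return True


def is_gem(app_factory, widget_name: str, handler_name: str) -> bool:
    """Confirm a GEM on a low-privilege session: the action must be blocked
    with the attributes the app set, but succeed once enabled/visible are
    flipped. app_factory() must return a fresh non-admin App."""
    baseline = app_factory()
    if getattr(baseline, handler_name)():
        return False  # not gated at all; not attribute-based access control
    probe = app_factory()
    widget = getattr(probe, widget_name)
    widget.enabled, widget.visible = True, True
    return getattr(probe, handler_name)()


if __name__ == "__main__":
    non_admin = lambda: App(user_is_admin=False)
    print("vulnerable handler is a GEM:", is_gem(non_admin, "delete_btn", "click_vulnerable"))
    print("fixed handler is a GEM:", is_gem(non_admin, "delete_btn", "click_fixed"))
```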


Candidate Construction of Obfuscation for all Circuits
Omer Paneth, BU.
Monday November 24, 2014, 10:00am – 11:30am
Hariri Seminar Room, MCS180

Last year Garg, Gentry, Halevi, Raykova, Sahai and Waters [FOCS 2013]
presented the first candidate construction of obfuscation for all circuits.
I will describe a variant of this construction and give a security proof
in the generic graded encoding model based on [Garg et al. EUROCRYPT 2014].

Links to papers:


PhD Defense: Strong Key Derivation from Noisy Sources
Ben Fuller, BU
Tuesday, November 25, 2014 at 2:30pm
MCS 180 – Hariri Institute

A shared cryptographic key enables strong authentication.  Candidate
sources for creating such a shared key include biometrics and physically
unclonable functions.  However, these sources come with a substantial
problem: noise in repeated readings.

A fuzzy extractor produces a stable key from a noisy source.  For many
sources of practical importance, traditional fuzzy extractors provide no
meaningful security guarantee.  This dissertation improves fuzzy extractors.

First, we show how to incorporate structural information about the physical
source to facilitate key derivation.  Second, most fuzzy extractors work by
first recovering the initial reading from the noisy reading.  We improve
key derivation by producing a consistent key without recovering the
original reading.  Third, traditional fuzzy extractors provide
information-theoretic security.  We build fuzzy extractors achieving new
properties by only providing security against computationally bounded

Leonid Reyzin (Advisor and First Reader)
Ran Canetti (Second Reader)
Daniel Wichs (NEU, Third Reader)
Sharon Goldberg
Steve Homer (Committee Chair)