[cs-talks] Upcoming CS Seminars: NRG (Mon) + BUSec (Wed)
fgreen1 at bu.edu
Mon Dec 7 10:50:43 EST 2015
Discovering Servers Leaking Sensitive Information
William Koch, BU PhD Student
Monday, December 7, 2015 at 11am in MCS 148
Authors: William Koch (Presenter), Abdelberi Chaabane, Manuel Egele, Wil Robertson, Engin Kirda
Abstract: Modern applications are often split into separate client and server tiers that communicate via message passing over the network. One well-understood threat to privacy for such applications is the leakage of sensitive user information either in transit or at the server. In response, an array of defensive techniques has been developed to identify or block unintended or malicious information leakage. However, prior work has primarily considered privacy leaks originating at the client and directed at the server, while leakage in the reverse direction, from the server to the client, is comparatively under-studied. Whether and to what degree this leakage constitutes a threat remains an open question.
We answer this question in the affirmative with our system, a technique for semi-automatically identifying server-side information leakage (SERIAL) vulnerabilities in multi-tier applications. In particular, the technique detects SERIAL vulnerabilities that arise from oversharing of sensitive information by server-side APIs: data that the server returns but that the application's user interface never displays. The technique first performs a scalable static program analysis to screen applications for potential vulnerabilities, and then attempts to confirm these candidates as true vulnerabilities with a partially automated dynamic analysis. Our evaluation over a large corpus of Android applications demonstrates the effectiveness of the technique by discovering several previously unknown SERIAL vulnerabilities in five applications. We have reported these vulnerabilities to the developers of the affected applications, and have received confirmation for two of them. Furthermore, one developer has already patched their cloud backend to prevent the SERIAL vulnerability we reported.
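The core observation of the abstract, that a server API can return fields the client never renders, is easy to check for once the rendered fields are known. The following Python is an added illustration written for this announcement, not code from the SERIAL system or its authors: it takes a constructed profile-API response, compares its flattened field paths against the set of fields the UI is assumed to display (in the real work this set would come from the dynamic analysis), flags the overshared fields whose names look sensitive, and shows the server-side fix of serializing through an allowlist rather than dumping the whole record. The field names, values and sensitivity patterns are all invented for the example.

```python
import json
import re

# Constructed sample: a server-side profile API response as the client would
# receive it. Every field name and value here is invented for this example.
SAMPLE_RESPONSE = json.dumps({
    "id": 4711,
    "display_name": "alice",
    "avatar_url": "https://example.invalid/a.png",
    "email": "alice@example.invalid",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$examplehashvalue",
    "home_address": {"street": "1 Example St", "city": "Boston"},
    "stats": {"posts": 12, "followers": 3},
})

# Dotted paths the client UI actually renders (assumed; a dynamic analysis of
# the app would record these by observing which response fields reach views).
UI_RENDERED_FIELDS = {"display_name", "avatar_url", "stats.posts", "stats.followers"}

# Heuristic name patterns for fields that matter if they are overshared.
SENSITIVE_PATTERNS = [r"email", r"phone", r"password", r"address", r"ssn", r"token", r"secret"]


def flatten(obj, prefix=""):
    """Flatten nested JSON into a dict of dotted key paths -> leaf values."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def find_overshared_fields(response_json, rendered_fields):
    """Dotted paths present in the response that the UI never displays."""
    leaves = flatten(json.loads(response_json))
    return sorted(path for path in leaves if path not in rendered_fields)


def is_sensitive(path):
    return any(re.search(p, path, re.IGNORECASE) for p in SENSITIVE_PATTERNS)


def audit(response_json, rendered_fields):
    """Candidate SERIAL findings: overshared fields whose names look sensitive."""
    return [p for p in find_overshared_fields(response_json, rendered_fields)
            if is_sensitive(p)]


# Server-side mitigation: an explicit allowlist of fields the client needs,
# instead of serializing the whole stored record.
PUBLIC_PROFILE_FIELDS = ("id", "display_name", "avatar_url", "stats")


def serialize_public_profile(record):
    return {k: record[k] for k in PUBLIC_PROFILE_FIELDS if k in record}


def hardened_response(response_json):
    """Re-serialize a full record through the allowlist (what the fixed API would send)."""
    return json.dumps(serialize_public_profile(json.loads(response_json)))


if __name__ == "__main__":
    print("overshared, sensitive:", audit(SAMPLE_RESPONSE, UI_RENDERED_FIELDS))
    print("after allowlisting:", audit(hardened_response(SAMPLE_RESPONSE), UI_RENDERED_FIELDS))
```

The "id" field is also overshared but is not flagged, which is the point of the sensitivity filter: a rendered-versus-returned diff alone produces many harmless candidates, and the abstract's partially automated confirmation step exists precisely to separate those from real leaks.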
Modular Cryptographic Accumulators
Sophia Yakoubov, BU PhD Student
Wednesday, December 9, 2015 at 10am in MCS 180 (Hariri Seminar Room)
Abstract: Cryptographic accumulators provide a compact commitment to a set. Most allow additions of set members; some (known as “dynamic accumulators”) also allow deletions. All allow proofs of membership; some (known as “universal accumulators”) also allow proofs of nonmembership. In this talk, we provide a unified view of accumulator functionalities and reductions between them. We then use this unified view to construct two new accumulators (both dynamic) with greater efficiency than existing constructions. As an application, we show how to use our new accumulators to build efficient anonymous membership management.
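To make the functionalities named in the abstract concrete (compact commitment to a set, additions and deletions, membership and non-membership proofs), here is a small accumulator written for this announcement in Python. It is not the construction from the talk and should not be read as such: it is a Merkle tree over the sorted members, which gives a dynamic and universal accumulator with logarithmic-size proofs, and it serves only to show what each of those properties means operationally. The accumulator value commits to the member count as well as the tree root so that a non-membership proof can show the queried value falls outside the set's range. Member names in the usage are constructed.

```python
import hashlib
from bisect import bisect_left

LEAF, NODE, ROOT = b"\x00", b"\x01", b"\x02"   # domain-separation tags


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so that different splits of the same bytes differ."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class SortedMerkleAccumulator:
    """Dynamic (add/delete) and universal (membership and non-membership proofs)
    accumulator: a Merkle tree over the sorted member set. Example code for this
    announcement, not the talk's construction."""

    def __init__(self, members=()):
        self.members = sorted(set(members))

    def add(self, x: bytes):
        i = bisect_left(self.members, x)
        if i == len(self.members) or self.members[i] != x:
            self.members.insert(i, x)

    def delete(self, x: bytes):
        self.members.remove(x)

    def _layers(self):
        layer = [H(LEAF, m) for m in self.members]
        layers = [layer]
        while len(layer) > 1:
            nxt = [H(NODE, layer[i], layer[i + 1]) for i in range(0, len(layer) - 1, 2)]
            if len(layer) % 2:            # an odd trailing node is carried up unchanged
                nxt.append(layer[-1])
            layer = nxt
            layers.append(layer)
        return layers

    def root(self) -> bytes:
        """The accumulator value: commits to the member count and the tree root."""
        tree = self._layers()[-1][0] if self.members else b""
        return H(ROOT, len(self.members).to_bytes(8, "big"), tree)

    def prove_membership(self, x: bytes):
        """Proof = (count, leaf index, path); path steps are (sibling, sibling_is_left) or None."""
        i = bisect_left(self.members, x)
        if i == len(self.members) or self.members[i] != x:
            raise KeyError(x)
        path, idx = [], i
        for layer in self._layers()[:-1]:
            path.append((layer[idx ^ 1], idx % 2 == 1) if idx ^ 1 < len(layer) else None)
            idx //= 2
        return len(self.members), i, path

    def prove_nonmembership(self, x: bytes):
        """Proof = membership proofs of the sorted neighbours that bracket x."""
        i = bisect_left(self.members, x)
        if i < len(self.members) and self.members[i] == x:
            raise ValueError("x is a member")
        left = (self.members[i - 1], self.prove_membership(self.members[i - 1])) if i > 0 else None
        right = (self.members[i], self.prove_membership(self.members[i])) if i < len(self.members) else None
        return left, right


def verify_membership(root: bytes, x: bytes, proof) -> bool:
    count, index, path = proof
    h, idx = H(LEAF, x), 0
    for k, step in enumerate(path):
        if step is None:
            continue                          # carried node: no sibling at this level
        sib, sib_left = step
        h = H(NODE, sib, h) if sib_left else H(NODE, h, sib)
        idx |= int(sib_left) << k             # rebuild the leaf index from the path
    return idx == index and H(ROOT, count.to_bytes(8, "big"), h) == root


def verify_nonmembership(root: bytes, x: bytes, proof) -> bool:
    left, right = proof
    if left is None and right is None:        # only valid for the empty set
        return root == H(ROOT, (0).to_bytes(8, "big"), b"")
    ok, count = True, None
    if left is not None:
        lv, lp = left
        ok = ok and lv < x and verify_membership(root, lv, lp)
        count = lp[0]
    if right is not None:
        rv, rp = right
        ok = ok and x < rv and verify_membership(root, rv, rp)
        count = rp[0]
    if left is None:
        ok = ok and right[1][1] == 0          # x is below the smallest member
    elif right is None:
        ok = ok and left[1][1] == count - 1   # x is above the largest member
    else:
        ok = ok and right[1][1] == left[1][1] + 1   # neighbours are adjacent leaves
    return bool(ok)
```

Deletion is what makes this accumulator dynamic: after `delete`, the count and tree root both change, so a membership proof issued earlier stops verifying, and a non-membership proof for the removed value can now be produced. The talk's constructions target the same interface with different efficiency trade-offs; the reductions it describes are between exactly these functionalities.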