[NRG] Notification: Discovering servers leaking sensitive information (Wil Koch) @ Mon Dec 7, 2015 11am - 12pm (NRG at BU)

Google Calendar calendar-notification at google.com
Sun Dec 6 11:00:06 EST 2015

This is a notification for:

Title: Discovering servers leaking sensitive information (Wil Koch)
Discovering servers leaking sensitive information

William Koch (Presenter), Abdelberi Chaabane, Manuel Egele, Wil Robertson,  
Engin Kirda

Modern applications are often split into separate client and server tiers
that communicate via message passing over the network. One well-understood
threat to privacy for such applications is the leakage of sensitive user
information either in transit or at the server. In response, an array of
defensive techniques has been developed to identify or block unintended or
malicious information leakage. However, prior work has primarily considered
privacy leaks originating at the client and directed at the server, while
leakage in the reverse direction -- from the server to the client -- is
comparatively under-studied. Whether, and to what degree, this leakage
constitutes a threat remains an open question.

We answer this question in the affirmative with our system, a technique for  
semi-automatically identifying server-side information leakage (SERIAL)  
vulnerabilities in multi-tier applications. In particular, the technique  
detects SERIAL vulnerabilities that arise due to oversharing of sensitive  
information from server-side APIs that is not displayed by the  
application's user interface. The technique first performs a scalable  
static program analysis to screen applications for potential  
vulnerabilities, and then attempts to confirm these candidates as true  
vulnerabilities with a partially-automated dynamic analysis. Our evaluation  
over a large corpus of Android applications demonstrates the effectiveness  
of the technique by discovering several previously-unknown SERIAL  
vulnerabilities in five applications. We have reported these  
vulnerabilities to the developers of the affected applications, and have  
received confirmation for two of them. Furthermore, one developer has already
patched their cloud backend to prevent the SERIAL vulnerability we reported.

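The oversharing pattern the abstract describes, illustrated with a small added check that is not the authors' system and not part of the original notice: a server JSON response (constructed sample) is flattened into dotted field paths, fields whose names look sensitive are selected by a name heuristic (an assumption standing in for a real sensitivity policy), and any such field that the client never binds to its user interface is reported. The set of UI-bound fields is hard-coded here as a stand-in for what a static analysis of the client would extract; a real pipeline would confirm each report dynamically, as the abstract's two-phase approach does, because name heuristics alone yield false positives.

```python
"""Added illustration of detecting server-side oversharing (SERIAL-style).

Not the paper's tool. Assumptions: SAMPLE_RESPONSE is a constructed API
response; UI_BOUND_FIELDS is a constructed stand-in for the fields a client
static analysis would find bound to the UI; SENSITIVE_PATTERNS is a name
heuristic, not a validated sensitivity policy.
"""
import json
import re

# Constructed sample: what a hypothetical "profile" endpoint returns.
SAMPLE_RESPONSE = json.dumps({
    "user": {
        "id": 1042,
        "display_name": "alice",
        "email": "alice@example.invalid",
        "phone": "+1-555-0100",
        "address": {"street": "1 Example St", "city": "Anytown"},
        "password_hash": "$2b$12$placeholderplaceholderplaceholder",
    },
    "session": {"token": "sess-placeholder", "expires": 1700000000},
})

# Constructed: dotted paths of fields the client UI actually renders.
UI_BOUND_FIELDS = {"user.display_name", "user.id", "session.expires"}

# Heuristic: field names that suggest sensitive content (assumption).
SENSITIVE_PATTERNS = [
    re.compile(p, re.I)
    for p in (r"email", r"phone", r"address", r"password", r"token", r"ssn", r"secret")
]


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def is_sensitive(path):
    """True if any component of the dotted path matches a sensitive name pattern."""
    return any(pattern.search(path) for pattern in SENSITIVE_PATTERNS)


def find_overshared(response_text, ui_fields):
    """Return sorted paths that look sensitive and are never shown by the UI.

    Each reported path is a candidate, not a confirmed vulnerability; the
    abstract's approach confirms candidates with a dynamic analysis.
    """
    leaves = dict(flatten(json.loads(response_text)))
    return sorted(path for path in leaves
                  if is_sensitive(path) and path not in ui_fields)


if __name__ == "__main__":
    for path in find_overshared(SAMPLE_RESPONSE, UI_BOUND_FIELDS):
        print("candidate overshared field:", path)
```

Running the script lists six candidate fields for the sample response (the session token, the address parts, email, phone and password hash); adding a path such as `user.email` to `UI_BOUND_FIELDS` removes it from the report, which is the distinction the abstract draws between data the application displays and data the server sends but the interface never uses.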
When: Mon Dec 7, 2015 11am - 12pm Eastern Time
Where: MSC 148
Calendar: NRG at BU
     * Nabeel Akhtar - creator

Event details:  

Invitation from Google Calendar: https://www.google.com/calendar/

You are receiving this email at the account nrg-l at cs.bu.edu because you are  
subscribed for notifications on calendar NRG at BU.

To stop receiving these emails, please log in to  
https://www.google.com/calendar/ and change your notification settings for  
this calendar.

Forwarding this invitation could allow any recipient to modify your RSVP  
response. Learn more at  