Write a Blog >>
ASE 2021
Sun 14 - Sat 20 November 2021 Australia
Tue 16 Nov 2021 21:00 - 21:20 at Kangaroo - Fuzzing Applications Chair(s): Thuan Pham

Browsers use security policies to block malicious behaviors. Cross-Origin Read Blocking (CORB) is a browser security policy for preventing side-channel attacks such as Spectre. We propose a web browser security policy fuzzer called CorbFuzz for checking CORB and similar policies. In implementing a security policy, the browser only has access to HTTP requests and responses, and takes policy actions based solely on those interactions. In checking the browser security policies, CorbFuzz uses a policy oracle that tracks the web application behavior and infers the desired policy action based on the web application state. By comparing the policy oracle with the browser behavior, CorbFuzz detects weaknesses in browser security policies. CorbFuzz checks the web browser policy by fuzzing a set of web applications where the persistent layer queries are symbolically evaluated for increased coverage and automation. CorbFuzz collects type information from database queries and branch conditions in order to prevent the generation of inconsistent data values during fuzzing. We evaluated CorbFuzz on CORB and Opaque Response Blocking (ORB) policies on web applications collected from Github and found three classes of weaknesses in Chromium’s implementation of CORB.

Tue 16 Nov

Displayed time zone: Hobart change

21:00 - 22:00
Fuzzing ApplicationsResearch Papers / Industry Showcase / Tool Demonstrations at Kangaroo
Chair(s): Thuan Pham The University of Melbourne
CorbFuzz: Checking Browser Security Policies with Fuzzing
Research Papers
Chaofan Shou University of California, Santa Barbara, Ismet Burak Kadron University of California at Santa Barbara, Qi Su University of California Santa Barbara, Tevfik Bultan University of California, Santa Barbara
SMARTIAN : Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses
Research Papers
Jaeseung Choi KAIST, Doyeon Kim LINE Plus Corporation, Soomin Kim KAIST, Gustavo Grieco Trail of Bits, Alex Groce Northern Arizona University, Sang Kil Cha KAIST, South Korea
FinFuzzer: One Step Further in Fuzzing Fintech Systems
Industry Showcase
Qingshun Wang East China Normal University, Lihua Xu New York University Shanghai, Jun Xiao Ant Group Co. Ltd., Qi Guo Ant Group Co. Ltd., Haotian Zhang Ant Group Co. Ltd., Liang Dou East China Normal University, Liang He East China Normal University, Tao Xie Peking University
Scalable Fuzzing of Program Binaries with E9AFL
Tool Demonstrations
Xiang Gao National University of Singapore, Gregory J. Duck National University of Singapore, Abhik Roychoudhury National University of Singapore