BFTDetector: Automatic Detection of Business Flow Tampering for Digital Content Service
Digital content services provide users with a wide range of content, such as news, articles, or movies, while monetizing their content through various business models and promotional methods. Unfortunately, poorly designed or unprotected business logic can be circumvented by malicious users, which is known as business flow tampering. Such flaws can severely harm the businesses of digital content service providers.
In this paper, we propose an automated approach that discovers business flow tampering flaws. Our technique automatically runs a web service to cover different business flows (e.g., a news website with vs. without a subscription paywall) to collect execution traces. We perform differential analysis on the execution traces to identify divergence points that determine how the business flow begins to differ, and then we test to see if the divergence points can be tampered with. We assess our approach against 352 real-world digital content service providers and discover 315 flaws from 204 websites, including TIME, Fortune, and Forbes. Our evaluation result shows that our technique successfully identifies these flaws with low false-positive and false-negative rates of 0.49% and 1.44%, respectively.
Wed 17 MayDisplayed time zone: Hobart change
13:45 - 15:15 | Software security and privacyTechnical Track / Journal-First Papers at Meeting Room 103 Chair(s): Wei Yang University of Texas at Dallas | ||
13:45 15mTalk | BFTDetector: Automatic Detection of Business Flow Tampering for Digital Content Service Technical Track I Luk Kim Purdue University, Weihang Wang University of Southern California, Yonghwi Kwon University of Virginia, Xiangyu Zhang Purdue University | ||
14:00 15mTalk | FedSlice: Protecting Federated Learning Models from Malicious Participants with Model Slicing Technical Track Ziqi Zhang Peking University, Yuanchun Li Institute for AI Industry Research (AIR), Tsinghua University, Bingyan Liu Peking University, Yifeng Cai Peking University, Ding Li Peking University, Yao Guo Peking University, Xiangqun Chen Peking University | ||
14:15 15mTalk | PTPDroid: Detecting Violated User Privacy Disclosures to Third-Parties of Android Apps Technical Track Zeya Tan Nanjing University of Science and Technology, Wei Song Nanjing University of Science and Technology Pre-print | ||
14:30 15mTalk | AdHere: Automated Detection and Repair of Intrusive Ads Technical Track Yutian Yan University of Southern California, Yunhui Zheng , Xinyue Liu University at Buffalo, SUNY, Nenad Medvidović University of Southern California, Weihang Wang University of Southern California | ||
14:45 15mTalk | Bad Snakes: Understanding and Improving Python Package Index Malware Scanning Technical Track | ||
15:00 7mTalk | DAISY: Dynamic-Analysis-Induced Source Discovery for Sensitive Data Journal-First Papers Xueling Zhang Rochester Institute of Technology, John Heaps University of Texas at San Antonio, Rocky Slavin The University of Texas at San Antonio, Jianwei Niu University of Texas at San Antonio, Travis Breaux Carnegie Mellon University, Xiaoyin Wang University of Texas at San Antonio | ||
15:07 7mTalk | Assessing the opportunity of combining state-of-the-art Android malware detectors Journal-First Papers Nadia Daoudi SnT, University of Luxembourg, Kevin Allix CentraleSupelec Rennes, Tegawendé F. Bissyandé SnT, University of Luxembourg, Jacques Klein University of Luxembourg |