Tue 27 Oct 2020 10:30 - 11:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu
Tue 27 Oct 2020 21:30 - 22:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu
Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.
Tue 27 Oct (displayed time zone: Lisbon)
10:00 - 11:00 | IT3 - Safety & Security | Industry Track at Farfetch (D. Maria) +11h | Chair(s): Rui Abreu (Faculty of Engineering, University of Porto, Portugal)
10:00 30m Talk | Generating Avoidable Collision Scenarios for Testing Autonomous Driving Systems | Industry Track | Alessandro Calò (Technical University of Munich), Paolo Arcaini (National Institute of Informatics), Shaukat Ali (Simula Research Laboratory), Florian Hauer (Technical University of Munich), Fuyuki Ishikawa (National Institute of Informatics)
10:30 30m Talk | Checking Security Properties of Cloud Service REST APIs | Industry Track | Vaggelis Atlidakis (Columbia University), Patrice Godefroid (Microsoft Research, USA), Marina Polishchuk (Microsoft Research, USA)
21:00 - 22:00 | IT3 - Safety & Security | Industry Track at Farfetch (D. Maria) | Chair(s): Rui Abreu (Faculty of Engineering, University of Porto, Portugal)
21:00 30m Talk | Generating Avoidable Collision Scenarios for Testing Autonomous Driving Systems | Industry Track | Alessandro Calò (Technical University of Munich), Paolo Arcaini (National Institute of Informatics), Shaukat Ali (Simula Research Laboratory), Florian Hauer (Technical University of Munich), Fuyuki Ishikawa (National Institute of Informatics)
21:30 30m Talk | Checking Security Properties of Cloud Service REST APIs | Industry Track | Vaggelis Atlidakis (Columbia University), Patrice Godefroid (Microsoft Research, USA), Marina Polishchuk (Microsoft Research, USA)