ICST 2020
Sat 24 - Wed 28 October 2020 Porto, Portugal
Tue 27 Oct 2020 10:30 - 11:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu
Tue 27 Oct 2020 21:30 - 22:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.

Tue 27 Oct

Displayed time zone: Lisbon

10:00 - 11:00
IT3 - Safety & Security, Industry Track at Farfetch (D. Maria) +11h
Chair(s): Rui Abreu Faculty of Engineering, University of Porto, Portugal
10:00
30m
Talk
Generating Avoidable Collision Scenarios for Testing Autonomous Driving Systems
Industry Track
Alessandro Calò Technical University of Munich, Paolo Arcaini National Institute of Informatics, Shaukat Ali Simula Research Laboratory, Florian Hauer Technical University of Munich, Fuyuki Ishikawa National Institute of Informatics
10:30
30m
Talk
Checking Security Properties of Cloud Service REST APIs
Industry Track
Vaggelis Atlidakis Columbia University, Patrice Godefroid Microsoft Research, USA, Marina Polishchuk Microsoft Research, USA
21:00 - 22:00
IT3 - Safety & Security, Industry Track at Farfetch (D. Maria)
Chair(s): Rui Abreu Faculty of Engineering, University of Porto, Portugal
21:00
30m
Talk
Generating Avoidable Collision Scenarios for Testing Autonomous Driving Systems
Industry Track
Alessandro Calò Technical University of Munich, Paolo Arcaini National Institute of Informatics, Shaukat Ali Simula Research Laboratory, Florian Hauer Technical University of Munich, Fuyuki Ishikawa National Institute of Informatics
21:30
30m
Talk
Checking Security Properties of Cloud Service REST APIs
Industry Track
Vaggelis Atlidakis Columbia University, Patrice Godefroid Microsoft Research, USA, Marina Polishchuk Microsoft Research, USA