Write a Blog >>
Tue 11 Jul 2017 13:45 - 14:10 at Bren 1414 - Dynamic Analysis Chair(s): Tao Xie

Modern applications are often split into separate client and server tiers that communicate via message passing over the network. One well-understood threat to privacy for such applications is the leakage of sensitive user information either in transit or at the server. In response, an array of defensive techniques have been developed to identify or block unintended or malicious information leakage. However, prior work has primarily considered privacy leaks originating at the client directed at the server, while leakage in the reverse direction – from the server to the client – is comparatively under-studied. The question of whether and to what degree this leakage constitutes a threat remains an open question. We answer this question in the affirmative with Hush, a technique for semi-automatically identifying Server-based InFormation OvershariNg (SIFON) vulnerabilities in multi-tier applications. In particular, the technique detects SIFON vulnerabilities using a heuristic that overshared sensitive information from server-side APIs will not be displayed by the application’s user interface. The technique first performs a scalable static program analysis to screen applications for potential vulnerabilities, and then attempts to confirm these candidates as true vulnerabilities with a partially-automated dynamic analysis. Our evaluation over a large corpus of Android applications demonstrates the effectiveness of the technique by discovering several previously-unknown SIFON vulnerabilities in eight applications.

Tue 11 Jul

issta-2017-research
13:20 - 15:00: Technical Papers - Dynamic Analysis at Bren 1414
Chair(s): Tao XieUniversity of Illinois at Urbana-Champaign
issta-2017-research13:20 - 13:45
Talk
Yizhen ChenSUNY Albany, USA, Ming YingSUNY Albany, USA, Daren LiuSUNY Albany, USA, Adil AlimSUNY Albany, USA, Feng ChenSUNY Albany, USA, Mei-Hwa ChenSUNY Albany, USA
DOI
issta-2017-research13:45 - 14:10
Talk
William KochBoston University, USA, Abdelberi ChaabaneNortheastern University, USA, Manuel EgeleBoston University, USA, William RobertsonNortheastern University, USA, Engin KirdaNortheastern University, USA
DOI
issta-2017-research14:10 - 14:35
Talk
Yonghwi KwonPurdue University, Weihang WangPurdue University, Yunhui ZhengIBM T.J. Watson Research Center, Xiangyu ZhangPurdue University, Dongyan XuPurdue University, USA
DOI
issta-2017-research14:35 - 15:00
Talk
Marija SelakovicTU Darmstadt, Germany, Thomas GlaserTU Darmstadt, Germany, Michael PradelTU Darmstadt
DOI