Hidden GEMs: Automated Discovery of Access Control Vulnerabilities

  • 2016-02-05
  • Research

Graphical user interfaces (GUIs) are the predominant means by which users interact with modern programs. GUIs contain a number of common visual elements or widgets, such as labels, text fields, buttons, and lists, and GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful for providing visual cues that guide users through an application's GUI, they can also be misused for purposes for which they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies. In this talk, I will present GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. I will present a classification of the different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. I will then present GEM Miner, an implementation of our GEM analysis for the Windows platform.
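As an added illustration (not code from the talk or from GEM Miner), a toy Python model of the misuse the abstract describes: a privileged action gated only by a widget's enabled attribute, beside one that re-checks the caller's role inside the handler, plus a small confirmation check that invokes each handler from a low-privilege session. The widget, session and role names are assumptions.

```python
"""Toy model of a GUI element misuse (GEM): a privileged action gated only by a
widget attribute versus one gated by an explicit authorization check."""
from dataclasses import dataclass, field

ADMIN, USER = "admin", "user"  # assumed privilege levels


@dataclass
class Widget:
    name: str
    enabled: bool = True
    visible: bool = True


@dataclass
class Session:
    role: str
    audit: list = field(default_factory=list)


def build_ui(session):
    """Hide and disable the privileged button for non-admins, as many apps do."""
    is_admin = session.role == ADMIN
    return {"delete_all": Widget("delete_all", enabled=is_admin, visible=is_admin)}


def delete_all_vulnerable(session, widget):
    """GEM: the only 'check' is the widget attribute the UI layer set."""
    if not widget.enabled:
        return False
    session.audit.append("deleted all records")
    return True


def delete_all_hardened(session, widget):
    """Authorization is re-checked in the handler; the widget state is a cue only."""
    if not widget.enabled:
        return False
    if session.role != ADMIN:
        session.audit.append("denied: delete_all by " + session.role)
        return False
    session.audit.append("deleted all records")
    return True


def gem_check(handler, role):
    """Confirmation step: the widget attribute is client-side state, so flip it
    under a low-privilege session and report whether the privileged effect
    still happened. True means the handler relies on the attribute (a GEM)."""
    session = Session(role=role)
    widget = build_ui(session)["delete_all"]
    widget.enabled = widget.visible = True
    return bool(handler(session, widget) and "deleted all records" in session.audit)
```

In the hardened form the attribute still drives the visual cue, but the privilege decision lives with the action, so the check reports no GEM for a non-admin session.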


Engin Kirda is Professor of Computer Science and Engineering at Northeastern University in Boston, and director of the Northeastern Information Assurance Institute. He is also a co-founder and Chief Architect at Lastline, Inc., a company specializing in advanced malware detection and defense. Before moving to the US, he held faculty positions at Institute Eurecom in the French Riviera and TU Wien, where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the US. Engin's research has focused on malware analysis (e.g., Anubis, Exposure, Fire) and detection, web application security, and automated vulnerability discovery and mitigation. He has co-authored more than 100 peer-reviewed scholarly publications and served on the program committees of numerous international conferences and workshops. In 2009, Engin was the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID); in 2010/11 the Program Chair of the European Workshop on Systems Security (Eurosec); in 2012 the Program Chair of the USENIX Workshop on Large Scale Exploits and Emergent Threats; and he chaired the flagship security conference NDSS in 2015. Engin will be chairing USENIX Security in 2017.


This talk is organized by the Information and Software Engineering Group at the Institute of Software Technology and Interactive Systems, and IEEE CS/SMCS Austria Chapter.
