<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Elie Bursztein's research publications</title><link>http://elie.im/</link><description>Elie Bursztein's research publications</description><language>en</language><copyright>Elie Bursztein</copyright><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/ebursztein" /><feedburner:info uri="ebursztein" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><title>SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking</title><link>http://feedproxy.google.com/~r/ebursztein/~3/F7ZGFr52YRM/sessionjuggler-secure-web-login-from-an-untrusted-terminal-using-session-hijacking</link><guid isPermaLink="false">http://elie.im/pub/sessionjuggler-secure-web-login-from-an-untrusted-terminal-using-session-hijacking</guid><description>We use modern features of web browsers to develop a secure login
        system from an untrusted terminal. The system, called Session
        Juggler, requires no server-side changes and no special software
        on the terminal beyond a modern web browser. This important
        property makes adoption much easier than with previous proposals.
        With Session Juggler users never enter their long term credential
        on the untrusted terminal. Instead, users log in to a web site using
        a smartphone app and then transfer the entire session, including
        cookies and all other session state, to the untrusted terminal. We
        show that Session Juggler works on all the Alexa top 100 sites except
        eight. Of those eight, five failures were due to the site enforcing IP
        session binding. We also show that Session Juggler works flawlessly
        with Facebook connect. Beyond login, Session Juggler also provides
        a secure logout mechanism where the trusted phone is used to kill
        the session. To validate the session juggling concept we conducted
        a number of web site surveys that are of independent interest. First,
        we survey how web sites bind a session token to a specific device and
        show that most use fairly basic techniques that are easily defeated.
        Second, we survey how web sites handle logout and show that many
        popular sites surprisingly do not properly handle logout requests.</description><pubDate>Sat, 31 Mar 2012 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/sessionjuggler-secure-web-login-from-an-untrusted-terminal-using-session-hijacking</feedburner:origLink></item><item><title>Text-based CAPTCHA Strengths and Weaknesses</title><link>http://feedproxy.google.com/~r/ebursztein/~3/83uMLxXE1Pw/text-based-captcha-strengths-and-weaknesses</link><guid isPermaLink="false">http://elie.im/pub/text-based-captcha-strengths-and-weaknesses</guid><description>We carry out a systematic study of existing visual
            CAPTCHAs based on distorted characters that are augmented with
            anti-segmentation techniques. Applying a systematic
            evaluation methodology to 15 current CAPTCHA schemes from
            popular web sites, we find that 13 are vulnerable to automated attacks.
            Based on this evaluation, we identify a series of
            recommendations for CAPTCHA designers and attackers, and possible
            future directions for producing more reliable
            human/computer distinguishers.</description><pubDate>Fri, 30 Sep 2011 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/text-based-captcha-strengths-and-weaknesses</feedburner:origLink></item><item><title>Reclaiming the Blogosphere, TalkBack: A Secure LinkBack Protocol for Weblogs</title><link>http://feedproxy.google.com/~r/ebursztein/~3/k3oXTCufc88/reclaiming-the-blogosphere-talkBack-a-secure-linkBack-protocol-for-weblogs</link><guid isPermaLink="false">http://elie.im/pub/reclaiming-the-blogosphere-talkBack-a-secure-linkBack-protocol-for-weblogs</guid><description>A LinkBack is a mechanism for bloggers to obtain automatic notifications
            when other bloggers link to their posts.
            LinkBacks are an important pillar of the blogosphere because
            they allow blog posts to cross-reference each other.
            Over the last few years, spammers have consistently tried to abuse LinkBack mechanisms as
            they provide an automated way to inject spam into blogs.
            A recent study shows that a single blog may receive tens of thousands of
            spam LinkBack notifications per day.
            Therefore, there is a great need to develop defenses to protect the blogosphere
            from spammer abuses.
            To address this issue, we introduce TalkBack, a secure LinkBack mechanism.
            While previous methods attempt to detect LinkBack spam using content analysis,
            TalkBack uses distributed authentication and rate limiting
            to prevent spammers from posting LinkBack notifications.</description><pubDate>Wed, 31 Aug 2011 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/reclaiming-the-blogosphere-talkBack-a-secure-linkBack-protocol-for-weblogs</feedburner:origLink></item><item><title>Towards Secure Embedded Web Interfaces</title><link>http://feedproxy.google.com/~r/ebursztein/~3/k2OitbSLp2Y/towards-secure-embedded-web-interfaces</link><guid isPermaLink="false">http://elie.im/pub/towards-secure-embedded-web-interfaces</guid><description>We address the challenge of building secure embedded web interfaces
            by proposing WebDroid: the first framework specifically dedicated to this
            purpose. Our design extends the Android Framework, and enables
            developers to easily create secure web interfaces for their
            applications.  To motivate our work, we perform an in-depth study of
            the security of web interfaces embedded in consumer electronics
            devices, uncover significant vulnerabilities in all the devices
            examined, and categorize the vulnerabilities. We demonstrate how our
            framework's security mechanisms prevent embedded applications from
            suffering the vulnerabilities exposed by our audit. Finally we
            evaluate the efficiency of our framework in terms of performance and
            security.</description><pubDate>Sun, 31 Jul 2011 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/towards-secure-embedded-web-interfaces</feedburner:origLink></item><item><title>OpenConflict: Preventing Real Time Map Hacks in Online Games</title><link>http://feedproxy.google.com/~r/ebursztein/~3/rZrn6weoncQ/OpenConflict-preventing-real-time-map-hacks-in-online-games</link><guid isPermaLink="false">http://elie.im/pub/OpenConflict-preventing-real-time-map-hacks-in-online-games</guid><description>We present a generic tool, Kartograph, that lifts the fog of war in online real-time
            strategy games by snooping on the memory used by the game. Kartograph is passive and 
            cannot be detected remotely.
            Motivated by these passive attacks we set out to develop secure protocols 
            for distributing game state among players so that each client only has data he or she is allowed to see.
            We show that we can run the game with distributed state with only a 22-millisecond overhead per state
            update on a single core machine. While this overhead is already below human perception,
            even lower latency can be obtained on multi-core machines.
            Before we built the OpenConflict system we conducted an extensive study of the amount of data
            and network traffic generated by a popular real-time game, Starcraft II.
            This data helped us predict the performance of OpenConflict before we built it. 
            We present the results of the study for other researchers who wish to experiment with secure protocol
            design for online games.</description><pubDate>Sat, 30 Apr 2011 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/OpenConflict-preventing-real-time-map-hacks-in-online-games</feedburner:origLink></item><item><title>The Failure of Noise-Based Non-Continuous Audio Captchas</title><link>http://feedproxy.google.com/~r/ebursztein/~3/1c3SnmcifOI/the-failure-of-noise-based-non-continuous-audio-captchas</link><guid isPermaLink="false">http://elie.im/pub/the-failure-of-noise-based-non-continuous-audio-captchas</guid><description>Many websites use tests intended to distinguish humans from automated processes
            as part of account registration and other functions. Widely known as Completely Automated 
            Public Turing tests to tell Computers and Humans Apart (CAPTCHA), such tests are generally
            intended to supply a visual or audio task that is relatively easy for humans 
            but hard for computers. In this paper, we propose a generic approach for breaking audio CAPTCHAs
            based on advanced audio processing and machine learning algorithms. We show that our system
            is able to break all the popular audio CAPTCHA schemes, including Microsoft and Yahoo,
            that use non-continuous speech.</description><pubDate>Sat, 30 Apr 2011 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/the-failure-of-noise-based-non-continuous-audio-captchas</feedburner:origLink></item><item><title>Kamouflage: Loss-Resistant Password Management</title><link>http://feedproxy.google.com/~r/ebursztein/~3/-tILRk2YIJg/Kamouflage-loss-resistant-password-management</link><guid isPermaLink="false">http://elie.im/pub/Kamouflage-loss-resistant-password-management</guid><description>We introduce Kamouflage: a new architecture for building
            theft-resistant password managers.  An attacker who steals a laptop
            or cell phone with a Kamouflage-based password manager is forced to
            carry out a considerable amount of online work before obtaining any
            user credentials.  We implemented our proposal as a replacement for
            the built-in Firefox password manager, and provide performance
            measurements and the results of user studies to evaluate the
            effectiveness of our approach.  We expect Kamouflage to become the
            standard architecture for password managers on mobile devices.</description><pubDate>Tue, 31 Aug 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/Kamouflage-loss-resistant-password-management</feedburner:origLink></item><item><title>An Analysis of Private Browsing Modes in Modern Browsers</title><link>http://feedproxy.google.com/~r/ebursztein/~3/UhStA3M5D04/an-analysis-of-private-browsing-modes-in-modern-browsers</link><guid isPermaLink="false">http://elie.im/pub/an-analysis-of-private-browsing-modes-in-modern-browsers</guid><description>We study the security and privacy of private browsing modes recently added
        to all major browsers. 
        We first propose a clean definition of the goals of private browsing and survey 
        its implementation in different browsers.
        We conduct a measurement study to determine how often it is used and on what categories of sites. 
        Our results suggest that private browsing is used differently from how it is marketed.
        We then describe an automated technique for testing the security of private browsing modes
        and report on a few weaknesses found in the Firefox browser.
        Finally, we show that many popular browser extensions and plugins undermine
        the security of private browsing.
        We propose and experiment with a workable policy that lets users safely run extensions in private browsing mode.</description><pubDate>Sat, 31 Jul 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/an-analysis-of-private-browsing-modes-in-modern-browsers</feedburner:origLink></item><item><title>The emergence of cross channel scripting</title><link>http://feedproxy.google.com/~r/ebursztein/~3/CfCEHsSSTRU/the-emergence-of-cross-channel-scripting</link><guid isPermaLink="false">http://elie.im/pub/the-emergence-of-cross-channel-scripting</guid><description>Lightweight, embedded Web servers are soon about to outnumber regular Internet Web servers.
        They reside in devices entrusted with personal and corporate data, and are typically used 
        for configuration and management. We reveal a series of attacks on consumer
        and small office electronics, ranging from networked storage to digital photo frames.
        The attacks target Web server logic and are based on a new type of vulnerability
        that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS)
        in which the attack injection and execution are carried out via different protocols.</description><pubDate>Wed, 30 Jun 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/the-emergence-of-cross-channel-scripting</feedburner:origLink></item><item><title>Webseclab Security Education Workbench</title><link>http://feedproxy.google.com/~r/ebursztein/~3/oyX2jP2vJUk/webseclab-security-education-workbench</link><guid isPermaLink="false">http://elie.im/pub/webseclab-security-education-workbench</guid><description>We have developed and tested a virtual-machine-based web-application security
        student laboratory, Webseclab, comprising a LAMP (Linux, Apache, MySQL, PHP) stack,
        a variety of development tools, and the three most popular browsers for the Linux platform.
        This environment, tested in weekly participatory labs and weekly homework, 
        hosts a teaching framework, exercise sets and labs, 
        and a sandboxed student development environment.
        Eighty incremental exercises based on recent security research, and challenge projects,
        including one based on real open-source applications, teach the major web application vulnerabilities and defenses,
        in an encapsulated environment that allows students to experiment freely without interfering
        with each other or with public networks. In contrast to problems experienced 
        with hands-on projects used in previous years, student response to this platform and
        its contained exercises has been remarkably positive.</description><pubDate>Sat, 31 Jul 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/webseclab-security-education-workbench</feedburner:origLink></item><item><title>Recovering Windows Secrets and EFS Certificates Offline</title><link>http://feedproxy.google.com/~r/ebursztein/~3/60OK1WgiatU/recovering-windows-secrets-and-EFS-certificates-offline</link><guid isPermaLink="false">http://elie.im/pub/recovering-windows-secrets-and-EFS-certificates-offline</guid><description>In this paper we present the result of our reverse-engineering of DPAPI,
            the Windows API for safe data storage on disk. Understanding DPAPI was the major roadblock
            preventing alternative systems such as Linux from reading Windows Encrypting File System (EFS) files.
            Our analysis of DPAPI reveals how an attacker can leverage DPAPI design choices to gain
            a nearly silent backdoor. We also found a way to recover all previous passwords
            used by any user on a system. We implement DPAPI data decryption and previous password
            extraction in a free tool called DPAPIck. Finally, we propose a backward compatible scheme
            that addresses the issue of previous password recovery.</description><pubDate>Sat, 31 Jul 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/recovering-windows-secrets-and-EFS-certificates-offline</feedburner:origLink></item><item><title>Framing Attacks on Smartphones, Dumb Routers and Social Sites: Tap-jacking, Geo-localization and Framing Leak Attacks</title><link>http://feedproxy.google.com/~r/ebursztein/~3/L5DvXV-nwiE/framing-attacks-on-smartphones-dumb-routers-and-social-sites-tap-jacking-geo-localization-and-framing-leak-attacks</link><guid isPermaLink="false">http://elie.im/pub/framing-attacks-on-smartphones-dumb-routers-and-social-sites-tap-jacking-geo-localization-and-framing-leak-attacks</guid><description>While many popular web sites on the Internet use frame busting to
            defend against clickjacking, very few mobile sites use frame busting.
            Similarly, few embedded web sites such as those used on home routers use frame
            busting.
            In this paper we show that framing attacks on mobile sites and home routers can
            have devastating effects.  We develop a new attack called
            tap-jacking that uses features of mobile browsers to implement a
            strong clickjacking attack on phones.  Tap-jacking on a
            phone is more powerful than traditional clickjacking attacks on
            desktop browsers. For home routers we show that framing attacks can
            result in theft of the wifi WPA secret key and a precise geo-localization
            of the wifi network.  Finally, we leverage the recent scrolling
            technique of Stone to develop a framing attack that defeats
            the clever frame busting approach employed by Facebook.
            The attack exposes private user information.</description><pubDate>Sat, 31 Jul 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/framing-attacks-on-smartphones-dumb-routers-and-social-sites-tap-jacking-geo-localization-and-framing-leak-attacks</feedburner:origLink></item><item><title>Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites</title><link>http://feedproxy.google.com/~r/ebursztein/~3/x-SJL_a_1e4/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites</link><guid isPermaLink="false">http://elie.im/pub/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites</guid><description>Web framing attacks such as clickjacking use iframes to
            hijack a user's web session. The most common defense,
            called frame busting, prevents a
            site from functioning when loaded inside a frame.
            We study frame busting practices for the Alexa Top-500 sites
            and show that all can be circumvented in one way or another.  Some
            circumventions are browser-specific while others work across browsers.
            We conclude with recommendations for proper frame busting.</description><pubDate>Fri, 30 Apr 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites</feedburner:origLink></item><item><title>How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation</title><link>http://feedproxy.google.com/~r/ebursztein/~3/iofOUHHrB5Y/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation</link><guid isPermaLink="false">http://elie.im/pub/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation</guid><description>Captchas are designed to be easy for humans but hard for machines. However, most
            recent research has focused only on making them hard for machines. In this paper,
            we present what is to the best of our knowledge the first large scale evaluation
            of captchas from the human perspective, with the goal of assessing how much
            friction captchas present to the average user.

            For the purpose of this study we have asked workers from Amazon's Mechanical Turk
            and an underground captcha-breaking service to solve more than 318 000 captchas
            issued from the 21 most popular captcha schemes (13 image schemes and 8 audio
            schemes).

            Analysis of the resulting data reveals that captchas are often difficult for
            humans, with audio captchas being particularly problematic. We also find some
            demographic trends indicating, for example, that non-native speakers of English
            are slower in general and less accurate on English-centric captcha schemes.
            Evidence from a week's worth of eBay captchas (14,000,000 samples) suggests that
            the solving accuracies found in our study are close to real-world values, and
            that improving audio captchas should become a priority, as nearly 1% of all
            captchas are delivered as audio rather than images. Finally, our study also
            reveals that it is more effective for an attacker to use Mechanical Turk to solve
            captchas than an underground service.</description><pubDate>Fri, 30 Apr 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation</feedburner:origLink></item><item><title>State of the Art: Automated Black-Box Web Application Vulnerability Testing</title><link>http://feedproxy.google.com/~r/ebursztein/~3/xhIA2XLMZvc/state-of-the-art-automated-black-box-web-application-vulnerability-testing</link><guid isPermaLink="false">http://elie.im/pub/state-of-the-art-automated-black-box-web-application-vulnerability-testing</guid><description>Black-box web application vulnerability scanners are automated tools
            that probe web applications for security vulnerabilities.
            In order to assess the current state of the art, we obtained access
            to eight leading tools and carried out a study of:
            (i) the class of vulnerabilities tested by these scanners,
            (ii) their effectiveness against target vulnerabilities,
            and (iii) the relevance of the target vulnerabilities to vulnerabilities found in the wild.
            To conduct our study we used a custom web application vulnerable to
            known and projected vulnerabilities, and previous versions
            of widely used web applications containing known vulnerabilities.
            Our results show the promise and effectiveness of automated tools,
            as a group, and also some limitations.
            In particular, "stored" forms of Cross Site Scripting (XSS) and SQL Injection (SQLI)
            vulnerabilities are not currently found by many tools.
            Because our goal is to assess the potential of future research,
            not to evaluate specific vendors, we do not report
            comparative data or make any recommendations about
            purchase of specific tools.</description><pubDate>Fri, 30 Apr 2010 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/state-of-the-art-automated-black-box-web-application-vulnerability-testing</feedburner:origLink></item><item><title>Using Strategy Objectives for Network Security Analysis</title><link>http://feedproxy.google.com/~r/ebursztein/~3/KoiSQ-1b69Y/using-strategy-objectives-for-network-security-analysis</link><guid isPermaLink="false">http://elie.im/pub/using-strategy-objectives-for-network-security-analysis</guid><description>The anticipation game framework is an extension of attack graphs based on
            game theory. It is used to anticipate and analyze intruder and administrator
            concurrent interactions with the network. Like attack-graph-based model
            checking, the goal of an anticipation game is to prove that a safety property
            holds. However, using this kind of goal is tedious and error-prone on large networks
            because it assumes that the analyst has prior and complete knowledge of 
            critical network services.

            In this paper we address this issue by introducing a new kind of goal 
            called "strategy objectives". Strategy objectives mix logical constraints and numerical ones.
            Combining these two types allows a new range of analyses to be performed
            that is more usable for network security analysis purposes.
            In order to achieve these strategy objectives, we
            have extended the anticipation games framework with cost and reward. 
            Additionally, this extension allows us to take into account the financial dimension
            of attacks during the analysis. 
            We prove that finding the optimal strategy is decidable and only requires linear space.
            Finally, we show that anticipation games with strategy objectives
            can be used in practice even on large networks by evaluating the performance 
            of our prototype.</description><pubDate>Mon, 30 Nov 2009 23:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/using-strategy-objectives-for-network-security-analysis</feedburner:origLink></item><item><title>TrackBack Spam: Abuse and Prevention</title><link>http://feedproxy.google.com/~r/ebursztein/~3/1gvuNbPwOp4/trackback-spam-abuse-and-prevention</link><guid isPermaLink="false">http://elie.im/pub/trackback-spam-abuse-and-prevention</guid><description>Contemporary blogs receive comments and TrackBacks,
            which result in cross-references between blogs.
            We conducted a longitudinal study of TrackBack spam,
            collecting and analyzing almost
            10 million samples from a massive spam campaign over a one-year period.
            Unlike common delivery of email spam, the spammers did not use bots, but
            took advantage of an official Chinese site as a relay.

            Based on our analysis of TrackBack misuse found in the
            wild, we propose an authenticated TrackBack mechanism that
            defends against TrackBack spam even if attackers use a
            very large number of different source addresses and
            generate unique URLs for each TrackBack blog.</description><pubDate>Sat, 31 Oct 2009 23:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/trackback-spam-abuse-and-prevention</feedburner:origLink></item><item><title>XCS: cross channel scripting and its impact on web applications</title><link>http://feedproxy.google.com/~r/ebursztein/~3/oJM992trZUc/xcs-cross-channel-scripting-and-its-impact-on-web-applications</link><guid isPermaLink="false">http://elie.im/pub/xcs-cross-channel-scripting-and-its-impact-on-web-applications</guid><description>We study the security of embedded web servers used in consumer electronic devices,
            such as security cameras and photo frames, and for IT infrastructure,
            such as wireless access points 
            and lights-out management systems. All the devices we examine 
            turn out to be vulnerable to a variety 
            of web attacks, including cross site scripting (XSS) and
            cross site request forgery (CSRF). 
            In addition, we show that consumer electronics are particularly vulnerable
            to a nasty form of persistent XSS where a non-web channel such as NFS or SNMP
            is used to inject a malicious script.
            This script is later used to attack an unsuspecting user who connects to the device web server.
            We refer to web attacks which are mounted through a non-web channel as cross channel scripting (XCS).
            We propose a client-side defense against certain XCS which we implement as a browser extension.</description><pubDate>Sat, 31 Oct 2009 23:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/xcs-cross-channel-scripting-and-its-impact-on-web-applications</feedburner:origLink></item><item><title>Decaptcha: Breaking 75% of eBay Audio CAPTCHAs</title><link>http://feedproxy.google.com/~r/ebursztein/~3/ZqIilun10Nk/decaptcha-breaking-75-percents-of-ebay-audio-captchas</link><guid isPermaLink="false">http://elie.im/pub/decaptcha-breaking-75-percents-of-ebay-audio-captchas</guid><description>CAPTCHA tests aim at preventing attackers from performing automatic registration.
            In this paper we show that our prototype Decaptcha is able to successfully break
            75% of eBay audio captchas. We compare its performance with the state of the art, readily
            available speech recognition system Sphinx and discuss the implications for eBay security.</description><pubDate>Fri, 31 Jul 2009 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/decaptcha-breaking-75-percents-of-ebay-audio-captchas</feedburner:origLink></item><item><title>NetQi: A Model checker for Anticipation Game</title><link>http://feedproxy.google.com/~r/ebursztein/~3/GylH8QvRfSE/netqi-a-model-checker-for-anticipation-game</link><guid isPermaLink="false">http://elie.im/pub/netqi-a-model-checker-for-anticipation-game</guid><description>NetQi is a freely available model-checker designed to analyze network incidents
        such as intrusions.
            This tool is an implementation of the anticipation game framework,
            a variant of timed games tailored for
            network analysis. The main purpose of NetQi is to find, given a network initial state
            and a set of rules, 
            the best strategy that fulfills player objectives by model-checking the anticipation game
            and 
            comparing the outcome of each play that fulfills strategy constraints. 
            For instance, it can be used to find the best patching strategy. 
            NetQi has been successfully used to analyze service failure due to hardware,
            network intrusion, worms and multiple-site intrusion defense cooperation.&lt;img src="http://feeds.feedburner.com/~r/ebursztein/~4/GylH8QvRfSE" height="1" width="1"/&gt;</description><pubDate>Tue, 30 Sep 2008 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/netqi-a-model-checker-for-anticipation-game</feedburner:origLink></item><item><title>Extending Anticipation Games with Location, Penalty and Timeline</title><link>http://feedproxy.google.com/~r/ebursztein/~3/--7BvpPCjcs/extending-anticipation-games-with-location-penalty-and-timeline</link><guid isPermaLink="false">http://elie.im/pub/extending-anticipation-games-with-location-penalty-and-timeline</guid><description>Over the last few years, attack graphs have became a well recognized tool to analyze and
            model complex network attacks. The most advanced evolution of attack graphs, called anticipation games, is based on game theory.
            However, even though anticipation games allow modeling time, collateral effects and player interactions with the network,
            there are still key aspects of network security that cannot be modeled in this framework. These aspects are network cooperation
            to fight unknown attacks, the cost of an attack based on its duration, and the introduction of new attacks over time.
            In this paper we address these needs by introducing a three-fold extension to anticipation games.
            We prove that this extension does not change the complexity of the framework.
            We illustrate the usefulness of this extension by presenting how it can be used to find a defense strategy against 0-days that uses a honeynet.
            Finally, we have implemented this extension in a prototype to show that it can be used to analyze the security of large networks.&lt;img src="http://feeds.feedburner.com/~r/ebursztein/~4/--7BvpPCjcs" height="1" width="1"/&gt;</description><pubDate>Tue, 30 Sep 2008 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/extending-anticipation-games-with-location-penalty-and-timeline</feedburner:origLink></item><item><title>Probabilistic Protocol Identification for Hard to Classify Protocol</title><link>http://feedproxy.google.com/~r/ebursztein/~3/kduewMLKDbU/probabilistic-protocol-identification-for-hard-to-classify-protocol</link><guid isPermaLink="false">http://elie.im/pub/probabilistic-protocol-identification-for-hard-to-classify-protocol</guid><description>With the growing use of protocol obfuscation techniques, 
        protocol identification for QoS enforcement, traffic prohibition, and intrusion detection has become a complex task.
            This paper addresses this issue with a probabilistic identification analysis that combines multiple advanced identification techniques
            and returns an ordered list of probable protocols. It combines a payload analysis with a classifier based on several discriminators,
            including packet entropy and size. We show with its implementation that it overcomes the limitations of traditional port-based
            protocol identification when dealing with hard-to-classify protocols such as peer-to-peer protocols.
            We also detail how it deals with tunneled sessions and covert channels.&lt;img src="http://feeds.feedburner.com/~r/ebursztein/~4/kduewMLKDbU" height="1" width="1"/&gt;</description><pubDate>Wed, 30 Apr 2008 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/probabilistic-protocol-identification-for-hard-to-classify-protocol</feedburner:origLink></item><item><title>A Logical Framework for Evaluating Network Resilience Against Faults and Attacks</title><link>http://feedproxy.google.com/~r/ebursztein/~3/8ZuWgDk_1eM/a-logical-framework-for-evaluating-network-resilience-against-faults-and-attacks</link><guid isPermaLink="false">http://elie.im/pub/a-logical-framework-for-evaluating-network-resilience-against-faults-and-attacks</guid><description>We present a logic-based framework to evaluate the resilience of computer networks
            in the face of incidents, i.e., attacks from malicious intruders as well as random faults.
            Our model uses a two-layered presentation of dependencies between files and services, 
            and of timed games to represent not just incidents, but also the dynamic responses 
            from administrators and their respective delays. 
            We demonstrate that a variant TATL of timed alternating-time temporal logic is a convenient language
            to express several desirable properties of networks, including several forms of survivability. 
            We illustrate this on a simple redundant Web service architecture, 
            and show that checking such timed games against the TATL variant of timed alternating-time temporal logic is EXPTIME-complete.&lt;img src="http://feeds.feedburner.com/~r/ebursztein/~4/8ZuWgDk_1eM" height="1" width="1"/&gt;</description><pubDate>Fri, 30 Nov 2007 23:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/a-logical-framework-for-evaluating-network-resilience-against-faults-and-attacks</feedburner:origLink></item><item><title>Time has something to tell us about network address translation.</title><link>http://feedproxy.google.com/~r/ebursztein/~3/2nkKnxQa-zc/time-has-something-to-tell-us-about-network-address-translation</link><guid isPermaLink="false">http://elie.im/pub/time-has-something-to-tell-us-about-network-address-translation</guid><description>In this paper we introduce a new technique to count the number of hosts behind a NAT.
            This technique, based on the TCP timestamp option, works with Linux and BSD systems and is therefore complementary
            to the previous one based on IPID, which does not work for those systems.
            Our implementation demonstrates the practicability of this method.&lt;img src="http://feeds.feedburner.com/~r/ebursztein/~4/2nkKnxQa-zc" height="1" width="1"/&gt;</description><pubDate>Sun, 30 Sep 2007 22:00:00 GMT</pubDate><feedburner:origLink>http://elie.im/pub/time-has-something-to-tell-us-about-network-address-translation</feedburner:origLink></item></channel></rss>
