To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the human-computer interface is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic bugs in GUI design and implementation. Visual spoofing attacks that exploit these flaws can lure even security-conscious users into performing unintended actions. The focus of this paper is to formulate the problem of GUI logic flaws and to develop a methodology for uncovering them in software implementations. Specifically, based on an in-depth study of key subsets of the Internet Explorer (IE) browser source code, we have developed a formal model of the browser GUI logic and have applied formal reasoning to uncover new spoofing scenarios, including nine for status bar spoofing and four for address bar spoofing. The IE development team has confirmed all of these scenarios and has fixed most of them in their latest build. Through this work, we demonstrate that a crucial subset of visual spoofing vulnerabilities originates from GUI logic flaws, which have a well-defined mathematical meaning that allows systematic analysis.