DOI: 10.1145/2435349.2435394 (ACM conference proceedings, CODASPY; short paper)

Mediums: visual integrity preserving framework

Published: 18 February 2013

Abstract

The UI redressing attack and its variations have spread across several platforms, from web browsers to mobile systems. We study the fundamental problem underlying such attacks and formulate a generic model, the container threat model. We believe that these attacks are caused by the system's failure to preserve visual integrity. From this angle, we examine the existing countermeasures and propose a generic approach, the Mediums framework, for developing a Trusted Display Base (TDB) to address this class of problems. We use a side channel to convey the lost visual information to users. From the access control perspective, we use a dynamic binding policy model that allows the server to enforce different restrictions based on different client-side scenarios.


Cited By

  • (2021) Detecting Privacy Leaks in Android Hybrid Applications Based on Dynamic Taint Tracking. 2021 IEEE 19th International Conference on Embedded and Ubiquitous Computing (EUC), pp. 193-200. DOI: 10.1109/EUC53437.2021.00036. Online publication date: Oct 2021.
  • (2015) Security assessment of clickjacking risks in web applications. Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 791-797. DOI: 10.1145/2695664.2695946. Online publication date: 13 Apr 2015.
  • (2012) Touchjacking attacks on web in Android, iOS, and Windows Phone. Proceedings of the 5th International Conference on Foundations and Practice of Security, pp. 227-243. DOI: 10.1007/978-3-642-37119-6_15. Online publication date: 25 Oct 2012.

Published In

CODASPY '13: Proceedings of the Third ACM Conference on Data and Application Security and Privacy
February 2013, 400 pages
ISBN: 9781450318907
DOI: 10.1145/2435349

  • General Chairs: Elisa Bertino, Ravi Sandhu
  • Program Chair: Lujo Bauer
  • Publications Chair: Jaehong Park
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. touchjacking
  2. visual integrity
  3. web container model

Qualifiers

  • Short-paper

Conference

CODASPY '13

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)0
Reflects downloads up to 12 Sep 2024
