Speaker/Bio
Wil Koch received his BS from the University of Rhode and MS from Stevens Institute of Technology in Computer engineering with a focus in machine learning. After working in the aerospace industry as a software engineer, he returned to academia to pursue his PhD in computer science at Boston University. His research is primarily focused in cyber security, and multi-copter flight performance. He is the co-founder CT Hackerspace Inc, Connecticut's oldest and largest hackerspace as well as the founder of Boston Drone Racing, FPV quadcopter racing and hacking club in Boston. Personal webpage:
http://cs-people.bu.edu/wfkoch/
Abstract
Abstract: Modern applications are often split into separate client and server tiers that communicate via message passing over the network. One well-understood threat to privacy for such applications is the leakage of sensitive user information either in transit or at the server. In response, an array of defensive techniques have been developed to identify or block unintended or malicious information leakage. However, prior work has primarily considered privacy leaks originating at the client directed at the server, while leakage in the reverse direction -- from the server to the client -- is comparatively under-studied. The question of whether and to what degree this leakage constitutes a threat remains an open question. We answer this question in the affirmative with Hush, a technique for semi-automatically identifying Server-based InFormation OvershariNg (SIFON) vulnerabilities in multi-tier applications. In particular, the technique detects SIFON vulnerabilities using a heuristic that overshared sensitive information from server-side APIs will not be displayed by the application's user interface. The technique first performs a scalable static program analysis to screen applications for potential vulnerabilities, and then attempts to confirm these candidates as true vulnerabilities with a partially-automated dynamic analysis. Our evaluation over a large corpus of Android applications demonstrates the effectiveness of the technique by discovering several previously-unknown SIFON vulnerabilities in eight applications.