Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations

Title: Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations
Time: 2016年1月27日(周三), 上午10:00-11:30
Speaker: 陈恺, 中科院信工所
Venue: 中科院计算所446会议室,北京市海淀区科学院南路6号
Organizer: 中科院计算所 武成岗老师,wucg[AT]ict.ac.cn
Kang

报告摘要

We report a large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties different push messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new tool, called Seminal. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% apps in Google Play and 50% apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusions among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusions, the adversary can post his content to the victim’s apps in the name of trusted parties and intercept her private messages.

主讲人简介:

陈恺:2010年于中国科学院研究生院获博士学位,美国宾州大学博士后,目前为中国科学院信息工程研究所信息安全国家重点实验室副研究员,主要研究领域包括软件安全、智能终端安全、安全测评和隐私保护。曾主持和参加国家自然科学基金、863计划、中科院战略性先导科技专项、部委项目等课题20余项;在USENIX Security, ACM CCS、ICSE、ASE、IEEE Trans on Reliability、《中国科学》等本领域重要刊物和会议上发表论文40余篇,多次在国际学术会议上做大会报告;获得与申请专利12项;《IEEE Trans on Dependable and Secure Computing》、《Computers & Security》等SCI期刊评审与AsiaCCS等多个国际会议委员会成员。主页:http://www.kaichen.org

论文(PDF)演讲Slides

 

Bookmark the permalink.

Comments are closed.