

Sooel Son, Kathryn S. McKinley, Vitaly Shmatikov
2011 SIGPLAN Notices
The idea of analyzing consistency of checks on critical variables was first proposed by Son and Shmatikov [20]. ...
doi:10.1145/2076021.2048146 fatcat:sho2vfdbujbhdabtb5shr6h5sq


Sooel Son, Vitaly Shmatikov
2011 Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security - PLAS '11
Web applications are vulnerable to semantic attacks such as denial of service due to infinite loops caused by malicious inputs and unauthorized database operations due to missing security checks. Unlike "conventional" threats such as SQL injection and cross-site scripting, these attacks exploit bugs in the logic of the vulnerable application and cannot be discovered using data-flow analysis alone. We give the first characterization of these types of vulnerabilities in PHP applications, develop novel inter-procedural algorithms for discovering them in PHP source code, and implement these algorithms as part of SAFERPHP, a framework for static security analysis of PHP applications. SAFERPHP uncovered multiple, previously unreported vulnerabilities in several popular Web applications.
doi:10.1145/2166956.2166964 dblp:conf/pldi/SonS11 fatcat:u5pvzalydnegtkwtcivddc4mje

Pharewell to Phishing [chapter]

Taehwan Choi, Sooel Son, Mohamed G. Gouda, Jorge A. Cobb
2008 Lecture Notes in Computer Science
The conventional wisdom has always been that users should refrain from entering their sensitive data (such as usernames, passwords, and credit card numbers) into http (or white) pages, but they can enter these data into https (or yellow) pages. Unfortunately, this assumption is not valid as it became clear recently that, through human mistakes or Phishing or Pharming attacks, a displayed yellow page may not be the same one that the user has intended to request in the first place. In this paper, we propose to add a third class of secure web pages called brown pages. We show that brown pages are more secure than yellow pages especially in face of human mistakes and Phishing and Pharming attacks. Thus users can enter their sensitive data into brown pages without worry.
doi:10.1007/978-3-540-89335-6_19 fatcat:7cm2naibqffiblzoz6lufaebxq


Sooel Son, Kathryn S. McKinley, Vitaly Shmatikov
2013 Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13
Code injection attacks continue to plague applications that incorporate user input into executable programs. For example, SQL injection vulnerabilities rank fourth among all bugs reported in CVE, yet all previously proposed methods for detecting SQL injection attacks suffer from false positives and false negatives. This paper describes the design and implementation of DIGLOSSIA, a new tool that precisely and efficiently detects code injection attacks on server-side Web applications generating SQL and NoSQL queries. The main problems in detecting injected code are (1) recognizing code in the generated query, and (2) determining which parts of the query are tainted by user input. To recognize code, DIGLOSSIA relies on the precise definition due to Ray and Ligatti. To identify tainted characters, DIGLOSSIA dynamically maps all application-generated characters to shadow characters that do not occur in user input and computes shadow values for all input-dependent strings. Any original characters in a shadow value are thus exactly the taint from user input. Our key technical innovation is dual parsing. To detect injected code in a generated query, DIGLOSSIA parses the query in tandem with its shadow and checks that (1) the two parse trees are syntactically isomorphic, and (2) all code in the shadow query is in shadow characters and, therefore, originated from the application itself, as opposed to user input. We demonstrate that DIGLOSSIA accurately detects both SQL and NoSQL code injection attacks while avoiding the false positives and false negatives of prior methods. By recasting the problem of detecting injected code as a string propagation and parsing problem, we gain substantial improvements in efficiency and precision over prior work. Our approach does not require any changes to the databases, Web servers, or Web browsers, adds virtually unnoticeable performance overhead, and is deployable today.
doi:10.1145/2508859.2516696 dblp:conf/ccs/SonMS13 fatcat:zqtrbdccw5bs5kwmqzq3n7gsty

Evaluating the Robustness of Trigger Set-Based Watermarks Embedded in Deep Neural Networks [article]

Suyoung Lee, Wonho Song, Suman Jana, Meeyoung Cha, Sooel Son
2021 arXiv pre-print
Trigger set-based watermarking schemes have gained emerging attention as they provide a means to prove ownership for deep neural network model owners. In this paper, we argue that state-of-the-art trigger set-based watermarking algorithms do not achieve their designed goal of proving ownership. We posit that this impaired capability stems from two common experimental flaws that the existing research practice has committed when evaluating the robustness of watermarking algorithms: (1) incomplete adversarial evaluation and (2) overlooked adaptive attacks. We conduct a comprehensive adversarial evaluation of 10 representative watermarking schemes against six of the existing attacks and demonstrate that each of these watermarking schemes lacks robustness against at least two attacks. We also propose novel adaptive attacks that harness the adversary's knowledge of the underlying watermarking algorithm of a target model. We demonstrate that the proposed attacks effectively break all of the 10 watermarking schemes, consequently allowing adversaries to obscure the ownership of any watermarked model. We encourage follow-up studies to consider our guidelines when evaluating the robustness of their watermarking schemes via conducting comprehensive adversarial evaluation that include our adaptive attacks to demonstrate a meaningful upper bound of watermark robustness.
arXiv:2106.10147v1 fatcat:yhhhpgwndzdgheltof6uretd5u

Model checking invariant security properties in OpenFlow

Sooel Son, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, Guofei Gu
2013 2013 IEEE International Conference on Communications (ICC)
The OpenFlow (OF) switching specification represents an innovative and open standard for enabling the dynamic programming of flow control policies in production networks. Unfortunately, thus far researchers have paid little attention to the development of methods for verifying that dynamic flow policies inserted within an OpenFlow network do not violate the network's underlying security policy. We introduce FLOVER, a model checking system which verifies that the aggregate of flow policies instantiated within an OpenFlow network does not violate the network's security policy. We have implemented FLOVER using the Yices SMT solver, which we then integrated into NOX, a popular OpenFlow network controller. FLOVER provides NOX a formal validation of the OpenFlow network's security posture.
doi:10.1109/icc.2013.6654813 dblp:conf/icc/SonSYPG13 fatcat:uifcjesd7vgw7msyft3zoag5jq


Sooel Son, Kathryn S. McKinley, Vitaly Shmatikov
2011 Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications - OOPSLA '11
The idea of analyzing consistency of checks on critical variables was first proposed by Son and Shmatikov [20]. ...
doi:10.1145/2048066.2048146 dblp:conf/oopsla/SonMS11 fatcat:w2gwct5ryng77gborszbqptkva

Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer [article]

Suyoung Lee, HyungSeok Han, Sang Kil Cha, Sooel Son
2020 arXiv pre-print
JavaScript (JS) engine vulnerabilities pose significant security threats affecting billions of web browsers. While fuzzing is a prevalent technique for finding such vulnerabilities, there have been few studies that leverage the recent advances in neural network language models (NNLMs). In this paper, we present Montage, the first NNLM-guided fuzzer for finding JS engine vulnerabilities. The key aspect of our technique is to transform a JS abstract syntax tree (AST) into a sequence of AST subtrees that can directly train prevailing NNLMs. We demonstrate that Montage is capable of generating valid JS tests, and show that it outperforms previous studies in terms of finding vulnerabilities. Montage found 37 real-world bugs, including three CVEs, in the latest JS engines, demonstrating its efficacy in finding JS engine bugs.
arXiv:2001.04107v2 fatcat:22cptrylmrfthh6sua3jqnzaxy

The Hitchhiker's Guide to DNS Cache Poisoning [chapter]

Sooel Son, Vitaly Shmatikov
2010 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
DNS cache poisoning is a serious threat to today's Internet. We develop a formal model of the semantics of DNS caches, including the bailiwick rule and trust-level logic, and use it to systematically investigate different types of cache poisoning and to generate templates for attack payloads. We explain the impact of the attacks on DNS resolvers such as BIND, MaraDNS, and Unbound and their implications for several defenses against DNS cache poisoning.
doi:10.1007/978-3-642-16161-2_27 fatcat:de64fyqzmvhfrdyrwmvztfy2gy

Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning

Soyoung Lee, Seongil Wi, Sooel Son
2022 Proceedings of the ACM Web Conference 2022
Black-box web scanners have been a prevalent means of performing penetration testing to find reflected cross-site scripting (XSS) vulnerabilities. Unfortunately, off-the-shelf black-box web scanners suffer from unscalable testing as well as false negatives that stem from a testing strategy that employs fixed attack payloads, thus disregarding the exploitation of contexts to trigger vulnerabilities. To this end, we propose a novel method of adapting attack payloads to a target reflected XSS vulnerability using reinforcement learning (RL). We present Link, a general RL framework whose states, actions, and a reward function are designed to find reflected XSS vulnerabilities in a black-box and fully automatic manner. Link finds 45, 213, and 60 vulnerabilities with no false positives in Firing-Range, OWASP, and WAVSEP benchmarks, respectively, outperforming state-of-the-art web scanners in terms of finding vulnerabilities and ending testing campaigns earlier. Link also finds 43 vulnerabilities in 12 real-world applications, demonstrating the promising efficacy of using RL in finding reflected XSS vulnerabilities.
CCS CONCEPTS: Security and privacy → Web application security.
doi:10.1145/3485447.3512234 fatcat:nmy2npjj5jar3hr4lzpuooujca

Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned [article]

Dongkwan Kim, Eunsoo Kim, Sang Kil Cha, Sooel Son, Yongdae Kim
2022 arXiv pre-print
Binary code similarity analysis (BCSA) is widely used for diverse security applications such as plagiarism detection, software license violation detection, and vulnerability discovery. Despite the surging research interest in BCSA, it is significantly challenging to perform new research in this field for several reasons. First, most existing approaches focus only on the end results, namely, increasing the success rate of BCSA, by adopting uninterpretable machine learning. Moreover, they utilize their own benchmark sharing neither the source code nor the entire dataset. Finally, researchers often use different terminologies or even use the same technique without citing the previous literature properly, which makes it difficult to reproduce or extend previous work. To address these problems, we take a step back from the mainstream and contemplate fundamental research questions for BCSA. Why does a certain technique or a feature show better results than the others? Specifically, we conduct the first systematic study on the basic features used in BCSA by leveraging interpretable feature engineering on a large-scale benchmark. Our study reveals various useful insights on BCSA. For example, we show that a simple interpretable model with a few basic features can achieve a comparable result to that of recent deep learning-based approaches. Furthermore, we show that the way we compile binaries or the correctness of underlying binary analysis tools can significantly affect the performance of BCSA. Lastly, we make all our source code and benchmark public and suggest future directions in this field to help further research.
arXiv:2011.10749v3 fatcat:2ejtyrb23fg6fcrlg24rbbsaku

What Mobile Ads Know About Mobile Users

Sooel Son, Daehyeok Kim, Vitaly Shmatikov
2016 Proceedings 2016 Network and Distributed System Security Symposium (unpublished)
We analyze the software stack of popular mobile advertising libraries on Android and investigate how they protect the users of advertising-supported apps from malicious advertising. We find that, by and large, Android advertising libraries properly separate the privileges of the ads from the host app by confining ads to dedicated browser instances that correctly apply the same origin policy. We then demonstrate how malicious ads can infer sensitive information about users by accessing external storage, which is essential for media-rich ads in order to cache video and images. Even though the same origin policy prevents confined ads from reading other apps' external-storage files, it does not prevent them from learning that a file with a particular name exists. We show how, depending on the app, the mere existence of a file can reveal sensitive information about the user. For example, if the user has a pharmacy price-comparison app installed on the device, the presence of external-storage files with certain names reveals which drugs the user has looked for. We conclude with our recommendations for redesigning mobile advertising software to better protect users from malicious advertising.
doi:10.14722/ndss.2016.23407 fatcat:mvgmnyzd75ch7irstgyiloznze

Page 8 of Puck Vol. 43, Issue 1118 [page]

1898 Puck
“Why, a bald-headed barber sold him two bottles of hair restorer the other day!” ... Do you believe in ... SECOND TRAMP. — Yes, I do. I dreamt, last night, I was in clover. FIRST TRAMP. — Well? ... [interleaved advertisement column from the same scanned page: HENRY LINDENMEYR & SONS, PAPER WAREHOUSE ... has unexcelled facilities for the pro-]

Page 520 of Calcutta Journal, or Political, Commercial and Literary Gazette Vol. 1, Issue 32 [page]

1821 Calcutta Journal, or Political, Commercial and Literary Gazette
Fitzgerald; Sir R. Wilson, M.P.; Sir F. Burdett; J. C. Hobhouse, Esq.; C. Calvert, Esq.; and E. Ellice, Esq., M.P.” Sir G. ... [illegible OCR fragment] ... half past 4 a.m. the Castle at the mouth of the Douro announced, by a royal salute, destined to give liberty to Portugal... “day-break the troops of the line and militia assembled ...

Page 147 of Journal of Education Vol. 60, Issue 8 [page]

1904 Journal of Education
Putnam’s Sons, N. Y. 1.75 ... A Journey in the Seaboard Slave States ... Olmsted ... 5.00 ... The Heart of the Orient ... [illegible OCR fragment] ... AMERICAN TEACHERS’ AGENCY ... for every department of instruction; recommends good schools ... Call on or address: Mrs. M. J. YOUNG-FULTON, 23 Union Square, New York. ...