Research Preparation Exam: Martin Georgiev, October 11, 11 am CST, ACES 6.442

Contact Name: 
Lydia Griffith
Oct 11, 2012 11:00am

Research Preparation Exam: Martin Georgiev

Date: October 11, 2012
Time: 11 am CST
Place: ACES 6.442
RPE Committee: Vitaly Shmatikov (chair), Emmett Witchel, Brent Waters

Title: The Most Dangerous Code in the World: (In)secure Usage of Security Libraries

We analyze how popular software applications and application development
frameworks use security libraries.

The first part of this work focuses on SSL (Secure Sockets Layer), the
de facto standard for secure Internet communications.  Security of SSL
connections against an active network attacker depends on correctly
validating public-key certificates presented when the connection is
established.  We demonstrate that SSL certificate validation is completely
broken in many security-critical applications and libraries.  Vulnerable
software includes Amazon's EC2 Java library and all cloud clients based
on it; Amazon's and PayPal's merchant SDKs responsible for transmitting
payment details from e-commerce sites to payment gateways; integrated
shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop;
AdMob code used by mobile websites; Chase mobile banking and several other
Android apps and libraries; Java Web-services middleware - including
Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android -
and all applications employing this middleware.  Any SSL connection from
any of these programs is insecure against a man-in-the-middle attack.

In the second, ongoing part of this work, we analyze several layers of
the software stack on mobile platforms such as Android and show that
cryptographic libraries, security primitives, and development frameworks
are often misunderstood and/or misused by application developers.
This results in a wide variety of vulnerabilities.  Some of them allow
third-party websites (eg, malicious advertisers) to gain access to users'
private information, including location, phone audio and camera, local
files, and contact lists, while others enable malicious users to obtain
paid content for free.