Rui Wang

How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores

Web applications increasingly integrate third-party services. The integration introduces new security challenges due to the complexity for an application to coordinate its internal states with those of the component services and the web client across the Internet. In this paper, we study the security implications of this problem to merchant websites that accept payments through third-party cashiers (e.g., PayPal, Amazon Payments and Google Checkout), which we refer to as Cashier-as-a-Service or CaaS. We found that leading merchant applications (e.g., NopCommerce and Interspire), popular online stores (e.g., Buy.com and JR.com) and a prestigious CaaS provider (Amazon Payments) all contain serious logic flaws that can be exploited to cause inconsistencies between the states of the CaaS and the merchant. As a result, a malicious shopper can purchase an item at an arbitrarily low price, shop for free after paying for one item, or even avoid payment. We reported our findings to the affected parties. They either updated their vulnerable software or continued to work on the fixes with high priorities. We further studied the complexity in finding this type of logic flaws in typical CaaS-based checkout systems, and gained a preliminary understanding of the effort that needs to be made to improve the security assurance of such systems during their development and testing processes.

Unauthorized origin crossing on mobile platforms: threats and mitigation

With the progress in mobile computing, web services are increasingly delivered to their users through mobile apps, instead of web browsers. However, unlike the browser, which enforces origin-based security policies to mediate the interactions between the web content from different sources, todays mobile OSes do not have a comparable security mechanism to control the cross-origin communications between apps, as well as those between an app and the web. As a result, a mobile users sensitive web resources could be exposed to the harms from a malicious origin. In this paper, we report the first systematic study on this mobile cross-origin risk. Our study inspects the main cross-origin channels on Android and iOS, including intent, scheme and web-accessing utility classes, and further analyzes the ways popular web services (e.g., Facebook, Dropbox, etc.) and their apps utilize those channels to serve other apps. The research shows that lack of origin-based protection opens the door to a wide spectrum of cross-origin attacks. These attacks are unique to mobile platforms, and their consequences are serious: for example, using carefully designed techniques for mobile cross-site scripting and request forgery, an unauthorized party can obtain a mobile users Facebook/Dropbox authentication credentials and record her text input. We report our findings to related software vendors, who all acknowledged their importance. To address this threat, we designed an origin-based protection mechanism, called Morbs, for mobile OSes. Morbs labels every message with its origin information, lets developers easily specify security policies, and enforce the policies on the mobile channels based on origins. Our evaluation demonstrates the effectiveness of our new technique in defeating unauthorized origin crossing, its efficiency and the convenience for the developers to use such protection.

Privacy-preserving genomic computation through program specialization

In this paper, we present a new approach to performing important classes of genomic computations (e.g., search for homologous genes) that makes a significant step towards privacy protection in this domain. Our approach leverages a key property of the human genome, namely that the vast majority of it is shared across humans (and hence public), and consequently relatively little of it is sensitive. Based on this observation, we propose a privacy-protection framework that partitions a genomic computation, distributing the part on sensitive data to the data provider and the part on the pubic data to the user of the data. Such a partition is achieved through program specialization that enables a biocomputing program to perform a concrete execution on public data and a symbolic execution on sensitive data. As a result, the program is simplified into an efficient query program that takes only sensitive genetic data as inputs. We prove the effectiveness of our techniques on a set of dynamic programming algorithms common in genomic computing. We develop a program transformation tool that automatically instruments a legacy program for specialization operations. We also demonstrate that our techniques can greatly facilitate secure multi-party computations on large biocomputing problems.

Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating

Android is a fast evolving system, with new updates coming out one after another. These updates often completely overhaul a running system, replacing and adding tens of thousands of files across Androids complex architecture, in the presence of critical user data and applications (apps for short). To avoid accidental damages to such data and existing apps, the upgrade process involves complicated program logic, whose security implications, however, are less known. In this paper, we report the first systematic study on the Android updating mechanism, focusing on its Package Management Service (PMS). Our research brought to light a new type of security-critical vulnerabilities, called Pileup flaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system. Specifically, we found that by exploiting the Pileup vulnerabilities, the app can not only acquire a set of newly added system and signature permissions but also determine their settings (e.g., protection levels), and it can further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security configurations, and prevent installation of critical system services. We systematically analyzed the source code of PMS using a program verification tool and confirmed the presence of those security flaws on all Android official versions and over 3000 customized versions. Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries. To mitigate this threat without endangering user data and apps during an upgrade, we also developed a new detection service, called SecUP, which deploys a scanner on the users device to capture the malicious apps designed to exploit Pileup vulnerabilities, based upon the vulnerability-related information automatically collected from newly released Android OS images.

ENDOPHTHALMITIS AFTER INTRAVITREAL INJECTION: Role of Prophylactic Topical Ophthalmic Antibiotics.

Purpose: To determine the rate of postintravitreal injection endophthalmitis and to assess microbiological features and outcomes with and without the use of peri-intravitreal injection topical ophthalmic antibiotics. Methods: Consecutive series of endophthalmitis cases retrospectively identified after intravitreal injection at a multicenter, retina-only referral practice (Retina Consultants of Houston) from January 1, 2011 to December 31, 2014. Prophylactic peri-intravitreal injection topical antibiotics were routinely used during the initial 12-month period (January 1, 2011–December 31, 2011) and not used in the final 24-month period (January 1, 2013–December 31, 2014). Main outcome measures were incidence of endophthalmitis, microbiology results, treatment strategies, and visual outcomes. Results: Of 90,339 intravitreal injections, 30 cases of endophthalmitis were identified (endophthalmitis rate = 0.033%; 95% confidence interval, 0.021–0.045%; or approximately 1 of 3,011 intravitreal injections). The most common organisms isolated were coagulase-negative staphylococci (n = 10, 33%), followed by Streptococcus mitis (n = 2, 7%). Fourteen cases (47%) were culture negative. Peri-intravitreal injection topical antibiotic prophylaxis did not decrease the rate of endophthalmitis (0.035% [95% CI, 0.007–0.064%] with antibiotic use versus 0.021% [95% CI, 0.008–0.033%] without antibiotic use; P = 0.261). Conclusion: The risk of endophthalmitis after intravitreal injection remains low, with coagulase-negative staphylococci and Streptococcus mitis the most common bacterial isolates identified. Prophylactic peri-intravitreal injection topical ophthalmic antibiotic use did not decrease the endophthalmitis rate.

Towards automatic reverse engineering of software security configurations

The specifications of an applications security configuration are crucial for understanding its security policies, which can be very helpful in security-related contexts such as misconfiguration detection. Such specifications, however, are often ill-documented, or even close because of the increasing use of graphic user interfaces to set program options. In this paper, we propose ConfigRE, a new technique for automatic reverse engineering of an applications access-control configurations. Our approach first partitions a configuration input into fields, and then identifies the semantic relations among these fields and the roles they play in enforcing an access control policy. Based upon such knowledge, ConfigRE automatically generates a specification language to describe the syntactic relations of these fields. The language can be converted into a scanner using standard parser generators for scanning configuration files and discovering the security policies specified in an application. We implemented ConfigRE in our research and evaluated it against real applications. The experiment results demonstrate the efficacy of our approach.

Securing Multiparty Online Services Via Certification of Symbolic Transactions

The prevalence of security flaws in multiparty online services (e.g., Single-sign-on, third-party payment, etc.) calls for rigorous engineering supported by formal program verification. However, the adoption of program verification faces several hurdles in the real world: how to formally specify logic properties given that protocol specifications are often informal and vague, how to precisely model the attacker and the runtime platform, how to deal with the unbounded set of all potential transactions. We introduce Certification of Symbolic Transaction (CST), an approach to significantly lower these hurdles. CST tries to verify a protocol-independent safety property jointly defined over all parties, thus avoids the burden of individually specifying every partys property for every protocol, CST invokes static verification at runtime, i.e., It symbolically verifies every transaction on-the-fly, and thus (1) avoids the burden of modeling the attacker and the runtime platform, (2) reduces the proof obligation from considering all possible transactions to considering only the one at hand. We have applied CST on five commercially deployed applications, and show that, with only tens (or 100+) of lines of code changes per party, the original implementations are enhanced to achieve the objective of CST. Our security analysis shows that 12 out of 14 logic flaws reported in the literature will be prevented by CST. We also stress-tested CST by building a gambling system integrating four different services, for which there is no existing protocol to follow. Because transactions are symbolic and cacheable, CST has near-zero amortized runtime overhead. We make the source code of these implementations public, which are ready to be deployed for real-world uses.

THE ASSOCIATION OF EPIRETINAL MEMBRANE WITH MACULAR HOLE FORMATION AFTER RHEGMATOGENOUS RETINAL DETACHMENT REPAIR

Purpose: To describe the clinical and optical coherence tomography findings associated with the development of full-thickness macular holes after rhegmatogenous retinal detachment (RRD) repair. Methods: Retrospective, interventional case series. All patients who developed full-thickness macular holes after successful RRD repair from 3 clinical practices were reviewed. All cases of combined/simultaneous full-thickness macular hole and RRD were excluded. The main outcome measure was the presence of an epiretinal membrane at time of diagnosis of macular hole. Results: Twenty-five full-thickness macular holes were diagnosed after successful retinal detachment repair. Surgical approach to RRD repair included pneumatic retinopexy (6, 24%), scleral buckle alone (5, 20%), pars plana vitrectomy only (8, 32%), and combined scleral buckle and pars plana vitrectomy (6, 24%). The preceding RRD involved the macula in 19 patients (76%) before the formation of the macular hole. The median time to full-thickness macular hole diagnosis after RRD repair was 63 days (range, 4–4,080 days). An epiretinal membrane was present in all 25 (100%) macular holes. Two macular holes (8%) spontaneously closed, whereas the other 23 (92%) were successfully closed with a single surgical procedure. Mean visual acuity improved by approximately 5 lines to 20/72 (range, 20/20 to counting fingers at 1 foot) from 20/240 (range, 20/30 to hand motions) after macular hole repair (P < 0.0001). Conclusion: Full-thickness macular hole formation can occur after all types of RRD repair and is associated with an epiretinal membrane. The epiretinal membrane may play a role in the pathogenesis of secondary macular hole formation after RRD repair.