We study real-world systems, such as browsers and web applications, that have very big user bases; we identify classes of new security and privacy threats; we construct convincing end-to-end attacks to show these threats intuitively so that the industry must take actions to address them.
A "field study" of commercially deployed single-sign-on (SSO) schemes
We studied many websites that use popular web-based SSO schemes. We discovered 8 types of different logic flaws that allow an attacker to sign in as a victim. The study was based on a tool call BRM Analyzer, which we launched at http://sso-analysis.org. Our paper can be downloaded here.
How to shop for free online
We studied many merchant websites that accept third-party payments, such as through PayPal, Amazon Payments and Google Checkout. Many logic flaws were identified, which allowed us to shop for free! All 9 flaws that we reported were fixed promptly. The paper and the slide deck are archived here. The paper won the "best practical paper" award in the Oakland conference. The work had a lot of news coverage, such as CNNMoney, CNET, etc. The work was in collaboration with Rui Wang and XiaoFeng Wang of Indiana University Bloomington.
X.commerce Innovate Developer Conference 2011
PayPal had a 44-minute talk about our free-shopping work in its developers' conference.
Side-channel leaks in web applications
We demonstrated that by observing side-channel characteristics of encrypted web traffic, an eavesdropper can infer surprisingly detailed information about a user. The information includes health records, family income, investment details and search queries, which imposes a serious privacy threat to Software-as-a-Service. Our Oakland paper and its slide deck are archived here. The work was described in several articles, including ones by Network World, The Register, Ed Felten and Bruce Schneier. It is a joint work with Rui Wang, XiaoFeng Wang and Kehuan Zhang of Indiana University Bloomington.
We focused on a specific adversary named “Pretty-Bad-Proxy” (PBP). PBP is a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server.
All major browsers, such as IE, Firefox, Chrome, Opera and Safari, were vulnerable to some of the bugs we reported. Most bugs have been fixed. MSDN posted an article explaining one of the changes that IE8 made. The paper and the slide deck can be obtained here. The work was covered by Technology Review, Computer World and ZDNet.
We built a formal model for IE6's GUI behaviors, specifically for the status bar and the address bar. We checked the model and found 13 logic bugs which resulted in GUI spoofing (an example), 11 of which were fixed before IE7 was shipped. Our paper can be downloaded here.
- Rui Wang, Shuo Chen, and XiaoFeng Wang, Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 2012
- Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer, How to Shop for Free Online – Security Analysis of Cashier-as-a-Service Based Web Stores, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (Best Practical Paper award), IEEE Computer Society, May 2011
- Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang, Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 2010
- Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang, Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 2009
- Shuo Chen, Jose Meseguer, Ralf Sasse, Helen J. Wang, and Yi-Min Wang, A Systematic Approach to Uncover Security Flaws in GUI Logic, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society, May 2007
- Shuo Chen, David Ross, and Yi-Min Wang, An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Association for Computing Machinery, Inc., 31 October 2007