Key Laboratory of Computer Network and Information Integration, Ministry of Education (Southeast University)




2016 Academic Talks


No CAPTCHA? No Tracking? Automatic Brute Forcing of Mobile Service Password

Time: July 21, 2016, 16:00. Venue: Room 213, Computer Science Building, Jiulonghu Campus

Abstract:

Most mobile apps today require access to remote services, and many of them also require users to authenticate before using those services. While most apps do use cryptographic mechanisms such as encryption (e.g., HTTPS), hashing (e.g., MD5, SHA1), and signing (e.g., HMAC) to ensure the confidentiality and integrity of network messages, including those used in password authentication, they do not use other mechanisms such as CAPTCHA to stop adversaries from repeatedly guessing passwords (partly because CAPTCHA hurts the mobile user experience), nor do they count how many failed password attempts a given user has made within a short period of time. Therefore, many mobile services are vulnerable to password brute-forcing attacks. A straightforward approach to brute-forcing a password might simply use a robot (e.g., a GUI fuzzer) to keep mutating the password field in the app's GUI and then observe whether a successful or failed login interface pops up. However, such an approach is neither scalable nor generic (e.g., different apps have different success/failure login interfaces). Therefore, in this talk, Dr. Lin will present a generic and scalable approach to brute-forcing a mobile user's mobile service password (using automatic protocol reverse engineering and program analysis techniques such as slicing and API replay). More specifically, he will talk about AutoForge, a system that can automatically forge valid request messages from the client side to test whether the server side of an app has ensured the password security of user accounts with sufficient checks. To enable this security testing, a fundamental challenge lies in how to forge a valid, cryptographically consistent message (e.g., one with a mutated password but a valid MD5 or HMAC) such that it can still be consumed by the server. This challenge has been addressed with a set of automatic protocol reverse engineering and program analysis techniques.
AutoForge has been tested with 76 mobile services (each of which has over 1,000,000 installs). Surprisingly, the experimental results show that 65 (86%) of the mobile app servers, including CNN, Expedia, iHeartRadio, and Walmart, are vulnerable to password brute-forcing attacks.
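The server-side check the abstract says most mobile services omit, counting failed attempts per account within a short window and refusing further attempts, as an added example: this is not AutoForge's code nor any tested service's, and the in-memory user store, the limit of 5 failures per 300 seconds, the PBKDF2 password hashing and the injectable clock are all assumptions made here.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # failed attempts tolerated per account ...
WINDOW_SECONDS = 300   # ... within this sliding window (assumed policy values)
PBKDF2_ROUNDS = 20_000  # kept low for demo speed; production uses far more

def make_user(password, salt=None):
    """Salted PBKDF2 record for the in-memory user store (constructed for this example)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class ManualClock:
    """Injectable clock so window expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

class LoginService:
    """Password check with the per-account failed-attempt counting the abstract
    says most mobile services omit. throttle=False reproduces that missing check."""
    def __init__(self, users, throttle=True, clock=time.monotonic):
        self._users = users                  # username -> (salt, pbkdf2 digest)
        self._throttle = throttle
        self._clock = clock
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures

    def _recent_failures(self, user, now):
        q = self._failures[user]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures older than the window
            q.popleft()
        return len(q)

    def login(self, user, password):
        now = self._clock()
        if self._throttle and self._recent_failures(user, now) >= MAX_FAILURES:
            return "locked"                  # refuse before the password is even checked
        salt, digest = self._users.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if user in self._users and hmac.compare_digest(candidate, digest):
            self._failures.pop(user, None)   # a successful login clears the counter
            return "ok"
        self._failures[user].append(now)     # every evaluated wrong guess counts
        return "bad_password"
```

With throttle=False every guess is evaluated, which is the server-side condition the talk tests for; with the default, the sixth attempt inside the window is refused without the password being checked at all.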

Speaker biography:

Dr. Zhiqiang Lin is an Assistant Professor of Computer Science at The University of Texas at Dallas. He earned his PhD from the Computer Science Department at Purdue University in 2011. His primary research interests are systems and software security, with an emphasis on developing program analysis techniques and applying them to secure both application programs, including mobile apps, and the underlying operating systems. Dr. Lin is a recipient of the NSF CAREER Award and the AFOSR Young Investigator Award.
   

Copyright Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University. All rights reserved.