Shuo Chen, Microsoft Research, One Microsoft Way
David Ross, Security Technology Unit, Microsoft, One Microsoft Way
Yi-Min Wang, Microsoft Research, One Microsoft Way

Presentation transcript:

Presented by: Yasser Yahia Abd El-Fattah

- Problem description.
- Related work
- XSS bugs in Java applications.
- The Tahoma Virtual Machine Monitor (VMM).

- Exploiting the interactions between IE and Windows Explorer.
- Exploiting function aliasing.
- Exploiting the excessive expressiveness of frame navigation calls.
- Exploiting the semantics of user events.

- The accent key.
- Accenting and de-accenting.
- Why the XOR operation.
- How to implement the mechanism.

- The mechanism was tested on IE 6 and shown to defeat the different attacks described.
- The mechanism can also be implemented on IE 7, since there is no difference in the relevant structure between the two versions.

- Browsers' isolation mechanisms are critical to users' safety and privacy on the web.
- The talk examined the implementation of IE's domain-isolation mechanism and the previously reported attacks against it.
- It proposed the script accenting technique as a light-weight, transparent defense against these attacks.