Failures of Security APIs: A New Case

Authors

  • Abdalnaser Algwil
  • Jeff Yan
Abstract

We report novel API attacks on a Captcha web service, and discuss lessons that we have learned. In so doing, we expand the horizon of security APIs research by extending it to a new setting. We also show that system architecture analysis is useful both for identifying vulnerabilities in security APIs and for fixing them.

Similar resources

Checking Applications using Security APIs with JOANA

JOANA is a tool for software security analysis, checking up to 100kLOC of full multithreaded Java. JOANA is based on sophisticated program analysis techniques and very precise. JOANA includes a new algorithm guaranteeing probabilistic noninterference, named RLSOD. JOANA needs few annotations, is open source, and was applied in several case studies. The current extended abstract discusses the an...

Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs

School of Engineering and Information Technology, University of New South Wales. Abstract: Usability issues that exist in security APIs cause programmers to embed those security APIs incorrectly to the applications they develop. This results in introduction of security vulnerabilities to those applications. One of...

DAA-Related APIs in TPM 2.0 Revisited

In TPM2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman oracle. In this paper, we measure the practical impact of the SDH oracle in TPM2.0 and show the security strength of these sign...

Formal Analysis of Security APIs

An Application Program Interface (API) is considered a security API when it is designed not only to offer access to functionality but also to enforce a security policy, i.e. no matter what commands are sent to the interface, some security properties continue to hold. They are used, for example, as interfaces to cryptographic hardware modules and smartcards. They are very difficult to design, an...

A Generic Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs

Programmers use security APIs to embed security into the applications they develop. Security vulnerabilities get introduced into those applications, due to the usability issues that exist in the security APIs. Improving usability of security APIs would contribute to improve the security of applications that programmers develop. However, currently there is no methodology to evaluate the usabilit...

Publication date: 2016