CySec members contribute to S&P 2024

The 45th IEEE Symposium on Security and Privacy (S&P) was held in San Francisco from May 20-22, 2024. Established in 1980, it remains the leading forum for showcasing advancements in computer security and electronic privacy. This year, members of CySec contributed to three presentations at this prestigious event.

2024-05-21

Philipp Beer presented “Tabbed Out: Subverting the Android Custom Tab Security Model”, a paper co-authored with Marco Squarcina, Lorenzo Veronese, and Martina Lindorfer. This pioneering study represents the first systematic security evaluation of Android’s Custom Tab component, which is widely used to display web content within apps. Their research uncovered significant flaws in the security design of Custom Tabs, posing severe threats to user security and privacy. These flaws could enable malicious applications to extract sensitive browsing data, violate web session integrity, and facilitate phishing attacks. The impact of their findings extends beyond theoretical concerns: following responsible disclosure, Google implemented several mitigations to address the discovered attack vectors. In recognition of their contributions, the researchers received a $10,000 bug bounty. Additionally, their ongoing collaboration with Google has resulted in significant updates to the Chrome Custom Tabs Security FAQ that clarify its security model.

SecInt and SPyCoDe student Simon Jeanteur presented “CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model,” based on the corresponding published paper. This joint work with other TU Wien researchers, Laura Kovács, Matteo Maffei, and Michael Rawson, introduces the new home-brewed tool, CryptoVampire. This tool breaks new ground in protocol verification by enabling the first fully automated proofs using the innovative Computationally Complete Symbolic Attacker (CCSA) model. This advancement allows for the automatic verification of protocols in a stronger model than was previously possible.

Sebastian Roth contributed to the study “Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research,” alongside Florian Hantke, Rafael Mrowczynski, Christine Utz, and Ben Stock from CISPA Helmholtz Center for Information Security. This study focuses on server-side scanning (3S) on the Web, a crucial but under-researched area for understanding security and privacy risks online. The research team tackled the complexities and ethical dilemmas associated with large-scale server-side vulnerability investigations that can potentially harm servers, disrupt services, and cause financial and reputational damage.

Roth and his colleagues developed five typical scenarios for 3S and conducted extensive qualitative analysis by interviewing 23 legal experts, members of Research Ethics Committees, and website and server operators, primarily using German law as the framework for their study. The team aimed to identify which types of server-side scans are considered acceptable and which actions might cross ethical ‘red lines.’ Furthermore, the team proposes best practices for future 3S research and a pre-registration process to address challenges related to the absence of judicial decisions and clear ethical guidelines. This approach aims to establish a more reliable and transparent environment for server-side scanning research, reducing uncertainty for both researchers and operators and fostering a safer web ecosystem.