WOOT & IEEE S&P: Jordy Gennissen

A while back, I had the pleasure of joining IEEE Security & Privacy (S&P / Oakland) and the Workshop On Offensive Technologies (WOOT) on behalf of Royal Holloway.

In part, this was to present my latest research project at WOOT: an online puzzle game where solutions off-load exploit writers and aid vulnerability severity analysis.


In S&P, Royal Holloway presented multiple more projects.

Guido from the S3Lab presented his work on the formal analysis of web payment APIs. Through their analysis, they found two vulnerabilities that could be leveraged by online vendors to overcharge the customer, e.g. by forcing to pay the required amount with multiple payment methods. The vulnerabilities have been acknowledged and patched, making the world a safer place.

We also had a great (online) presentation from Lenka on security properties of Telegram.They studied the non-conventional symmetric cryptography used in Telegram under normal usage, exploited the flaws, and both propose a fix and prove the effectiveness of their fix.If you're still unsure whether to read their paper: they received the best paper award!


S&P is a known venue that presents good research, but WOOT is not as well known.To give some idea about the atmosphere, I consider it a smaller, more academically focused version of Blackhat: the focus is on practical and clever attacks. In WOOT, the novelty is often in the ingenuity and creativity of the solution, paired with a large amount of work.To illustrate, I'll quickly discuss one presentation from this year called "Interactive History Sniffing with Dynamically-Generated QR Codes and CSS Difference Blending".

In HTML/CSS, we can set the colour of URLs. More interestingly, we can change the text colour based on whether the person visiting the website has already been to that URL. As a CAPTCHA, this has been used to turn 'visited' links to the same colour as the background, rendering the link invisible.With about 10 characters inside the CAPTCHA, each containing one unique link, the CAPTCHA response will tell us exactly what links have been previously visited by our victim.


The paper they presented this year took this idea to the next level.Instead of creating a CAPTCHA, they created a QR code with potentially hundreds of links.Through a clever xor operation built with relative CSS colourisation, the authors managed to create a correct QR code including error-correcting code - no matter what links you have and haven't visited.When scanning the QR code, the attacker knows exactly what links you visited prior (and what computer/smartphone combination has the same user).Although conceptually rather simple, it is very creative and the amount of effort is huge.Truthfully, it inspired me to return to WOOT and enjoy everyone's wit.


Last but not least, I didn't discuss my own research project. I could explain for hours (as I certainly have to some people) but the basic concept lies around solving the heap layout manipulation problem (which is done for heap exploits). We do so by presenting a visual, interactive online puzzle game called Hack the Heap.You can play the game at https://hacktheheap.io/ - where you can find the paper and additional information too.Happy puzzling!



Comments

Popular posts from this blog

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

New Publication: Remote Working and (In)Security?: Amy Ertan

The Artificial Intelligence Monster: Nicola Bates