it - Information Technology

Methods and Applications of Informatics and Information Technology

Editor-in-Chief: Molitor, Paul

6 Issues per year

Online
ISSN
2196-7032
Volume 59, Issue 2 (Apr 2017)


On the misuse of graphical user interface elements to implement security controls

Collin Mulliner (corresponding author; Secure Systems Lab, Northeastern University, 360 Huntington Ave, Boston, MA, 02115, United States of America), William Robertson, Engin Kirda
Published Online: 2017-03-15 | DOI: https://doi.org/10.1515/itit-2016-0036

Abstract

GUIs are the predominant means by which users interact with modern programs. A GUI contains a number of common visual elements, or widgets, such as buttons, text fields, and lists, and GUI toolkits typically allow a program to change attributes on these widgets to control their visibility and behavior. While these attributes are extremely useful for providing visual cues that guide users through an application's GUI, they can also be misused for purposes for which they were not intended. In particular, in GUI-based applications that include multiple privilege levels within the application, GUI element attributes may be misused as a mechanism for enforcing access control policies. This work presents a method to detect the misuse of user interface elements to implement access control. It is based on our earlier work¹, which introduced the vulnerability class we refer to as GEMs, or instances of GUI element misuse. Using our GEM detection method we discovered previously unknown vulnerabilities in several applications.

Keywords: Vulnerability analysis; graphical user interfaces; access control

ACM CCS: Security and privacy→Software and application security→Software security engineering
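The abstract describes the pattern in the abstract: a privileged action is reachable through a widget, and the only thing keeping a low-privilege user away from it is the widget's enabled or visible attribute. The following is an added illustration, not code from the paper or from any application it analyzed. It models a button with the two attributes GEMs abuse, shows a vulnerable UI next to a hardened one whose handler re-checks the policy, and includes a simple differential check (an assumption about how such misuse could be probed, not the authors' detection method): widgets whose state differs between a "user" and an "admin" session are forced on and clicked as the low-privilege user, and the action either goes through (a GEM) or is refused by the handler. Role names, session fields and widget names are all invented for the example.

```python
"""Illustrative GEM (GUI element misuse): a widget's enabled/visible flags used
as the only access-control check, beside a hardened variant, and a differential
check that tells the two apart. Added example, not the paper's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Session:
    user: str
    role: str                      # "user" or "admin" (assumed role names)
    audit: List[str] = field(default_factory=list)


@dataclass
class Widget:
    """Minimal stand-in for a toolkit button with the attributes GEMs abuse."""
    name: str
    on_click: Callable[[Session], str]
    enabled: bool = True
    visible: bool = True

    def click(self, session: Session) -> str:
        # The toolkit's own guard: a disabled or hidden widget ignores input.
        # Nothing stops a client with UI-automation or accessibility access
        # from flipping these flags back on before clicking.
        if not (self.enabled and self.visible):
            raise PermissionError(f"{self.name} is disabled or hidden")
        return self.on_click(session)


def refresh(session: Session) -> str:
    return "refreshed"


# --- vulnerable: the privilege check lives only in the widget attribute ---
def delete_all_records_vuln(session: Session) -> str:
    session.audit.append(f"{session.user} deleted all records")
    return "deleted"


def build_vulnerable_ui(session: Session) -> Dict[str, Widget]:
    delete_btn = Widget("delete_all", delete_all_records_vuln)
    delete_btn.enabled = session.role == "admin"   # the only access check
    return {"refresh": Widget("refresh", refresh), "delete_all": delete_btn}


# --- hardened: the handler enforces the policy; the attribute is a cue only ---
def delete_all_records_hardened(session: Session) -> str:
    if session.role != "admin":
        raise PermissionError("admin role required")
    session.audit.append(f"{session.user} deleted all records")
    return "deleted"


def build_hardened_ui(session: Session) -> Dict[str, Widget]:
    delete_btn = Widget("delete_all", delete_all_records_hardened)
    delete_btn.enabled = session.role == "admin"   # visual cue, not the check
    return {"refresh": Widget("refresh", refresh), "delete_all": delete_btn}


def find_gems(build_ui: Callable[[Session], Dict[str, Widget]]) -> List[str]:
    """Differential check (illustrative, not the paper's method): widgets whose
    enabled/visible state changes with the role are candidate privilege gates.
    Force each one on and click it as the low-privilege user; if the action
    succeeds, the attribute was the only control and the widget is a GEM."""
    low, high = Session("mallory", "user"), Session("alice", "admin")
    low_ui, high_ui = build_ui(low), build_ui(high)
    gems: List[str] = []
    for name, w_low in low_ui.items():
        w_high = high_ui[name]
        if (w_low.enabled, w_low.visible) == (w_high.enabled, w_high.visible):
            continue                           # not role-dependent, not a gate
        w_low.enabled = w_low.visible = True   # what an automation client can do
        try:
            w_low.click(low)
            gems.append(name)
        except PermissionError:
            pass                               # handler enforced the policy itself
    return gems


if __name__ == "__main__":
    print("vulnerable UI GEMs:", find_gems(build_vulnerable_ui))   # ['delete_all']
    print("hardened UI GEMs:  ", find_gems(build_hardened_ui))     # []
```

The point of the hardened variant is not that the button stops being greyed out for non-admins (it still is, as a usability cue) but that the handler behind it no longer trusts the widget state: the same check that decides the attribute is repeated at the point where the privileged operation actually runs.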

About the article

Collin Mulliner

Collin Mulliner is a software engineer and security researcher. His main interests are operating system security and mobile device security. Collin received a Ph.D. from the Technische Universität Berlin in 2011, and an M.S. and a B.S. in computer science from UC Santa Barbara and FH-Darmstadt, respectively.

Secure Systems Lab, Northeastern University, 360 Huntington Ave, Boston, MA, 02115, United States of America

William Robertson

William Robertson is an Assistant Professor of computer science at Northeastern University and co-directs the Northeastern Systems Security Lab. Professor Robertson's research revolves around improving the security of operating systems, mobile devices, and the web, as well as making use of techniques such as security by design, program analysis, and anomaly detection.

Secure Systems Lab, Northeastern University, 360 Huntington Ave, Boston, MA, 02115, United States of America

Engin Kirda

Engin Kirda is a Professor of Computer Science and Engineering at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. He is also a co-founder and Chief Architect at Lastline, Inc., a company specializing in advanced malware detection and defense.

Secure Systems Lab, Northeastern University, 360 Huntington Ave, Boston, MA, 02115, United States of America


Received: 2016-08-01

Revised: 2016-11-30

Accepted: 2016-12-14

Published Online: 2017-03-15

Published in Print: 2017-04-20


Citation Information: it - Information Technology, ISSN (Online) 2196-7032, ISSN (Print) 1611-2776, DOI: https://doi.org/10.1515/itit-2016-0036.


©2017 Walter de Gruyter Berlin/Boston. Copyright Clearance Center
