Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces

Presented at Kiwicon X: The Truth is In Here (2016), Nov. 17, 2016, 11:30 a.m. (30 minutes)

Graphical user interfaces (GUIs) contain a number of common visual elements or widgets such as labels, text fields, buttons, and lists. GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies. In this session, we introduce GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. We present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. We then present GEM Miner, an implementation of our GEM analysis for the Windows platform. We evaluate GEM Miner using real-world GUI-based applications that target the small business and enterprise markets, and demonstrate the efficacy of our analysis by finding numerous previously unknown access control vulnerabilities in these applications.


  • Collin Mulliner
    Collin Mulliner is a systems security researcher with focus on software components close to the operating system and kernel. In the past he spent most of his time working on mobile and embedded systems with an emphasis on mobile and smart phones. Collin is interested in vulnerability analysis and offensive security as he believes that in order to understand defense you first have to understand offense. Collin received a Ph.D. from the Technische Universitaet Berlin in 2011, and a M.S. and B.S. in computer science from UC Santa Barbara and FH-Darmstadt. Lately Collin switched his focus to the defensive side to work on mitigations and countermeasures. Collin is also co-author of The Android Hacker's Handbook.


Similar Presentations: