Security of User Interfaces: Attacks and Countermeasures


Date

2017

Publication Type

Doctoral Thesis

ETH Bibliography

yes

Abstract

User interfaces (UIs) are the means through which we interact with computer systems, and users perform both simple and critical tasks through them. For example, users visit their daily news portals, but also perform e-banking payments through user interfaces. Medical doctors use them to operate safety-critical devices such as respirators, implanted medical device programmers, etc. Given that safety- and security-critical tasks are performed through such user interfaces, it is important to secure them against attacks. Therefore, the goal of this thesis is to (1) better understand the security problems of modern user interfaces, and (2) propose novel defenses against damaging user interface attacks. There is a plethora of known user interface attack approaches that launch attacks from, e.g., a malicious application running on the target device, or from malicious peripherals (e.g., a mouse or a keyboard). Such attacks can, for example, infer user input or inject malicious input into the system. However, they commonly suffer from accuracy issues or limited attack applicability. Different systems for detecting user interface attacks have also been proposed. However, they are commonly vulnerable to evasion through simple obfuscation attacks. In this thesis, we address these shortcomings and make the following contributions. First, we propose two new user interface attacks that are accurate, hard to detect, and enable previously unreachable attack scenarios. Second, we propose two new systems for detecting a particularly damaging and effective user interface attack --- phishing. Our systems are based on visual similarity and are resilient to obfuscation.

Publication status

published

Contributors

Examiner : Capkun, Srdjan
Examiner : Butler, Kevin
Examiner : Enck, William
Examiner : Kapadia, Apu
Examiner : Perrig, Adrian

Publisher

ETH Zurich

Organisational unit

03755 - Capkun, Srdan
