Countering Automated Exploits with System Security CAPTCHAS

  • Dinan Gunawardena
  • Jacob Scott
  • Alf Zugenmaier
  • Austin Donnelly
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4631)


Many users routinely log in to their system with system administrator privileges. This is especially true of home users. The advantage of this setup is that these users can do everything necessary to fulfil their tasks with the computer. The disadvantage is that every program running in the user's context can make arbitrary modifications to the system. Malicious programs and scripts often take advantage of this and silently change important parameters. We propose to verify that these changes were initiated by a human by a ceremony making use of a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). We compare this approach with other methods of achieving the same goal, i.e. passwords, secure path and access control based on zone of origin of the code.
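The following is an added illustration of the kind of ceremony the abstract describes, not code from the paper: a guarded component only applies a system change when a human has solved a challenge, and the resulting token is bound to that exact change, time-limited and single use, so a solved CAPTCHA cannot be replayed by software for a different modification. The class, method names and the plain-string challenge standing in for a distorted image are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string
import time

# Key known only to the guarded component (constructed here; a deployment would protect it).
_KEY = secrets.token_bytes(32)
_CHALLENGE_TTL = 60.0  # seconds a solved challenge stays valid for the change it was issued for
_ALPHABET = string.ascii_lowercase + string.digits


def _bind(param, value, nonce):
    """MAC over the exact change, so one solved CAPTCHA cannot be reused for another change."""
    msg = b"\x00".join(s.encode() for s in (param, value, nonce))
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()


class CaptchaCeremony:
    def __init__(self):
        self._pending = {}   # nonce -> (param, value, answer, issued_at)
        self._used = set()   # nonces whose token has already been spent (single use)

    def challenge(self, param, value):
        """Start the ceremony for one proposed change; returns the challenge nonce."""
        nonce = secrets.token_hex(8)
        answer = "".join(secrets.choice(_ALPHABET) for _ in range(6))
        self._pending[nonce] = (param, value, answer, time.time())
        return nonce

    def render_for_human(self, nonce):
        """Stand-in for the distorted image shown to the person (hypothetical simplification)."""
        return self._pending[nonce][2]

    def solve(self, nonce, response):
        """Check the answer once; on success return a token bound to the original change."""
        entry = self._pending.pop(nonce, None)  # a wrong answer consumes the challenge: no retries
        if entry is None:
            return None
        param, value, answer, issued_at = entry
        if time.time() - issued_at > _CHALLENGE_TTL or not hmac.compare_digest(response, answer):
            return None
        return nonce + ":" + _bind(param, value, nonce)

    def apply(self, settings, param, value, token):
        """Apply the change only with an unused token minted for exactly this param and value."""
        nonce, _, mac = token.partition(":")
        if nonce in self._used or not hmac.compare_digest(mac, _bind(param, value, nonce)):
            return False
        self._used.add(nonce)
        settings[param] = value
        return True
```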







Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Dinan Gunawardena, Microsoft Research Cambridge, UK
  • Jacob Scott, UC Berkeley, CA, USA
  • Alf Zugenmaier, DoCoMo Euro-Labs, Munich, Germany
  • Austin Donnelly, Microsoft Research Cambridge, UK
