
Failures of Security APIs: A New Case

Conference paper in: Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9603)

Abstract

We report novel API attacks on a Captcha web service, and discuss lessons that we have learned. In so doing, we expand the horizon of security APIs research by extending it to a new setting. We also show that system architecture analysis is useful both for identifying vulnerabilities in security APIs and for fixing them.



Acknowledgement

We thank Butler Lampson for inspiring conversations, Yu Guan for assistance, and anonymous reviewers for helpful comments.

Author information

Correspondence to Jeff Yan.

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Algwil, A., Yan, J. (2017). Failures of Security APIs: A New Case. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_17

  • DOI: https://doi.org/10.1007/978-3-662-54970-4_17
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-662-54969-8
  • Online ISBN: 978-3-662-54970-4