Authors
Luka Malisa
Publication date
2017
Institution
ETH Zurich
Description
User interfaces (UIs) are the means through which we interact with computer systems, and users perform both simple and critical tasks through such user interfaces. For example, users visit their daily news portals, but also perform e-banking payments through user interfaces. Medical doctors use them to operate safety-critical devices such as respirators, implanted medical device programmers, etc. Given that safety- and security-critical tasks are performed through such user interfaces, it is important to secure them against attacks. Therefore, the goal of this thesis is to (1) better understand the security problems of modern user interfaces, and (2) propose novel defenses against damaging user interface attacks. There is a plethora of known user interface attack approaches that launch attacks from, e.g., a malicious application running on the target device, or from malicious peripherals (e.g., a mouse or a keyboard). Such attacks can, for example, infer user input or inject malicious input into the system. However, they commonly suffer from accuracy issues or limited attack applicability. Different systems for detecting user interface attacks have also been proposed. However, they are commonly vulnerable to evasion through simple obfuscation attacks. In this thesis, we address these shortcomings and make the following contributions. First, we propose two new user interface attacks that are accurate, hard to detect, and enable previously unreachable attack scenarios. Second, we propose two new systems for detecting a particularly damaging and effective user interface attack --- phishing. Our systems are based on visual similarity and are resilient to …
Total citations
[Chart: citations per year, 2019 to 2024]