UI and security: two sides of the story
In this talk, I will mainly discuss the (in)security of UI as well as how UI can be leveraged to improve systems security.
New UI features often introduce security vulnerabilities in the underlying operating systems. I will describe an evaluation of accessibility support for four of the most popular computing platforms: Windows, Linux, iOS, and Android. I will outline new attacks that can bypass state-of-the-art defense mechanisms deployed on these OSs, including User Account Control, the Yama security module, the iOS sandbox, and the Android sandbox.
I will then describe a new systems mechanism called the security overlay, which intercepts user input and application output and displays the relevant data on an overlay window drawn directly on top of the application's UI. For example, the security overlay for a web-based email client can ensure that the user sees and confirms that the text shown on the overlay is really their message, and that the outgoing email payload matches that text. We call this the "what you see is what you send" (WYSIWYS) policy.
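As an added illustration of the WYSIWYS policy (this is example code written for this page, not the talk's security overlay implementation), the snippet below models the mediation step in Python. It assumes two things not stated in the abstract: that the overlay keeps a record of exactly what it rendered and whether the user approved it, and that the outgoing request is JSON with a hypothetical `{"to": [...], "subject": ..., "body": ...}` schema. The check canonicalizes both sides (Unicode normalization, line endings, trailing whitespace) so cosmetic differences do not cause false rejections, and it treats any field the overlay never showed the user, such as an injected `bcc` list, as a violation. All sample messages are constructed.

```python
"""Toy WYSIWYS ("what you see is what you send") check.

Example code for this page; not the talk's implementation. Assumes an overlay
record of what the user saw and a hypothetical JSON request schema.
"""
import json
import unicodedata
from dataclasses import dataclass
from typing import List, Tuple

# Fields the overlay renders; anything else in the payload was never shown.
SHOWN_FIELDS = {"to", "subject", "body"}


@dataclass
class OverlayRecord:
    """What the overlay displayed, plus whether the user approved it."""
    to: List[str]
    subject: str
    body: str
    approved: bool = False


def canonical(text: str) -> str:
    """Normalize Unicode, line endings and trailing whitespace before comparing."""
    text = unicodedata.normalize("NFC", text).replace("\r\n", "\n")
    return "\n".join(line.rstrip() for line in text.split("\n")).strip()


def check_outgoing(record: OverlayRecord, raw_payload: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). The send is allowed only with an empty reasons list."""
    reasons: List[str] = []
    if not record.approved:
        reasons.append("user has not approved the overlay contents")
    try:
        msg = json.loads(raw_payload)
    except json.JSONDecodeError:
        return False, reasons + ["payload is not the expected JSON"]
    if not isinstance(msg, dict):
        return False, reasons + ["payload is not a JSON object"]

    # Anything the user was never shown (e.g. a hidden bcc) is a violation.
    extra = set(msg) - SHOWN_FIELDS
    if extra:
        reasons.append(f"fields never shown to the user: {sorted(extra)}")
    if sorted(msg.get("to", [])) != sorted(record.to):
        reasons.append("recipient list differs from what the overlay showed")
    if canonical(msg.get("subject", "")) != canonical(record.subject):
        reasons.append("subject differs from what the overlay showed")
    if canonical(msg.get("body", "")) != canonical(record.body):
        reasons.append("body differs from what the overlay showed")
    return not reasons, reasons


# Constructed sample data: what the overlay showed, and three candidate payloads.
SAMPLE_RECORD = OverlayRecord(
    to=["alice@example.org"],
    subject="Meeting",
    body="See you at 10.\r\n",
    approved=True,
)
PAYLOAD_OK = json.dumps(
    {"to": ["alice@example.org"], "subject": "Meeting", "body": "See you at 10.\n"}
)
PAYLOAD_HIDDEN_BCC = json.dumps(
    {"to": ["alice@example.org"], "subject": "Meeting", "body": "See you at 10.\n",
     "bcc": ["mallory@example.net"]}
)
PAYLOAD_TAMPERED = json.dumps(
    {"to": ["alice@example.org"], "subject": "Meeting",
     "body": "See you at 10. Please wire the deposit today.\n"}
)

if __name__ == "__main__":
    for name, payload in [("ok", PAYLOAD_OK), ("hidden bcc", PAYLOAD_HIDDEN_BCC),
                          ("tampered body", PAYLOAD_TAMPERED)]:
        allowed, why = check_outgoing(SAMPLE_RECORD, payload)
        print(f"{name}: {'SEND' if allowed else 'BLOCK'} {why}")
```

The comparison is deliberately on canonical plain text; a real overlay for an HTML mail client would also have to reject markup that renders invisibly (hidden elements, zero-width characters) rather than only diffing strings, since that is precisely the gap between what the user sees and what is sent.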
I will also give a brief overview of my (other) research projects and future directions.