Elie Bursztein

Born: France
Residence: US
Nationality: French
Fields: Computer Security
Institutions: Stanford University
Alma mater: École Normale Supérieure de Cachan, 2008
Doctoral advisor: Jean Goubault-Larrecq
Known for: CAPTCHA security, web security, applied cryptography

Elie Bursztein is a French security researcher who focuses on web[p 1], mobile[r 1] and offensive security[p 2]. He is best known for his work on CAPTCHA[p 3],[p 4], his novel attacks[p 5] and his creative use of applied cryptography[p 6]. Elie Bursztein is currently a post-doctoral fellow at Stanford University in California, US.

Education

Elie Bursztein obtained his computer engineering degree from EPITA in 2004, his master's degree in computer science from Paris 7/ENS in 2004 (under the supervision of Patrick Cousot) and his PhD in computer science from École Normale Supérieure de Cachan in 2008 (under the supervision of Jean Goubault-Larrecq). His PhD thesis, titled "Anticipation games. Théorie des jeux appliqués à la sécurité réseau" (Anticipation games. Game theory applied to network security), showed how to combine model-checking, temporal logic and game theory to find the optimal responses to network attacks.

Research

In addition to his work on CAPTCHA security, Bursztein's other contributions to the security field include the analysis of DPAPI and the invention of the XCS attacks[p 7] and HTTPS caching attacks[p 2]. In 2010, with Jocelyn Lagarenne, he demonstrated novel memory-based attacks against games at Defcon 18[r 2] and devised, with Mike Hamburg and Dan Boneh, the first defense against map hacking using homomorphic encryption[p 6].

CAPTCHA

Bursztein's research on CAPTCHA aims at making CAPTCHAs easier for humans and harder for computers. In 2009, Bursztein showed with Steven Bethard that eBay audio CAPTCHAs were broken[p 4]. In 2010, he studied with S. Bethard, C. Fabry, D. Jurafsky and J. C. Mitchell how humans perform on real-world CAPTCHAs by running a large-scale study[p 3]. In 2011, he demonstrated with R. Bauxis, H. Paskov, D. Perito, C. Fabry and J. Mitchell that all non-continuous audio CAPTCHAs are broken[p 8].

Web security

Some of his notable achievements in web security include:

Applied Cryptography

In 2009, Bursztein presented the first complete analysis of the Microsoft DPAPI with Jean Michel Picod[p 5]. In 2011, with J. Lagarenne, M. Hamburg and D. Boneh, he used private set intersection protocols to defend against game map hacking[p 6].

Awards

In 2010, Bursztein came 4th in the 2010 top ten web hacking techniques for his HTTPS caching attack technique[r 6], and in 2008 he received the WISPT best paper Award.

Research publications

  1. G. Aggarwal, E. Bursztein, C. Jackson, D. Boneh (2010). "An Analysis of Private Browsing Modes in Modern Browsers". 19th Usenix Security Symposium. Usenix. http://ly.tl/p16.
  2. Elie Bursztein, et al. (August 2009). "Bad memories". Blackhat USA 2010. http://elie.im/talks/bad-memories.
  3. E. Bursztein, S. Bethard, C. Fabry, D. Jurafsky, J. C. Mitchell (2010). "How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation". Symposium on Security and Privacy (S&P), 2010. IEEE. p. 399-413. doi:http://doi.ieeecomputersociety.org/10.1109/SP.2010.31. http://ly.tl/p11.
  4. E. Bursztein, S. Bethard (2009). "Decaptcha: Breaking 75% of eBay Audio CAPTCHAs". 3rd USENIX Workshop on Offensive Technologies. Usenix. http://ly.tl/p6a.
  5. Jean Michel Picod and Elie Bursztein (2010). "Reversing DPAPI and Stealing Windows Secrets Offline". Blackhat. http://ly.tl/t6.
  6. E. Bursztein, M. Hamburg, J. Lagarenne, D. Boneh (2011). "OpenConflict: Preventing Real Time Map Hacks in Online Games". Symposium on Security and Privacy (S&P), 2011. IEEE. http://ly.tl/p19.
  7. H. Bojinov, E. Bursztein, D. Boneh (2009). "XCS: cross channel scripting and its impact on web applications". 16th ACM conference on Computer and communications security. ACM. p. 420-431. http://ly.tl/p7.
  8. E. Bursztein, R. Bauxis, H. Paskov, D. Perito, C. Fabry, J. C. Mitchell (2011). "The Failure of Noise-Based Non-Continuous Audio Captchas". Symposium on Security and Privacy (S&P), 2011. IEEE. http://ly.tl/p18.
  9. G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". 3rd Web 2.0 Security and Privacy workshop. IEEE. http://ly.tl/p12.

Other references
