Bachelor- and Master-Seminar CISPA Staff

Registration for this course is open until Sunday, 02.10.2050 23:59.

News

31.07.2020

Next Seminar on 05.08.2020

Dear All,

the next seminar(s) take place on 5.8. at 14:00.
As a reminder: If you hold a talk you have to upload your information one week in advance which means on *Wednesday* before the talk.

Session A:
Annika Carolin Grieser - Finn Hermeling - Johannes Lampel

https://zoom.us/j/95592194795?pwd=MUpKZHFoU0RUM05ZMjZUNldjUUJGQT09

Meeting-ID: 955 9219 4795
Passcode: 0s^udk


Session B:
Daniel Weber - Noah Mauthe - Niklas Medinger

https://zoom.us/j/93291128233?pwd=UTJhU05PbXRhWmU0MWlXZDZEYk5EQT09

Meeting-ID: 932 9112 8233
Passcode: 2z^GF+



Session A:

14:00-14:30 

Speaker: Annika Carolin Grieser

Title: Exploratory evaluation of a methodology of in-situ data collection using a modified Mycroft

Kind of Talk: Bachelor Thesis Intro Talk

Advisor: Dr. Katharina Krombholz

Abstract:

Artificial Intelligence is included almost everywhere in daily life. You can ask smart
speakers to do some shopping for you, to control smart homes or even to tell you some
news. This technique not only brings advantages but also carries some risks. Several
studies have shown possible attacks and privacy lacks of these devices. In-situ studies are
often conducted to shed light on user behaviour in this context. The data collection is a
challenge for each in-situ study. It becomes even harder in smart speaker in-situ studies.
The huge challenge is the sensitivity of the data. Logging every user conversation is
inconceivable for ethical reasons. Other methodologies are not satisfactory either because
they have disadvantages such as a large time gap between usage and survey or the need
to artificially intervene in the in-situ process.
The presented Bachelor thesis performs an exploratory evaluation of a new tool which
should ease the data collection process in an in-situ study with a smart speaker. This
tool is integrated in an open-source smart speaker called 'Mycroft'. It offers the ability of
surveying the user in between his usage process with the smart speaker. The goal of this
thesis is to evaluate this tool with respect to its abilities, capabilities and configurations
in a security and privacy context.

 
14:30-15:00

Speaker: Finn Hermeling
Type of talk: Bachelor Thesis Outro Talk
Advisor: Stefan Nürnberger
Title: Automated Semantic Labeling For Unstructured And Unknown CAN Traffic

Abstract:
In automotive networking the Controller Area Network (CAN) standard is widely used. Car manufacturers use secret protocols to let devices communicate over this bus. Since all devices (including infotainment systems or telematic units) are physically connected to the same bus, attack vectors are being exposed and privacy concerns raised. In order to estimate the gravity of the situation and to solve these problems, it is necessary to reveal the obscure contents of CAN messages. The thesis will discuss challenges an automated labeling system for data in CAN messages faces and analyze the possibilities to solve them using machine learning. In this talk different aspects of solving these challenges are shown and various approaches evaluated and compared using both qualitative and quantitative methods.

 

15:00-15:30

Speaker: Johannes Lampel
Type of talk: Master Intro
Advisor: Sascha Just
Supervisor: Andreas Zeller
Title: Run Flake Run

Abstract:
Flaky tests and their manifestation in intermittent failures plague the continuous integration process in small and large projects alike. In big companies like Google or Microsoft, the manifestation of an intermittent failure is especially costly since it causes builds, which can take several hours, to fail. To combat this problem, research and industry have come up with several approaches. Reruns, meaning a failing test is automatically rerun when it fails, are most commonly used in big companies today. In this talk, I will talk about our ideas on how we want to investigate the effectiveness of reruns in combatting intermittent failures, as well as ideas on how to make reruns more effective.

Session B:

14:00-14:30

Speaker: Daniel Weber
Type of talk: Bachelor Introduction
Advisor: Ahmad Ibrahim
Title: Using Fuzzing to Identify x86 Leak Sequences for Timing Side Channels

Abstract:
In 2017 Meltdown and Spectre showed that we must not rely on the assumption that computer hardware is without vulnerabilities. Since then we saw various other attacks against CPU microarchitectures. These so-called transient execution attacks often rely on a covert or side channel to make microarchitectural state observable from the architectural world.

While mainly the CPU cache is abused as a side channel in such attacks, we are aware of the existence of other side channels. Each new channel is a new way for adversaries to hide their traces and mitigate existing work to detect and prevent transient execution attacks. Therefore, identifying side channels is a key element to reliably defend against their exploitation. To aid the ultimate goal of mitigating the threat coming from such attacks, this work tries to find more microarchitectural side channels in an automated manner. We develop a fuzzer that instead of testing a software component directly fuzzes the hardware it is running on. Our fuzzer will execute various combinations of instructions from the x86 ISA and observe the behavior of these with the ultimate goal of finding instructions that span novel timing side channels.

14:30-15:00

Speaker: Noah Mauthe
Type of talk: Bachelor Thesis final talk
Advisor: Ulf Kargén, Christian Rossow
Title: Studying the Prevalence of Anti-Decompilation Techniques in Malicious and Benign Android Applications


Abstract:

Android applications are comparatively easy to reverse engineer and are thus often
plagiarized. To protect against this threat, recent years have seen an overall increase
in obfuscation deployment in the Android ecosystem as well as numerous studies on
the subject. As most of these studies target obfuscation techniques that harden an
app against manual analysis, but not against decompilation per se, we investigate the
prevalence of anti-decompilation measures in Android applications in its current state
by employing decompilability as a proxy. By analyzing, respectively, commercial, open-
source and malware applications, we provide a comprehensive overview on the subject.
We discovered noticeable differences in decompilation failure rates between the three data
sources. Specifically, we note an increase in failure rates from open-source to commercial
and from commercial to malware applications. Nevertheless, our findings show an
unexpectedly small discrepancy in decompilability for all three datasets, warranting
further investigation in future work.

15:00-15:30

Speaker: Niklas Medinger

Title: Exploring Automatic Lemma Generation for the Tamarin Prover
Thesis Type: Bachelor Thesis
Talk Type: Intro Talk
Supervisor: Cas Cremers
Abstract:

Security protocols are all around us. Their applications range from securing the messages
we send via apps to protecting the passwords we use to log into our bank accounts.
As a result, these protocols need to be reliable and secure. One way to achieve this
is to formally model and verify protocols with verification tools such as ProVerif or
the Tamarin prover. Unfortunately, modeling a protocol and verifying its desired
security properties takes, depending on its complexity, up to months of work.
Since the desired security properties are often not automatically provable by the
tool, a major part of this process involves the step-wise refinement of intermediate
statements that, ultimately, imply the desired security properties. Aiming to cut down
the time and manual work needed to formally verify a protocol, this thesis identifies
common patterns in lemmas needed to verify protocols with the Tamarin prover, develops
an algorithm to automatically generate these lemmas, and evaluates its effect on the
time needed to prove the security properties of protocols.

17.07.2020

Next Seminar on 22.7.2020

Dear All,

the next seminar(s) take place on 22.7. at 14:00. There will now be two sessions run in parallel. (Updated date and zoom links!)

Session A:
Aftab Alam - Tsvetelina Ilieva - Askar Zaitov

https://zoom.us/j/95780486058


Session B:
Finn Hermeling - Vladislav Skripniuk - Virab Gevorgyan

https://zoom.us/j/94099172188



Session A:

14:00-14:30 

Speaker: Aftab Alam
Type of talk: Final Master thesis Talk
Advisor: Dr.-Ing. Sven Bugiel
Title: Studying and improving WebAuthn Usability

Abstract:
FIDO2 or FIDO2.0 is a new project that supersedes the previous U2F open standard,
developed jointly by the FIDO Alliance and the W3C to promote simpler and stronger
authentication on the web using public-key cryptography. WebAuthn — short for Web
Authentication, being a W3C standard, is the core component of FIDO2 protocol that
found rapid adoption among the major browser vendors as well as among the top web
services, like Google, Microsoft, Dropbox, and GitHub. Thus, FIDO2 is a very strong
contender for finally tackling the problem of insecure user authentication on the web.
However, there remain several open questions to be answered for FIDO2 to succeed
as expected. The past has, unfortunately, shown that software developers struggle
with correctly implementing or using security-critical APIs, such as TLS/SSL, password
storage, or cryptographic APIs. Based on our prior work, which also resulted in a poster
at CCS’19, we identified some of the perilous usability issues from the developers’ perspective.
As a result, these findings and developers’ problems in other domains motivated us to
study and improve WebAuthn usability.

In this thesis, we present the first qualitative usability study with seven developers who
were recruited online and they attempted to configure the registration and authentication
parameters for a 2FA use case for WebAuthn. Through the collected data, we identified
potential usability issues that hindered them in this task. Our results show that the
usability issues are related to the scarcity of proper documentation and misconceptions
that developers have. They perceived that WebAuthn deployment is not an easy task
and demanded to have better developer support in terms of documentation, high-level
open-source libraries and additional tool support for establishing FIDO2 as a de-facto
authentication solution.

14:30-15:00

Speaker: Tsvetelina Ilieva
Type of talk: Intro Talk
Advisor: Prof. Andreas Zeller
Title: Accessible Classifier Decisions using SHAP

Abstract: Being able to fully interpret a classifier’s prediction has many benefits - increasing trust in the model, improving the model and last but not least extracting previously unknown patterns from the data. Luckily, during the last few years a lot of progress has been made in the field of Explainable AI. Especially approaches like SHAP have taken us one step closer to solving the difficult but crucial task of explaining a model’s decision. It is however just as important to have an easily understandable but still informative visualization of the model’s explanation. In this work, we identify the shortcomings and potential pitfalls in the existing visualization of SHAP and propose a new, more intuitive and more informative visualization. Our goal is to make the visualization easier to understand for non-professionals and professionals alike in order to help them during feature engineering and pattern mining.

15:00-15:30

Speaker: Askar Zaitov
Title: Mitigating test flakiness through Record & Replay
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Jenny Rau
Talk type: Master Proposal talk

Abstract:
Flakiness is one of the most challenging problems in the test field. Dealing with test flakiness can be annoying to any developer due to an unpredictable outcome (pass or fail) despite executing unaltered code. The reasons for flaky tests may be different: from problems with Android OS version or library compatibility to differences in environmental conditions (advertisement, location, random numbers, some elements triggering on specific dates, with specific network responses, etc.). In this master thesis, we will try to address test flakiness using a record and replay approach, which focuses on non-deterministic behavior of Android applications and environmental changes as factors causing test flakiness. Our approach suggests recording and saving the environmental conditions and then replaying, trying to mock the previously recorded environment, to see if applications' models changed between different runs.

Session B:

14:00-14:30

Speaker: Finn Hermeling
Type of talk: Bachelor Thesis Intro Talk
Advisor: Dr. Stefan Nürnberger
Title: Automated Semantic Labeling For Unstructured And Unknown CAN Traffic

Abstract:

In automotive networking the Controller Area Network (CAN) standard is widely used. Car manufacturers use secret protocols to let devices communicate over this bus. Since all devices (including infotainment systems or telemetric units) are physically connected to the same bus, attack vectors are being exposed and privacy concerns raised. In order to estimate the gravity of the situation and to solve these problems, it is necessary to reveal the obscure contents of CAN messages. The thesis will discuss challenges an automated labeling system for data in CAN messages faces and analyze the possibilities to solve them using machine learning. Furthermore, software is developed that, given segmented CAN messages, is able to correlate fields in messages of different cars.
 

14:30-15:00

Speaker: Vladislav Skripniuk
Type of talk: Introductory
Advisor: Prof. Dr. Mario Fritz
Title: Black-box Watermarking for Generative Adversarial Networks

Abstract: As companies start using deep learning to provide value to their customers, the demand for solutions to protect the ownership of trained models becomes evident. Several watermarking approaches have been proposed for protecting discriminative models. However, rapid progress in the task of photorealistic image synthesis, boosted by Generative Adversarial Networks (GANs), raises an urgent need for extending protection to generative models.

We propose the first watermarking solution for GAN models. We leverage steganography techniques to watermark GAN training dataset, transfer the watermark from the dataset to GAN models, and then verify the watermark from generated images. In the experiments, we show that the hidden encoding characteristic of steganography allows preserving generation quality and supports the watermark secrecy against steganalysis attacks. We validate that our watermark verification is robust in wide ranges against several image perturbations. Critically, our solution treats GAN models as an independent component: watermark embedding is agnostic to GAN details and watermark verification relies only on accessing the APIs of black-box GANs.

We further extend our watermarking applications to generated image detection and attribution, which delivers a practical potential to facilitate forensics against deep fakes and responsibility tracking of GAN misuse.

15:00-15:30

Speaker: Virab Gevorgyan
Type of talk: Introductory
Advisor: PD Dr. Swen Jacobs
Title: Cutoffs for Parameterized Broadcast Protocols

Abstract: The occurrence of growingly complex reactive systems in increasingly critical areas induces the necessity of automated verification techniques (e.g. model checking). Furthermore, the correctness of some designs needs to be verified independently of the system size. An important subclass of such designs used in a lot of distributed and parallel applications are the Parameterized Broadcast Protocols (PBPs): systems composed of a finite, but arbitrarily large number of identical processes that communicate with each other via broadcast messages.
We develop software to compute cutoffs (number of processes sufficient to prove or disprove a property of a parameterized system) for PBPs. We generate random samples of processes of different number of states and investigate their cutoffs for reachability and mutual exclusion properties. We see that, though in general cutoffs can be quite large, for most applications they are small. Moreover, we identify sufficient conditions and necessary conditions to achieve small cutoffs in PBPs.

 

Bachelor- and Master-Seminar

The seminar is currently held bi-weekly on Wednesdays in the even calendar weeks, with two Zoom sessions running in parallel from 14:00-15:30. The upcoming talks will be announced here.

To book your date please use:
https://calendly.com/bamaseminar/
or
https://calendly.com/bamaseminar2/


If possible, simply book the time that suits you. If you don't need any specific time, you can try to book 14:30, as some students need either the 14:00 or the 15:00 slot. In rare cases, we will have to move talks within the day, so please indicate which times you would be available. Please coordinate the times with your advisor such that no two students of the same advisor book the same time.

You are required to upload information about your talk as a submission (see: Personal Status) up to one week before the time of the talk. You can find an info form to fill out in the materials section. Submission as a .txt would be preferred.

 

Also let us explain the course modalities.

The conditions for passing the Bachelor- and Master-Seminar are:

  • An introductory talk
  • 5 attendances of the seminar
  • A finishing talk

You get a certificate and the grade for this course from your advisor. The advisor can contact us to check whether you meet all the passing conditions and to get a template for the certificate.


