News
Next Seminar on 11.11.2020
Written on 05.11.2020 17:23 by Stella Wohnig
Dear All,
The next seminar(s) take place on 11.10. at 14:00 or 14:30 respectively; see below.
Session A 14:00-15:00:
Jens Heyens - Annika Caroline Grieser
https://cispa-de.zoom.us/j/94706374076?pwd=WExQVVNmUEdMZG54Um0xbHU2emVBdz09
Meeting-ID: 947 0637 4076
Passcode: 7J#EiW
Session B 14:30-15:30:
Daniel Emmel - Moritz Wilhelm
https://cispa-de.zoom.us/j/98241395646?pwd=YTNIbDFjYml5K25hOTFFV0V0WjJBQT09
Meeting-ID: 982 4139 5646
Passcode: 7M?vug
Session A:
14:00-14:30
Speaker: Jens Heyens
Type of talk: Bachelor Thesis final talk
Advisor: Dr. Katharina Krombholz
Title: Assisting Developers in Making Security Decisions
Abstract:
Static analysis tooling has been deployed in various contexts to assist developers
in making security decisions. While static analysis has been touted as a great
advance in ensuring secure coding practices, usability and efficacy studies have
been lacking. In this work, we will look at how to improve usability of these tools
and whether or not they have an impact on real-world vulnerabilities. Based on
previous work and recommendations, a tool for consolidation of multiple static
analysers has been developed to aid developers. We then chose the Bandit static
analyser to further evaluate its efficacy on a set of 79 real-world vulnerabilities
from 2018 and 2019, of which Bandit was able to correctly identify seven.
14:30-15:00
Speaker: Annika Carolin Grieser
Type of talk: Bachelor Thesis Final Talk
Advisor: Dr. Katharina Krombholz
Title: Exploratory evaluation of the methodology of in-situ data collection using a modified Mycroft
Abstract:
Smart speakers try to ease daily life tasks. However, they carry risks, because they are integrated into our daily lives and are equipped with microphones.
Users are often unaware of these risks and use smart speakers without any privacy precautions.
In-situ studies are a method of obtaining more detailed information on the application of smart speakers, on security precautions and the general usage process.
In contrast to other methods, such as laboratory studies, they offer the advantage of observing user behaviour with smart speakers in the user's everyday environment.
For in-situ studies with smart speakers, data collection is a challenge because the data is sensitive. For ethical reasons, it is inconceivable to record every user conversation.
The presented bachelor thesis conducts an exploratory evaluation of a modified open-source smart speaker called 'Mycroft' to enable targeted data acquisition in in-situ studies with smart speakers.
It contains a tool that allows intervening in user processes and collecting data, e.g. through surveys.
This bachelor thesis evaluates this tool iteratively regarding its capabilities, possibilities and configurations in the context of security and privacy.
The results reveal that it can be used in many different ways, integrated into a usage scenario including context-specified questions or as a user-controlled functionality asking general questions.
Furthermore, the tool's questions should be precise and short. During the iterative evaluation of the tool, I solved major user challenges and improved the tool's capabilities.
15:00-15:30
No talk this week.
Session B:
14:00-14:30
No talk this week.
14:30-15:00
Speaker: Daniel Emmel
Type of talk: Bachelor Intro Talk
Advisor: Ben Stock
Title: SynthTT: Jamming Client-Side XSS with synthesized TrustedTypes sanitizers
Abstract: With the great importance and popularity of the web in today's world, it is an unfortunate truth that there exist many malicious entities who try to take advantage of common web vulnerabilities to make a profit from damaging innocent users. One of the most common web vulnerabilities is client-side cross-site scripting (XSS), which can occur when a website's code uses dangerous, DOM-modifying sinks with attacker-controllable input. This vulnerability in particular can be devastating to the user, as it allows an attacker to execute arbitrary JavaScript in the authorization context of the user.
One newly proposed mitigation is called Trusted Types. Essentially, it follows an allowlist-based approach: each input that a DOM-modifying sink is called with must pass through a Trusted Types sanitizer, where it can be filtered so that it is no longer problematic. Though this may seem like a good idea, it raises the immediate challenge that third-party content in the wild will often write a lot of dynamic HTML, JavaScript and URLs into the document via the problematic sinks. Since this usage is benign, the Trusted Types sanitizer should allow it, while non-intended sink calls should be prohibited.
In this thesis, I attempt to automate this process by auto-generating sanitizers for third-party content based on their previously observed benign sink usage behaviour.
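The allowlist idea in the abstract, as an added example that is not SynthTT or CISPA code: a simplified model of a Trusted Types policy whose `createHTML` sanitizer is derived from previously observed benign sink input. The names `learnAllowedTags`, `sanitizeHtml`, `createPolicy` and `assignInnerHTML` are this example's own stand-ins for the browser's `trustedTypes.createPolicy` and its enforcing sinks; the observed inputs are constructed sample data.

```javascript
// Added example (not SynthTT or CISPA code): a simplified model of a Trusted Types
// policy whose HTML sanitizer is derived from previously observed benign sink input.
// In a real browser the policy is created with
//   trustedTypes.createPolicy(name, { createHTML, createScript, createScriptURL })
// and enforcement is switched on by the CSP header
//   Content-Security-Policy: require-trusted-types-for 'script'
// The names below are this example's own stand-ins for those browser APIs.

// Constructed sample of benign third-party sink usage "observed in the wild".
const OBSERVED_BENIGN = [
  '<p>Hello <b>world</b></p>',
  '<a href="https://example.org/widget">more</a>',
];

// Derive a tag allowlist from observed benign inputs. Whatever was observed,
// <script> is never learned, so the synthesized sanitizer cannot admit it.
function learnAllowedTags(observedHtml) {
  const tags = new Set();
  for (const html of observedHtml) {
    for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)/g)) {
      tags.add(m[1].toLowerCase());
    }
  }
  tags.delete('script');
  return tags;
}

// Regex-based sanitizer kept deliberately small for the example; a production
// policy would delegate to a real HTML sanitizer library instead. It drops tags
// outside the allowlist, inline event handler attributes and javascript: URLs.
function sanitizeHtml(html, allowedTags) {
  return html.replace(/<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g, (_, slash, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!allowedTags.has(name)) return '';
    const cleanAttrs = attrs
      .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
      .replace(/\s+(href|src)\s*=\s*("\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]+)/gi, '');
    return `<${slash}${name}${cleanAttrs}>`;
  });
}

// Minimal stand-in for the browser's TrustedHTML type: an opaque, frozen
// wrapper that only a policy can mint.
class TrustedHTML {
  constructor(value) { this.value = value; Object.freeze(this); }
  toString() { return this.value; }
}

// Stand-in for trustedTypes.createPolicy: every createHTML result is wrapped.
function createPolicy(name, rules) {
  return { name, createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))) };
}

// Stand-in for an enforcing sink: plain strings are rejected, as a browser
// rejects them once require-trusted-types-for 'script' is active.
function assignInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = value.toString();
  return element.innerHTML;
}

// Synthesize the policy for the third-party widget from its observed behaviour.
const WIDGET_ALLOWED_TAGS = learnAllowedTags(OBSERVED_BENIGN);
const widgetPolicy = createPolicy('widget', {
  createHTML: (s) => sanitizeHtml(s, WIDGET_ALLOWED_TAGS),
});

// Demonstration on a fake element object: the raw string is rejected by the
// sink, the policy-produced value is accepted with the unobserved tag removed.
function demo() {
  const el = { innerHTML: '' };
  const injected = '<p>Hi <img src=x onerror=alert(1)></p>';
  let rejected = false;
  try { assignInnerHTML(el, injected); } catch (e) { rejected = e instanceof TypeError; }
  const written = assignInnerHTML(el, widgetPolicy.createHTML(injected));
  return { rejected, written };
}
```

The point the model makes is the one the abstract relies on: the sink itself refuses anything that did not come through a policy, so the security of the scheme reduces to what the synthesized `createHTML` lets through, which is why its allowlist should be learned from benign usage rather than written by hand for every widget.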
15:00-15:30
Speaker: Moritz Wilhelm
Type of talk: Bachelor Intro
Advisor: Ben Stock
Title: Enabling Widespread Deployment of CSP through Retrofitting
Abstract:
As the last decade has shown, the web has won - and with it the countless attackers and scammers who are trying to make a profit by attacking users and website operators around the world.
The most fundamental security mechanism on the web is the same-origin-policy (SOP) which restricts the capabilities of JavaScript. It only allows two websites to access each other via the Document Object Model (DOM) if their origins match. Thus, a malicious script on one website cannot easily steal sensitive user data originating from another website using the DOM.
However, cross-site scripting (XSS) vulnerabilities are undoubtedly among the biggest threats on the web. These code injection vulnerabilities, typically found within web applications, enable an attacker to bypass the SOP and execute potentially arbitrary code within the current user's context.
The Content Security Policy (CSP) is one of the various mechanisms which try to mitigate XSS attacks. In principle, it attempts to alleviate the effects of such attacks by restricting which resources may be loaded on the website. In particular, this is achieved through specifying allowed scripting resources, either by their URL, via hashes of trusted JavaScript code, or by adding nonces.
Over the years, CSP has undergone several developments and has been continuously expanded with new directives. Nevertheless, not all browsers support all of the newest additions to CSP, and some integrate them only after a significant delay or not at all. For this reason, web developers cannot rely on the current standard of CSP. These browser inconsistencies make it very challenging, if not impossible, to create a CSP that reliably behaves in the same way for all users.
In this thesis, I try to tackle these inconsistencies by re-implementing unsupported CSP functionalities dynamically and re-establishing the intended browser behavior on the client side without having to patch any browsers. Thereby, I try to find out if and to what extent it is possible to retrofit security on the web without disproportionate complexity and overhead.