News
Next Seminar on 25.11.2020
Written on 23.11.2020 17:20 by Stella Wohnig
Dear All,
the next seminar takes place on 25.11. at 14:00. There is only one session this week.
Session A 14:00-15:00:
Marvin Hoffmann - Huda Dawoud - Tobias Lorig
https://cispa-de.zoom.us/j/95888788125?pwd=ZWRCeGdqRnVRTnpsdnVPQVBiYzg5QT09
Meeting ID: 958 8878 8125
Passcode: ^nk14M
Session A:
14:00-14:30
Speaker: Marvin Hoffmann
Type of talk: Bachelor Intro Talk
Advisor: Alfusainey Jallow, Dr.-Ing. Sven Bugiel
Title: Gamified Crowd-Sourcing the Security Classification of Stack Overflow Code Snippets
Abstract: Stack Overflow is the most widely used forum for developers and IT experts to solve programming issues. Since the answers often contain code snippets solving the problem, prior studies have shown that many snippets are copied and pasted into developer codebases without having a detailed look at them. This behavior causes security breaches in many software products because these code snippets often are insecure. For example, the posted solution could be out of date and not address recent security fixes.
To avoid insecure software, we want to provide a security indication of code snippets posted on Stack Overflow. Therefore, we built the first web-based crowdsourcing platform to gamify the security classification of code snippets. We crawled code snippets from Stack Overflow, grouped them according to the programming language, and display the snippets to security-focused users to classify.
The game allows users to classify snippets into secure or insecure by swiping right or left on our web page. With this, we can offer researchers an alternative way to classify code on Stack Overflow and help developers to write more secure code.
14:30-15:00
Speaker: Huda Dawoud
Type of talk: Master Intro
Advisor: Sven Bugiel
Title: Detecting the Misuse of the Accessibility Service in Mobile Apps
Abstract:
The Accessibility Service is a very powerful service introduced by Google, which provides powerful capabilities to mobile applications such as allowing them to perform clicks on behalf of the user, retrieve window content, receive key events and many more. In other words, it is a way to override the security design of the Android system, in order to provide capabilities to assist users with disabilities, which is the only goal intended by introducing this service. However, developers do not hesitate to exploit any available services that may help them provide competitive features to users, even by using them in a manner different from what they were designed for. Google has attempted to crack down on such apps by asking them to explain how they are using the Accessibility Service to help users with disabilities. Otherwise, they will be removed from Google Play. But it seems that Google eventually gave up, given the fact that there are a lot of popular applications that use this service for purposes other than helping disabled users, such as Password Managers. This raises a great concern considering the powerful capabilities an app could gain when it convinces the user to enable the Accessibility Service for it. Starting from this point, we will try in our thesis to come up with an approach that detects any app that tries to misuse the Accessibility Service.
15:00-15:30
Speaker: Tobias Lorig
Type of talk: Bachelor Thesis Intro Talk
Advisor: Prof. Dr. Andreas Zeller
Title: Fuzzing Binary File Formats with Inputs from Hell
Abstract:
Fuzzing is a form of automated software testing. Inputs with specific properties are fed
into a target program, intended to trigger lines of code in unforeseen ways and provoke
unintended behavior. This may be expressed in the form of bugs, crashes or vulnerabilities.
Generational fuzzing heavily relies on information about the structure of inputs, expected
by the target program. This structure can be formulated as a grammar and then be utilized as
the basis for generating new inputs for fuzzing.
In this thesis a new approach to generational fuzzing is formulated, combining different ideas
from previous technologies, in order to generate context-dependent binary files. Because of the
vast amount of existing file formats and their property to always be highly structured,
binary files are excellent candidates for fuzzing. The proposed tool will be able to
automatically generate grammars of popular file extensions, while implementing all syntactic
and semantic constraints listed in their respective, official file format specifications.
Additionally, a so-called probability distribution is utilized to improve the quality of
generated files by raising the probability of accessing less popular branches and values
during file generation. These may be able to trigger less tested code in the target,
resulting in a higher chance of unexpected behavior.
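
The idea in the last abstract, sketched as an added example that is not taken from the thesis or its tool: a grammar-style generator for a binary format that keeps the semantic constraints (length field, checksum) valid while biasing choices toward rarely seen alternatives. The toy format, the `OBSERVED` counts and the inverse-frequency weighting are assumptions made for illustration.

```python
import random
import struct
import zlib

# Constructed toy format (not a real specification):
#   file  := MAGIC chunk+
#   chunk := type(1 byte) length(2 bytes, big-endian) payload crc32(4 bytes)
MAGIC = b"TOYF"
# Constructed counts of each chunk type in a hypothetical sample corpus.
OBSERVED = {0x01: 900, 0x02: 90, 0x03: 10}

def inverted_weights(counts):
    """Map observed frequencies to weights that favour rare alternatives."""
    inverse = {k: 1.0 / c for k, c in counts.items()}
    norm = sum(inverse.values())
    return {k: v / norm for k, v in inverse.items()}

def gen_chunk(rng, weights):
    ctype = rng.choices(list(weights), weights=list(weights.values()))[0]
    size = rng.choice([0, 1, 7, 255])          # includes boundary lengths
    payload = bytes(rng.getrandbits(8) for _ in range(size))
    # Semantic constraints: length must match payload, CRC must cover the chunk.
    body = struct.pack(">BH", ctype, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def generate(seed, n_chunks=4):
    rng = random.Random(seed)
    weights = inverted_weights(OBSERVED)
    return MAGIC + b"".join(gen_chunk(rng, weights) for _ in range(n_chunks))

def parse(data):
    """Reference parser standing in for the fuzz target; returns chunk types."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    pos, types = 4, []
    while pos < len(data):
        ctype, length = struct.unpack_from(">BH", data, pos)
        end = pos + 3 + length
        (crc,) = struct.unpack_from(">I", data, end)
        if crc != zlib.crc32(data[pos:end]):
            raise ValueError("bad crc")
        types.append(ctype)
        pos = end + 4
    return types

if __name__ == "__main__":
    sample = generate(seed=1)
    print(len(sample), [hex(t) for t in parse(sample)])
```

Because every generated file passes the length and checksum checks, it gets past the parser's early rejection paths and reaches the handlers for the rare chunk types.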