News
Next Seminar on 20.1.2020
Written on 18.01.2021 13:59 by Stella Wohnig
Dear All,
The next seminar(s) take place on 20.1. at 14:00.
Session A 14:00-15:00:
Paul Szymanski - Mara Schulze - Leon Bettscheider
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B:
Dominik Sautter - Marvin Hoffmann
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
Speaker: Paul Szymanski
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Title: A Study of State-of-the-Art Call Graph Creation Approaches for JavaScript
Call graph creation is an important stepping stone for building sophisticated static analyses, e.g., taint analysis. However, many state-of-the-art tools perform poorly when faced with real-world code. That is, many of the available call graph creation tools for JavaScript are extremely fragile and thus fail to produce a call graph when certain language constructs are present in the analysed code. For example, many such tools only support ECMAScript 5 features, while practitioners rely on more modern syntax. Some call graph creation tools solve this problem by performing a transpilation step, e.g., using Babel, on the code before processing it further. Although these transformations are assumed to preserve the functionality of the code, they might result in different call graphs. The same might hold for other kinds of transformations, such as obfuscation and minification.
The goal of this bachelor thesis is to study existing call graph creation algorithms and identify their limitations, i.e., which language constructs are the most difficult to analyse. Additionally, we are interested in identifying the code transformation techniques with the highest impact on the performance of static call graph algorithms, both beneficial and detrimental.
14:30-15:00
Speaker: Mara Schulze
Type of talk: Bachelor Intro Talk
Advisor: Prof. Christian Rossow
Title: Detecting Cryptojacker Malware in Sandnet purely through network indicators
Abstract:
Many cryptocurrencies require a great deal of computational work in order to verify their blockchain. This is computationally expensive, and as an incentive to participate in the verification process, a small reward is given to the person who solves a mathematical riddle first and thus "mines" the block. Malware authors exploit this by running the computations on the victim's computer and claiming the reward for themselves.
Sandnet is a dynamic analysis environment at CISPA. It runs malware for a long time (ca. one hour) and outputs network-based indicators such as the domains the malware specimen connects to, the packet sizes, the connection times, etc.
I want to detect cryptojacker malware purely from the statistics that Sandnet produces.
15:00-15:30
Speaker: Leon Bettscheider
Type of talk: Master Final
Advisor: Prof. Dr. Andreas Zeller
Supervisor: Dr. Rahul Gopinath
Title: Concolic Grammar Refinement for Stateful Fuzzing
Abstract:
Fuzz testing is a widely deployed automated software testing technique which has been used to discover many security-critical software bugs.
Fuzzing probes the program under test for faulty behavior by running it repeatedly on automatically generated inputs.
One of the problems with fuzzing is that, to be effective, fuzzers need to generate plausible inputs that reach nontrivial parts of the program.
Effective fuzzing of stateful programs, such as database engines or web servers, is challenging because generated inputs need to be syntactically valid to be accepted by the parser, and semantically valid with respect to the current ephemeral program state in order to reach deep functionality.
While grammar-based fuzzing presents a method to generate syntactically valid inputs at a high rate, such inputs are typically not semantically valid in the case of stateful programs. For example, the validation of inputs may depend on the state of the program in question (such as session IDs), which are hard to produce using random chance.
To overcome this limitation, we propose a novel grammar refinement strategy for stateful programs.
We start with a context-free grammar, and leverage concolic execution of generated inputs to mine state-based constraints that need to be satisfied.
These constraints are then lifted to the grammar, which results in a grammar that automatically fine-tunes itself towards inputs that reach deeper and deeper code paths in the current execution.
We implement our grammar refinement technique on top of a concolic execution engine for the C programming language.
We demonstrate a proof of concept on SQLite that shows the ability of our approach to mine existing table and column names from the database.
In addition, we combine our approach with a state-of-the-art grammar fuzzer and compare it with grammar fuzzing alone in an experiment on SQLite.
Our evaluation suggests that grammar refinement enhances fuzzing if the targeted state information contains a sufficiently high level of entropy.
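To make the refinement loop described above concrete, here is an added toy illustration (not the thesis's implementation, which builds on a real concolic execution engine for C). A constructed stand-in for a stateful target records which concrete constant each input symbol was compared against, playing the role of a concolic trace; those constants are then lifted into the context-free grammar as new alternatives, so the grammar learns the existing table and column names without knowing the schema up front.

```python
import itertools
import re
# Constructed toy target standing in for SQLite: SCHEMA is its ephemeral state.
SCHEMA = {"users": ["id", "name"], "orders": ["id", "total"]}
TRACE = []  # (grammar symbol, constant) for each comparison the input hit

def execute(sql):
    if not (m := re.fullmatch(r"SELECT (\w+) FROM (\w+)", sql)):
        return "syntax error"
    col, table = m.groups()
    # TRACE mimics a concolic record of which symbol met which constant.
    for t in SCHEMA:
        TRACE.append(("<table>", t))
        if table == t:
            for c in SCHEMA[t]:
                TRACE.append(("<col>", c))
                if col == c:
                    return "deep path"
            return "no such column"
    return "no such table"

# Initial context-free grammar: syntactically valid, identifiers are guesses.
GRAMMAR = {
    "<query>": [["SELECT ", "<col>", " FROM ", "<table>"]],
    "<col>": [["<ident>"]], "<table>": [["<ident>"]],
    "<ident>": [["x"], ["y"]],
}

def expand(grammar, symbol="<query>"):  # all sentences of this finite grammar
    if symbol not in grammar:
        return [symbol]
    sentences = []
    for alternative in grammar[symbol]:
        parts = [expand(grammar, s) for s in alternative]
        sentences.extend("".join(p) for p in itertools.product(*parts))
    return sentences

def refine(grammar, rounds=2):  # lift each mined constant into the grammar
    g = {k: [list(a) for a in v] for k, v in grammar.items()}
    for _ in range(rounds):
        for sql in expand(g):
            TRACE.clear()
            execute(sql)
            for symbol, constant in TRACE:
                if [constant] not in g[symbol]:
                    g[symbol].append([constant])
    return g

def deep_hits(grammar):  # sentences that reach the deep path in this state
    return sum(execute(sql) == "deep path" for sql in expand(grammar))
```

Round one mines the table names (every generated query is compared against all of them), round two reaches the column checks for the matching tables; the unrefined grammar reaches the deep path with none of its sentences, the refined one with four.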
Session B:
14:00-14:30
Speaker: Dominik Sautter
Type of talk: Bachelor Intro
Advisor: Giancarlo Pellegrino
Title: Detecting Client-Side XSS via Code Property Graphs
Abstract:
The automated detection of web vulnerabilities is challenging and, to date, mostly performed by manually inspecting the source code. A promising idea to ease the automated detection of vulnerabilities is using canonical representations of programs via code property graphs (CPG) and identifying vulnerable behaviors via graph traversals.
CPGs for web applications are in their infancy, e.g., XSS/SQLi for PHP programs (PHPJoern) or client-side CSRF (JAW), and we know very little about their generality and adequacy at detecting other client-side vulnerabilities. This thesis will start from the existing CPG for client-side JavaScript programs as implemented by JAW and evaluate its adequacy in detecting a severe and popular client-side vulnerability, i.e., client-side XSS. The implementation will be evaluated on 10 applications, selected by their popularity and problem base. This talk will present a short overview of CPGs and their success for PHP, C/C++ and JS, as well as an outlook on how the upcoming work will be structured and evaluated.
14:30-15:00
Speaker: Marvin Hoffmann
Type of talk: Bachelor Final Talk
Advisor: Alfusainey Jallow, Dr.-Ing. Sven Bugiel
Title: Gamified Crowd-Sourcing the Security Classification of Stack Overflow Code Snippets
Abstract: Stack Overflow is the most widely used forum for developers and IT experts to solve programming issues. Since the answers often contain code snippets solving the problem, prior studies have shown that many snippets are copied and pasted into developer codebases without a detailed look at them. This behavior causes security breaches in many software products because these code snippets are often insecure. For example, the posted solution could be out of date and not address recent security fixes.
To avoid insecure software, we want to provide a security indication for code snippets posted on Stack Overflow. We investigated whether we can classify code snippets using a crowdsourcing approach. Therefore, we built, to our knowledge, the first web-based crowdsourcing platform to gamify the security classification of code snippets. We presented 150 Java code snippets to security-focused users during the test run and let them classify the snippets as secure or insecure by swiping right or left on our web page. Afterward, we evaluated the classification of the five most frequently classified snippets by inspecting them manually again. With this approach, we can offer researchers an alternative to machine learning approaches and expert classification for categorizing code on Stack Overflow, and build the basis for helping developers write more secure code.
15:00-15:30
No talk this week.