News

Next Seminar on 17.3.2020

Written on 11.03.2021 15:56 by Stella Wohnig

Dear All,

The next seminar(s) take place on 17.3. at 14:00.


Session A 14:00-15:00:
Lukas Kirschner - Jens Heyens

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting ID: 967 8620 5841
Passcode: BT!u5=


Session B 14:00-15:00:
Matthias Stockmayer - Amir Heinisch

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting ID: 990 2598 9421
Passcode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Lukas Kirschner
Type of talk: Master Introduction Talk
Advisor: Ezekiel Soremekun
Supervisor: Prof. Dr. Andreas Zeller
Title: Feedback-Driven Grammar-Based Test Generation

Abstract:
Grammar-based test generation techniques make it possible to generate syntactically valid inputs for software testing. They generate inputs by employing the input grammar as a producer, typically without obtaining any program feedback during test generation. However, program feedback (such as program failure) is necessary to reach and target certain testing goals (e.g. fault exposure). To achieve such testing goals, it is necessary to generate test inputs that contain the specific input structures relevant to the intended testing goal.

In this work, we propose a grammar-based test generation approach that uses a feedback loop to iteratively learn relevant input properties from generated inputs, in order to drive the generation of goal-specific test inputs. Concretely, we combine evolutionary testing and grammar learning to determine the input structures that achieve a target goal. The main idea of our approach is to learn the mapping between input structures and a specific testing goal; such mappings make it possible to generate inputs that target the goal at hand. Given a testing goal, our approach iteratively selects test inputs that are relevant to the goal, mutates them, and learns the distribution of input elements in the resulting (mutated) inputs using a probabilistic grammar. The learned grammar is then employed as a producer to drive the generation of goal-specific inputs.

In our preliminary evaluation, we used the popular JSON input format, three subject programs and four testing goals, namely unique code coverage, input complexity, program failures and long execution time. Overall, the results show that our feedback-driven approach effectively achieves our testing goals in fewer generations and faster than the baselines (i.e. random and probabilistic grammar-based test generation).

14:30-15:00

Speaker: Jens Heyens
Type of talk: Bachelor Thesis final talk
Advisor: Dr. Katharina Krombholz
Title: Assisting Developers in Making Security Decisions

Abstract:
Static analysis tooling has been deployed in various contexts to assist developers in making security decisions. While static analysis has been touted as a great advance in ensuring secure coding practices, usability and efficacy studies have been lacking. In this work, we look at how to improve the usability of these tools and whether or not they have an impact on real-world vulnerabilities. Based on previous work and recommendations, a tool for consolidating the output of multiple static analysers has been developed to aid developers. We then chose the Bandit static analyser to further evaluate its efficacy on a set of 79 real-world vulnerabilities from 2018 and 2019, of which Bandit was able to correctly identify seven.

 
15:00-15:30

No talk this week.

 

Session B:

14:00-14:30

Speaker: Matthias Stockmayer
Type of talk: Master Final
Advisor: Dr. Robert Künnemann
Title: Unlinkability in FIDO2 Authentication

Abstract:
FIDO2 is an upcoming standard developed by the FIDO Alliance. The standard incorporates dedicated cryptographic hardware to replace password-based authentication or to provide a strong second factor. It has the potential to become the primary authentication method in web applications soon, so the claimed security and privacy guarantees require a careful analysis; the privacy properties in particular have not been rigorously analysed before.

In this work, we provide a formal analysis of the security and privacy properties claimed to be achieved by the standard. We conduct our analysis with respect to potentially malware-infected execution environments as well as often overlooked cryptographic attacks. Since authentication necessarily requires human interaction, we also consider the potential for human mistakes in using FIDO2 authenticator devices.

We model the FIDO2-related APIs in the applied pi calculus, so that an automated analysis of fine-grained attacker and usage scenarios can be conducted. Our analysis confirms existing authentication results and highlights novel findings on the claimed unlinkability goal.

 

14:30-15:00

Speaker: Amir Heinisch
Type of talk: Bachelor Thesis Final Talk
Advisor: Dr. Nils Ole Tippenhauer
Title: Leveraging Trusted Execution Environments to Implement Trustworthy Motor Controls

Abstract:
Every modern vehicle contains a large number of digital controllers, and with them many new attack vectors arise. Physical attackers (especially tuners) have many new ways to manipulate vehicles (e.g. modifying firmware to increase performance) and thereby violate the law (e.g. the German StVZO). Successful attacks on vehicles need to be prevented, as circumventing limitations not only puts the user in danger but also threatens everyone around them. Protecting against these threats requires technical mechanisms to verify compliance with regulations.

In this thesis we evaluate whether Trusted Execution Environments can be used to verify control decisions in a constrained real-time environment such as a motor controller. In particular, we want to run code in a secure environment that is able to check control decisions made by complex, potentially manipulated motor control software. For this, we build a proof of concept using Arm TrustZone technology on a current microcontroller. This allows us to evaluate such an approach and show its feasibility.

15:00-15:30

No talk this week.