News
Next Seminar on 31.3.2020
Written on 25.03.2021 15:32 by Stella Wohnig
Dear All,
the next seminar(s) take place on 31.3. at 14:00. Afterwards we wish you a Happy Easter and resume on the 14th of April as regularly.
Session A 14:00-15:30:
Daniel Emmel - Moritz Wilhelm - Jannis Rautenstrauch
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B 14:00-15:00:
Mara Schulze - Dominik Kempter
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Daniel Emmel
Type of talk: Bachelor Final Talk
Advisor: Ben Stock, Giancarlo Pellegrino
Title: SynthTT: Jamming Client-Side XSS with synthesized TrustedTypes sanitizers
Abstract: With the great importance and popularity of the web to today’s world, it is an
unfortunate truth that there exist many malicious entities who try to take advantage
of common web vulnerabilities to make profit from damaging innocent users.
One of the most common web vulnerabilities is client-side Cross-site-scripting
(XSS), which can occur when a website’s code uses dangerous, JavaScript executing
sinks with user-controllable input, as an attacker may also be able to manipulate
the executed value. This vulnerability in particular can be devastating to the user,
as it allows an attacker to execute arbitrary JavaScript in the authorization context
of the user, potentially allowing leakage of sensitive user data.
One new proposed mitigation to this problem is called Trusted Types. Its main
idea is that each input that a sink is called with must pass through a Trusted
Types sanitizer, where it can be filtered to no longer be problematic. This idea,
however, raises the immediate challenge that third-party content in the wild will
often write a lot of dynamic HTML, JavaScript and URLs into the main site’s
document via the problematic sinks. Still, since this usage is benign, the Trusted
Types sanitizer should allow it, while non-intended sink inputs should be prohibited
to prevent an attacker from executing JavaScript at their will.
In this thesis, we enforce the principle of least privilege on third-party scripts by
auto-generating policies for them based on their previously observed benign sink
usage behavior. In particular, we collected sink input data from the top 100 Tranco
domains and generated configs that describe what sink inputs should be allowed
in the future. Further, we built a library to enforce these configs on a given site
and evaluated its functionality-preservation as well as its overhead. We found that
over a period of 10 days, functionality was preserved well, never going below 94%,
and that the runtime overhead exhibited was generally low, being less than 4% for
the average load time of a site. Overall, we show that Trusted Types is indeed
feasibly usable in an automated manner to reduce the attack surface exposed by
third-party code on a site.
14:30-15:00
Speaker: Moritz Wilhelm
Type of talk: Bachelor Final
Advisor: Ben Stock
Title: retroCSP: Retrofitting Web Security on the Client Side by Reinforcing Widespread CSP Support
Abstract:
The Content Security Policy (CSP) is a well-researched security mechanism that tries to mitigate the effects of Cross-Site Scripting (XSS) attacks. Although it was quite well adopted by the research community, it still lacks widespread deployment on the Web. Even when deployed, a CSP is more often than not configured in an insecure manner that defies its initial purpose of complicating injection attacks. To this day, browsers fail to implement the CSP standard consistently. The behavioral inconsistencies caused by the lack of widespread browser support of all CSP features complicate the deployment of secure CSPs because developers cannot rely on their policies being enforced to the same extent for every client.
In this thesis, we attempt to counter this issue by retrofitting Web security on the client side. We introduce retroCSP, a modular and browser-independent retrofitting architecture, that successfully re-implements non-universally supported CSP features on the client side, thereby proving the feasibility of client-side retrofitting. By re-establishing consistent enforcement of the CSP specification, the architecture enables developers to utilize newest extensions of the CSP standard. Due to the successful implementation of retroCSP, we infer that the insufficient browser support cannot be justified by the infeasibility of enforcing the CSP standard.
In addition to that, we present several standard violations we encountered among all browsers that we documented and reported if appropriate. Restrained reactions indicated that browser vendors assign a low priority to CSP in general due to its limited use. Furthermore, we conducted a small-scale study based on 10,000 top-ranking domains according to Tranco, finding that even after about a decade since its initial standardization, CSP appears to have limited deployment. Our analysis shows that 81.1% of the policies aiming to restrict script content are configured insecurely. Moreover, only 39 domains make use of the ’strict-dynamic’ source expression, revealing that newest CSP features are hardly to never used by developers. We argue that inconsistent browser behavior and insufficient support of newest CSP additions affect this development, too.
Despite the success of client-side retrofitting, we conclude that browsers still have to provide standard compliance when enforcing security mechanisms on the Web. Otherwise, developers are prevented from protecting their Web site reliably in the best possible way.
15:00-15:30
Speaker: Jannis Rautenstrauch
Type of talk: Master Introduction Talk
Advisor: Ben Stock, Giancarlo Pellegrino
Title: XS-Leaks; Does your browser tell me on which sites you are currently logged in?
Abstract:
Are you currently logged into Facebook? Have you recently visited Pornhub? Did you search for "how to cheat in online exams" on Google?
These are all questions attackers shouldn't be able to get answers to in the background while you are visiting their cute-kittens.saarland website.
However, using so-called cross-site (XS) leaks an attacker might be able to get answers to such questions and use them for various malicious activities (e.g., blackmailing, deanonymization, stalking, etc.).
In recent years, many new built-in (e.g., Cross-Origin Read Blocking, state partitioning, etc.) as well as opt-in (e.g., SameSite Cookies, Cross-Origin-Opener-Policy, etc.) security features emerged in browsers and web applications.
These security features were not designed to protect against XS leaks but to protect against other types of attacks (e.g., spectre-like attacks, CSRF attacks, cross-site user tracking, etc.).
Still, most of them affect XS leaks in one way or another. Either by making certain types of XS leaks impossible or by enabling new ones based on the configuration of these features.
In this thesis, I want to study two questions:
1. Which XS leak types work in which browser, and what are the exact requirements (server response for both states, browser leak code) for it to work?
2. How prevalent are which types of XS-leaks in real web applications?
To answer these questions, I will build a leaky web application that leaks in all known ways and another application that automatically checks whether the leak is exploitable for specific browsers.
Then, I will use the knowledge gained from answering the first question to automatically search and confirm XS-leaks on some of the most popular real web applications.
Session B:
14:00-14:30
Speaker: Mara Schulze
Type of talk: Bachelor Intro Talk
Advisor: Prof. Christian Rossow
Title: Detecting Cryptojacker Malware in Sandnet purely through network indicators
Abstract:
Many cryptocurrencies require great computational work in order to verify their block chain. This is computationally expensive, and as an incentive to participate in the verification process a small reward is being given to the person who solves a mathematical riddle first, thus "mines" the block. Malware authors exploit that by letting the computations run on the victim's computer and then claiming the reward for themselves.
Sandnet is a dynamic analysis environment, belonging to CISPA. It runs Malware for a long time (ca. one hour) and puts out network based indicators like the domains the malware specimen connects to, the packet size, the connection time etc.
I want to detect Cryptojacker malware purely by the statistics that Sandnet is producing.
14:30-15:00
Speaker: Dominik Kempter
Type of talk: Bachelor Introduction Talk
Advisor: Giancarlo Pellegrino
Title: Lightweight Dynamic Taint Flow Analysis for State-Changing Operations
Abstract:
Many web applications trust in data located in persistent storage. The disregard of proper sanitization leads to a variety of 2nd order vulnerabilities like Stored-XSS.
Dynamic Taint Analysis is one solution to this problem. Pre-defined data sources are tainting input, while security-critical functions can check for taints. The problem with this approach is propagating taints through persistent storage like databases. State-of-the-art propositions are highly dependent on the underlying persistent storage. This requires developers to restructure the database and applications to handle taints.
This bachelor thesis intends to explore the effectiveness of a lightweight approach to connect database input sinks to output sinks. This allows dynamic taint analysis to be performed independent of the underlying database and requires no restructuring of the web application.
15:00-15:30No talk this week.