News
Next Seminar on 14.4.2020 - Updated times
Written on 07.04.2021 12:24 by Stella Wohnig
Dear All,
the next seminar(s) take place on 14.4. at 14:00.
Session A 14:30-15:30:
Florian Nawrath - Marco Schichtel
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B 14:00-15:30:
Mark Schuegraf - Nicolas Tran - Jan Schmitz
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
No talk this week
14:30-15:00
Speaker: Florian Nawrath
Type of talk: Bachelor Thesis Final Talk
Advisor: Sven Bugiel
Title: Already logged in or still looking for your password? Quantitative testing of the users' FIDO 2 client support
Abstract:
With the release of FIDO 2 (Fast Identity Online), integrating passwordless authentication methods has become easier. The general problem is users' acceptance and adoption of these password alternatives. Even when FIDO2 is properly integrated, the remaining problem is the availability of suitable authenticators on the user's side. This study aims to reveal to what extent users are actually able to make use of FIDO2 authentication methods. The goal is therefore to provide insights into the technical as well as hardware limitations and restrictions faced by everyday end users.
15:00-15:30
Speaker: Marco Schichtel
Type of talk: Bachelor Introduction Talk
Advisor: Sven Bugiel
Title: Biometric Authentication in FIDO2 via TPM
Abstract:
FIDO2 is a web standard that allows users to authenticate themselves against a web service using hardware tokens.
One type of hardware token that can be used for authentication is a TPM (Trusted Platform Module).
The web service can demand that the user authenticates themselves locally in order to make sure they are actually in possession of the hardware token.
However, a TPM itself supports at most local authentication via a PIN or password.
The goal of this thesis is to implement a prototype that utilizes EAP (Extended Authorization Policy) to extend the authentication towards the TPM, in order to enable the use of biometric authentication when the TPM needs to authenticate itself against a web service in FIDO2.
This could allow users to, for example, use the fingerprint scanner on their smartphone to authenticate themselves instead of having to use a hardware token like a YubiKey or a PIN.
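As an added illustration (not part of the announcement or of either thesis), the relying-party side of the check described above: a WebAuthn server reads the flags byte of the authenticator data to learn whether the user was merely present (UP) or actually verified locally (UV), and rejects an assertion that lacks the verification it demanded. The RP ID, the counter values and the authenticator data are constructed, not captured from a real token.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte (constants from the spec).
FLAG_UP = 0x01  # user present (e.g. touched the token)
FLAG_UV = 0x04  # user verified locally (PIN, biometric, ...)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_assertion(auth_data: bytes, rp_id: str, require_uv: bool,
                    last_sign_count: int) -> bool:
    """Relying-party checks on an assertion; returns True only if all pass."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # response was produced for a different relying party
    if not parsed["flags"] & FLAG_UP:
        return False  # user presence is always required for an assertion
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False  # RP demanded local user verification, token did not perform it
    if parsed["sign_count"] != 0 or last_sign_count != 0:
        if parsed["sign_count"] <= last_sign_count:
            return False  # counter did not advance: possible cloned authenticator
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (no attested credential data)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # A PIN/biometric-backed token sets UP and UV; a touch-only token sets UP alone.
    verified = make_auth_data("example.org", FLAG_UP | FLAG_UV, 5)
    touch_only = make_auth_data("example.org", FLAG_UP, 5)
    print(check_assertion(verified, "example.org", True, 4))    # True
    print(check_assertion(touch_only, "example.org", True, 4))  # False
```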
Session B:
14:00-14:30
Speaker: Mark Schuegraf
Type of talk: Master Intro
Advisor: Prof. Dr. Andreas Zeller
Title: Fuzzing With Grammar Variants: The Impact of Grammar Structure on Fuzz Testing
Abstract: Fuzzing has proven to be an invaluable tool to test the robustness of software. Recent developments toward structured input generation using grammar models warrant an investigation of grammar structure in this context.
We therefore explore the fuzzing performance of a variety of grammar variants, which we derive through language-preserving transformations from available representations. Evaluation of numerous variants on a plethora of input formats helps us empirically address the question: Does grammar structure affect fuzzing performance?
14:30-15:00
Speaker: Nicolas Tran
Type of talk: Intro Talk
Advisor: Robert Künnemann
Title: Personalized Vulnerability Scores and Countermeasures
Abstract:
The security of a user account hinges on one or multiple factors, which can be passwords or security tokens, but also access to other accounts, e.g., in the case of single sign-on systems, e-mail-based recovery procedures, or when password managers are used. The browser configuration, password choice and account-specific setup are highly individual, hence it is nearly impossible for an average user to untangle these dependencies. Hammann et al. introduce User Account Access Graphs (UAAG), modeling these relationships between accounts, credentials, devices, etc. We aim to develop an extension that automatically constructs personalized UAAGs. Using the recently developed Stackelberg planning algorithm, we want to calculate security scores and even offer suggestions that improve the user's overall security at the least possible cost. The goal is to develop a largely automated method for users to understand how their accounts depend on each other and to minimize the overall risk of account compromise with the highest possible convenience.
15:00-15:30
Speaker: Jan Schmitz
Type of talk: Bachelor Introduction Talk
Advisor: Michael Mera
Title: On the Impact of Model-preserving Program Transformations on Fuzzing
Abstract:
Fuzzing is a useful technique to automatically discover bugs in software with almost no human intervention involved. However, complex checks, nested predicates and magic byte value comparisons make it quite difficult for a fuzzer to progress in a program. Therefore, existing solutions try to solve, bypass or disable these checks. Some of them rely on input models to do that.

But using input models causes redundancy, because they already handle input checks that are present in the target program. This slows down the fuzzer unnecessarily, in particular if it also relies on some kind of code analysis.

To overcome this problem, the redundant checks have to be removed. I propose a method based on genetic algorithms to produce an optimized version of the target program. This version allows any fuzzer that uses the same input model to focus on the interesting parts of the code, which should speed up the fuzzing process and simplify further code analysis. In fact, it might help other program analysis techniques like model extraction and symbolic execution too, as long as they rely on the same input model.