News
Next Seminar on 19.08.2020
Written on 13.08.2020 17:08 by Stella Wohnig
Dear All,
the next seminar(s) take place on 19.8. at 14:00.
Session A:
Yannick Ramb - Markus Demmel - David Schäfer
https://zoom.us/j/92752645912?pwd=Qy9xNkUwQUY0cTFOVWRVVUxYUkplUT09
Meeting-ID: 927 5264 5912
Passcode: 4S%N7n
Session B:
Sabine Houy - Yannik Schwindt - Martin Hodapp
https://zoom.us/j/96138694694?pwd=eXdkZTFJNFJOby9DM2o4M3A4QkRUdz09
Meeting-ID: 961 3869 4694
Passcode: 6y@GYt
Session A:
14:00-14:30
Speaker: Yannick Ramb
Type of talk: Bachelor Thesis Final Talk
Advisor: Stefan Nürnberger
Title: CAN Traffic Synthesis Algorithms for Automated Deductions
Abstract:
Throughout the years, the importance of automotive cybersecurity in modern vehicles has been gradually increasing. As can be seen in many recent reports, the majority of cyber-attacks against modern vehicles exploit weaknesses in the vehicle's internal communication network. Nowadays, the Controller Area Network (CAN) bus has become widely accepted as the de facto standard for in-vehicle communication networks. However, while the CAN protocol itself is publicly available, information on the exact data that is sent over the network is not. This is a great burden to research in this field, since to detect flaws and vulnerabilities in the system, researchers need to manually reverse engineer CAN data collected from different vehicles. Although approaches to automate this task exist, one must manually reverse engineer the CAN data beforehand to develop and evaluate such algorithms. Aiming to address this issue, this thesis presents CANsimu, a tool for the simulation of CAN bus networks and the automatic generation of CAN data. The data produced by the tool is meant to facilitate the development, evaluation and improvement of security analysis algorithms and tools by relieving researchers from performing the tedious and labor-intensive reverse engineering process.
14:30-15:00
Speaker: Markus Demmel
Type of talk: Bachelor Introduction Talk
Advisor: Rahul Gopinath
Title: Differential Testing
Abstract: We live in a well-connected world in which almost any device is connected to the internet and able to communicate with other devices. This communication is based on standards such as different protocols and data exchange formats. One of these exchange formats is JavaScript Object Notation (JSON). JSON is a popular way to exchange data because it is very efficient and language independent. That means that any developer can use JSON easily to exchange data with others regardless of the programming language or the operating system. The first specification of JSON was published by Douglas Crockford at the beginning of this millennium. Meanwhile, there are several specifications that describe how JSON should be parsed. However, these specifications are not unambiguous, as they leave some implementation details up to the interpretation of the developers. As a result, there are no two parsers that accept the same language.
This bachelor thesis will investigate the consequences of multiple specifications with room for interpretation on the most popular and widespread parsers. We will use fuzzing, a technique that uses random text generation to find bugs and unpredictable behavior, to determine whether these ambiguous specifications result in vulnerabilities by interpreting the given JSON incorrectly.
15:00-15:30
Speaker: David Schäfer
Type of talk: Bachelor Intro Talk
Advisor: Dr.-Ing. Sven Bugiel
Title: System Support for Attesting Apps to Services
Abstract:
Android is the most used mobile operating system in the world, with a vast number of applications. Often, these applications use remote services to request or send certain data that needs to be kept confidential. However, attacks like 'Application Repackaging' make it hard for developers to ensure the confidential treatment of data exchanged between app and remote service. Because application installation packages can be signed with self-signed certificates and therefore do not provide a chain of trust, they can be manipulated and published by anyone. For a remote service it is hard to determine whether it is currently communicating with the original application or a manipulated version. Therefore, in this thesis I want to create a system-internal solution that provides an attestation of applications to services, which can be used to verify the integrity of an app and prevent data access by unauthorized applications.
Session B:
14:00-14:30
Speaker: Sabine Houy
Type of talk: Final Talk
Advisor: Matthias Fassl
Supervisor: Katharina Krombholz
Title: Comparing User Perceptions of Anti-Spyware Apps with the Technical Reality
Abstract:
Nowadays we store an increasing amount of sensitive data like text messages, contacts, pictures, etc. on our mobile phones. This data is a prominent target, not only for outsiders but especially for people in our immediate social environment, such as partners and family. These so-called insiders are often not considered in threat models. This thesis aims to evaluate how effective anti-spyware apps are regarding their detection capabilities and how trustworthy they appear to users. Thus, I will reverse engineer two prominent anti-spyware applications available on the Google Play Store to identify their detection techniques. I will then apply qualitative data analysis on the reviews to compare the users' perception of effectiveness with the technical reality obtained through reverse engineering. The results show that both applications are capable of identifying installed spyware applications with varying degrees of accuracy in terms of the information provided about the detected spyware. Furthermore, most users feel safer with anti-spyware apps and trust them, which is appropriate in terms of the technical evaluation.
14:30-15:00
Speaker: Yannik Schwindt
Type of talk: Bachelor Introductory Talk
Advisor: Jenny Rau
Title: Extending DroidMate-2 with phash state identification
Abstract:
Automated testing is important for app developers to ensure that their apps work properly. The increasing complexity of applications leads to the need for more efficient testing platforms. A common problem for automated test engines like DroidMate-2 is recognizing already seen states while modeling the GUI of the app under test. This decreases the efficiency, since already seen states are examined as new.
In this Bachelor thesis I will try to tackle the state duplication problem by introducing phash identification to the DroidMate exploration engine and checking whether states are perceptually equal.
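An added illustration of the perceptual state identification the abstract describes (example code, not part of the announcement and not DroidMate-2's own implementation): a pHash over screenshots, with a Hamming-distance threshold deciding whether two screens are the same GUI state. The 32x32 pre-scaled input, the sample screens and the threshold are all assumptions made for the example.

```python
import math

N = 32           # screenshots are assumed already scaled to N x N 8-bit grayscale
LOW = 8          # keep the LOW x LOW low-frequency block of DCT coefficients
THRESHOLD = 10   # Hamming distance up to which two screens count as one state

# DCT-II basis table: COS[u][x] = cos((2x + 1) * u * pi / 2N)
COS = [[math.cos((2 * x + 1) * u * math.pi / (2 * N)) for x in range(N)]
       for u in range(N)]

def phash(img):
    """63-bit pHash: 2-D DCT, keep the low-frequency block, drop the DC term,
    then one bit per coefficient: 1 if it lies above the mean, else 0."""
    coeffs = [sum(img[x][y] * COS[u][x] * COS[v][y]
                  for x in range(N) for y in range(N))
              for u in range(LOW) for v in range(LOW)]
    ac = coeffs[1:]                  # the DC term only encodes overall brightness
    mean = sum(ac) / len(ac)
    bits = 0
    for c in ac:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits

def hamming(a, b):
    """Number of bits in which two hashes differ."""
    return bin(a ^ b).count("1")

def same_state(img_a, img_b):
    """State-deduplication check: perceptually equal within THRESHOLD bits."""
    return hamming(phash(img_a), phash(img_b)) <= THRESHOLD

def screen(dark_rects, bg=230, fg=40):
    """Constructed screenshot: light background with dark rectangles, each
    given as (row0, row1, col0, col1) with end-exclusive bounds."""
    img = [[bg] * N for _ in range(N)]
    for r0, r1, c0, c1 in dark_rects:
        for x in range(r0, r1):
            for y in range(c0, c1):
                img[x][y] = fg
    return img

# Constructed sample screens, not captures of a real app.
LOGIN = screen([(0, 4, 0, N), (22, 27, 4, 16)])         # title bar + button
LOGIN_DIM = [[p - 30 for p in row] for row in LOGIN]    # same screen, auto-dimmed
LOGIN_DARK = [[255 - p for p in row] for row in LOGIN]  # same layout, dark theme
SETTINGS = screen([(0, N, 0, 8), (10, 24, 12, 28)])     # sidebar + content panel

if __name__ == "__main__":
    for name, other in (("dimmed", LOGIN_DIM), ("dark", LOGIN_DARK), ("settings", SETTINGS)):
        print(name, hamming(phash(LOGIN), phash(other)), same_state(LOGIN, other))
```

A dimmed copy of the same screen hashes identically because the brightness change lives only in the discarded DC term, while a different layout lands far beyond the threshold; the dark-theme copy shows the caveat that inverting the screen flips nearly every bit, so a theme switch would be explored as a new state.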
15:00-15:30
Speaker: Martin Hodapp
Type of talk: Introduction Talk
Advisor: Katharina Krombholz
Title: Should I post or should I not?
Abstract: The meaning of privacy is becoming more and more important in all fields of our daily life. Many researchers have investigated how end users and developers try to protect their privacy and private information. The behavior of online users was also investigated in many papers. Most of these works focused on the technical implementation of cryptography, data transmission and storage, but not really on how users see possible effects of their online behavior (for themselves, for associated people or even for their employer). This work addresses the question of how people in system-critical public services see or notice effects of what they post, comment or like on social media. In particular: how do German soldiers perceive risks, impacts or threats to their comrades and to their employer (the Bundeswehr) with respect to their behavior?