News

Next Seminar on 13.10.2021

Written on 07.10.21 by Stella Wohnig

Dear All,

The next seminar(s) take place on 13.10. at 14:00. Since there is RA4 talks in both sessions, if you are from RA4, you can choose which session you want to join this week :) As a reminder: please join https://cms.cispa.saarland/bms2122 for the next semester seminar.


Session A:… Read more

Dear All,

The next seminar(s) take place on 13.10. at 14:00. Since there is RA4 talks in both sessions, if you are from RA4, you can choose which session you want to join this week :) As a reminder: please join https://cms.cispa.saarland/bms2122 for the next semester seminar.


Session A: (RA4)
Vera Resch - Jonas Cirotzki - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 1,3,4)
Markus Bever - Anirudh Upadhya - Lorenz Hetterich

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 


Speaker: Vera Resch
Type of talk: Master Final Talk
Supervisor: Prof. Zeller
Advisors: Rahul Gopinath, Nikolas Havrikov
Title: Grammar-based URL Fuzzing: Field Study Exploring the WHATWG URL Standard
Research Area: 4

Abstract: Uniform Resource Locators (URLs) allow to quickly and precisely navigate today's web. Similar to the specifications of other web standards, such as HTML, the WHATWG maintains the URL specification as a living standard. However, because different applications use URLs for a multitude of purposes, there exists a variety of implementations of URL parsers, most of which claim to follow the URL standard.
This thesis uses grammar-based fuzzing together with a grammar of the current URL standard to examine how close the relationship between URL parsers and the standard is. In detail, this consists of testing the URL parsers included in the browsers Firefox and Chromium, as well as a selection of stand-alone URL parsers with inputs generated by executing a grammar-based fuzzer with a URL grammar based on the current standard and a URL grammar based on the RFC standard.
Finally, this thesis evaluates the number of errors encountered during test execution as well as the code coverages achieved in the selected URL parsers.
Results include that higher code coverages are reachable with inputs generated according to the current specification in comparison to inputs generated according to the RFC specification in ten out of eleven tested URL parsers. Furthermore, eight out of eleven tested URL parsers reject inputs based on the current specification less often than those based on the RFC specification.

 

14:30-15:00

Speaker: Jonas Cirotzki
Advisor: Sven Bugiel
Research Area: RA4

Abstract:missing info

 

 
15:00-15:30

Speaker: John Schmitt
Type of talk: Bachelor Final
Advisor: Dr. Sven Bugiel
Title: Implementing Certificate Transparency Inside Android Open Source Project
Research Area: 4

Abstract: Today the internet usage is as high as ever and gets more diverse every day. Therefore the security of the web is very important. One major point in security is the identity verification of web servers. To verify the identity of a web server, a web client has to rely on the validity of the provided certificate. As a result, web clients blindly trust in the integrity of the certificate authority to properly issue certificates. But what happens if a certificate authority is compromised, goes rogue, or issues flawed certificates?
In case of such a certificate misissuance, certificate transparency helps by providing a secure append-only log that documents every certificate issuance and thus enables accountability for certificate authorities.
Mobile devices are a major source of network traffic to web servers. Additionally, Android currently holds the biggest market share of mobile operating systems but does not present any solution to a certificate transparency implementation. With our work, we provide a proof of concept for an implementation of certificate transparency in the Android Open Source Project and make use of its benefits to protect Android users from certificate misissuance and thus Man-in-the-Middle attacks. Our evaluation has shown, that common apps are not negatively influenced by the prototypical implementation which, in our opinion, makes certificate transparency a very useful Android extension.

 

Session B:

14:00-14:30

Speaker: Markus Bever
Type of talk: Bachelor Final
Advisor: Antoine Joux, Anand Kunar Naranayan
Title: On parallelization for public key cryptanalysis
Research Area: RA1: Trustworthy Information Processing

Abstract:
Verifiable delay functions are exciting and new primitives in cryptography, especially
in the field of blockchains. The goal of this thesis is to study different approaches
to undermine the security of verifiable delay functions. For this we will try different
setups where the attackers control parts of a network and try to attack the verifiable
delay function in parallel. The current implementations of verifiable delay functions are
typically built based on number theoretical assumptions. There is a group underlying
the security of verifiable delay functions. We will focus on the example of a RSA-group.
Other candidates for the group include the ideal class group of quadratic imaginary
extensions. Verifiable delay functions are easily broken if the group order is known, in our
case this can be achieved by factoring. The fastest algorithm for factoring is the number
field sieve, which is part of the index calculus family and uses a lot of linear algebra. All
this candidates for breaking verifiable delay functions by finding the group order involve
index calculus methods. Here, the bottleneck is the linear algebra step. Also, we will
discuss Lenstra’s elliptic curve method for factoring. Our primary motivation was to
speed this up using parallelization. In this direction we investigated a new approach
from Fouque and Kirchner to calculate the group order in a black-box ring. This is an
extension of Maurers algorithm investigating the congruence between discrete logarithms
and the Diffie-Hellmann cryptosystem.

 

14:30-15:00

Speaker: Anirudh Upadhya
Type of talk: Master Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Safety and Security Critical Function Identification and Monitoring for Motor Controllers
Research Area: RA4

Abstract: Eletric scooters are becoming very popular recently and have been widely used. Most of these e-scooters and hoverboards are of cheap quality and buggy software without standardization. The firmwares of these scooters can be hacked to tweak scooter paramters. If the attacker has near access to the device he can maliciously tamper the sensor reading which can lead to wrong calculation torque vectors and then leading to a unintended acceleration or deceleration.​ The attacker can also increase the performance of the hoverboard with respect to its maximum speed etc or add additional functionalities to it.​
In this theses, we want to identify critical functions based on various currently available e-scooter architectures and find the impact on the e-scooter and thus the rider. We also want to implement runtime monitoring of these types of motor controllers. Monitoring software layer is used to check for errors in software or any unintended behavior from the user and curb them while bringing the system back to safe state or fail safe as defined in the architecture.​ Based on the critical functionalities the monitoring code is added. This code can utilize the existing TEE (Trusted Execution Environment) or run on a different core which has checker core feature (for example : Infineon AURIX 32 bit Tricore).​

 

 
15:00-15:30

Speaker:
Lorenz Hetterich

Type of talk:
Bachelor Final

Advisor:
Dr. Michael Schwarz

Title:
Exploting Spectre on IOS

Abstract:
Most CPUs don't stall execution when they encounter control flow instructions, but use predictors to make educated guesses on the destination (e.g. whether a branch is taken or not).
This allows them to speculatively continue execution resulting in a major time save upon correct predictions.
On incorrect predictions, speculatively executed instructions are not retired, the pipeline is flushed, and execution continues at the correct destination.
Whilst speculatively executed instructions are not visible on an architectural level, they may leave microarchitectural traces that can be observed using a side channel.
Spectre abuses this by mistraining predictors and observing microarchitectural state changes caused by speculative execution.
Even though research on Spectre has been done on most major platforms, Apple devices have hardly received any attention.
In my thesis, I evaluated the primitives required for cache side-channels on three Apple devices: An iPhone 7, an iPhone 8 Plus, and a M1 Mac Mini and successfully developed a simple Spectre proof of concept.
This talk will give an overview of the building blocks required for a simple Spectre attack and what difficulties we faced on Apple devices compared to other platforms.

Next Seminar on 29.9.2021 + Announcement

Written on 24.09.21 (last change on 24.09.21) by Stella Wohnig

Dear All,

The next semester is soon starting, so if you're interested in staying in the seminar for the next term, please already register for the new course on CMS.
The link is: https://cms.cispa.saarland/bms2122/ and we will notify you another time about it.

The next seminar takes place on… Read more

Dear All,

The next semester is soon starting, so if you're interested in staying in the seminar for the next term, please already register for the new course on CMS.
The link is: https://cms.cispa.saarland/bms2122/ and we will notify you another time about it.

The next seminar takes place on 29.9. at 14:00.


Session A: (RA4,5)
Dominic Troppman - Steven Dlucik

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session A:

14:00-14:30 

Speaker: Dominic Troppmann
Type of talk: Bachelor Final
Advisor: Dr. Ing. Cristian-Alexandru Staicu
Title: On the Prevalence of Native Extensions in Scripting Languages
Research Area: RA5

Abstract:
Scripting languages such as Python are known for their ease of learning, ease of use, and the open-source nature of the ecosystems surrounding them. It is therefore not surprising to see them gaining a lot of popularity in recent years.
While scripting languages strive to be, by design, safer to use than lower-level languages such as C and C++, they often allow developers to include native code in their scripts via a feature called native extensions.
On the one hand, using native extensions offers several benefits, such as superior performance and access to functionality otherwise unavailable in scripting languages.
On the other hand, they also allow developers to break the safety guarantees of the scripting language, i.e., memory-, type-, and crash-safety.
Thus if not implemented correctly, native extensions can quickly turn into a security risk, introducing entire categories of -particularly nasty- bugs and vulnerabilities into the scripting language environment.
Examples include but are not limited to buffer overflows, use-after-free vulnerabilities, or even hard crashes, which do not occur under normal circumstances.

In this thesis, we study how prevalent native extensions are in JavaScript, Python, and Ruby. We present our approach to performing a comprehensive analysis of npm, PyPI, and RubyGems, i.e., the three software ecosystems surrounding the studied scripting languages, to identify packages that use native extensions.
Furthermore, we determine the impact of native extensions on the studied ecosystems, that is, we measure how many packages (transitively) depend on them.
Finally, we assess how using native extensions affects a library's quality. We show that, while native extensions are not an extremely popular feature, they still influence large portions of the studied ecosystems.
Our findings furthermore indicate that native extensions, on top of being a considerable security risk for packages using them, also tend to diminish the package's overall quality.

14:30-15:00

Speaker: Steven Dlucik
Type of talk: Bachelor Intro
Advisor: Rafael Dutra
Title: Format Specific Fuzzers
Research Area: RA 4
Abstract: Compared to currently available fuzzers, which are not format-specific and therefore can be in-effective when a format calls for tighter restrictions, the BinaryFuzzer(FormatFuzzer) generates fuzzers tailored to the specific format under testing. The BinaryFuzzer uses binary templates, which is a format specification used by 010 Editor, to compile a parser, mutator and highly efficient generator combination in C++ language. This generated code will adhere to the rules and limitations of the format under testing, when parsing, mutating or generating files. We will implement new formats (WAV, BMP, MP3), by extending these from the 010 Editor to suit the usage by FormatFuzzer and test these by inputting generated files by the generated fuzzer, using programs such as ffmpeg as testing subject. We will compare these results with a combination of FormatFuzzer and AFL.

 

 
15:00-15:30
none this week

 

Next Seminar on 15.9.2021

Written on 09.09.21 by Stella Wohnig

Dear All,

The next seminar(s) take place on 15.9. at 14:00.


Session A: (RA1,2)
Nicolas Tran - Robin Gärtner

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 4,5)
Marco Schichtel - Konstantin… Read more

Dear All,

The next seminar(s) take place on 15.9. at 14:00.


Session A: (RA1,2)
Nicolas Tran - Robin Gärtner

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 4,5)
Marco Schichtel - Konstantin Holz - Bachir Bendrissou

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Nicolas Tran
Type of talk: Bachelor Final
Advisor: Robert Künnemann, Patrick Speicher
Title: Automated in-browser generation, analysis and countermeasure selection for User Account Access Graphs
Research Area: 2
Abstract: The security of a user account hinges on one or multiple factors, which can be passwords or security tokens. This is also true for the access to other accounts, e.g., in case of single sign- on systems, e-mail based recovery procedures, or if password managers are used. Browser configuration, password choice, and account-specific setup are highly individual. Hence it is almost impossible for an average user to untangle these dependencies. Hammann et al. introduced User Account Access Graphs (UAAG), modeling these relationships between accounts, credentials, devices, and other potential factors such as house keys or documents. We develop an extension that automatically constructs personalized UAAGs. Using the recently developed Stackelberg planning algorithm, we calculate security scores and offer suggestions that improve the overall user security with the least possible effort. We provide an automated method for users to understand how their accounts depend on each other and to minimize the overall risk of account compromise with the highest-possible convenience. In addition, this method can be used by future research to conveniently collect user data in a comprehensive manner and to analyze today's user behavior.

 

14:30-15:00

Speaker: Robin Gärtner
Type of talk: Bachelor Final
Advisor: Nico Döttling
Title: Implementing Private Set Intersection
Research Area: RA1: Trustworthy Information Processing

Abstract:
In this thesis we analyse the efficiency of a newly proposed protocol for secure computation.
The goal of this protocol is to compute the size of the intersection of some input sets without revealing any other information to any party.
To do this I implemented the protocol as far as possible.
This way we can get an estimate on how fast the protocol can perform in different situations
and what input parameters have the biggest influence on the computation time.

 

 
15:00-15:30
none this week

 

Session B:

14:00-14:30

Speaker: Marco Schichtel        
Type of talk: Bachelor Final Talk
Advisor: Sven Bugiel
Title: Biometric Authentication in FIDO2 with TPM Authenticators
Research Area: 4
Abstract:
While the amount of websites and platforms offering support for FIDO2 steadily grows, some of the hardware authenticators used with FIDO2 only offer weak methods
for a user to authorize the use of an authenticator to be used for authentication. One of these authenticatos is a TPM which offers authorization via password and
extended authorization policy, however so far only the former is used with FIDO2. In this bachelor thesis, we deign an authentication scheme which allows the TPM
authorization to be combined with a biometric authenticator via extended authorization policies and which then can be used for WebAuthn authentication.

For this, we propose a way how this scheme can be realized. Based on this, as a proof-of-concept, we design a prototype in form of an Android app which implements
this scheme and can communicate with a WebAuthn server which we tailored to suit our scheme. THis app combines the biometric functionality of the Android Keystore
with a software TPM to show how this concept could work. Furthermore we conduct an evaluation of the authentication scheme and compare it to other authentication
schemes used with FIDO2 to gain insight into the advantages and disadvantages of our scheme.

The results show that this scheme is not usable for FIDO2 without modifying the WebAuthn process to suit multiple attestations from different hardware authenticators.
They do also show that combining a TPM with a biometric component would provide more resilience against internal attacks. Finally, they indicate that, since TPMs would
be integrated into every-day devices, this scheme could prove beneficial over a roaming authenticator, especially if the functionality of TPMs becomes more prevalent on
smartphones.

 

14:30-15:00

Speaker: Konstantin Holz
Type of Talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Assessment of IPv6 Implementations of Home Routers
Research Area: 4

Abstract: The successor of IPv4, IPv6 is slowly reaching into the commercial area and into the households to replace IPv4. ISP begin providing a native IPv6 for end-users to utilize for their internet connection.
In this thesis, we examine the IPv6 implementation in commercially available routers, for differences in features and security mechanisms. In particular, we want to find out to which degree various manufacturers implemented IPv6 and which security guarantees it provides in contrast to its IPv4 implementation. For this, we run various tests on chosen devices for packet routing as well as look into features provided to the user and also look into the provided source code.

 
15:00-15:30

Speaker: Bachir Bendrissou
Type of talk: Master Final
Advisor: Dr. Rahul Gopinath, Prof. Dr. Andreas Zeller
Title: Empirical Evaluation of GLADE
Research Area: RA5

Abstract:
Having a program input specification is crucial in various fields such as vulnerability analysis, reverse engineering, and software testing.  However, in many cases, a formal input specification may be un-available, incomplete, or obsolete. When the program source is available, one may be able to mine the input specification from the source code itself. However, when the source code is unavailable, a blackbox approach becomes necessary.

Unfortunately, blackbox approaches to learning context free grammars are bounded in theory, and was shown to be as hard as reversing RSA. Hence, general context-free grammar recovery is thought to be computationally hard. Glade is a recent blackbox grammar synthesizer, which claims it can recover an accurate context-free input grammar of any given subject using only a small set of seed inputs, and a general oracle able to distinguish between valid and invalid inputs. It also claims to be fast for all programs tested. While an implementation of GLADE is available, the input grammar produced is in an undocumented format that is hard to reverse engineer. Furthermore, GLADE also uses custom parsers and fuzzers which are hard to verify.

This thesis attempts to first replicate GLADE independently by first implementing the GLADE algorithm in Python, then use this implementation to verify the reported GLADE experiment results, and further evaluate GLADE using new context-free grammars. This will provide us with precise information and insights about the limits and suitability of GLADE in diverse circumstances.

Next Seminar on 1.9.2021

Written on 20.08.21 (last change on 23.08.21) by Stella Wohnig

Dear All,

As all slots for the next seminar are already booked and I will be on vacation here is the announcement for the next seminar on 1.9. If you need any changes to this make sure to only contact bamaseminar@cispa.saarland.

Update 2021-08-23: Update information on talk 2.

Session A
Atul… Read more

Dear All,

As all slots for the next seminar are already booked and I will be on vacation here is the announcement for the next seminar on 1.9. If you need any changes to this make sure to only contact bamaseminar@cispa.saarland.

Update 2021-08-23: Update information on talk 2.

Session A
Atul Anand Jha - Tejumade Afonja - An Vinh Nguyen Dinh

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker: Atul Anand Jha
Type of talk: MAster Thesis presentation    
Advisor: Dr. Sven Bugiel, Prof. Dr. Cas Cremers
Title: Device Identification and Mutual Attestation     
Research Area: Secure and Trusted Computing

Abstract:

In this thesis we propose Device Identification and Mutual Attestation,
DIMA- a hardware-software co-design with minimalist trust
anchor and elaborate key derivation and attestation scheme to prove device identity and
firmware integrity. We perform detailed requirement analysis for implementing DIMA on
generic embedded device and realize a PoC implementation. Along with point-to-point
implementation, we also propose DIMA for device networks with peer-to-peer distributed
attestation models which is the first of it’s kind to the best of our knowledge.

 

14:30-15:00

Speaker: Tejumade Afonja
Type of talk: Master Intro
Supervisor: Prof. Mario Fritz
Advisor: Dingfan Chen
Title: Learning Generative Models for Tabular Data based on Small Samples
Research Area: Trustworthy Information Processing

Abstract: 

Data sharing is vital for the development of machine learning applications in numerous domains but is often hindered by privacy concerns. In many sensitive domains such as banking and healthcare, data is not allowed to be shared in its original form due to privacy regulations. Recent advances in generative modeling have shown promising results in capturing statistical characteristics and generating high-fidelity samples of real-world tabular datasets, presenting a compelling solution to the data privacy challenges – sharing a synthetic dataset instead of the original one. However, existing approaches typically lose their effectiveness in terms of both privacy and utility when dealing with a small-size dataset. It becomes even more problematic when the dataset contains missing values. To this end, a hybrid approach that naturally handles missing values is adopted to leverage external datasets from related but different sources. In this thesis, recent literature on tabular data generation is reviewed. Moreover, a systematic evaluation of state-of-the-art approaches is conducted.

 

15:00-15:30

Speaker: An Vinh Nguyen Dinh
Type of talk: Master Final
Advisor: Prof. Mario Fritz
Title: Certification of Neural Network Reinforcement Learning Policies based on Randomized Smoothing
Research Area: Trustworthy information processing

Abstract: Although neural networks perform remarkably well on many machine learning tasks, they are shown to be highly vulnerable to adversarial inputs, which are made to fool them while staying natural to humans. Against the attacks, comes the notion of defense: fortifying networks with properties to repel the attacks or to improve their overall robustness to all attacks. This motivates the notion of certification, which is to bound the effect of all attacks against a given network and to help enhance its robustness. Among various certification methods, Randomized Smoothing with its theoretical richness and practical simplicity has arisen as one of the most efficient methods.

While adversarial competition takes place in the field of supervised learning, the domain of Reinforcement Learning has extensively adapted neural networks to its policies. Once more, neural network advantages come with the burden of adversarial competition, as proven by many attacks and defenses on policies emerging in recent years. Unfortunately, robustness certification on policies is still lacking in the literature. With that motivation, we propose several techniques to apply and adapt the Randomized Smoothing method to Reinforcement Learning policies, firstly in a simple environment. We validate our techniques with the robustness of the resulting policies, also in comparison with a standard certification technique. In addition, we discuss several trade-offs and problems we have encountered during adaptation and evaluation.

 

Next Seminar on 18.8.2021

Written on 30.07.21 (last change on 13.08.21) by Stella Wohnig

Dear All,

The next seminar takes place on 18.8. at 15:00. This week only one student presents, free spots still available. Due to other responsibilities, there is only one seminar on 1.9. so if you want a spot please register quickly.


Session A:
Atul Anand… Read more

Dear All,

The next seminar takes place on 18.8. at 15:00. This week only one student presents, free spots still available. Due to other responsibilities, there is only one seminar on 1.9. so if you want a spot please register quickly.


Session A:
Atul Anand Jha

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Speaker: Atul Anand Jha
Type of talk: MAster Thesis presentation    
Advisor: Dr. Sven Bugiel, Prof. Dr. Cas Cremers
Title: Device Identification and Mutual Attestation     
Research Area: Secure and Trusted Computing

Abstract:

In this thesis we propose Device Identification and Mutual Attestation,
DIMA- a hardware-software co-design with minimalist trust
anchor and elaborate key derivation and attestation scheme to prove device identity and
firmware integrity. We perform detailed requirement analysis for implementing DIMA on
generic embedded device and realize a PoC implementation. Along with point-to-point
implementation, we also propose DIMA for device networks with peer-to-peer distributed
attestation models which is the first of it’s kind to the best of our knowledge.

 

Next Seminar on 21.7.2021

Written on 16.07.21 by Stella Wohnig

Dear All,

The next seminar(s) take place on 21.7. at 14:00.

This week the submission of information worked poorly! Remember that you should upload your talk information by Wednesday night. The research area you write in should actually include the number 1-5 as provided in our last post - I… Read more

Dear All,

The next seminar(s) take place on 21.7. at 14:00.

This week the submission of information worked poorly! Remember that you should upload your talk information by Wednesday night. The research area you write in should actually include the number 1-5 as provided in our last post - I have made a guess which number applies for you if you didn't provide it this week, but for the other students to find your talk it is essential that you put in your area codes in the future! Ask your advisor in doubt!

I also made a new submission form for proposals, don't be confused, this will come in in the future.


Session A:
Tristan Hermanns - Tristan Hornetz - Leon Trampert

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B:
Anania Tesfaye - Yannik Schwindt - David Butscher

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Tristan Hermanns
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Christian Rossow
Title: Automatic Exploitation of Vulnerable ERC20 Contracts (An Extension of TeEther)
Research Area: RA3

With their recent increase in popularity, cryptocurrencies like Bitcoin and Ethereum are on the rise. In Ethereum, so called smart contracts can be deployed, allowing for programmatic control of funds. These smart contracts can not be patched or updated and therefore software vulnerabilities are directly coupled with financial loss.

With teEther, Rossow et al. created a tool that is capable of automatically finding and exploiting vulnerable smart contracts. For this, the EVM bytecode is scanned for critical paths that cause an extraction of funds to the attacker controlled address.

We plan to extend this tool to not only extract Ether, but also arbitrary ERC20-Tokens. ERC20 Tokens are standardized Cryptocurrencies implemented using Ethereum smart contracts. Because this standard eases tracking and fungibility of Tokens, new Cryptocurrencies are often deployed as ERC20 Tokens. Previous work on automated contract analysis has only focused on Ether-related vulnerabilites, but there is a need for automated ERC20 analysis.

 

14:30-15:00

Speaker: Tristan Hornetz
Type of talk: Bachelor Intro
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Marius Smytzek
Title: Evaluating the Effectiveness of Automated Fault Localization in Python
Research Area: RA4 - Secure Mobile and Autonomous Systems

Abstract: Automated fault localization describes a group of techniques that can aid a programmer in locating the cause of bugs during software development. An abundance of research has been performed on the topic, with Statistical Debugging (SD) and Spectrum Based Fault Localization (SBFL) being two of the most popular approaches. However, there is surprisingly little research about the applicability and general usefulness of automated fault localization in the Python programming language. With its powerful introspection and ever-growing popularity, Python seems like the optimal programming language to apply these techniques. As such, the goal of my Bachelor's Thesis is to research the effectiveness of automated fault localization in Python. For this purpose, I will conduct an empirical study on bugs in real-world software.

 

 
15:00-15:30

Speaker: Leon Trampert
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Christian Rossow, Dr. Michael Schwarz
Title: Browser-based CPU Fingerprinting
Research Area: RA3

Abstract:

As of January 2021, almost 60 percent of the global population is connected to the internet.
In most cases, a web browser is used to access the internet.
Using JavaScript and WebAssembly an attacker can execute sandboxed code on the system of a potential victim visiting his malicious site.
This sandboxed code execution does not give the attacker full control over the instructions executed, as the JavaScript and WebAssembly code will be JIT-compiled by the browser engine to the instruction set architecture (ISA) of the particular CPU.

Research in recent years has revealed multiple critical CPU bugs related to speculative execution and other optimization techniques.
Most of these vulnerabilites are CPU-specific and only found in recent CPU generations, whilst some of the latest generations may already include fixes against some of them.
Some attacks, such as RIDL  and Spectre  have successfully been implemented in the browser, opening new attack vectors.
Identifying potential victims or even choosing the most effective attack for a concrete target may be valuable to an attacker.

We plan to collect a multitude of different CPU-specific properties and behaviors, which may ultimately lead to the identification of the concrete CPU model.
The implications of this are worrisome, as they pose a direct threat to the security of everyone browsing the web.

 

Session B:

14:00-14:30

Speaker: Anania Tesfaye
Advisor: Ben Stock
RA: 5
No info provided yet!

 

14:30-15:00
Speaker: Yannik Schwindt
Advisor: Jaqueline Brendel
RA: 2
No info provided yet!
 
15:00-15:30

Speaker: David Butscher
Type of talk: Bachelor Final
Advisor: Dr. Ben Stock, Dr. Giancarlo Pellegrino
Title: Measuring the Impact of the Crawling Context on the Results of Web Scanners
Research Area: 5? Web Security

Abstract:
Web scanners are essential tools for security researchers. They are used to measure the
occurrence of security flaws in the known web. Unfortunately, their efficiency suffers from
multiple limitations. One limitation is that in the first phase - the crawling phase - the
crawling module needs to explore as many resources of a domain as possible. The found
URLs are the input for the attack modules in the second phase. Hence the efficiency of
the whole web scanner depends on the efficiency of the crawler module. This work
aims to identify factors that influence the success of web scanners, especially in the
crawling phase. To reach this goal, we have changed the context of the crawling process
and examined the crawling results for differences. We targeted four factors in detail:

1. IP address: the change of the IP addresses could mitigate the countermeasures of
web application firewalls against known attackers. There is also a possibility that
some sites are only accessible from particular locations.
2. Language: the web is accessible from around the globe, so site owners may serve
their websites in different languages. There might be a chance that they deliver
different web applications for different languages.
3. User-Agent: site owners may deliver multiple versions of their site customized for
the end-user device.
4. Authentication: signed up users may access pages that unknown users will never
be able to reach. Since authentication in an automated fashion is not trivial, we
mainly focused on websites that offer SSO.

We have used a limited set of top domains listed by Tranco for our experiments. For
our evaluation, we have built a crawler that loaded a special crawling profile. We ran
one crawler without modifications and one crawler for each of the first 3 modified factors
in parallel. Afterward, we have counted the number of detected security indicators. In
this way, we could measure the direct influence of single changes to the crawling context.
We also extended our crawler to find social login buttons and to automatically log in to
these websites leveraging the found buttons.

Next Seminar on 7.7.2021

Written on 02.07.21 by Stella Wohnig

Dear All,

I had accidentally deleted the seminar announcement :) Here it is back up. Please check the post about changes!


Session A
Joshua Renckes - Paul Kalbitzer - Paul Szymanski

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

Dear All,

I had accidentally deleted the seminar announcement :) Here it is back up. Please check the post about changes!


Session A
Joshua Renckes - Paul Kalbitzer - Paul Szymanski

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker: Joshua Renckens

Type of talk: Bachelor Intro

Advisor: Prof. Andreas Zeller

Title: 0KFuzzer: Applying Systematic Exploration to Binary Templates

Abstract:
Fuzzing is a technique used to test the robustness of programs by automatically generating inputs and feeding them into programs under test. However, using only randomly generated inputs is not a good way to achieve great code coverage. Most will immediately fail at the beginning of the program execution due to not matching the structure that is expected of the input.

Ways to mitigate this are grammar-based fuzzers. They take grammars that specify languages first and then base the input generation on the specified language. This makes sure that a certain input structure is maintained, reaching parts of the test programs random fuzzing wouldn't be able to reach. The k-path algorithm improves on these grammar-based fuzzers by making sure that all of the grammar is systematically covered.

The FormatFuzzer has an idea similar to grammar-based fuzzers but it takes binary templates that specify file formats as inputs instead of grammars. It compiles them into C++ code that then acts as a generator of inputs according to the format specification described in said templates. This thesis aims to improve on the FormatFuzzer by combining it with the k-path algorithm, taking the systematic coverage of grammars and using it on format specifications. This combination of the FormatFuzzer and the k-path algorithm will then be evaluated against the default FormatFuzzer to compare language coverage and program coverage.

 

14:30-15:00

 

Speaker: Paul Kalbitzer

Type of talk: Bachelor Intro
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Dr. Rafael Dutra

Title: Statistics-based testing with the Format Fuzzer

Abstract: Fuzzing is an automated testing method that uses an immense number of
automatically generated inputs to examine the behaviour of the program under
test. These inputs are usually randomly generated to detect crashes or other
errors. When testing programs that receive files as input, the problem arises
that formats are very complex and that input that does not meet the structural
requirements is rejected by the program in an early parsing phase. This in turn
results in a low code coverage, which is tantamount to a fuzzing result without
meaningfulness.

The FormatFuzzer, a structure-aware approach, counters this problem by
using binary templates. In this way, it ensures that structural requirements for
inputs are met in order to be able to test programs with complex input requirements.
However, the FormatFuzzer does not yet allow to declare probabilities
in general, as well as for individual variables. This makes it impossible for example,
to focus on uncommon aspects of a format.

The goal of my thesis is to present a version of FormatFuzzer that supports
the use of statistics and probabilities, but does not depend on their existence.
The focus is on offering the possibility to generate files based on probability
distributions, to be able to direct test generation towards a specic direction.

15:00-15:30

Speaker: Paul Szymanski
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Title: A Study of State-of-the-Art Call Graph Creation Approaches for JavaScript

Call graph creation is an important stepping stone for building sophisticated static analyses, e.g., taint analysis. However, many state-of-the art tools perform poorly when faced with real-world code. That is, many of the available call graph creation tools for JavaScript are extremely fragile and thus, fail to produce a call graph when certain language constructs are present in the analysed code. For example, many such tools only support ECMAScript 5 features, while practitioners rely on more modern syntax. Some call graph creation tools solve this problem by performing a transpilation step, e.g., using Babel, on the code before processing it further. Although these transformations are assumed to be preserving the functionality of the code, the transformations might result in different call graphs. This might be the case for other kinds of transformations, like obfuscation and minification, as well.
The goal of this bachelor thesis is to study existing call graph creation algorithms and identify their limitations, i.e. which language constructs are the most difficult to analyse. Additionally, we are interested in identifying code transformation techniques with the highest impact on the performance of static call graph algorithms, both beneficial and detrimental.

 

Changes to the seminar

Written on 29.06.21 (last change on 02.07.21) by Stella Wohnig

Dear All,

There will be a change to the seminar organisation. From now on, we will track the research area of your topics, as this clusters people of similar research interests and facilitates discussion of your results.

What you need to do now:

  1. Find out what your research area is (by… Read more

Dear All,

There will be a change to the seminar organisation. From now on, we will track the research area of your topics, as this clusters people of similar research interests and facilitates discussion of your results.

What you need to do now:

  1. Find out what your research area is (by going here: https://cispa.de/de/research and or checking in with your advisor)
  2. Provide this info in your future calendly registrations
  3. For all talks after the 7.7. use the new template for the talk information uploaded before your talk, which is found in the Materials section. State your area as "RA1" or "RA5" for example.

Furthermore this affects attention. During the time of your thesis work, you are expected to attend and participate in discussions of the talks on all days with talks within your research area (1-2 absences for sickness etc. will be accepted naturally smiley, also this obviously only applies to future talks).

In case you are unsure, the areas are

  • RA1: Trustworthy Information Processing
  • RA2: Reliable Security Guarantees
  • RA3: Threat Detection and Defenses
  • RA4: Secure Mobile and Autonomous Systems
  • RA5: Empirical and Behavioural Security
     

Best regards,
Stella Wohnig

 

Next Seminar on 23.6.2020

Written on 17.06.21 (last change on 23.06.21) by Stella Wohnig

Dear All,

The next seminar takes place on 23.6. at 14:00.


Session A
Gunnar Heide - Jonas Büchner - Philipp Zimmermann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker:… Read more

Dear All,

The next seminar takes place on 23.6. at 14:00.


Session A
Gunnar Heide - Jonas Büchner - Philipp Zimmermann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker: Gunnar Heide
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik, CISPA
Title: Implementing SFIDO - Improving FIDO2 with pairing-based cryptography
    
Abstract:
FIDO - "Fast IDentity Online" is a set of standard specifications published by the FIDO
Alliance for online authentication using hardware tokens. Based on traditional public
key cryptography it allows for passwordless authentication. In doing so it alleviates the
major issues of password database breaches, which are exacerbated by rampant password
reuse. It further curbs many types of phishing.
However, it is limited by its design since new features like anonymous attestation require
support for entirely new cryptographic operations on the hardware token.
SFIDO is a protocol developed by research group of L. Hanzlik at CISPA, that provides
a less complex solution leveraging pairing-based cryptography. With a fixed single cryp-
tographic primitive executed on the hardware token it provides not only authentication
and attestation, but is also extendable to a full anonymous credential system.
In this thesis a proof-of-concept implementation of the SFIDO client will be developed and benchmarked. Ideally, this will result in execution times which are comparable to FIDO2. Therefore, the goal of this thesis is to show that SFIDO represents a new, effective and efficient tool for secure online authentication using hardware tokens.

14:30-15:00

 

Speaker: Jonas Büchner
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: MONITORing Secrets with Hardware Features
Abstract: There is a plephora of attacks on the microarchitecture of current CPUs. They rely on a side channel for extractring (meta-)information. Prominent examples, like Flush+Reload or Prime+Probe, use the timing differences between cache hits and cache misses, which restricts the scope of those side channels to CPUs, where caches are shared.  
We try to overcome this, by replacing the side channel with the MONITOR/MWAIT instructions, which are contained in the SSE3 extensions of all modern x86 CPUs. This pair of instructions is meant for power managment and thread optimization. Its primary use is to wait for a change on a monitored address range and continue execution, once a write (or other triggering events) occur. While this aims at things like lock acquisation, it seems to be perfectly exploitable as a side channel. Since it does not rely on caches but is meant to wake up on any write to memory, it could potentially even be used as a cross-CPU side-channel. Moreover, it can be used to implement controlled channel attacks, without relying on caches. In current implementations, it is only available in kernel space, which requires a strong attacker. This is no problem in the attack scenario of SGX.  
We evaluate to what extent different attacks on SGX can make use of the MONITOR/MWAIT side channel. If the needed hardware arrives in time, we will also analyze the new UMONITOR/UMWAIT, which allows the monitoring from user space.

15:00-15:30
Speaker: Philipp Zimmermann
Type of Talk: Bachelor Intro
Advisor: Dr. Yang Zhang
Title: Link Stealing Attacks on Inductive Trained Graph Neural Networks
Abstract:
Since nowadays graphs are a common way to store and visualize data, Machine Learning algorithms have been improved to directly operate on them.
In most cases the graph itself can be deemed confidential, since the owner of the data often spends much time and resources collecting and preparing the data.
In our work, we show, that so called inductive trained graph neural networks can reveal sensitive information about their training graph.
We focus on extracting information about the edges of the target graph by observing the predictions of the target model in so called link stealing attacks.
In prior work, He et al. proposed the first link stealing attacks on graph neural networks, focusing on the transductive learning setting.
More precisely, given a black box access to a graph neural network, they were able to predict, whether two nodes of a graph that was used for training the model, are linked or not.
In our work, we now focus on the inductive setting.
Specifically, given a black box access to a graph neural network model that was trained inductively, we aim to predict whether there exists a link between any two nodes of the training graph or not.

 

Next Seminar on 9.6.2020

Written on 02.06.21 (last change on 03.06.21) by Stella Wohnig

Dear All,

The next seminar takes place on 26.5. at 14:30.


Session A 14:30-15:30
Banji Olorundare - Lorenz Hetterich

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 


Session… Read more

Dear All,

The next seminar takes place on 26.5. at 14:30.


Session A 14:30-15:30
Banji Olorundare - Lorenz Hetterich

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 


Session A:

14:30-15:00

 

Speaker: Banji Olorundare.
Type of talk: Master Intro.
Supervisor: Prof. Dr. Andreas Zeller.
Advisor: Dr. Rahul Gopinath.
Title: Inferring Input Grammar from Binary Programs using String Inclusion
Abstract: Knowing the input language of a program is important for fuzzing. While
there are tools that learn an input language from a program with or without
samples, most of these tools rely on dynamic taints. However, obtaining dynamic
taints involves using instrumented binaries. Unfortunately, such instrumentation
may be unavailable in many cases. Hence, tracking information flow using dynamic
taint information can be challenging. This can be especially hard in stripped
binaries where no debug information is present.
In this work, we present a technique that can extract the grammar from a given
program. Our technique takes a binary program and a small set of sample inputs
and identifies the structural decomposition of the input using the string inclusion
technique.
The result of this process is context-free grammar that forms the complete input
specification of the program. In our evaluation, our prototype automatically
produces readable and structurally accurate grammars from different evaluation
subjects. The resulting grammars produced can be used as input in test generators
for comprehensive automated testing.

15:00-15:30

Speaker:
Lorenz Hetterich

Type of talk:
Bachelor Intro

Advisor:
Dr. Michael Schwarz

Title:
Spectre on IOS

Abstract:
Most CPU don't stall execution when they encounter control flow instructions, but use predictors to make educated guesses on the destination (e.g. whether a branch is taken or not).
This allows them to speculatively continue execution resulting in a major time save upon correct predictions.
On incorrect predictions, speculatively executed instructions are not retired, the pipeline is flushed, and execution continues at the correct destination.
Whilst speculatively executed instructions are not visible on an architectural level, they may leave microarchitectural traces that can be observed using a side-channel.
Spectre abuses this by miss-training predictors and observing microarchitectural state changes caused by speculative execution.
Even though research has been done on Spectre on most major platforms, IOS Mobile Devices have hardly received any attention.
We want to evaluate the primitives required for cache side-channels on IOS Devices and explore whether Spectre type attacks are practical.
This talk will give an overview of the building blocks for a simple Spectre attack and what difficulties we expect compared to other platforms.

 

Next Seminar on 26.5.2021

Written on 24.05.21 (last change on 26.05.21) by Stella Wohnig

Dear All,
 

Due to limited avaiability of the advisors we will sadly not be able to make a nice block of talks this week, so there will be a break in one of the blocks. If any of the participants still change their mind and want to opt for 14.30 please inform me ASAP at… Read more

Dear All,
 

Due to limited avaiability of the advisors we will sadly not be able to make a nice block of talks this week, so there will be a break in one of the blocks. If any of the participants still change their mind and want to opt for 14.30 please inform me ASAP at bamaseminar@cispa.saarland - I think this will greatly increase the chance that people will listen to your talks!
The next seminar(s) take place on 26.5. at 14:00/15:00


Session A 14:00-15:30: (break 14:30-15:00)
Dominic Troppman - Xaver Fabian

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B 15:00-15:30:
Abhilash Gupta

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Dominic Troppmann
Type of talk: Bachelor Intro    
Advisor: Dr. Ing. Cristian-Alexandru Staicu
Title: On the Prevalence of Native Extensions in Scripting Languages

Abstract:
Native extensions are modules written in low-level C/C++ code that one can conveniently invoke from higher-level scripting languages like JavaScript, Python, or Ruby. Using native extensions offers several benefits such as superior performance and access to functionality otherwise unavailable in these scripting languages. Unfortunately, they also allow developers to break certain safety guarantees present in the higher-level languages, such as memory- and crash-safety. Thus, if not implemented correctly, native extensions can quickly turn into a security risk, acting as a backdoor for entire categories of -particularly nasty- bugs and vulnerabilities. Examples include but are not limited to buffer overflows, use-after-free vulnerabilities, or even hard crashes, which would not occur under normal circumstances.
The main goal of this thesis is to measure the prevalence of native extensions in JavaScript, Python, and Ruby. Furthermore, we want to understand the role they play in the ecosystems surrounding these three languages. To this end, we aim to conduct a comprehensive study of npm, PyPI, and RubyGems, the three largest software ecosystems backing up the scripting languages mentioned above. To detect usage of native extensions APIs, we perform static analysis on each packages' source code. Finally, we will use this information in combination with package metadata to answer our research questions.
 

 

14:30-15:00
coffee break

 

 
15:00-15:30

Speaker: Xaver Fabian
Type of talk: Master Intro
Advisor: Prof. Jan Reineke und Dr. Marco Patrignani
Title: Detecting (more) Spectre vulnerabilities

Abstract:
Speculative Execution is an optimization technique of processors that gives a significant speed-up by
predicting the outcome of branching (and other) instructions and continues execution based on these predictions.
If a prediction was incorrect, the processor rolls back the effect of the speculated instructions on the CPU
architectural state, which consists of registers and main memory. However, side effects on the microarchitectural state,
e.g., cache content, are not rolled back.
The Spectre attacks demonstrated how an attacker can exploit the side effects of these speculatively-executed instructions
by abusing different prediction mechanisms of the CPU. Several tools were developed to automatically detect Spectre vulnerabilities,
but most tools can only detect up to one or two variants of Spectre.
We want to extend one of these tools, called Spectector, to detect more Spectre vulnerabilities.
In this talk, I give an overview of Spectre and explain how Spectector finds these speculative vulnerabilities.
I then present our approach to extending Spectector to support additional Spectre variants and give an outlook
of what further is possible with this extended version of the tool.

 

Session B:

14:00-14:30

no talk this week.

 

 

14:30-15:00
no talk this week.
 
15:00-15:30

Speaker: Abhilash Gupta
Type of Talk: Master Intro
Advisor: Dr. Rahul Gopinath
Supervisor: Prof. Dr. Andreas Zeller
Title: Grammar Fuzzing Command lineutilities in Linux
Abstract: The execution of command-line (CLI) utilities is determined by both configuration options and arguments passed in its invocation. Configuration options activate specific code segments in the utility while arguments are the utility’s input. It is imperative to utilise both arguments and configuration options to fuzz these utilities.

We describe a method to integrate configuration options and arguments into the fuzzing process via the use of context-free grammars (CFG). We present a general technique that takes any utility and automatically constructs a readable CFG capturing the syntax of its invocation. We use these grammars in our fuzzing tool to fuzz command-line utilities to search for failures. We plan to evaluate the results obtained by our fuzzer and inspect its results with respect to previously observed fuzzing results.  We will also evaluate the coverage attained by our fuzzer compared to other fuzzing attempts on CLI utilities.

Next Seminar on 12.5.2021

Written on 06.05.21 (last change on 06.05.21) by Stella Wohnig

Dear All,
 

Please use this new page for your submissions from now on!
Hope you're all having a good semester.
The next seminar(s) take place on 12.5. at 14:00./14:30


Session A 14:00-15:00:
Pit Jost - Joshua… Read more

Dear All,
 

Please use this new page for your submissions from now on!
Hope you're all having a good semester.
The next seminar(s) take place on 12.5. at 14:00./14:30


Session A 14:00-15:00:
Pit Jost - Joshua Sonnet

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B 14:30-15:30:
Robin Gärtner - Bachir Bendrissou

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Pit Jost
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Dr. Rafael Dutra
Title: Automated generation of format-aware Fuzzers using FormatFuzzer

Abstract: Fuzzing is an automated testing technique used to execute computer programs with a high number of automatically generated, often ill-formed inputs in order to trigger unexpected behavior such as hangs, crashes or undesired outputs which can be a sign for the presence of vulnerabilities that can be exploited. As file formats tend to be very complex, programs often validate the structure of their inputs at an early parsing stage. Randomly generated files will likely not match the expected structure, thus are discarded during this early stage. Due to this, purely random fuzzing only reaches low code coverage, making it inefficient.

In this thesis, the novel fuzzing technique FormatFuzzer is used. FormatFuzzer uses a structure-aware approach that works by compiling descriptions of binary file formats, referred to as binary templates, into executables that can be used to parse, generate and mutate binary files compliant to their respective format specifications. These binary templates contain all information required to generate and parse structurally valid files of a given format. The files generated by FormatFuzzer are expected to perform better than conventional fuzzing approaches, as due to their structure-awareness, the files are most likely to pass the parsing stage of a given program, thus reaching higher code coverage.

The main focus in this thesis will be on developing reliable binary templates in order to support formats for which no binary templates optimized for generation with FormatFuzzer exist. As a starting point, existing templates made publicly available by 010 Editor are used. These templates work fine for parsing, but are not intended for file generation, as they are missing important information about specific values that need to be present at specific positions in the generated files in order for them to be valid, such as magic bytes. To tackle this issue, this information is added to the existing templates. Furthermore, the process of developing binary templates will be facilitated for future work by the introduction of new features into the binary template language, by automating parts of the process or by using new procedures. The efficiency of the resulting templates will finally be evaluated, and the results will be compared with related work.

14:30-15:00

Speaker: Joshua Sonnet
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Towards Decentralised Access Control in Thread-based Home IoT

Abstract: With the ever-emerging smart home systems today, convenience is the main aspect for IoT (Internet of Things) devices. But this oftentimes excludes contextual factors for authorisation of the respective device. This includes policies like children should only be allowed to control the TV, when parents are nearby to supervise them on what they are watching or remotely controlled lights should only be allowed to be turned on when someone is present in that room.
The goal of this thesis is to implement an access control layer for IoT devices build on Thread. Due to it being a mesh powered network without a true central hub, the authorisation of each device will also be decentralised, s.t. each one will decide about its own access control policy. As Thread allows for concurrent application layers, this model will run beside Thread and the controlling application of the device.

 

 
15:00-15:30

No talk this week.

 

Session B:

14:00-14:30

no talk this week.

 

 

14:30-15:00

Speaker:          Robin Gärtner
Type of talk:     Bachelor Intro
Advisor:           Nico Döttling
Title:                Multiparty Cardinality Testing for Threshold Private Set Intersection

Abstract: Threshold Private Set Intersection (PSI) allows multiple parties to compute the intersection of their
input sets if the intersection is larger than (n − t), where n is the size of the sets and t is some threshold.
The main appeal of the new protocol is that, in contrast to standard PSI, upper-bounds on the communication
complexity only depend on the threshold t and not on the sizes of the input sets. This way we can reduce the
communication complexity especially in the multiparty case.
The goal of this bachelor thesis is to implement this protocol for the first time so it can be used in
research studies. Additionally implementing the protocol might lead to a better understanding of it,
which could lead to further improvements in efficiency of the protocol.

15:00-15:30
Speaker:          Bachir Bendrissou
Advisor: Rahul Gopinath, Andreas Zeller
Type of talk: Master Intro talk

Title: Sample-Free Blackbox Grammar Synthesis

Abstract:
Having a program input specification is crucial in various fields such as vulnerability analysis, reverse engineering, and software testing.  However, in many cases, a formal input specification may be un-available, incomplete, or obsolete. When the program source is available, one may be able to mine the input specification from the source code itself. However, when the source code is unavailable, a blackbox approach becomes necessary.

Unfortunately, blackbox approaches to learning context free grammars are bounded in theory, and was shown to be as hard as reversing RSA. Hence, general context-free grammar recovery is thought to be computationally hard. Glade is a recent blackbox grammar synthesizer, which claims it can recover an accurate context-free input grammar of any given subject using only a small set of seed inputs, and a general oracle able to distinguish between valid and invalid inputs. It also claims to be fast for all programs tested. While an implementation of GLADE is available, the input grammar is produced is in an undocumented format that is hard to reverse engineer. Furthermore, GLADE also uses custom parsers and fuzzers which are hard to verify.

This thesis attempts to first replicate GLADE independently by first implementing the GLADE algorithm in Python and using this implementation to verify the reported GLADE experiments, and further evaluate GLADE using new context-free grammars. This will provide us with precise information and insights about the limits and suitability of GLADE in diverse circumstances.

The second part of our thesis will extend GLADE by pairing it with our bFuzzer tool. Bfuzzer generates and monotonically extends syntactically valid input prefixes until it finds valid inputs. Hence, in this pairing, bFuzzer will provide the syntactically valid sample inputs that GLADE requires to infer the grammar. We will evaluate the combined fuzzer against diverse subjects.

Next Seminar on 28.4.2020

Written on 22.04.21 by Stella Wohnig

Dear All,
 

Great that you found the new semesters page :)
The next seminar(s) take place on 28.4. at 14:00.


Session A 14:00-15:00:
Muhammad Bilal Latif - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,
 

Great that you found the new semesters page :)
The next seminar(s) take place on 28.4. at 14:00.


Session A 14:00-15:00:
Muhammad Bilal Latif - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B 14:00-15:00:
Peter Stolz - Marc Katz

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Muhammad Bilal Latif.
Type of talk: Master Intro.
Advisor: Dr. Ing. Cristian-Alexandru Staicu.
Title: Empirical Study of Full-Stack JavaScript Web Applications.
Abstract: Traditionally, most web applications were using Java or PHP on the server-side and JavaScript on the client-side. However, in recent years, we have seen a rise of interest in running JavaScript on the server-side as well, i.e., full-stack JavaScript web applications. The reason for this shift is multifold, e.g., uniform tools usage, easier skills transfer across the stack, etc. Recent work warns about the security practices in server-side JavaScript and in particular in its package manager, npm, supposedly the largest software ecosystem in the world.
However, judging the security of a given dependency in isolation is hard and it often leads to over-reporting security vulnerabilities. For example, let us consider the CVE-2019-1010266 vulnerability, which affects the method camelCase of the popular lodash package. In the associated bug report, it is speculated that an attacker can take advantage of the input to this method, without providing any empirical evidence, e.g., a GitHub project in which this is indeed possible. As a result of the issued CVE, all the clients of lodash were warned that they are at risk and that they should upgrade to the newest library version, independent of whether in their particular case, user input can reach the vulnerable method or even the package. To provide a more realistic view of the security of full-stack JavaScript web applications, one should consider the entire code of the application, i.e., client-side and server-side code together with third-party code.
The goal of this project is to perform an empirical study of open-source, full-stack JavaScript web applications. To this end, a testing infrastructure should be developed that allows both dynamic and static program analysis of realistic web applications. The infrastructure should be used to answer various research questions about (the security of) the analyzed web applications.

14:30-15:00

Speaker: John Schmitt
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Implementing Certificate Transparency Into Android Open Source Project

Abstract: To verify the identity of a web server, a web client has to rely on the validity of the provided certificate. As a result, web clients blindly trust in the integrity of the certificate authority to properly issue certificates. But what happens if a certificate authority is compromised, goes rogue, or issues flawed certificates? In case of such a certificate misissuance, certificate transparency helps by providing a secure append-only log that documents every certificate issuance and thus enforces accountability for certificate authorities. Mobile devices are a major source of network traffic to web servers. Additionally, Android currently holds the biggest market share of mobile operating systems but does not present any solution to a certificate transparency implementation. Our goal is to provide a proof of concept for an implementation of certificate transparency in the Android Open Source Project and make use of its benefits to protect Android users from certificate misissuance and thus man-in-the-middle attacks.

 

 
15:00-15:30

No talk this week.

 

Session B:

14:00-14:30

Speaker: Peter Stolz
Type of talk: Bachelor Intro
Advisor: Ben Stock
Title: To hash or not to hash
Abstract:
Content Security Policy (CSP) is a great way to mitigate Cross-site scripting (XSS) if used correctly. CSP has the experimental directive "unsafe-hashes" to whitelist certain inline event handlers and style attributes.
Before more browsers than chromium add support for it we want to analyse how many event handlers can be abused to trigger XSS if an attacker reuses them on a malicious tag.
This allows us to determine if it is a useful feature or if it should be abandoned because it implies a false sense of security for the most part.
How would the results change if we add a none to each tag, so an attacker can't inject arbitrary tags.

 

 

14:30-15:00
Speaker: Marc Katz
Type of talk: Bachelor Final
Advisor: Ben Stock
Title: Malicious Tag Soup: How the HTML standard undermines web security
Abstract: The HyperText Markup Language (HTML) is one of the first technologies that came with the invention of the internet and evolved around the last 30 years, sometimes in more than one direction. Today, with HTML 5 as the current version, the standard itself acknowledges that faulty implementations are common and can even influence the specification itself.
Modern browsers, on the one hand, feel the need to deliver a great user experience, including the ability to display very old or faulty webpages, while on the other hand, need to keep pace with the fast development of today’s web technologies.
The goal of this bachelor’s thesis is to analyze how this dilemma between backward-compatibility, gracious HTML parsing, and the implementation of new features affects web security. We use example attack vectors to investiage how different aspects negatively impact web security and propose a new parsing mode to create a benefit for security aware web developers.
15:00-15:30
No talk this week.

New page for summer term

Written on 13.04.21 by Stella Wohnig

Dear all,

this will be the new page for the new summer term 2021.
The migration will also be announced in the old group in due time, so do not worry.

Show all

Bachelor- and Master-Seminar

The bachelor/master seminar is a stage for all talks related to bachelor or master theses at CISPA.

The seminar is currently held bi-weekly on Wednesdays in odd-numbered calendar weeks. It takes place throughout the year, regardless of the lecture periods. You can join at any time. There are two parallel Zoom sessions from 14:00 to 15:30 with up to three talks each. The upcoming talks will be announced in the News section above.

Requirements for the course certificate

To pass the seminar, you have to

  • give an introductory talk where you present your thesis proposal

Furthermore, it is expected that you attend all talks of your own research area and participate in discussion during the time of your thesis work. You get a certificate and a grade for this course from your advisor. The advisor can contact us (bamaseminar@cispa.saarland) to check whether you meet all the passing conditions and to get a template for the certificate.

Further, you are required to hold a final talk about the results as a part of your thesis. While this talk is technically not part of the seminar but of the thesis work, you can still present it in the context of the seminar.

Attending a seminar session

Simply join one of the two parallel Zoom sessions. Choose the session with the talks you are most interested in. We welcome active participation and encourage you to ask questions and give helpful comments in the discussion after each talk.

During the seminar, we will share a link to an attendance sheet. Make sure to add your name to this document. We use these documents to track who attended which sessions.

Giving a talk in the seminar

Each talking slot is 30 minutes long. Your presentation should last about 20 minutes, so we have about 10 minutes left for discussion.

If you want to give a talk, you can book a time slot in one of the sessions. Use one of the following links for booking:

Please coordinate time and date with your advisor so that no two students of the same advisor present at the same time.

If you don't need a specific time slot, you can try to book 14:30, as some students either need the 14:00 or 15:00 slot. In rare cases, we will have to move the talks in a day, so please indicate which times you would be available. The final schedule will be announced in the News section a few days before the sessions take place.

To list your talk in the announcement, you will have to hand in some information about it, namely:

  • Speaker: Your name.
  • Type of talk: Bachelor Intro, Bachelor Final, Master Intro, or Master Final.
  • Advisor: The name of your advisor. If multiple advisors wish to attend the session, please list all of them so we can make sure that there are no collisions.
  • Title: Title of your talk.
  • Research Area: the number of your area. (In doubt check https://cispa.de/de/research or ask your advisor)
  • Abstract: Abstract of your talk.

Refer to previous announcements for examples.

Please submit this information at least one week in advance (until 23:59 on the Wednesday before your talk). Upload your information as a submission to CMS (see Personal Status), preferably as a plain text file (.txt). You can find a template in the materials section.

Contact the organizers

If there are any questions left, please use the mail address bamaseminar@cispa.saarland to contact the organizers.

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.