Next Seminar on 15.9.2021

Written on 09.09.2021 13:56 by Stella Wohnig

Dear All,

The next seminar(s) take place on 15.9. at 14:00.

Session A: (RA1,2)
Nicolas Tran - Robin Gärtner

Meeting-ID: 967 8620 5841
Passcode: BT!u5=

Session B: (RA 4,5)
Marco Schichtel - Konstantin Holz - Bachir Bendrissou

Meeting-ID: 990 2598 9421
Passcode: 3mZyE$

Session A:


Speaker: Nicolas Tran
Type of talk: Bachelor Final
Advisor: Robert Künnemann, Patrick Speicher
Title: Automated in-browser generation, analysis and countermeasure selection for User Account Access Graphs
Research Area: 2
Abstract: The security of a user account hinges on one or multiple factors, which can be passwords or security tokens. This is also true for the access to other accounts, e.g., in case of single sign-on systems, e-mail based recovery procedures, or if password managers are used. Browser configuration, password choice, and account-specific setup are highly individual. Hence it is almost impossible for an average user to untangle these dependencies. Hammann et al. introduced User Account Access Graphs (UAAG), modeling these relationships between accounts, credentials, devices, and other potential factors such as house keys or documents. We develop an extension that automatically constructs personalized UAAGs. Using the recently developed Stackelberg planning algorithm, we calculate security scores and offer suggestions that improve the overall user security with the least possible effort. We provide an automated method for users to understand how their accounts depend on each other and to minimize the overall risk of account compromise with the highest-possible convenience. In addition, this method can be used by future research to conveniently collect user data in a comprehensive manner and to analyze today's user behavior.



Speaker: Robin Gärtner
Type of talk: Bachelor Final
Advisor: Nico Döttling
Title: Implementing Private Set Intersection
Research Area: RA1: Trustworthy Information Processing

In this thesis we analyse the efficiency of a newly proposed protocol for secure computation.
The goal of this protocol is to compute the size of the intersection of some input sets without revealing any other information to any party.
To do this I implemented the protocol as far as possible.
This way we can get an estimate on how fast the protocol can perform in different situations
and what input parameters have the biggest influence on the computation time.


none this week


Session B:


Speaker: Marco Schichtel        
Type of talk: Bachelor Final Talk
Advisor: Sven Bugiel
Title: Biometric Authentication in FIDO2 with TPM Authenticators
Research Area: 4
While the number of websites and platforms offering support for FIDO2 steadily grows, some of the hardware authenticators used with FIDO2 only offer weak methods
for a user to authorize the use of an authenticator for authentication. One of these authenticators is a TPM, which offers authorization via password and
extended authorization policy; however, so far only the former is used with FIDO2. In this bachelor thesis, we design an authentication scheme which allows the TPM
authorization to be combined with a biometric authenticator via extended authorization policies and which then can be used for WebAuthn authentication.

For this, we propose a way in which this scheme can be realized. Based on this, as a proof-of-concept, we design a prototype in the form of an Android app which implements
this scheme and can communicate with a WebAuthn server which we tailored to suit our scheme. This app combines the biometric functionality of the Android Keystore
with a software TPM to show how this concept could work. Furthermore, we conduct an evaluation of the authentication scheme and compare it to other authentication
schemes used with FIDO2 to gain insight into the advantages and disadvantages of our scheme.

The results show that this scheme is not usable for FIDO2 without modifying the WebAuthn process to suit multiple attestations from different hardware authenticators.
They do also show that combining a TPM with a biometric component would provide more resilience against internal attacks. Finally, they indicate that, since TPMs would
be integrated into every-day devices, this scheme could prove beneficial over a roaming authenticator, especially if the functionality of TPMs becomes more prevalent on



Speaker: Konstantin Holz
Type of Talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Assessment of IPv6 Implementations of Home Routers
Research Area: 4

Abstract: The successor of IPv4, IPv6, is slowly reaching into the commercial area and into households to replace IPv4. ISPs are beginning to provide native IPv6 for end-users to utilize for their internet connection.
In this thesis, we examine the IPv6 implementation in commercially available routers, for differences in features and security mechanisms. In particular, we want to find out to which degree various manufacturers implemented IPv6 and which security guarantees it provides in contrast to its IPv4 implementation. For this, we run various tests on chosen devices for packet routing as well as look into features provided to the user and also look into the provided source code.


Speaker: Bachir Bendrissou
Type of talk: Master Final
Advisor: Dr. Rahul Gopinath, Prof. Dr. Andreas Zeller
Title: Empirical Evaluation of GLADE
Research Area: RA5

Having a program input specification is crucial in various fields such as vulnerability analysis, reverse engineering, and software testing. However, in many cases, a formal input specification may be unavailable, incomplete, or obsolete. When the program source is available, one may be able to mine the input specification from the source code itself. However, when the source code is unavailable, a blackbox approach becomes necessary.

Unfortunately, blackbox approaches to learning context-free grammars are bounded in theory, and were shown to be as hard as reversing RSA. Hence, general context-free grammar recovery is thought to be computationally hard. GLADE is a recent blackbox grammar synthesizer, which claims it can recover an accurate context-free input grammar of any given subject using only a small set of seed inputs, and a general oracle able to distinguish between valid and invalid inputs. It also claims to be fast for all programs tested. While an implementation of GLADE is available, the input grammar produced is in an undocumented format that is hard to reverse engineer. Furthermore, GLADE also uses custom parsers and fuzzers which are hard to verify.

This thesis attempts to replicate GLADE independently by first implementing the GLADE algorithm in Python, then using this implementation to verify the reported GLADE experiment results, and further evaluating GLADE using new context-free grammars. This will provide us with precise information and insights about the limits and suitability of GLADE in diverse circumstances.
