News

Next Seminar on 29.9.2021 + Announcement

Written on 24.09.2021 11:59 by Stella Wohnig

Dear All,

The next semester is starting soon, so if you're interested in staying in the seminar for the next term, please register for the new course on CMS already.
The link is: https://cms.cispa.saarland/bms2122/ and we will notify you about it again.

The next seminar takes place on 29.9. at 14:00.


Session A: (RA4,5)
Dominic Troppmann - Steven Dlucik

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting ID: 967 8620 5841
Passcode: BT!u5=


Session A:

14:00-14:30 

Speaker: Dominic Troppmann
Type of talk: Bachelor Final
Advisor: Dr.-Ing. Cristian-Alexandru Staicu
Title: On the Prevalence of Native Extensions in Scripting Languages
Research Area: RA5

Abstract:
Scripting languages such as Python are known for their ease of learning, ease of use, and the open-source nature of the ecosystems surrounding them. It is therefore not surprising to see them gaining a lot of popularity in recent years.
While scripting languages strive to be, by design, safer to use than lower-level languages such as C and C++, they often allow developers to include native code in their scripts via a feature called native extensions.
On the one hand, using native extensions offers several benefits, such as superior performance and access to functionality otherwise unavailable in scripting languages.
On the other hand, they also allow developers to break the safety guarantees of the scripting language, i.e., memory-, type-, and crash-safety.
Thus, if not implemented correctly, native extensions can quickly turn into a security risk, introducing entire categories of (particularly nasty) bugs and vulnerabilities into the scripting language environment.
Examples include but are not limited to buffer overflows, use-after-free vulnerabilities, or even hard crashes, which do not occur under normal circumstances.

In this thesis, we study how prevalent native extensions are in JavaScript, Python, and Ruby. We present our approach to performing a comprehensive analysis of npm, PyPI, and RubyGems, i.e., the three software ecosystems surrounding the studied scripting languages, to identify packages that use native extensions.
Furthermore, we determine the impact of native extensions on the studied ecosystems, that is, we measure how many packages (transitively) depend on them.
Finally, we assess how using native extensions affects a library's quality. We show that, while native extensions are not an extremely popular feature, they still influence large portions of the studied ecosystems.
Our findings furthermore indicate that native extensions, on top of being a considerable security risk for packages using them, also tend to diminish the package's overall quality.

14:30-15:00

Speaker: Steven Dlucik
Type of talk: Bachelor Intro
Advisor: Rafael Dutra
Title: Format Specific Fuzzers
Research Area: RA4

Abstract:
Compared to currently available fuzzers, which are not format-specific and therefore can be ineffective when a format calls for tighter restrictions, the BinaryFuzzer (FormatFuzzer) generates fuzzers tailored to the specific format under testing. The BinaryFuzzer uses binary templates, a format specification used by 010 Editor, to compile a combination of parser, mutator and highly efficient generator in C++. This generated code will adhere to the rules and limitations of the format under testing when parsing, mutating or generating files. We will implement new formats (WAV, BMP, MP3) by extending these from the 010 Editor to suit the usage by FormatFuzzer, and test them by feeding files produced by the generated fuzzer to programs such as ffmpeg as test subjects. We will compare these results with a combination of FormatFuzzer and AFL.

15:00-15:30
none this week

 
