Bachelor- and Master Seminar CISPA Staff

News



11.01.2022

Next Seminar on 19.1.2022

Dear All,

I hope you've had a great start to the new year and am happy to announce our first seminar sessions in 2022!
Please remember to upload your talk information on time :)
The next seminar(s) take place on 19.1. at 14:00.

Session A: (RA1,4)
Tim Walita... Read more

Dear All,

I hope you've had a great start to the new year and am happy to announce our first seminar sessions in 2022!
Please remember to upload your talk information on time :)
The next seminar(s) take place on 19.1. at 14:00.

Session A: (RA1,4)
Tim Walita - Jan Schmitz - Tobias Risch

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 5)
Raoul Scholtes - Yassir Kozha - Tobias Berdin

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Tim Walita
Type of talk: Bachelor Intro
Advisor: Nils Ole Tippenhauer
Title: Backdoor Attacks on Autoencoders in the ICS Setting
Research Area: RA4

Abstract: Nowadays, state-of-the-art machine learning models, such as autoencoders, are in wide use and also have their application in the industrial control system (ICS) setting. ICSs are commonly cyber-physical systems (CPS) such as power grids, water supply systems, and autonomous vehicles. Hardware components such as sensors and actuators build the physical part of the system. They interact with the physical world to perceive and interpret environmental feedback which is then processed by the cyber part of the system.

An autoencoder developed for water distribution systems can be a very effective reconstruction
based anomaly detection system. It is trained on a dataset containing sensor readings of a water
distribution system during normal operating conditions to learn the standard behavior of it.
However, recent research conducted at CISPA has shown that autoencoders are susceptible to backdoor
attacks. In this type of attack, the attacker is assumed to have control over the training process
of the target model and thereby introduce a hidden behavior that will only be executed by an
attacker chosen trigger.

Since backdoor attacks are mainly researched in the domain of learning based authentication
systems, such as face recognition, we would like to further expand the research on this topic to
find out whether it is possible to transfer this type of attack to the specialized setting of industrial control systems.

 

14:30-15:00

Speaker: Jan Schmitz
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Michaël Mera
Title: On the Impact of Model preserving Program Transformations on Fuzzing
Research Area: RA4

Abstract: Fuzzing is a useful technique to automatically discover bugs in software with almost no
human intervention involved. However, complex checks, nested predicates and magic
byte value comparisons make it quite difficult for a fuzzer to progress in a program.
Therefore, existing solutions try to solve, bypass or disable these checks. Some of them
rely on input models to do so.
But using input models causes redundancy because they already handle input checks
that are present in the target program. This slows down the fuzzer unnecessarily, in
particular if it also relies on some kind of code analysis.
To overcome this problem the redundant checks have to be removed. I propose a method
based on genetic algorithms for producing an optimized version of the target program
and have built a prototype that shows the impact of this proposal on the fuzzing process.

 

 

15:00-15:30

Speaker: Tobias Risch
Advisor: Dr. Andreas Zeller , Rafael Dutra
Research Area: RA1/4

Abstract:

not provided

 

Session B:

14:00-14:30

Speaker: Raoul Scholtes
Type of talk: Bachelor Intro
Advisor: Dr. Cristian-Alexandru Staicu, Dr. Giancarlo Pellegrino
Title: Applying Code Property Graphs for Cross-Language Vulnerability Analysis
Research Area: RA5

Abstract:
Since the dawn of the internet, websites have evolved from simple document browsing interfaces to complex web applications, handling a large number of operations and taking multiple sources of user input. While these applications are often developed in scripting languages like PHP, Python or JavaScript (Node.js), many additionally rely on native extensions written in low-level code.

In the past, multiple vulnerability types have been uncovered affecting web applications. These vulnerabilities typically reside in the high-level application code and can be exploited via specifically crafted web requests by an attacker. However, if unsanitized user input flows into the low-level extension code, there is an additional possibility that a low-level vulnerability like a buffer overflow or memory corruption can be triggered by malicious website interactions.

To efficiently find zero-day vulnerabilities, many automated vulnerability scanning techniques have been developed by security researchers. An example of such a technique is the Code Property Graph by Yamaguchi et al. This static approach models the application code as an extensive combination of graphs, and vulnerabilities can be discovered very efficiently by querying these graphs. However, this approach has the limitation that the graphs can only contain code written in the same programming language. In the context of native extensions, this implies that we cannot model a continuous flow of attacker-controlled data from the high-level source to the low-level sink functions, making automated detection of addon vulnerabilities infeasible.

In this thesis, we propose a workaround for this limitation. By building separate graphs for extension and main code, intercepting the low-level results and dynamically creating high-level queries, we create an automated analysis framework that connects dataflow sources of the extension to the respective sinks in the high-level code, thus bypassing above limitation. We implement the approach for the Node.js ecosystem and its various extension APIs and, in a first set of tests, evaluate its reliability, scalability and performance. Additionally, we evaluate how well the framework is adaptable to different sets of programming languages and ecosystems. Finally, we download packages containing low-level code from NPM and use our Node.js prototype to detect previously unknown vulnerabilities in native extensions, reachable by attacker input from JavaScript.

 

14:30-15:00

Speaker: Yassir Kozha
Supervisor: Robert Künnemann
Research Area: RA1

Abstract:
None provided

 
15:00-15:30

Speaker: Tobias Berdin
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Anonymous Web Authentication using Intel EPID
Research Area: RA1

Abstract: Many of the modern websites offer the possibility of login for users to access special features that cannot be accessed without a login. To this end, a simple login and password approach is used. However, this comes with some disadvantages. One main concern is privacy, as activities related to some shared resources can be traced back to a specific user. In particular, an adversary can track which resources an individual is using which is not always desirable and can be considered a privacy violation.
The second problem relates to passwords that can be forgotten, compromised via database breaches, or easily guessed by an adversary.
This thesis aims to solve both of these problems by introducing a passwordless authentication method for websites that also maintains the anonymity of an individual user within a group.
Two components are used for this: the WebAuthn standard for public key-based web authentication, and Intel EPID, with which we certify the membership of a user to a group.
An implementation that brings these concepts together is presented in the form of a Chrome browser extension.

13.12.2021

Next Seminar on 22.12.2021

Dear All,

The next seminar takes place on 22.12. at 14:00. As an exception this time there will only be one seminar which lasts until 16:00.
Below most of the talks' summaries are still missing - you can find an updated version a few days prior to the talks on... Read more

Dear All,

The next seminar takes place on 22.12. at 14:00. As an exception this time there will only be one seminar which lasts until 16:00.
Below most of the talks' summaries are still missing - you can find an updated version a few days prior to the talks on the CMS page, but I wanted to post this already as the changed timing might be a relevant information to all of you.

I wish you Happy Hollidays and a great start to the new year - There will be no seminar on 5.1. so we will reconvene at 19.1. in 2022!


Session A: (RA1,4,5) 14:00-16:00
Alexander Mohr - Katharina Basters - Rayhanul Islam Rumel - Banji Joseph Olorundare

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 


Session A:

14:00-14:30 

Speaker: Alexander Mohr
Type of talk: Master Intro
Advisor: Rafael Dutra
Title: Metamorphic Testing of Binary File Formats
Research Area: RA4
Abstract: In this thesis we propose an approach to apply Metamorphic Testing to binary file formats to discover logic bugs in programs. We first discuss what metamorphic testing is and define metamorphic transformations of binary file formats. Then we explain FormatFuzzer and its features, which we utilize to implement the transformations. We then show the different possible transformations we implemented with the help of FormatFuzzer. Lastly, we show how we evaluate our findings and how to decide whether or not we have discovered a logic bug with our approach.

 

14:30-15:00

Speaker: Katharina Basters
Type of talk: Bachelor Intro
Advisor: Katharina Krombholz represented by Alexander Ponticello
Title: How Blind People Use Mobile Password Managers
Research Area: RA5

Abstract:
Concerning authentication methods, research has shown that many users have a tendency to insecure behaviour. Security experts recommend the usage of password managers for several years, but the adaption rates are not rising significantly. There are studies about expectations, mental models, and usability of password managers to learn the reasons for that and as a follow-up improve the adaptation. In the line of this research it is especially important to take in the concerns of marginalized people like disabled people. Considering the very visual nature of contemporary digital content, especially blind and visually disabled people are in need of assistive technology, which makes accesibility for them a highly requested research topic. While the accessibility of different authentication methods is already relatively well covered, in the field of password managers there can be done more, especially taking in the trend of recent years away from desktop computers to mobile devices. The goal of this thesis is to gain a new perspective by conducting an usability test of a popular iOS password manager with blind and visually disabled people.

 

15:00-15:30

Speaker: Rayhanul Islam Rumel
Advisor: Yang Zhang
Research Area: RA1

 

15:30-16:00

Speaker: Banji Joseph Olorundare
Advisor: Rahul Gopinath
Research Area: RA4

06.12.2021

Next Seminar on 8.12.2021

Dear All,

The next seminar(s) take place on 8.12. at 14:00.


Session A: (RA3,5)
Jannis Rautenstrauch - Peter Stolz - Alaeddine Abroug

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:... Read more

Dear All,

The next seminar(s) take place on 8.12. at 14:00.


Session A: (RA3,5)
Jannis Rautenstrauch - Peter Stolz - Alaeddine Abroug

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 2,4)
Stanimir Iglev - Tim Speicher - Yavor Ivanov

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Jannis Rautenstrauch
Type of talk: Master Final
Advisor: Dr. Ben Stock, Dr. Giancarlo Pellegrino
Title: XS-Leaks - How affected are browsers and the web?
Research Area: RA5: Empirical and Behavioural Security

Abstract: Cyberattacks causing considerable damages to businesses and users are in the news almost every week. Cross-Site information leaks (XS-Leaks) are one type of web attack targeting users. In such attacks, victims visit a malicious website that infers information about them on other sites by abusing browser side-channels. Inferred information can reach from access detection to deanonymization. The scientific community has known XS-Leaks since the 2000s. Still, there is not enough information available to estimate how big of an issue such attacks are for the web ecosystem today.

This thesis aims to close this knowledge gap with two approaches. One approach is evaluating how different browser side-channels behave in modern web browsers by observing several channels for 387,072 responses. The other approach is scanning as many websites as possible for vulnerable URLs using a newly created fully automated pipeline.

The results show that browser behavior significantly differs. Studying the differences, we discovered ten security-relevant bugs and reported them to two browser vendors. With the does-it-leak pipeline, we detected vulnerable URLs on 258 out of 352 tested sites, presenting the largest study of XS-Leaks to date.
Based on the results of this thesis, we conclude that XS-Leaks pose a considerable problem for the web ecosystem, as most websites are currently vulnerable, and millions of users could be heavily affected. However, the results also show that websites have the means to be XS-Leak-free and that getting rid of differing edge case behavior in browsers could reduce the attack surface by about 50%.

 

14:30-15:00

Speaker: Peter Stolz
Type of talk: Bachelor Final
Advisor: Dr. Ben Stock
Title: To hash or not to hash: Asecurity assessment of the CSP directive unsafe-hashes
Research Area: RA3|5
Abstract: Content Security Policy (CSP) is a great way to mitigate Cross-site scripting (XSS) if used correctly. CSP has the experimental directive "unsafe-hashes" to whitelist certain inline event handlers and style attributes.
Before browsers add support for it we analysed how many event handlers can be abused to trigger XSS if an attacker reuses them on a malicious tag.
We built an analysis pipeline using dynamic analysis with taint tracking and forced execution to find flows from the attacker controlled tag to dangerous functions.
This allowed us to determine if it is a useful feature or if it should be abandoned because it implies a false sense of security for the most part.
We found 0.06% of distinct handlers to have dangerous flows among the Alexa Top 1000 and through manual analysis verfified their exploitability.
As only a low portion of event handlers contain such issues we conclude that unsafe-hashes is an easily adaptable method to harden a website against XSS and it can be used in a process to a robust CSP.

 

 

15:00-15:30

Speaker: Alaeddine Abroug
Type of talk: Intro Bachelor
Advisor: Dr. Michael Schwarz
Title: Automated Reverse Engineering of LLC Addressing
Research Area: RA3

Abstract:

Caches have proven themselves as an integral component when in the design of high performance processors. Modern cache architectures provide a multi-level structure, where the Last Level Cache (L3) is further subdivided into cache slices.  Those slices are shared and distributed among all cores in multi-core processors. Each slice is assigned a fraction of the address space for load balancing. A side effect of this performance optimization is that it made cache side-channel attacks across cores more complex. As the mapping from addresses to slices is undocumented, attacks cannot simply target specific cache parts. In this bachelor thesis, we implement a fully automated methodology to reverse engineer this undocumented mapping function. Reverse engineering the address-to-slice mapping function is key to constructing reliable cache-eviction sets in a fast way. Based on our reverse engineering, we show the first Prime+Probe attack on SGX on 6-core CPUs. Due to the non-linearity of the mapping function for these CPUs, such attacks were previously not possible.

 

Session B:

14:00-14:30

Speaker: Stanimir Iglev
Type of talk: Bachelor Intro
Advisors: Björn Mathis, Leon Bettscheider
Supervisor: Prof. Dr. Andreas Zeller
Title: Transpiling Schema Languages to Grammars
Research Area: RA4

Abstract:
Testing programs, which expect highly-structured inputs, has proven to be a challenging problem. Grammar-based fuzzing is a promising approach to address this issue. The idea behind it is to enhance the fuzzer with a grammar, which describes the input language of the program under test, and use it to produce syntactically valid inputs. However, due to the diversity of data format languages, it is hard to construct a universal grammar representation which is able to express the variety of restrictions that are applicable to the inputs.

As a result, fuzzers are very often tailored to work with a specific format or application and use a representation of grammar that is designed to function effectively with the targeted data format. This creates a layer of incompatibility between different fuzzer implementations. We present an approach to reduce this problem by creating a set of transpilers for the conversion of input specifications. More precisely, we convert schema documents to grammars.

Schema languages are very often used to define the structure and later validate the data accepted by programs. These languages allow the developers to assert that the input data satisfies certain conditions, thus they specify exactly what constitutes valid inputs. Most well-established data formats provide such schema vocabularies. By translating these input specifications into grammars, we can use them not only for input validation, but also for input generation. Hence, we believe that being able to convert different input languages to a single grammar format will enhance already existing fuzzers and provide a strong candidate for a unified grammar representation.

We propose a set of transpilers which make use of these schema documents to generate an input grammar for the program under test. Our tools are able to translate the constraints described by the schema, to production rules in the resulting grammar by utilizing an intermediate tree representation. We focus our attention on the two most widely used data interchange formats and their schema languages, namely JSON Schema and W3C XML Schema Definition Language (XSD).

We plan to evaluate the correctness and viability of our tools against real-world applications with the intention to guarantee that they can be used to enhance fuzzers and aid developers in finding defects in their programs. In order to assess the correctness of produced grammars, we perform a set of checks, which ensure that all symbols are defined and reachable from the start symbol. Furthermore, we evaluate the validity of documents, produced by generated grammars. To do so, we enhance a fuzzer with such a grammar and generate a vast amount of documents, which are then validated against the original input schema. Moreover, we conduct a comparative analysis between a fuzzer, augmented with a grammar generated by our tools, and other fuzzers. Our plan is to run them against a set of real-world applications and track metrics such as code coverage and depth of explored paths.

We believe that the proposed tools can be powerful instruments for the generation of complex test inputs and that they belong in the arsenal of every software tester. To the best of our knowledge, we present a novel way to translate input specifications into grammars for the production of highly-structured inputs.

 

14:30-15:00

Speaker: Tim Speicher
Type of talk: Bachelor Intro
Supervisor: Prof. Zeller
Advisor: Rafael Dutra
Title: Targeted Fuzzing using FormatFuzzer
Research Area: RA4

Abstract:
One big limitation of most modern fuzzer is the lack of controllability in terms of where and what exactly they are fuzzing. In many cases you want to focus the fuzzing on a small part of the hole functionalty, instead of testing all at once. Most modern fuzzer cannot distinguish between lower and higher prioritized fuzzing targets.
The goal of this thesis is to implement a mechanism to support targeted fuzzing, to concentrate the fuzzing on especially definded targets. We will implement this strategy in the FormatFuzzer, which is a structure-aware fuzzing tool. Having a specification for a file format in this case a binary template, the Format Fuzzer can be used as generator as well as parser and mutator for files of this format. When parsing a file, it produces a parse tree, which defines an order and hierachy of chunks in the file. Chunks in this context is generally spoken to refer to any struct or variable of the binary template. Format Fuzzer can mutate each chunk individually, without changing the rest of the file. This can be used to concentrate the fuzzing on chunks, that are related to our target of fuzzing.

 
15:00-15:30

Speaker: Yavor Ivanov
Type of talk: Bachelor Introduction
Advisor: Dr. Robert Künnemann, Kevin Morio
Title: Existential lemmas in Tamarin: towards more efficient sanity checks
Research Area: RA2

Abstract: Tamarin is a symbolic verification tool for security protocols. It can be used to
automatically prove that a protocol fulfills certain security properties specified as lemmas.
The majority of protocol models also contain lemmas that check if a protocol is executable.
Tamarin is optimized for proving security properties, which affects the constraint-reduction steps,
the selection heuristics used, and the traversal order of the proof tree.
Consequently, the resolution of sanity checks is not as efficient as it could be.
This work’s goal is to increase the efficiency with which sanity checks are performed.
We propose a solution consisting of three components: a modification of Tamarin’s
constraint-reduction steps, an optimization of the utilized heuristics, and using sequential
DFS as the default proof tree traversal strategy. Afterwards, we are going to evaluate each
of the new features with the help of a script to determine if they produce a substantial
performance increase.

18.11.2021

Next Seminar on 24.11.2021

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 24.11. at 14:00. Due to time constraints I couldn't make all RA4 and 5 talks go in a seperate session, so please choose the session you are most interested in.


Session A: (RA4,5)
... Read more

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 24.11. at 14:00. Due to time constraints I couldn't make all RA4 and 5 talks go in a seperate session, so please choose the session you are most interested in.


Session A: (RA4,5)
Lisa Hoffmann - Dañiel Gerhardt - Gunnar Heide

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 4,5)
Dominik Kempter - Abhilash Gupta - Marc Schuegraf

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Lisa Hoffmann
Type of talk: Bachelor Intro
Advisor: Dr. Katharina Krombholz, Carolyn Guthoff (Assistent)
Title: Development and Evaluation of a ​Dark Pattern Reporting Tool
Research: RA5 (Empirical and Behavioural Security)

Abstract:
There are a lot of papers published that deal with the topic of cookie banners and the problems and violations of the GDPR that occur with them.
Most papers give a limited and only temporary insight on this problem since data is collected only during a specific time period and on specific websites.
As mentioned by Fassl et al. [1], the topic is widely researched, but we are still in need of a solution that helps to solve the issue on a large scale in terms of data collection,
which is not restricted to a time frame or number of websites.
For that purpose, I aim to design a Chrome extension that collects violations of the GDPR in a publicly available list, which is updated with the help of end-users of browsers.

[1] Matthias Fassel, Lea Gröber, Katharina Krombholz. 2021. Stop the Consent Theater.

 

14:30-15:00

Speaker: Dañiel Gerhardt
Type of talk: Bachelor Intro
Advisor: Katharina Krombholz
Title: Mental models of EU Digital COVID Certificate Validation
Research Area: RA5

Abstract: The pandemic caused by COVID-19 has required us to quickly come up with solutions for this new and sudden problem of a rapidly spreading disease around the world. After a relatively short time vaccinations were made available but since it cannot be assumed that everyone has received a vaccine a convenient and accessible method for proving someone’s vaccination status was needed. In the European Union the EU Digital COVID Certificate was introduced in July 2021 to tackle this problem by allowing citizens to carry a digital certificate proving their vaccination status or that they recovered from the disease. This certificate, usually stored and presented as a QR code, can then quickly and easily be validated by staff at public places that require that visitors are either vaccinated or recovered from the disease to be allowed to enter. Recent anecdotal evidence has shown that this validation is often not done correctly and the person responsible for validating the authenticity of a given vaccination certificate often simply looks at a holder’s QR code stored in an app like CovPass or the Corona-Warn-App instead of scanning the QR code with an app like the CovPassCheck-App and cross-checking the identity of the certificate holder with the identity of the person presenting it using a government-issued ID. This incorrect validation might make the digital certificate less secure than a traditional paper vaccine passport as presenting any QR code may arguably be easier than forging a paper vaccine passport. It can also lead to unvaccinated people entering restricted areas where everyone present is under the assumption that everyone else around them is vaccinated or recovered and carries a valid vaccination certificate. The reason why it is so commonplace to incorrectly validate the EU Digital COVID Certificate is unknown so in this study, I will explore the mental models of professional users in regards to the validation process of the EU Digital COVID Certificate to find out.

 

 

15:00-15:30

Speaker: Gunnar Heide
Advisor: Lucjan Hanzlik
Title: no info
Research Area: 4

 

Session B:

14:00-14:30

Speaker: Dominik Kempter
Type of talk: Bachelor Final
Advisor: Dr. Giancarlo Pellegrino
Title: LighDTA - Lightweight Dynamic Taint Flow Analysis for State-Changing Operations
Research Area: RA5: Empirical and Behavioural Security

Abstract:
Many web applications trust data located in persistent storage. The disregard of proper sanitization leads to a variety of second-order vulnerabilities like Stored-XSS.
Dynamic Taint Analysis is one solution to this problem. Pre-defined data sources are tainting input, while security-critical functions can check for taints. The problem with this approach is propagating taints through persistent storage like databases. State-of-the-art propositions are highly dependent on the underlying persistent storage. This requires developers to restructure the database and applications to handle taints.
This bachelor thesis intends to explore the effectiveness of a lightweight approach to connect database input sinks to output sinks. This allows dynamic taint analysis to be performed independent of the underlying database and requires no restructuring of the web application.
We implemented a prototype that matches a database interface's read and write functions based on generated function traces. Those matches allow tracking the data flow within an application through persistent storage. We tested the prototype on six applications and found that our lightweight approach is capable to perform dynamic taint analysis without keeping track of taint markings and runtime checks on taints with proper parsing and data extraction.

 

14:30-15:00

Speaker: Abhilash Gupta
    Type of talk: Masters thesis final presentation
    Advisor: Dr. Rahul Gopinath
    Supervisor: Prof. Dr. Andreas Zeller
    Title: Grammar Fuzzing Command-line utilities in Linux
    Research Area: RA4

Abstract:
Command-line (CLI) utilities are popular programs invoked on the command-line interface. Their execution is determined by the configuration options and arguments passed in its invocation. The options activate various code segments and the arguments are its input. It is imperative to utilise both options and arguments while fuzzing to search for failures.

However, options have been always excluded from previous fuzzing CLI utilities experiments. In this thesis, we describe a method to integrate both options and arguments into the fuzzing process via the use of context-free grammars (CFG). Our approach takes a utility and automatically constructs a human-readable CFG capturing the entire syntax of its invocation. Once extracted, the grammar can be saved and reused again for that utility.

This thesis employs this approach to fuzz test 44 CLI utilities in Linux. It evaluates the number of failures found in those utilities. Furthermore, it also evaluates the code coverage achieved by this approach. The results demonstrate that this approach discovers more failures in CLI utilities than the best reported literature. Furthermore, this approach is observed to generally achieve better code coverage than a state-of-the-art feedback driven fuzzer.

 
15:00-15:30

Speaker: Mark Schuegraf
Type of talk: Master Final
Advisor: Prof. Dr. Andreas Zeller
Title: Fuzzing With Grammar Variants
Research Area: RA4

Abstract:
Fuzzing is the execution of a system under test with unexpected inputs. In generating these inputs, fuzzers may rely on a grammar to model the input language. However, such grammar-based fuzzers are only as good as the grammar they use.

We therefore investigated whether structural changes to grammars affect the performance of grammar-based fuzzers: First, we derived variants of existing grammars using transformations that preserve the modeled input language. Second, we empirically evaluated these grammar variants on real test subjects. In most tested configurations, we saw changes in the fuzzing performance of a fuzzer when using a particular grammar variant.

04.11.2021

Next Seminar on 10.11.2021

Dear All,

The order of talks has changed!

The next seminar(s) take place on 10.11. at 14:00.


Session A: (RA4)
Konstantin Holz - Tristan Hornetz - Joshua Renckens... Read more

Dear All,

The order of talks has changed!

The next seminar(s) take place on 10.11. at 14:00.


Session A: (RA4)
Konstantin Holz - Tristan Hornetz - Joshua Renckens

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B:  no talk this week


Session A:

14:00-14:30 

Speaker: Konstantin Holz
Type of Talk: Bachelor Final
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Assessment of IPv6 Implementations of Home Routers
Research Area: Secure mobile and autonomous systems

Abstract: The successor of IPv4, IPv6 is slowly reaching into the commercial area and into the households to replace IPv4. ISP begin providing a native IPv6 for end-users to utilize for their internet connection.
In this thesis, we examine the IPv6 implementation in commercially available routers, for differences in features and security mechanisms. In particular, we want to find out to which degree various manufacturers implemented IPv6 and which security guarantees it provides in contrast to its IPv4 implementation. For this, we run various tests on chosen devices for packet routing as well as look into features provided to the user and also look into the provided source code.

 

14:30-15:00

Speaker: Tristan Hornetz
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Title: Evaluating the Effectiveness of Automated Fault Localization in Python
Research Area: RA4

Abstract:

Automated fault localization describes a group of techniques that can aid a
programmer in locating the cause of bugs during software development. There
exists an abundance of past research on the topic, with countless approaches
being proposed and evaluated. Among the most popular techniques are
Statistical Debugging (SD) and Spectrum Based Fault Localization (SBFL), which
utilize dynamically recorded execution data to produce rankings of suspicious
program elements.
However, there is very little research about the applicability and general
usefulness of automated fault localization in the Python programming language.
This is surprising, given Python's high popularity and powerful introspection
capabilities. In this thesis, I present a configurable hybrid model of SBFL
and SD, and evaluate its performance on 300 bugs in real-world Python programs
from the BugsInPy database. The results demonstrate that configurations
resembling SBFL are generally superior to SD-like configurations. Moreover, I
demonstrate that a combination of SBFL and SD can yield better results than
both techniques individually.

15:00-15:30

Speaker: Joshua Renckens

Type of talk: Bachelor Final

Advisors: Dr. Rafael Dutra, Nikolas Havrikov

Supervisor: Prof. Dr. Andreas Zeller

Title: 0KFuzzer: Applying Systematic Exploration to FormatFuzzer

Research Area: RA4

Abstract:
Fuzzing is a technique used to test the robustness of programs by automatically generating inputs and feeding them into programs under test. However, using only randomly generated inputs is not a good way to achieve great code coverage. Most will immediately fail at the beginning of the program execution due to not matching the structure that is expected of the input.
Ways to mitigate this are grammar-based fuzzers. They take grammars that specify languages first and then base the input generation on the specified language. This makes sure that a certain input structure is maintained, reaching parts of the test programs random fuzzing wouldn’t be able to reach. However there is no guarantee that the entirety of a grammar can be covered reliably even when using grammar-based fuzzers.
The k-path algorithm improves on these grammar-based fuzzers bytaking care of the aforementioned issue. The goal of the k-path algorithm is to make sure that all of the grammar is systematically covered. It does so by building a list of k-paths from the grammar and generating inputs that cover these k-paths. Covering all of the k-paths should result in covering all of the productions of the grammar under test and by extension all of it’s terminals and non-terminals as well.
FormatFuzzer has an idea similar to grammar-based fuzzers but it takes binary templates, a format specification used by the 010 Editor, that  specify  file  formats  as  inputs instead  of grammars. It compiles them into C++ code that then acts as a generator of inputs according to the format specification described in said templates. However a similar problem to the grammar-based fuzzers can be found here as well, there is no guarantee that the entirety of the specification can be reliably covered and that’s where implementing the k-path algorithm into FormatFuzzer comes into play.
This thesis aims to improve on the FormatFuzzer by combining it with the k-path algorithm, taking the systematic coverage of grammars and using it on format specifications, with the goal being to systematically cover as much of the specification as possible. This combination of FormatFuzzer and the k-path algorithm, which we named the 0KFuzzer, will then be evaluated against the default FormatFuzzer to compare template coverage and code coverage

 

21.10.2021

Next Seminar on 27.10.2021

Dear All,

The next seminar(s) take place on 27.10. at 14:00.


Session A: (RA3,4)
Christoph Steuer - Jonathan Busch - Jonas Büchner

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:... Read more

Dear All,

The next seminar(s) take place on 27.10. at 14:00.


Session A: (RA3,4)
Christoph Steuer - Jonathan Busch - Jonas Büchner

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B:

no talk this week


Session A:

14:00-14:30 

Speaker: Christoph Steuer
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Seamless installation of Trustlets with third-party application in Android
Research Area: RA4

Abstract:
In the modern world, the need for trusted computing is increasing. Whether it be cryptography, access control or credential validation, being able to trust a piece of software to do what it is supposed to do and not leak sensitive information is a very important step towards a more secure world.
From the hardware side, there are several platforms to support trusted computing, with technologies such as Intel Software Guard Extensions (Intel-SGX), Arm TrustZone or AMD Secure Encrypted Virtualization(SEV). However, this support has to be utilized by software to become useful to the end user.
In Android, there is support for the Trusted Execution Environment OP-TEE, however the range of operations of trusted computing is severely limited due to the infeasibility for applications to ship custom Trusted Applications as there is no support during the app installation process to handle them. In case of OP-TEE, users attempting to install trusted applications first need to have access to a root shell. However, unlike on other commonly used Linux distributions, obtaining root privileges on Android is a complex and made difficult operation that, if attempted by inexperienced people, has a non-negligible chance to fail and potentially make the installed operating system inoperable. The only trusted computing that applications installed without root have access to comes in form of features of Android such as key store that function as Application Programming Interface(API) to pre-defined trusted applications.
The goal of the thesis is to extend the Android app installation process to allow for installation of Trusted Applications for OP-TEE without compromising currently available security guarantees.

 

14:30-15:00

Speaker: Jonathan Busch
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: Power-ups for Chromium: Facilitate Side-Channel Research
Research Area: RA3

Abstract: In recent years, side-channel based attacks have gained more and more importance. Instead of exploiting bugs, these novel attacks use side effects caused by software or hardware to infer secret information.
Low-level programming languages such as C or C++ are predominantly used to develop side-channel exploits, since they allow for controlling and measuring the microarchitectural state.
However, access to these low-level functions is not available for every programming language. For instance, JavaScript lacks some crucial functions used in side-channel attacks. Instead, one must use highly laborious workarounds to realize the same attacks. This makes testing, whether a newly found side-channel attack works in JavaScript, a time-consuming task.
In this work, we add low-level functions to Chromium’s JavaScript engine in order to facilitate this process. This allows researchers to build proof-of-concept scripts to check, whether a new side-channel attack is feasible in JavaScript, to avoid developing expensive workarounds in vain. Additionally, we provide proof-of-concepts of well-known side-channel-based attacks such as Flush+Reload and Spectre utilizing our extended version of Chromium.

 

 

15:00-15:30

Speaker: Jonas Büchner
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: (M)WAIT for It: Secret MONITORing using CPU Features
Research Area: RA3

Abstract: There is a plethora of attacks on the microarchitecture of current CPUs, of which side channels are among the most important. They not only leak cryptographic keys, but are used as building block of the powerful Meltdown and Spectre attacks. Prominent examples of side channels, like Flush+Reload or Prime+Probe, exploit the timing differences between cache hits and cache misses. While these are well-demonstrated and strong attack primitives, they are inherently limited. By relying on the execution and timing of their own cache operations, they are susceptible to noise and, even more importantly, suffer from a "blind window": if a victim access occurs during the reloading phase, they cannot observe it.
We overcome this with the MONITOR/MWAIT instructions that are contained in the SSE3 extensions of all modern x86 CPUs. This pair of instructions is meant for power management and thread optimization. Its primary use is to wait for a change on a monitored address range and continue execution once a write, or other triggering events, occur. While this aims at lock acquisition and synchronization, it seems to be meant to be exploited. We construct a side-channel from the native behaviour of this instruction pair by using it on victim addresses.
This thesis presents a new deterministic side-channel primitive that does not rely on caches. It is more robust than common cache side channels and allows for monitoring victim memory without ever missing an access. We demonstrate its usability in proof-of-concept controlled-channel attacks against Intel's Software Guard Extensions, achieving an attack accuracy of 100%. We furthermore construct a double-fetch detection mechanism which reliably detects double-fetches above a threshold of a few thousand cycles. Finally, we evaluate the use of our primitive as a covert channel, indicating resistance of most systems against this attack.

 

07.10.2021

Next Seminar on 13.10.2021

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 13.10. at 14:00. Since there is RA4 talks in both sessions, if you are from RA4, you can choose which session you want to join this week :)


Session A: (RA4)
Vera Resch - Jonas... Read more

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 13.10. at 14:00. Since there is RA4 talks in both sessions, if you are from RA4, you can choose which session you want to join this week :)


Session A: (RA4)
Vera Resch - Jonas Cirotzki - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session B: (RA 1,3,4)
Markus Bever - Anirudh Upadhya - Lorenz Hetterich

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 


Speaker: Vera Resch
Type of talk: Master Final Talk
Supervisor: Prof. Zeller
Advisors: Rahul Gopinath, Nikolas Havrikov
Title: Grammar-based URL Fuzzing: Field Study Exploring the WHATWG URL Standard
Research Area: 4

Abstract: Uniform Resource Locators (URLs) allow to quickly and precisely navigate today's web. Similar to the specifications of other web standards, such as HTML, the WHATWG maintains the URL specification as a living standard. However, because different applications use URLs for a multitude of purposes, there exists a variety of implementations of URL parsers, most of which claim to follow the URL standard.
This thesis uses grammar-based fuzzing together with a grammar of the current URL standard to examine how close the relationship between URL parsers and the standard is. In detail, this consists of testing the URL parsers included in the browsers Firefox and Chromium, as well as a selection of stand-alone URL parsers with inputs generated by executing a grammar-based fuzzer with a URL grammar based on the current standard and a URL grammar based on the RFC standard.
Finally, this thesis evaluates the number of errors encountered during test execution as well as the code coverages achieved in the selected URL parsers.
Results include that higher code coverages are reachable with inputs generated according to the current specification in comparison to inputs generated according to the RFC specification in ten out of eleven tested URL parsers. Furthermore, eight out of eleven tested URL parsers reject inputs based on the current specification less often than those based on the RFC specification.

 

14:30-15:00

Speaker: Jonas Cirotzki
Advisor: Sven Bugiel
Research Area: RA4

Abstract:missing info

 

 

15:00-15:30

Speaker: John Schmitt
Type of talk: Bachelor Final
Advisor: Dr. Sven Bugiel
Title: Implementing Certificate Transparency Inside Android Open Source Project
Research Area: 4

Abstract: Today the internet usage is as high as ever and gets more diverse every day. Therefore the security of the web is very important. One major point in security is the identity verification of web servers. To verify the identity of a web server, a web client has to rely on the validity of the provided certificate. As a result, web clients blindly trust in the integrity of the certificate authority to properly issue certificates. But what happens if a certificate authority is compromised, goes rogue, or issues flawed certificates?
In case of such a certificate misissuance, certificate transparency helps by providing a secure append-only log that documents every certificate issuance and thus enables accountability for certificate authorities.
Mobile devices are a major source of network traffic to web servers. Additionally, Android currently holds the biggest market share of mobile operating systems but does not present any solution to a certificate transparency implementation. With our work, we provide a proof of concept for an implementation of certificate transparency in the Android Open Source Project and make use of its benefits to protect Android users from certificate misissuance and thus Man-in-the-Middle attacks. Our evaluation has shown, that common apps are not negatively influenced by the prototypical implementation which, in our opinion, makes certificate transparency a very useful Android extension.

 

Session B:

14:00-14:30

Speaker: Markus Bever
Type of talk: Bachelor Final
Advisor: Antoine Joux, Anand Kunar Naranayan
Title: On parallelization for public key cryptanalysis
Research Area: RA1: Trustworthy Information Processing

Abstract:
Verifiable delay functions are exciting and new primitives in cryptography, especially
in the field of blockchains. The goal of this thesis is to study different approaches
to undermine the security of verifiable delay functions. For this we will try different
setups where the attackers control parts of a network and try to attack the verifiable
delay function in parallel. The current implementations of verifiable delay functions are
typically built based on number theoretical assumptions. There is a group underlying
the security of verifiable delay functions. We will focus on the example of a RSA-group.
Other candidates for the group include the ideal class group of quadratic imaginary
extensions. Verifiable delay functions are easily broken if the group order is known, in our
case this can be achieved by factoring. The fastest algorithm for factoring is the number
field sieve, which is part of the index calculus family and uses a lot of linear algebra. All
this candidates for breaking verifiable delay functions by finding the group order involve
index calculus methods. Here, the bottleneck is the linear algebra step. Also, we will
discuss Lenstra’s elliptic curve method for factoring. Our primary motivation was to
speed this up using parallelization. In this direction we investigated a new approach
from Fouque and Kirchner to calculate the group order in a black-box ring. This is an
extension of Maurers algorithm investigating the congruence between discrete logarithms
and the Diffie-Hellmann cryptosystem.

 

14:30-15:00

Speaker: Anirudh Upadhya
Type of talk: Master Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Safety and Security Critical Function Identification and Monitoring for Motor Controllers
Research Area: RA4

Abstract: Eletric scooters are becoming very popular recently and have been widely used. Most of these e-scooters and hoverboards are of cheap quality and buggy software without standardization. The firmwares of these scooters can be hacked to tweak scooter paramters. If the attacker has near access to the device he can maliciously tamper the sensor reading which can lead to wrong calculation torque vectors and then leading to a unintended acceleration or deceleration.​ The attacker can also increase the performance of the hoverboard with respect to its maximum speed etc or add additional functionalities to it.​
In this theses, we want to identify critical functions based on various currently available e-scooter architectures and find the impact on the e-scooter and thus the rider. We also want to implement runtime monitoring of these types of motor controllers. Monitoring software layer is used to check for errors in software or any unintended behavior from the user and curb them while bringing the system back to safe state or fail safe as defined in the architecture.​ Based on the critical functionalities the monitoring code is added. This code can utilize the existing TEE (Trusted Execution Environment) or run on a different core which has checker core feature (for example : Infineon AURIX 32 bit Tricore).​

 

 
15:00-15:30

Speaker:
Lorenz Hetterich

Type of talk:
Bachelor Final

Advisor:
Dr. Michael Schwarz

Title:
Exploting Spectre on IOS

Abstract:
Most CPUs don't stall execution when they encounter control flow instructions, but use predictors to make educated guesses on the destination (e.g. whether a branch is taken or not).
This allows them to speculatively continue execution resulting in a major time save upon correct predictions.
On incorrect predictions, speculatively executed instructions are not retired, the pipeline is flushed, and execution continues at the correct destination.
Whilst speculatively executed instructions are not visible on an architectural level, they may leave microarchitectural traces that can be observed using a side channel.
Spectre abuses this by mistraining predictors and observing microarchitectural state changes caused by speculative execution.
Even though research on Spectre has been done on most major platforms, Apple devices have hardly received any attention.
In my thesis, I evaluated the primitives required for cache side-channels on three Apple devices: An iPhone 7, an iPhone 8 Plus, and a M1 Mac Mini and successfully developed a simple Spectre proof of concept.
This talk will give an overview of the building blocks required for a simple Spectre attack and what difficulties we faced on Apple devices compared to other platforms.



Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators