Bachelor- and Master Seminar

Dear students,
The new term has started, so please join https://cms.cispa.saarland/bms22/ where the seminar will continue.

This week's talks synopsis:

Session A: (RA1,5) 14:30-15:30
Nils Olze (RA5) - Erfan Balazadeh (RA1)

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

For more information join the new course.

Dear All,

Important: If you continue working on your thesis next semester, join the new course at https://cms.cispa.saarland/bms22 !
All communications will continue there in the new semester.

Update 2022-04-09: Added Priyasha Chatterjee's talk information, which was missing due to technical difficulties. Sorry!

The next seminar(s) take place on 13.04. at 14:00.

Session A: (RA3,4)
Joshua Steffensky - Priyasha Chatterjee - Tom Baumeister

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00-14:30 

Speaker: Joshua Steffensky
Type of talk: Master Intro
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4

Abstract:
The FIDO2 authentication scheme was released by the FIDO Alliance[1] in 2019 as the successor
of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by providing a usable, secure and open
authentication scheme for both hardware backed two-factor authentication, as well as complete passwordless
authentication. While FIDO2 was, as the name ”Fast IDentity Online” suggests, designed for web authentic-
ation, its use of an asymmetric challenge-response scheme and the specification of an interface for movable
cryptographic security devices makes it amenable to being used in other authentication contexts. This thesis
aims to investigate the possibility of using FIDO2 authentication in the physical authentication context.

 

14:30-15:00

Speaker: Priyasha Chatterjee
Type of talk: Master Final
Advisor: Dr. Katharina Krombholz
Title: User-centric Privacy Design for Smart Speakers
Research Area: RA5

Abstract: As ubiquitous computing becomes more widespread, so does the market for voice-controlled smart devices which afford convenience like never before. Smart home systems allow smart devices to connect to a hub, such as Amazon's Alexa, or Google Nest, which are smart speakers allowing users to control them by voice. However, while users find that these systems offer great convenience, they also find that they need to settle on a trade-off between privacy and security, and convenience. There have been reports of many privacy incidents in recent years, and in 2019, 41% of all smart home users were found to have been apprehensive about privacy around their smart speakers.
While there already exist a few designs for privacy protecting solutions, to the best of my knowledge, none of these have taken a user-centric approach to the design problem. My thesis thus proposes to identify one or more effective designs for privacy enhancement solutions for smart speakers, designed with the users in mind.
This is achieved by conducting a brief mixed-methods study with smart speaker users. The study comprises a questionnaire, a semi-structured interview, and prototype evaluation, allowing for the collection of detailed and meaningful insights into users’ perceptions, requirements and preferences. Through this study, I observe patterns in user intentions and behaviours around their smart speakers, and elicit design preferences. Finally, I establish user-centric designs and present recommendations for the design and development of future privacy enhancement solutions.

 

15:00-15:30

Speaker: Tom Baumeister
Type of talk: Master Intro
Advisor: PD Dr.Swen Jacobs
Title: Parameterized Repair of Disjunctive Systems for Liveness Properties
Research Area: RA2 (Reliable Security Guarantees)

Abstract: Concurrent systems that are composed of an arbitrary number n of processes, are hard to get correct. For these systems, parameterized model checking can provide correctness guarantees that hold regardless of n. However, model checking gives the designer no information about a possible repair when detecting an incorrect behaviour. The parameterized repair problem is, for a given implementation, to find a deadlock-free refinement such that a given property is satisfied by the resulting parameterized system. We present a repair algorithm that uses a parameterized model checker to determine correctness of generated candidate repairs. By updating a constraint system, when detecting a violation, the algorithm returns a repair iff one exists. For general safety properties, this algorithm can be applied on classes of systems which can be represented as well-structured transition systems (WSTS), including disjunctive systems, pairwise rendezvous systems and broadcast protocols. However, the existing approach cannot guarantee correctness for liveness properties, like termination or the absence of undesired loops. Since verifying liveness properties for parameterized systems quickly leads to undecidability, we want to study the parameterized repair problem for disjunctive systems and general liveness properties.

 

14:00-14:30 

Dear All,

The next seminar takes place on 30.3. at 14:00.

Session A: (RA3,4)
Stanimir Iglev - Tim Walita

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

 

14:00-14:30 

Speaker: Stanimir Iglev
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: Transpiling Schema Languages to Grammars
Research Area: RA4

Abstract:
Testing programs, which expect highly-structured inputs, has proven to be a challenging problem. Grammar-based fuzzing is a promising approach to address this issue. The idea behind it is to enhance the fuzzer with a grammar, which describes the input language of the program under test, and use it to produce syntactically valid inputs. However, due to the diversity of data formats, it is hard to construct a universal grammar representation which is able to express the variety of restrictions
that are applicable to the inputs. As a result, fuzzers are very often tailored to work with a specific format or application and use a representation of grammar that is designed to function efficiently with the targeted data format. This creates a layer of incompatibility across different fuzzers. We present an approach to reduce this problem by creating a set of transpilers for the conversion of input specifications. More precisely, we convert schema specifications to context-free grammars.

Schema languages are often used to define the structure of documents accepted by programs. These languages allow the developers to assert that the input data satisfies certain conditions. Essentially, a schema defines the input language of the application. Most well-established data formats provide such schema vocabularies. By translating these input specifications into grammars, we can use them not only
to assert the validity of incoming data, but also to generate test inputs. Hence, we believe that being able to convert different input languages to a single grammar format will greatly enhance already existing grammar-based fuzzers and provide a strong candidate for a unified grammar representation.

This thesis describes the creation of a set of transpilers which use these schema documents to infer input grammars. The presented tools are able to translate the constraints, described by the schema, to production rules in the resulting grammar by constructing an intermediate representation, which depicts the structure of valid documents. We target the two most widely used data interchange formats and
their schema languages, namely JSON Schema and W3C XML Schema Definition Language. The grammars produced by our transpilers are able to generate XML and JSON documents, which fulfill all requirements depicted by the input schema.

We evaluate the correctness of produced grammars and the validity of generated inputs against schemas used by real-world applications. The results show that our transpilers produce correct grammars for a high-variety of schemas. Additionally, when paired with a grammar-based fuzzer, more than 90% of the inputs generated by the grammar are valid according to the corresponding schema. Furthermore, we compared the grammars against generic XML and JSON grammars by fuzzing a JSON Schema validator and an RSS parser. Fuzzing with generated grammars achieves more than double the amount of coverage that is obtained when using a generic grammar.

 

14:30-15:00

Speaker: Tim Walita
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer
Title: Backdoor Attacks on Autoencoder-based Attack Detectors for ICS
Research Area: RA4

Abstract: Industrial control systems (ICS) such as PLCs and SCADAs are a
valuable target for hackers which can attack these targets and cause a
tremendous amount of damage to critical infrastructures. Consequently,
security measures must be implemented into these systems. An autoencoder
for water distribution systems can be an effective reconstruction based
anomaly detection system. It is capable of learning the standard behavior
of a complex system and can detect attacks on it very reliably. Therefore,
we want to further explore the security of the model itself and find out
if further protection measures are required.
In this thesis, we test the autoencoder against a state-of-the-art
adversarial machine learning attack called backdoor attack. This type of
attack is commonly explored in the domain of image classification. A
successful backdoor attack embeds a hidden behavior into the target model
which allows an attacker to bypass any type of ML-based detection system.
In the course of this thesis, we developed multiple versions of the attack
and evaluate each one of them on our own test dataset. This makes it
possible to evaluate the success rate of the backdoor attack because it
helps us to analyze if the backdoor triggers are recognized by the model.
On the benign test datasets the backdoored autoencoders achieve the same
accuracy as the original autoencoder.

 

 

15:00-15:30

No talk this week

 

Dear All,

The next seminar(s) take place on 16.3. at 14:00.

Session A: (RA3,4)
Alaeddine Abroug - Jonathan Busch - Christoph Steuer

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 5)(14:30-15:30)
Daniel Gerhardt - Philipp Baus

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Alaeddine Abroug
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: Automated Reverse Engineering of LLC Addressing
Research Area: RA3

Abstract:

Caches have proven themselves as an integral component when in the design of high performance processors. Modern cache architectures provide a multi-level structure, where the Last Level Cache (L3) is further subdivided into cache slices.  Those slices are shared and distributed among all cores in multi-core processors. Each slice is assigned a fraction of the address space for load balancing. A side effect of this performance optimization is that it made cache side-channel attacks across cores more complex. As the mapping from addresses to slices is undocumented, attacks cannot simply target specific cache parts. In this bachelor thesis, we implement a fully automated methodology to reverse engineer this undocumented mapping function. Reverse engineering the address-to-slice mapping function is key to constructing reliable cache-eviction sets in a fast way. Based on our reverse engineering, we show the first Prime+Probe attack on SGX on 6-core CPUs. Due to the non-linearity of the mapping function for these CPUs, such attacks were previously not possible.

 

14:30-15:00

Speaker: Jonathan Busch
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz, Dr. Cristian-Alexandru Staicu
Title: Power-ups for Chromium: Facilitate Side-Channel Research
Research Area: RA3

Abstract: In recent years, side-channel based attacks have gained more and more importance. Instead of exploiting bugs, these novel attacks use side effects caused by software or hardware to infer secret information. Low-level programming languages such as C or C++ are predominantly used to develop side-channel exploits, since they allow for controlling and measuring the microarchitectural state. However, access to these low-level functions is not available for every programming language. For instance, JavaScript lacks some crucial functions used in side-channel attacks. Instead, one must use highly laborious workarounds to realize the same attacks. This makes testing, whether a newly found side-channel attack works in JavaScript, a time-consuming task. In this work, we add low-level functions to Chromium’s JavaScript engine in order to facilitate this process. This allows researchers to build Proof-of-Concept scripts to check whether a new side-channel attack is feasible in JavaScript, to avoid developing expensive workarounds. Additionally, we provide Proof-of-Concepts of well-known side-channel-based attacks such as Flush+Reload and Spectre utilizing our extended version of Chromium. We evaluate the reliability of the added power-ups of our Proof-of-Concepts by running them multiple times with randomly generated input strings. The results show high success rates for all Proof-of-Concepts, with results greater than 95.95%.

 

 

15:00-15:30

Speaker: Christoph Steuer
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Seamless installation of trustlets with third-party applications in Android
Research Area: RA4

Abstract:
In a computing system, the Rich Execution Environment (REE) and Trusted Execution Environment (TEE) are two hardware-isolated processing spaces,
provided by technologies such as Intel SGX or Arm TrustZone. While REEs execute untrusted applications from third-parties, TEEs execute minimal
code pieces that are considered secure. REEs provide plenty of features to their applications which usually interact with users, while TEEs have
as few features as possible to be more secure (more features usually introduce more vulnerabilities). However, there are human-imposed limitations
that hinder privacy and security. This is the case for the Trusted Execution Environment OP-TEE when paired with the rich mobile operating system
Android. Currently, the only way an Android application can leverage the benefits of any TEE is through Android’s own security features. This is
problematic as an attacker compromising one of those security features can potentially compromise a lot of Android applications. In this work, I
propose a way for Android applications to ship their own TEE applications by creating an installation process for TEE applications for Android and
OP-TEE. This mitigates the previously described problem. As a result, an attacker would either cause far less damage as most TEE applications only
interact with very few REE applications each or have to invest more time to compromise more TEE applications to cause the same amount of damage.
Additionally I perform a security analysis on my implementation to prove that my proposal does not compromise security in other ways.

 

Session B:

14:00-14:30

No talk this week

 

14:30-15:00

15:00-15:30

Speaker: Philipp Baus
Type of talk: Bachelor Intro
Advisor: Ben Stock, Sebastian Roth
Title: Do you trust your Types? A qualitative Study on the Usability of Trusted Types to prevent Client-Side XSS vulnerabilities
Research Area: RA5

Abstract:
Cross-site scripting (XSS) is a web vulnerability that allows attackers to execute arbitrary JavaScript code in a victim's browser. Although a lot of time passed since the discovery in 1999, XSS is still a huge problem for websites on the internet nowadays. With the current trend of shifting the code of web applications to the client-side and the rising complexity of client-side code, the possible impact of a client-side XSS vulnerability is getting more severe. To mitigate these vulnerabilities Google recently introduced a new Web API, called "Trusted Types". Trusted Types eliminate the root causes of client-side XSS vulnerabilities by locking dangerous DOM and JavaScript sinks to only allow input in the form of a Trusted Types object. However, from the top web sites at the time only Facebook and Google are actively using Trusted Types to protect their websites against client-side XSS vulnerabilities. Therefore, this thesis aims to find common roadblocks for web developers when it comes to the implementation and the understanding of Trusted Types. To answer these research goals we will conduct a qualitative study about the usability of Trusted Types for web developers.

Dear All,

The next seminar(s) take place on 2.3. at 14:00.

Session A: (RA1,4) (14:00-15:00)
Sophie Wenning - Anirudh Upadhya

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 1,2,5)
Tobias Berdin - Virab Gevorgyan - Lukas Kirschner

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Sophie Wenning
Type of talk: Bachelor Intro
Advisor: Prof. Antoine Joux
Title: Sampling in representation technique algorithms
Research Area: RA1

Abstract:
The representation technique of Howgrave-Graham and Joux is a highly acclaimed improvement to the cryptanalysis of the well-known NP-complete subset sum problem. This method makes it possible to artificially enlarge the search space and thus increase the performance of cryptanalytic algorithms beyond the previously known lower bounds. The abstract core idea of this divide-and-conquer algorithm is to compose a solution to a subset sum instance from a few sets that enumerate all possible representations of a sum of a few elements chosen among all the summands of the instance. Recently, Esser and May presented an improvement to this method, using a sample from a binomial distribution to randomly form the representation sets instead of deterministically enumerating the possibilities as in the original algorithm. However, the authors withdrew their paper, citing "problems with counting the number of representations" as explanatory statement. The aim of this thesis is to investigate the roots of the issue in Esser and Mays' method and to show its consequences for further applications of the representation technique.

 

14:30-15:00

Speaker: Anirudh Upadhya
Type of talk: Master Final
Advisor: Dr. Nils Ole Tippenhauer
Title: Safety and Security Critical Function Identification and Monitoring for Motor Controllers
Research Area: RA4

Abstract: In recent times, e-scooters and electric hoverboards are becoming more popular and getting all the headlines for their novelty factor. Due to a lack of trustable vendors and standard architecture, the security and safety of these vehicles are unaccounted for. Most of these e-scooters and hoverboards are of cheap quality and buggy software without standardization. The firmware of these scooters can be hacked to tweak scooter parameters. If the attacker has near access to the device he can maliciously tamper with the sensor reading which can lead to wrong calculation torque vectors and then leading to an unintended acceleration or deceleration. The attacker can also increase the performance of the hoverboard with respect to its maximum speed etc or add additional functionalities to it.
In this thesis, we identify most of the critical functions based on various currently available e-scooter architectures and find the impact on the e-scooter and thus the rider. We also implement run-time monitoring of these types of motor controllers. The additional monitoring software layer is used to check for errors in the control loop, sensors, or any unintended behavior from the user and curb them while bringing the system back to a safe state or fail-safe as defined in the architecture. Based on the critical functionalities the monitoring code is added.

 

 

 

15:00-15:30

No talk this week

 

Session B:

14:00-14:30

Speaker: Tobias Berdin
Type of talk: Bachelor Final
Advisor: Dr. Lucjan Hanzlik
Title: Anonymous Web Authentication using Intel EPID
Research Area: RA1

Abstract: Many of the modern websites offer the possibility of login for users to access special features that cannot be accessed without a login. To this end, a simple login and password approach is used. However, this comes with some disadvantages. One main concern is privacy, as activities related to some shared resources can be traced back to a specific user. In particular, an adversary can track which resources an individual is using which is not always desirable and can be considered a privacy violation. The second problem relates to passwords that can be forgotten, compromised via database breaches, or easily guessed by an adversary.
This thesis aims to solve both of these problems by introducing a passwordless authentication method for websites that also maintains the anonymity of an individual user within a group. Two components are used for this: the WebAuthn standard for public key-based web authentication, and Intel EPID, with which we certify the membership of a user to a group.
An implementation that brings these concepts together is presented in the form of a Chrome browser extension and two remote services.

 

14:30-15:00

15:00-15:30

Speaker: Lukas Kirschner
Type of talk: Master Final
Advisor: Prof. Dr. Andreas Zeller
Title: Feedback-Driven Grammar-Based Test Generation
Research Area: 5

Abstract:
Grammar-based test generation techniques allow to generate syntactically valid inputs for software testing. These techniques generate inputs by employing the input grammar as a producer, typically, without obtaining any program feedback during test generation. However, program feedbacks (such as program failure) are necessary to achieve and target certain testing goals (e.g. fault exposure). To achieve such testing goals, it is necessary to generate test inputs that contain specific input structures that are relevant to the intended testing goal.

In this work, we propose a grammar-based test generation approach that uses a feedback loop to iteratively learn relevant input properties from generated inputs, in order to drive the generation of goal-specific test inputs. Concretely, we leverage a combination of evolutionary testing and grammar learning to determine the relevant input structures that achieve a target goal. The main idea of our approach is to learn the mapping between input structures and a specific testing goal, such mappings allow to generate inputs that target the goal at hand. Given a testing goal, our approach iteratively selects test inputs that are relevant to the goal, mutates such inputs and learns the distribution of input elements in the resulting (mutated) inputs using a probabilistic grammar. The learned grammar is then employed as a producer to drive the generation of goal-specific inputs.

In our evaluation, we used three input formats (JSON, CSS and JavaScript), a total of 20 subject programs and four testing goals namely unique code coverage, input complexity, program failures and long execution time. Overall, our results show that our feedback-driven approach effectively achieves our testing goals in fewer generations and quicker than the baselines (i.e. random and probabilistic grammar-based test generation).

Dear All,

The next seminar(s) take place on 16.2. at 14:00.

Session A: (RA1,3,4)
Huda Dawoud - Mirco Meinerzag - Ali Alhasani

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 5)
Jeremy Rack - Julia Hess - Thomas Helbrecht

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Huda Dawoud
Type of talk: Master Final.
Advisor: Sven Bugiel, Andreas Zeller
Title: Detecting the Misuse of Accessibility Features on Android
Research Area: RA4: Secure Mobile and Autonomous Systems
Abstract:
With the responsibility of including all segments of society in modern technology, Google has introduced the Accessibility Service on Android to support people with disabilities in using mobile devices. The powerful accessibility features enable apps to monitor users' interactions with other applications, which is a requirement for screen readers. It also enables the automatic injection of actions, including clicks and swipes, into other applications, allowing developers to provide assisting tools such as voice-based input systems. However, Google has not explicitly stated that using this service for purposes other than assisting disabled users is forbidden. As a result, many popular applications that use the accessibility service do not particularly target people with disabilities, such as antiviruses, cleaners, password managers, launchers, and others. This raises the question of whether the functionality given by such applications is worth the powerful features they gain, as in many cases it may be considered as a violation of Android’s least privilege principle.
In this thesis, we attempted to bring an answer to the following research questions: First, is it possible to detect a pattern that distinguishes between benign and malicious use of the accessibility service? Second, depending on the answer to the prior question, how can we protect users from malicious accessibility service misuse? We used machine learning for analysis and trained several Support Vector Machine (SVM) models to distinguish between malicious and benign accessibility service usage, using different feature sets as predictors, which resulted in varied false negative and false positive values. Finally, we attempt to estimate the accessibility features required by an application based on the accessibility description provided by developers, analyze the accessibility features gained and used in the code, and later warn the user whenever an application uses accessibility features that are not explicitly declared in the accessibility description. From the 65 benign applications in our sample set, 30 received a warning, including one accessibility app called Sesame, which uses the screenshot feature without mentioning it in the accessibility service description it provides.

 

14:30-15:00

Speaker: Mirko Meinerzag
Type of talk: Bachelor Intro Talk
Advisor: Sven Bugiel
Title: Hardening Androids Task Management to prevent phishing
Research Area: RA3|4

Abstract: Android's user interface has been frequently targeted by malware to perform attacks like phishing, denial-of-service, and more. These attacks often need little to no extra permissions but have devastating consequences for the user. One particular attack is called task hijacking. Task hijacking abuses the task management of Android to compromise the UI of benign applications. This can then be used to launch follow-up attacks that leak sensitive information or deny crucial services.

In Android 12 a new API was introduced that prevents third-party overlays from being displayed over the UI. This way developers can secure their apps and UI against phishing attacks based on overlays. However, phishing by abusing task hijacking is not prevented with this API. This work proposes a similar approach against task hijacking. By extending the Android framework, App developers are able to decide whether other (potentially malicious) apps can interfere with their tasks or not.

 

 

15:00-15:30

Speaker: Ali Alhasani
Type of talk: Master Intro
Advisor: Johannes Lampel, Marius Smytzek
Title: Alhazen combined with statistical debugging
Research Area: RA1

Abstract:
Alhazen is a fault diagnoses approach that performs two main tasks. First, it predicts whether an input will fail or not based on a decision tree model. Second, it generates more failure-causing inputs, to identify the circumstances in which the bug occurs. For these two tasks, Alhazen’s learner uses features related to the input to predict the bug or no bug outcome.

However, Alhazen does not consider features related to the program execution, thus limiting the power of its fault-prediction capability and making Alhazen unable to identify runtime circumstances associated with program behavior. This thesis proposes enhancing Alhazen prediction by learning additional features over statistical debugging predicates derived from program runtime events.

In this work, we use SElogger to extract program runtime events. These events report a software’s progress and its essential data during the execution time. In addition, we apply statistical debugging to extract predicates from these program runtime events.

 

Session B:

14:00-14:30

Speaker: Jeremy Rack
Type of talk: Bachelor Intro talk
Advisor: Cristian-Alexandru Staicu
Title: Studying the role of JavaScript bundlers in modern web applications.
Research Area: RA5(empirical and Behavioral Security)

Abstract:
Modern web applications are steadily growing in complexity and third-party dependencies.
Ensuring that all the libraries are loaded in the correct order and avoiding naming collisions between them is a tedious task that can be solved by “bundlers”.
Javascript bundlers are development tools that consume a list of resources
and package them into a single file, called a "bundle".
Among these bundled resources could be vulnerable third-party dependencies that expose the web application to various attacks.

My work aims to set the foundation for further research on Javascript bundlers.
To that end I intend to answer four questions:
1. What are the code signatures of the various bundlers visible in the bundles they produce?
2. How prevalent are bundlers in modern web applications?
3. Under which circumstances is it possible to detect the libraries included in a bundle?
4. Which third-party libraries are contained in real-world bundles and how many of them are outdated?

I will begin with collecting features for each of the bundlers to be able to detect them. Then I will perform a crawl to analyze the prevalence of the different bundlers.
Afterwards I will assess the different build options of a subset of the bundlers to determine the feasibility of my last two research questions.

 

14:30-15:00

15:00-15:30

Speaker: Thomas Helbrecht
Type of talk: Bachelor Intro
Advisor: Ben Stock
Title: How is client-side XSS patched?
Research Area: 5

Abstract: Client-side cross-site scripting remains a severe issue in 2022. This XSS type resides in the client-side portion of a web page and allows dangerous flows from attacker-controllable sources to dangerous sinks. This thesis aims to investigate how developers worked with client-side XSS vulnerabilities in the past. Using the Internet Archive, we will inspect the evolution of vulnerable pages over time. From this historical data, our goal is to learn how client-side XSS is patched and understand developers' efforts when dealing with this threat.

We will use existing XSS detection mechanisms by Lekies et al. and extend them by a new backend. The main task of this backend will be observing the progression of dangerous flows within a vulnerable website over time. For this, it will be capable of storing website snapshots over multiple revisions, with the data coming from the Internet Archive. Furthermore, we aim to detect patches and reason about the patching process from the page's taint-flow evolution and client-side snapshots.

Common ways of fixing such flaws are sanitization or API hardening. However, there are many pitfalls developers can fall into (inadequate sanitization, etc.), especially when cooking up their own solutions instead of using standard mitigation techniques. Apart from the developers' perspective, browser vendors have also recognized the risks of (client-side) XSS. They also work on fixing such flaws by providing mechanisms such as the upcoming Sanitizer API to allow secure rendering of untrusted HTML input.

While previous work mainly looked at detecting these flows, our research will focus on understanding how developers tackled such vulnerabilities in the past. By inspecting the patching process, we aim to look at metrics such as the origin of the patch, vulnerability, complexity to further our understanding of developers' actions taken to mitigate this XSS type.

14:00-14:30… Read more

Dear All,

The next seminar(s) take place on 19.1. at 14:00.

Session A: (RA4,5)
Daniel Reinhold - Paul Kalbitzer - Florian B.

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

 

14:00-14:30 

Speaker: Daniel Reinold
Type of talk: Bachelor Intro
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Leon Bettscheider
Title: Transpiling the Web Service Description Language
Research Area: RA4

Abstract: Users want a lot of functionality and information from the modern web. Web services provide an interface to request information or functionality from remote resources, connecting clients and servers to each other. This interface can receive direct user input, which makes it vulnerable to invalid or malicious requests.
If a web service goes offline due to an attack or bug, it can affect other peers, that rely on its functionality. Because of this, it is essential, that web services are robust and secure.
Fuzzing is a technique to automatically test software for vulnerabilities and other unintended behavior by generating random inputs. However, if completely random values are being produced, the result will be primarily invalid calls. To make this approach more efficient at creating valid inputs, a grammar can be used. Grammars are a way to specify the structure of an input and can be used in grammar-based fuzzers, to generate values for testing. A drawback is, that it can be difficult and time-consuming to create a grammar from scratch for a target application. This can be avoided by deriving the grammar from documents specifying the interface.
For web services, description files in a specification called Web Services Description Language exist. They are usually publicly available, which enables us to test our approach on a wide range of live web services.
We use this strategy to convert the interface description file of web services to a universal grammar. Then we generate many random values that match the input structure and send them as a request to a web service, to see how it responds. Our goal is to create a process to automatically fuzz web services.

 

14:30-15:00

Speaker: Paul Kalbitzer

Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Dr. Rafael Dutra

Title: Distribution-based fuzzing using FormatFuzzer

Research Area: RA4

Abstract: Fuzzing is an automated testing method that uses an immense number of
automatically generated inputs to examine the behaviour of the program under
test. These inputs are usually randomly generated to detect crashes or other
errors. When testing programs that receive files as input, the problem arises
that formats are very complex and that input that does not meet the structural
requirements is rejected by the program in an early parsing phase. This in turn
results in a low code coverage, which is tantamount to a fuzzing result without
meaningfulness.

The FormatFuzzer, a structure-aware approach, counters this problem by
using binary templates. In this way, it ensures that structural requirements for
inputs are met in order to be able to test programs with complex input requirements.
However, the FormatFuzzer does not yet allow to declare probabilities
in general, as well as for individual variables. This makes it impossible for example,
to focus on uncommon aspects of a format.

The goal of my thesis is to present a version of FormatFuzzer that supports
the use of statistics and probabilities, but does not depend on their existence.
The focus is on offering the possibility to generate files based on probability
distributions, to be able to direct test generation towards a specic direction.

 

 

15:00-15:30

Speaker: Florian B.
Type of talk: Bachelor Intro
Advisor: Dr. Dominic Steinhöfel, Prof. Andreas Zeller
Title: Bidirectional Converter Between ANTLR, BGF and a Pivot Language
Research Area: RA5

Abstract:
Grammar-based fuzzing is a common technique to make fuzzers more program-specific. On the one hand, there are different fuzzers with different grammar formats as input and on the other hand, there are large grammar collections like the Grammar Zoo with its BGF format or repositories with many grammars in ANTLR format. The ability to convert different grammar formats into each other would allow to use existing grammar collections, and thus thousands of grammars without requiring additional work for each grammar.
Bidirectional conversion between these different formats is easiest accomplished using a pivot language.
This pivot language can then be used to convert ANTLR to BGF and vice versa, or to convert to any new format by simply developing a new converter for a different format while using he same pivot language.
In this thesis, a converter will be developed to convert ANTLR and BGF into a pivot language and vice versa.

Dear All,

I hope you've had a great start to the new year and am happy to announce our first seminar sessions in 2022!
Please remember to upload your talk information on time :)
The next seminar(s) take place on 19.1. at 14:00.

Session A: (RA1,4)
Tim Walita - Jan Schmitz - Tobias Risch

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 5)
Raoul Scholtes - Yassir Kozha - Tobias Berdin

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Tim Walita
Type of talk: Bachelor Intro
Advisor: Nils Ole Tippenhauer
Title: Backdoor Attacks on Autoencoders in the ICS Setting
Research Area: RA4

Abstract: Nowadays, state-of-the-art machine learning models, such as autoencoders, are in wide use and also have their application in the industrial control system (ICS) setting. ICSs are commonly cyber-physical systems (CPS) such as power grids, water supply systems, and autonomous vehicles. Hardware components such as sensors and actuators build the physical part of the system. They interact with the physical world to perceive and interpret environmental feedback which is then processed by the cyber part of the system.

An autoencoder developed for water distribution systems can be a very effective reconstruction
based anomaly detection system. It is trained on a dataset containing sensor readings of a water
distribution system during normal operating conditions to learn the standard behavior of it.
However, recent research conducted at CISPA has shown that autoencoders are susceptible to backdoor
attacks. In this type of attack, the attacker is assumed to have control over the training process
of the target model and thereby introduce a hidden behavior that will only be executed by an
attacker chosen trigger.

Since backdoor attacks are mainly researched in the domain of learning based authentication
systems, such as face recognition, we would like to further expand the research on this topic to
find out whether it is possible to transfer this type of attack to the specialized setting of industrial control systems.

 

14:30-15:00

Speaker: Jan Schmitz
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Michaël Mera
Title: On the Impact of Model preserving Program Transformations on Fuzzing
Research Area: RA4

Abstract: Fuzzing is a useful technique to automatically discover bugs in software with almost no
human intervention involved. However, complex checks, nested predicates and magic
byte value comparisons make it quite difficult for a fuzzer to progress in a program.
Therefore, existing solutions try to solve, bypass or disable these checks. Some of them
rely on input models to do so.
But using input models causes redundancy because they already handle input checks
that are present in the target program. This slows down the fuzzer unnecessarily, in
particular if it also relies on some kind of code analysis.
To overcome this problem the redundant checks have to be removed. I propose a method
based on genetic algorithms for producing an optimized version of the target program
and have built a prototype that shows the impact of this proposal on the fuzzing process.

 

 

15:00-15:30

Speaker: Tobias Risch
Advisor: Dr. Andreas Zeller , Rafael Dutra
Research Area: RA1/4

Abstract:

not provided

 

Session B:

14:00-14:30

Speaker: Raoul Scholtes
Type of talk: Bachelor Intro
Advisor: Dr. Cristian-Alexandru Staicu, Dr. Giancarlo Pellegrino
Title: Applying Code Property Graphs for Cross-Language Vulnerability Analysis
Research Area: RA5

Abstract:
Since the dawn of the internet, websites have evolved from simple document browsing interfaces to complex web applications, handling a large number of operations and taking multiple sources of user input. While these applications are often developed in scripting languages like PHP, Python or JavaScript (Node.js), many additionally rely on native extensions written in low-level code.

In the past, multiple vulnerability types have been uncovered affecting web applications. These vulnerabilities typically reside in the high-level application code and can be exploited via specifically crafted web requests by an attacker. However, if unsanitized user input flows into the low-level extension code, there is an additional possibility that a low-level vulnerability like a buffer overflow or memory corruption can be triggered by malicious website interactions.

To efficiently find zero-day vulnerabilities, many automated vulnerability scanning techniques have been developed by security researchers. An example of such a technique is the Code Property Graph by Yamaguchi et al. This static approach models the application code as an extensive combination of graphs, and vulnerabilities can be discovered very efficiently by querying these graphs. However, this approach has the limitation that the graphs can only contain code written in the same programming language. In the context of native extensions, this implies that we cannot model a continuous flow of attacker-controlled data from the high-level source to the low-level sink functions, making automated detection of addon vulnerabilities infeasible.

In this thesis, we propose a workaround for this limitation. By building separate graphs for extension and main code, intercepting the low-level results and dynamically creating high-level queries, we create an automated analysis framework that connects dataflow sources of the extension to the respective sinks in the high-level code, thus bypassing above limitation. We implement the approach for the Node.js ecosystem and its various extension APIs and, in a first set of tests, evaluate its reliability, scalability and performance. Additionally, we evaluate how well the framework is adaptable to different sets of programming languages and ecosystems. Finally, we download packages containing low-level code from NPM and use our Node.js prototype to detect previously unknown vulnerabilities in native extensions, reachable by attacker input from JavaScript.

 

14:30-15:00

15:00-15:30

Speaker: Tobias Berdin
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Anonymous Web Authentication using Intel EPID
Research Area: RA1

Abstract: Many of the modern websites offer the possibility of login for users to access special features that cannot be accessed without a login. To this end, a simple login and password approach is used. However, this comes with some disadvantages. One main concern is privacy, as activities related to some shared resources can be traced back to a specific user. In particular, an adversary can track which resources an individual is using which is not always desirable and can be considered a privacy violation.
The second problem relates to passwords that can be forgotten, compromised via database breaches, or easily guessed by an adversary.
This thesis aims to solve both of these problems by introducing a passwordless authentication method for websites that also maintains the anonymity of an individual user within a group.
Two components are used for this: the WebAuthn standard for public key-based web authentication, and Intel EPID, with which we certify the membership of a user to a group.
An implementation that brings these concepts together is presented in the form of a Chrome browser extension.

Dear All,

The next seminar takes place on 22.12. at 14:00. As an exception this time there will only be one seminar which lasts until 16:00.
Below most of the talks' summaries are still missing - you can find an updated version a few days prior to the talks on the CMS page, but I wanted to post this already as the changed timing might be a relevant information to all of you.

I wish you Happy Hollidays and a great start to the new year - There will be no seminar on 5.1. so we will reconvene at 19.1. in 2022!

Session A: (RA1,4,5) 14:00-16:00
Alexander Mohr - Katharina Basters - Rayhanul Islam Rumel - Banji Joseph Olorundare

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00-14:30 

Speaker: Alexander Mohr
Type of talk: Master Intro
Advisor: Rafael Dutra
Title: Metamorphic Testing of Binary File Formats
Research Area: RA4
Abstract: In this thesis we propose an approach to apply Metamorphic Testing to binary file formats to discover logic bugs in programs. We first discuss what metamorphic testing is and define metamorphic transformations of binary file formats. Then we explain FormatFuzzer and its features, which we utilize to implement the transformations. We then show the different possible transformations we implemented with the help of FormatFuzzer. Lastly, we show how we evaluate our findings and how to decide whether or not we have discovered a logic bug with our approach.

 

14:30-15:00

Speaker: Katharina Basters
Type of talk: Bachelor Intro
Advisor: Katharina Krombholz represented by Alexander Ponticello
Title: How Blind People Use Mobile Password Managers
Research Area: RA5

Abstract:
Concerning authentication methods, research has shown that many users have a tendency to insecure behaviour. Security experts recommend the usage of password managers for several years, but the adaption rates are not rising significantly. There are studies about expectations, mental models, and usability of password managers to learn the reasons for that and as a follow-up improve the adaptation. In the line of this research it is especially important to take in the concerns of marginalized people like disabled people. Considering the very visual nature of contemporary digital content, especially blind and visually disabled people are in need of assistive technology, which makes accesibility for them a highly requested research topic. While the accessibility of different authentication methods is already relatively well covered, in the field of password managers there can be done more, especially taking in the trend of recent years away from desktop computers to mobile devices. The goal of this thesis is to gain a new perspective by conducting an usability test of a popular iOS password manager with blind and visually disabled people.

 

15:00-15:30

Speaker: Rayhanul Islam Rumel
Advisor: Yang Zhang
Research Area: RA1

 

15:30-16:00

Speaker: Banji Joseph Olorundare
Advisor: Rahul Gopinath
Research Area: RA4

Dear All,

The next seminar(s) take place on 8.12. at 14:00.

Session A: (RA3,5)
Jannis Rautenstrauch - Peter Stolz - Alaeddine Abroug

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 2,4)
Stanimir Iglev - Tim Speicher - Yavor Ivanov

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Jannis Rautenstrauch
Type of talk: Master Final
Advisor: Dr. Ben Stock, Dr. Giancarlo Pellegrino
Title: XS-Leaks - How affected are browsers and the web?
Research Area: RA5: Empirical and Behavioural Security

Abstract: Cyberattacks causing considerable damages to businesses and users are in the news almost every week. Cross-Site information leaks (XS-Leaks) are one type of web attack targeting users. In such attacks, victims visit a malicious website that infers information about them on other sites by abusing browser side-channels. Inferred information can reach from access detection to deanonymization. The scientific community has known XS-Leaks since the 2000s. Still, there is not enough information available to estimate how big of an issue such attacks are for the web ecosystem today.

This thesis aims to close this knowledge gap with two approaches. One approach is evaluating how different browser side-channels behave in modern web browsers by observing several channels for 387,072 responses. The other approach is scanning as many websites as possible for vulnerable URLs using a newly created fully automated pipeline.

The results show that browser behavior significantly differs. Studying the differences, we discovered ten security-relevant bugs and reported them to two browser vendors. With the does-it-leak pipeline, we detected vulnerable URLs on 258 out of 352 tested sites, presenting the largest study of XS-Leaks to date.
Based on the results of this thesis, we conclude that XS-Leaks pose a considerable problem for the web ecosystem, as most websites are currently vulnerable, and millions of users could be heavily affected. However, the results also show that websites have the means to be XS-Leak-free and that getting rid of differing edge case behavior in browsers could reduce the attack surface by about 50%.

 

14:30-15:00

Speaker: Peter Stolz
Type of talk: Bachelor Final
Advisor: Dr. Ben Stock
Title: To hash or not to hash: Asecurity assessment of the CSP directive unsafe-hashes
Research Area: RA3|5
Abstract: Content Security Policy (CSP) is a great way to mitigate Cross-site scripting (XSS) if used correctly. CSP has the experimental directive "unsafe-hashes" to whitelist certain inline event handlers and style attributes.
Before browsers add support for it we analysed how many event handlers can be abused to trigger XSS if an attacker reuses them on a malicious tag.
We built an analysis pipeline using dynamic analysis with taint tracking and forced execution to find flows from the attacker controlled tag to dangerous functions.
This allowed us to determine if it is a useful feature or if it should be abandoned because it implies a false sense of security for the most part.
We found 0.06% of distinct handlers to have dangerous flows among the Alexa Top 1000 and through manual analysis verfified their exploitability.
As only a low portion of event handlers contain such issues we conclude that unsafe-hashes is an easily adaptable method to harden a website against XSS and it can be used in a process to a robust CSP.

 

 

15:00-15:30

Speaker: Alaeddine Abroug
Type of talk: Intro Bachelor
Advisor: Dr. Michael Schwarz
Title: Automated Reverse Engineering of LLC Addressing
Research Area: RA3

Abstract:

Caches have proven themselves as an integral component when in the design of high performance processors. Modern cache architectures provide a multi-level structure, where the Last Level Cache (L3) is further subdivided into cache slices.  Those slices are shared and distributed among all cores in multi-core processors. Each slice is assigned a fraction of the address space for load balancing. A side effect of this performance optimization is that it made cache side-channel attacks across cores more complex. As the mapping from addresses to slices is undocumented, attacks cannot simply target specific cache parts. In this bachelor thesis, we implement a fully automated methodology to reverse engineer this undocumented mapping function. Reverse engineering the address-to-slice mapping function is key to constructing reliable cache-eviction sets in a fast way. Based on our reverse engineering, we show the first Prime+Probe attack on SGX on 6-core CPUs. Due to the non-linearity of the mapping function for these CPUs, such attacks were previously not possible.

 

Session B:

14:00-14:30

Speaker: Stanimir Iglev
Type of talk: Bachelor Intro
Advisors: Björn Mathis, Leon Bettscheider
Supervisor: Prof. Dr. Andreas Zeller
Title: Transpiling Schema Languages to Grammars
Research Area: RA4

Abstract:
Testing programs, which expect highly-structured inputs, has proven to be a challenging problem. Grammar-based fuzzing is a promising approach to address this issue. The idea behind it is to enhance the fuzzer with a grammar, which describes the input language of the program under test, and use it to produce syntactically valid inputs. However, due to the diversity of data format languages, it is hard to construct a universal grammar representation which is able to express the variety of restrictions that are applicable to the inputs.

As a result, fuzzers are very often tailored to work with a specific format or application and use a representation of grammar that is designed to function effectively with the targeted data format. This creates a layer of incompatibility between different fuzzer implementations. We present an approach to reduce this problem by creating a set of transpilers for the conversion of input specifications. More precisely, we convert schema documents to grammars.

Schema languages are very often used to define the structure and later validate the data accepted by programs. These languages allow the developers to assert that the input data satisfies certain conditions, thus they specify exactly what constitutes valid inputs. Most well-established data formats provide such schema vocabularies. By translating these input specifications into grammars, we can use them not only for input validation, but also for input generation. Hence, we believe that being able to convert different input languages to a single grammar format will enhance already existing fuzzers and provide a strong candidate for a unified grammar representation.

We propose a set of transpilers which make use of these schema documents to generate an input grammar for the program under test. Our tools are able to translate the constraints described by the schema, to production rules in the resulting grammar by utilizing an intermediate tree representation. We focus our attention on the two most widely used data interchange formats and their schema languages, namely JSON Schema and W3C XML Schema Definition Language (XSD).

We plan to evaluate the correctness and viability of our tools against real-world applications with the intention to guarantee that they can be used to enhance fuzzers and aid developers in finding defects in their programs. In order to assess the correctness of produced grammars, we perform a set of checks, which ensure that all symbols are defined and reachable from the start symbol. Furthermore, we evaluate the validity of documents, produced by generated grammars. To do so, we enhance a fuzzer with such a grammar and generate a vast amount of documents, which are then validated against the original input schema. Moreover, we conduct a comparative analysis between a fuzzer, augmented with a grammar generated by our tools, and other fuzzers. Our plan is to run them against a set of real-world applications and track metrics such as code coverage and depth of explored paths.

We believe that the proposed tools can be powerful instruments for the generation of complex test inputs and that they belong in the arsenal of every software tester. To the best of our knowledge, we present a novel way to translate input specifications into grammars for the production of highly-structured inputs.

 

14:30-15:00

15:00-15:30

Speaker: Yavor Ivanov
Type of talk: Bachelor Introduction
Advisor: Dr. Robert Künnemann, Kevin Morio
Title: Existential lemmas in Tamarin: towards more efficient sanity checks
Research Area: RA2

Abstract: Tamarin is a symbolic verification tool for security protocols. It can be used to
automatically prove that a protocol fulfills certain security properties specified as lemmas.
The majority of protocol models also contain lemmas that check if a protocol is executable.
Tamarin is optimized for proving security properties, which affects the constraint-reduction steps,
the selection heuristics used, and the traversal order of the proof tree.
Consequently, the resolution of sanity checks is not as efficient as it could be.
This work’s goal is to increase the efficiency with which sanity checks are performed.
We propose a solution consisting of three components: a modification of Tamarin’s
constraint-reduction steps, an optimization of the utilized heuristics, and using sequential
DFS as the default proof tree traversal strategy. Afterwards, we are going to evaluate each
of the new features with the help of a script to determine if they produce a substantial
performance increase.

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 24.11. at 14:00. Due to time constraints I couldn't make all RA4 and 5 talks go in a seperate session, so please choose the session you are most interested in.

Session A: (RA4,5)
Lisa Hoffmann - Dañiel Gerhardt - Gunnar Heide

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 4,5)
Dominik Kempter - Abhilash Gupta - Marc Schuegraf

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Lisa Hoffmann
Type of talk: Bachelor Intro
Advisor: Dr. Katharina Krombholz, Carolyn Guthoff (Assistent)
Title: Development and Evaluation of a ​Dark Pattern Reporting Tool
Research: RA5 (Empirical and Behavioural Security)

Abstract:
There are a lot of papers published that deal with the topic of cookie banners and the problems and violations of the GDPR that occur with them.
Most papers give a limited and only temporary insight on this problem since data is collected only during a specific time period and on specific websites.
As mentioned by Fassl et al. [1], the topic is widely researched, but we are still in need of a solution that helps to solve the issue on a large scale in terms of data collection,
which is not restricted to a time frame or number of websites.
For that purpose, I aim to design a Chrome extension that collects violations of the GDPR in a publicly available list, which is updated with the help of end-users of browsers.

[1] Matthias Fassel, Lea Gröber, Katharina Krombholz. 2021. Stop the Consent Theater.

 

14:30-15:00

Speaker: Dañiel Gerhardt
Type of talk: Bachelor Intro
Advisor: Katharina Krombholz
Title: Mental models of EU Digital COVID Certificate Validation
Research Area: RA5

Abstract: The pandemic caused by COVID-19 has required us to quickly come up with solutions for this new and sudden problem of a rapidly spreading disease around the world. After a relatively short time vaccinations were made available but since it cannot be assumed that everyone has received a vaccine a convenient and accessible method for proving someone’s vaccination status was needed. In the European Union the EU Digital COVID Certificate was introduced in July 2021 to tackle this problem by allowing citizens to carry a digital certificate proving their vaccination status or that they recovered from the disease. This certificate, usually stored and presented as a QR code, can then quickly and easily be validated by staff at public places that require that visitors are either vaccinated or recovered from the disease to be allowed to enter. Recent anecdotal evidence has shown that this validation is often not done correctly and the person responsible for validating the authenticity of a given vaccination certificate often simply looks at a holder’s QR code stored in an app like CovPass or the Corona-Warn-App instead of scanning the QR code with an app like the CovPassCheck-App and cross-checking the identity of the certificate holder with the identity of the person presenting it using a government-issued ID. This incorrect validation might make the digital certificate less secure than a traditional paper vaccine passport as presenting any QR code may arguably be easier than forging a paper vaccine passport. It can also lead to unvaccinated people entering restricted areas where everyone present is under the assumption that everyone else around them is vaccinated or recovered and carries a valid vaccination certificate. The reason why it is so commonplace to incorrectly validate the EU Digital COVID Certificate is unknown so in this study, I will explore the mental models of professional users in regards to the validation process of the EU Digital COVID Certificate to find out.

 

 

15:00-15:30

Speaker: Gunnar Heide
Advisor: Lucjan Hanzlik
Title: no info
Research Area: 4

 

Session B:

14:00-14:30

Speaker: Dominik Kempter
Type of talk: Bachelor Final
Advisor: Dr. Giancarlo Pellegrino
Title: LighDTA - Lightweight Dynamic Taint Flow Analysis for State-Changing Operations
Research Area: RA5: Empirical and Behavioural Security

Abstract:
Many web applications trust data located in persistent storage. The disregard of proper sanitization leads to a variety of second-order vulnerabilities like Stored-XSS.
Dynamic Taint Analysis is one solution to this problem. Pre-defined data sources are tainting input, while security-critical functions can check for taints. The problem with this approach is propagating taints through persistent storage like databases. State-of-the-art propositions are highly dependent on the underlying persistent storage. This requires developers to restructure the database and applications to handle taints.
This bachelor thesis intends to explore the effectiveness of a lightweight approach to connect database input sinks to output sinks. This allows dynamic taint analysis to be performed independent of the underlying database and requires no restructuring of the web application.
We implemented a prototype that matches a database interface's read and write functions based on generated function traces. Those matches allow tracking the data flow within an application through persistent storage. We tested the prototype on six applications and found that our lightweight approach is capable to perform dynamic taint analysis without keeping track of taint markings and runtime checks on taints with proper parsing and data extraction.

 

14:30-15:00

15:00-15:30

Speaker: Mark Schuegraf
Type of talk: Master Final
Advisor: Prof. Dr. Andreas Zeller
Title: Fuzzing With Grammar Variants
Research Area: RA4

Abstract:
Fuzzing is the execution of a system under test with unexpected inputs. In generating these inputs, fuzzers may rely on a grammar to model the input language. However, such grammar-based fuzzers are only as good as the grammar they use.

We therefore investigated whether structural changes to grammars affect the performance of grammar-based fuzzers: First, we derived variants of existing grammars using transformations that preserve the modeled input language. Second, we empirically evaluated these grammar variants on real test subjects. In most tested configurations, we saw changes in the fuzzing performance of a fuzzer when using a particular grammar variant.

Dear All,

The order of talks has changed!

The next seminar(s) take place on 10.11. at 14:00.

Session A: (RA4)
Konstantin Holz - Tristan Hornetz - Joshua Renckens

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B:  no talk this week

Session A:

14:00-14:30 

Speaker: Konstantin Holz
Type of Talk: Bachelor Final
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Assessment of IPv6 Implementations of Home Routers
Research Area: Secure mobile and autonomous systems

Abstract: The successor of IPv4, IPv6 is slowly reaching into the commercial area and into the households to replace IPv4. ISP begin providing a native IPv6 for end-users to utilize for their internet connection.
In this thesis, we examine the IPv6 implementation in commercially available routers, for differences in features and security mechanisms. In particular, we want to find out to which degree various manufacturers implemented IPv6 and which security guarantees it provides in contrast to its IPv4 implementation. For this, we run various tests on chosen devices for packet routing as well as look into features provided to the user and also look into the provided source code.

 

14:30-15:00

Speaker: Tristan Hornetz
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Title: Evaluating the Effectiveness of Automated Fault Localization in Python
Research Area: RA4

Abstract:

Automated fault localization describes a group of techniques that can aid a
programmer in locating the cause of bugs during software development. There
exists an abundance of past research on the topic, with countless approaches
being proposed and evaluated. Among the most popular techniques are
Statistical Debugging (SD) and Spectrum Based Fault Localization (SBFL), which
utilize dynamically recorded execution data to produce rankings of suspicious
program elements.
However, there is very little research about the applicability and general
usefulness of automated fault localization in the Python programming language.
This is surprising, given Python's high popularity and powerful introspection
capabilities. In this thesis, I present a configurable hybrid model of SBFL
and SD, and evaluate its performance on 300 bugs in real-world Python programs
from the BugsInPy database. The results demonstrate that configurations
resembling SBFL are generally superior to SD-like configurations. Moreover, I
demonstrate that a combination of SBFL and SD can yield better results than
both techniques individually.

15:00-15:30

Speaker: Joshua Renckens

Type of talk: Bachelor Final

Advisors: Dr. Rafael Dutra, Nikolas Havrikov

Supervisor: Prof. Dr. Andreas Zeller

Title: 0KFuzzer: Applying Systematic Exploration to FormatFuzzer

Research Area: RA4

Abstract:
Fuzzing is a technique used to test the robustness of programs by automatically generating inputs and feeding them into programs under test. However, using only randomly generated inputs is not a good way to achieve great code coverage. Most will immediately fail at the beginning of the program execution due to not matching the structure that is expected of the input.
Ways to mitigate this are grammar-based fuzzers. They take grammars that specify languages first and then base the input generation on the specified language. This makes sure that a certain input structure is maintained, reaching parts of the test programs random fuzzing wouldn’t be able to reach. However there is no guarantee that the entirety of a grammar can be covered reliably even when using grammar-based fuzzers.
The k-path algorithm improves on these grammar-based fuzzers bytaking care of the aforementioned issue. The goal of the k-path algorithm is to make sure that all of the grammar is systematically covered. It does so by building a list of k-paths from the grammar and generating inputs that cover these k-paths. Covering all of the k-paths should result in covering all of the productions of the grammar under test and by extension all of it’s terminals and non-terminals as well.
FormatFuzzer has an idea similar to grammar-based fuzzers but it takes binary templates, a format specification used by the 010 Editor, that  specify  file  formats  as  inputs instead  of grammars. It compiles them into C++ code that then acts as a generator of inputs according to the format specification described in said templates. However a similar problem to the grammar-based fuzzers can be found here as well, there is no guarantee that the entirety of the specification can be reliably covered and that’s where implementing the k-path algorithm into FormatFuzzer comes into play.
This thesis aims to improve on the FormatFuzzer by combining it with the k-path algorithm, taking the systematic coverage of grammars and using it on format specifications, with the goal being to systematically cover as much of the specification as possible. This combination of FormatFuzzer and the k-path algorithm, which we named the 0KFuzzer, will then be evaluated against the default FormatFuzzer to compare template coverage and code coverage

 

Dear All,

The next seminar(s) take place on 27.10. at 14:00.

Session A: (RA3,4)
Christoph Steuer - Jonathan Busch - Jonas Büchner

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B:

no talk this week

Session A:

14:00-14:30 

Speaker: Christoph Steuer
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Seamless installation of Trustlets with third-party application in Android
Research Area: RA4

Abstract:
In the modern world, the need for trusted computing is increasing. Whether it be cryptography, access control or credential validation, being able to trust a piece of software to do what it is supposed to do and not leak sensitive information is a very important step towards a more secure world.
From the hardware side, there are several platforms to support trusted computing, with technologies such as Intel Software Guard Extensions (Intel-SGX), Arm TrustZone or AMD Secure Encrypted Virtualization(SEV). However, this support has to be utilized by software to become useful to the end user.
In Android, there is support for the Trusted Execution Environment OP-TEE, however the range of operations of trusted computing is severely limited due to the infeasibility for applications to ship custom Trusted Applications as there is no support during the app installation process to handle them. In case of OP-TEE, users attempting to install trusted applications first need to have access to a root shell. However, unlike on other commonly used Linux distributions, obtaining root privileges on Android is a complex and made difficult operation that, if attempted by inexperienced people, has a non-negligible chance to fail and potentially make the installed operating system inoperable. The only trusted computing that applications installed without root have access to comes in form of features of Android such as key store that function as Application Programming Interface(API) to pre-defined trusted applications.
The goal of the thesis is to extend the Android app installation process to allow for installation of Trusted Applications for OP-TEE without compromising currently available security guarantees.

 

14:30-15:00

Speaker: Jonathan Busch
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: Power-ups for Chromium: Facilitate Side-Channel Research
Research Area: RA3

Abstract: In recent years, side-channel based attacks have gained more and more importance. Instead of exploiting bugs, these novel attacks use side effects caused by software or hardware to infer secret information.
Low-level programming languages such as C or C++ are predominantly used to develop side-channel exploits, since they allow for controlling and measuring the microarchitectural state.
However, access to these low-level functions is not available for every programming language. For instance, JavaScript lacks some crucial functions used in side-channel attacks. Instead, one must use highly laborious workarounds to realize the same attacks. This makes testing, whether a newly found side-channel attack works in JavaScript, a time-consuming task.
In this work, we add low-level functions to Chromium’s JavaScript engine in order to facilitate this process. This allows researchers to build proof-of-concept scripts to check, whether a new side-channel attack is feasible in JavaScript, to avoid developing expensive workarounds in vain. Additionally, we provide proof-of-concepts of well-known side-channel-based attacks such as Flush+Reload and Spectre utilizing our extended version of Chromium.

 

 

15:00-15:30

Speaker: Jonas Büchner
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: (M)WAIT for It: Secret MONITORing using CPU Features
Research Area: RA3

Abstract: There is a plethora of attacks on the microarchitecture of current CPUs, of which side channels are among the most important. They not only leak cryptographic keys, but are used as building block of the powerful Meltdown and Spectre attacks. Prominent examples of side channels, like Flush+Reload or Prime+Probe, exploit the timing differences between cache hits and cache misses. While these are well-demonstrated and strong attack primitives, they are inherently limited. By relying on the execution and timing of their own cache operations, they are susceptible to noise and, even more importantly, suffer from a "blind window": if a victim access occurs during the reloading phase, they cannot observe it.
We overcome this with the MONITOR/MWAIT instructions that are contained in the SSE3 extensions of all modern x86 CPUs. This pair of instructions is meant for power management and thread optimization. Its primary use is to wait for a change on a monitored address range and continue execution once a write, or other triggering events, occur. While this aims at lock acquisition and synchronization, it seems to be meant to be exploited. We construct a side-channel from the native behaviour of this instruction pair by using it on victim addresses.
This thesis presents a new deterministic side-channel primitive that does not rely on caches. It is more robust than common cache side channels and allows for monitoring victim memory without ever missing an access. We demonstrate its usability in proof-of-concept controlled-channel attacks against Intel's Software Guard Extensions, achieving an attack accuracy of 100%. We furthermore construct a double-fetch detection mechanism which reliably detects double-fetches above a threshold of a few thousand cycles. Finally, we evaluate the use of our primitive as a covert channel, indicating resistance of most systems against this attack.

 

Dear All,

Welcome to the new seminar page!

The next seminar(s) take place on 13.10. at 14:00. Since there is RA4 talks in both sessions, if you are from RA4, you can choose which session you want to join this week :)

Session A: (RA4)
Vera Resch - Jonas Cirotzki - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 1,3,4)
Markus Bever - Anirudh Upadhya - Lorenz Hetterich

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Vera Resch
Type of talk: Master Final Talk
Supervisor: Prof. Zeller
Advisors: Rahul Gopinath, Nikolas Havrikov
Title: Grammar-based URL Fuzzing: Field Study Exploring the WHATWG URL Standard
Research Area: 4

Abstract: Uniform Resource Locators (URLs) allow to quickly and precisely navigate today's web. Similar to the specifications of other web standards, such as HTML, the WHATWG maintains the URL specification as a living standard. However, because different applications use URLs for a multitude of purposes, there exists a variety of implementations of URL parsers, most of which claim to follow the URL standard.
This thesis uses grammar-based fuzzing together with a grammar of the current URL standard to examine how close the relationship between URL parsers and the standard is. In detail, this consists of testing the URL parsers included in the browsers Firefox and Chromium, as well as a selection of stand-alone URL parsers with inputs generated by executing a grammar-based fuzzer with a URL grammar based on the current standard and a URL grammar based on the RFC standard.
Finally, this thesis evaluates the number of errors encountered during test execution as well as the code coverages achieved in the selected URL parsers.
Results include that higher code coverages are reachable with inputs generated according to the current specification in comparison to inputs generated according to the RFC specification in ten out of eleven tested URL parsers. Furthermore, eight out of eleven tested URL parsers reject inputs based on the current specification less often than those based on the RFC specification.

 

14:30-15:00

Speaker: Jonas Cirotzki
Advisor: Sven Bugiel
Research Area: RA4

Abstract:missing info

 

 

15:00-15:30

Speaker: John Schmitt
Type of talk: Bachelor Final
Advisor: Dr. Sven Bugiel
Title: Implementing Certificate Transparency Inside Android Open Source Project
Research Area: 4

Abstract: Today the internet usage is as high as ever and gets more diverse every day. Therefore the security of the web is very important. One major point in security is the identity verification of web servers. To verify the identity of a web server, a web client has to rely on the validity of the provided certificate. As a result, web clients blindly trust in the integrity of the certificate authority to properly issue certificates. But what happens if a certificate authority is compromised, goes rogue, or issues flawed certificates?
In case of such a certificate misissuance, certificate transparency helps by providing a secure append-only log that documents every certificate issuance and thus enables accountability for certificate authorities.
Mobile devices are a major source of network traffic to web servers. Additionally, Android currently holds the biggest market share of mobile operating systems but does not present any solution to a certificate transparency implementation. With our work, we provide a proof of concept for an implementation of certificate transparency in the Android Open Source Project and make use of its benefits to protect Android users from certificate misissuance and thus Man-in-the-Middle attacks. Our evaluation has shown, that common apps are not negatively influenced by the prototypical implementation which, in our opinion, makes certificate transparency a very useful Android extension.

 

Session B:

14:00-14:30

Speaker: Markus Bever
Type of talk: Bachelor Final
Advisor: Antoine Joux, Anand Kunar Naranayan
Title: On parallelization for public key cryptanalysis
Research Area: RA1: Trustworthy Information Processing

Abstract:
Verifiable delay functions are exciting and new primitives in cryptography, especially
in the field of blockchains. The goal of this thesis is to study different approaches
to undermine the security of verifiable delay functions. For this we will try different
setups where the attackers control parts of a network and try to attack the verifiable
delay function in parallel. The current implementations of verifiable delay functions are
typically built based on number theoretical assumptions. There is a group underlying
the security of verifiable delay functions. We will focus on the example of a RSA-group.
Other candidates for the group include the ideal class group of quadratic imaginary
extensions. Verifiable delay functions are easily broken if the group order is known, in our
case this can be achieved by factoring. The fastest algorithm for factoring is the number
field sieve, which is part of the index calculus family and uses a lot of linear algebra. All
this candidates for breaking verifiable delay functions by finding the group order involve
index calculus methods. Here, the bottleneck is the linear algebra step. Also, we will
discuss Lenstra’s elliptic curve method for factoring. Our primary motivation was to
speed this up using parallelization. In this direction we investigated a new approach
from Fouque and Kirchner to calculate the group order in a black-box ring. This is an
extension of Maurers algorithm investigating the congruence between discrete logarithms
and the Diffie-Hellmann cryptosystem.

 

14:30-15:00

15:00-15:30

Speaker:
Lorenz Hetterich

Type of talk:
Bachelor Final

Advisor:
Dr. Michael Schwarz

Title:
Exploting Spectre on IOS

Abstract:
Most CPUs don't stall execution when they encounter control flow instructions, but use predictors to make educated guesses on the destination (e.g. whether a branch is taken or not).
This allows them to speculatively continue execution resulting in a major time save upon correct predictions.
On incorrect predictions, speculatively executed instructions are not retired, the pipeline is flushed, and execution continues at the correct destination.
Whilst speculatively executed instructions are not visible on an architectural level, they may leave microarchitectural traces that can be observed using a side channel.
Spectre abuses this by mistraining predictors and observing microarchitectural state changes caused by speculative execution.
Even though research on Spectre has been done on most major platforms, Apple devices have hardly received any attention.
In my thesis, I evaluated the primitives required for cache side-channels on three Apple devices: An iPhone 7, an iPhone 8 Plus, and a M1 Mac Mini and successfully developed a simple Spectre proof of concept.
This talk will give an overview of the building blocks required for a simple Spectre attack and what difficulties we faced on Apple devices compared to other platforms.