News
Next Seminar on 16.3.2022
Written on 10.03.2022 16:26 by Stella Wohnig
Dear All,
The next seminar(s) take place on 16.3. at 14:00.
Session A: (RA3, RA4)
Alaeddine Abroug - Jonathan Busch - Christoph Steuer
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B: (RA5) (14:30-15:30)
Daniel Gerhardt - Philipp Baus
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
Speaker: Alaeddine Abroug
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: Automated Reverse Engineering of LLC Addressing
Research Area: RA3
Abstract:
Caches have proven themselves an integral component in the design of high-performance processors. Modern cache architectures provide a multi-level structure, where the Last Level Cache (L3) is further subdivided into cache slices. Those slices are shared and distributed among all cores in multi-core processors. Each slice is assigned a fraction of the address space for load balancing. A side effect of this performance optimization is that it made cache side-channel attacks across cores more complex. As the mapping from addresses to slices is undocumented, attacks cannot simply target specific cache parts. In this bachelor thesis, we implement a fully automated methodology to reverse engineer this undocumented mapping function. Reverse engineering the address-to-slice mapping function is key to constructing reliable cache-eviction sets in a fast way. Based on our reverse engineering, we show the first Prime+Probe attack on SGX on 6-core CPUs. Due to the non-linearity of the mapping function for these CPUs, such attacks were previously not possible.
14:30-15:00
Speaker: Jonathan Busch
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz, Dr. Cristian-Alexandru Staicu
Title: Power-ups for Chromium: Facilitate Side-Channel Research
Research Area: RA3
Abstract: In recent years, side-channel based attacks have gained more and more importance. Instead of exploiting bugs, these novel attacks use side effects caused by software or hardware to infer secret information. Low-level programming languages such as C or C++ are predominantly used to develop side-channel exploits, since they allow for controlling and measuring the microarchitectural state. However, access to these low-level functions is not available for every programming language. For instance, JavaScript lacks some crucial functions used in side-channel attacks. Instead, one must use highly laborious workarounds to realize the same attacks. This makes testing whether a newly found side-channel attack works in JavaScript a time-consuming task. In this work, we add low-level functions to Chromium’s JavaScript engine in order to facilitate this process. This allows researchers to build Proof-of-Concept scripts to check whether a new side-channel attack is feasible in JavaScript, to avoid developing expensive workarounds. Additionally, we provide Proof-of-Concepts of well-known side-channel-based attacks such as Flush+Reload and Spectre utilizing our extended version of Chromium. We evaluate the reliability of the added power-ups of our Proof-of-Concepts by running them multiple times with randomly generated input strings. The results show high success rates for all Proof-of-Concepts, with results greater than 95.95%.
15:00-15:30
Speaker: Christoph Steuer
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Seamless installation of trustlets with third-party applications in Android
Research Area: RA4
Abstract:
In a computing system, the Rich Execution Environment (REE) and Trusted Execution Environment (TEE) are two hardware-isolated processing spaces, provided by technologies such as Intel SGX or Arm TrustZone. While REEs execute untrusted applications from third parties, TEEs execute minimal code pieces that are considered secure. REEs provide plenty of features to their applications, which usually interact with users, while TEEs have as few features as possible to be more secure (more features usually introduce more vulnerabilities). However, there are human-imposed limitations that hinder privacy and security. This is the case for the Trusted Execution Environment OP-TEE when paired with the rich mobile operating system Android. Currently, the only way an Android application can leverage the benefits of any TEE is through Android’s own security features. This is problematic as an attacker compromising one of those security features can potentially compromise a lot of Android applications. In this work, I propose a way for Android applications to ship their own TEE applications by creating an installation process for TEE applications for Android and OP-TEE. This mitigates the previously described problem. As a result, an attacker would either cause far less damage, as most TEE applications only interact with very few REE applications each, or have to invest more time to compromise more TEE applications to cause the same amount of damage. Additionally, I perform a security analysis on my implementation to prove that my proposal does not compromise security in other ways.
Session B:
14:00-14:30
No talk this week
14:30-15:00
Speaker: Daniel Gerhardt
Type of talk: Bachelor Outro
Advisor: Dr. Katharina Krombholz
Title: User Perceptions of EU Digital COVID Certificate Validation
Research Area: RA5
Abstract: The EU Digital COVID Certificate (EUDCC) was introduced to help control the spread of COVID-19 and facilitate free movement during the COVID-19 pandemic. It can be held and presented in a digital or paper format and consists of a QR code that can be scanned with a smartphone or similar device to validate the certificate. The validation process additionally requires the step of checking an ID to ensure the presented certificate belongs to the person showing it.
However, anecdotal evidence and media reports have shown that the validation of an EUDCC is performed incorrectly in many cases which can have significant consequences such as allowing malicious actors to bypass the validation process more easily and thus reducing the efficacy of the technology.
Therefore, I studied the user perceptions of the EUDCC validation process to find out how users perform the validation and what their underlying understanding of the validation process is. This is an important building block toward building an improved and more usable design that encourages proper validation.
I conducted semi-structured interviews with N = 5 users who validate EUDCCs at work that included validation scenarios and questions to help explore their underlying understanding. Among other things, I found that some participants leave out important steps of the validation process and rely on other aspects such as visual cues for their validation instead. My results also suggest that a majority of the participants do not have an intricate technical understanding of the EUDCC and its validation process. Based on these findings, I construct design recommendations for the EUDCC storage and validation apps to promote proper validation in more cases. I also propose future work that can broaden my findings and develop improved solutions for the EUDCC.
15:00-15:30
Speaker: Philipp Baus
Type of talk: Bachelor Intro
Advisor: Ben Stock, Sebastian Roth
Title: Do you trust your Types? A qualitative Study on the Usability of Trusted Types to prevent Client-Side XSS vulnerabilities
Research Area: RA5
Abstract:
Cross-site scripting (XSS) is a web vulnerability that allows attackers to execute arbitrary JavaScript code in a victim's browser. Although a lot of time has passed since its discovery in 1999, XSS is still a huge problem for websites on the internet nowadays. With the current trend of shifting the code of web applications to the client side and the rising complexity of client-side code, the possible impact of a client-side XSS vulnerability is getting more severe. To mitigate these vulnerabilities, Google recently introduced a new Web API called "Trusted Types". Trusted Types eliminate the root causes of client-side XSS vulnerabilities by locking dangerous DOM and JavaScript sinks to only allow input in the form of a Trusted Types object. However, of the top websites at the time, only Facebook and Google are actively using Trusted Types to protect their websites against client-side XSS vulnerabilities. Therefore, this thesis aims to find common roadblocks for web developers when it comes to the implementation and the understanding of Trusted Types. To answer these research goals, we will conduct a qualitative study about the usability of Trusted Types for web developers.
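To make the mechanism in the abstract concrete, here is an added example that is not from the thesis or from this announcement: a small Node-runnable model of how Trusted Types lock a DOM sink. The names `TrustedHTML`, `trustedTypes.createPolicy` and the CSP directive `require-trusted-types-for 'script'` mirror the real browser API; the sink wrapper `setInnerHTML`, the enforcement flag, the policy name `app` and the sample input are this example's own constructions, because Node has no DOM and no built-in `trustedTypes` object.

```javascript
// Model of Trusted Types enforcement (added example, not browser code).
// In a real deployment the lock is switched on by the response header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app
// after which `element.innerHTML = "<string>"` throws a TypeError and only
// values produced by a registered policy are accepted at the sink.

// Capability token: only createPolicy below can mint TrustedHTML objects.
const policyToken = Symbol("policy");

// Opaque wrapper around a string that has passed through a policy.
class TrustedHTML {
  #value;
  constructor(value, token) {
    if (token !== policyToken) {
      throw new TypeError("TrustedHTML cannot be constructed directly");
    }
    this.#value = value;
  }
  toString() { return this.#value; }
}

// Minimal trustedTypes factory: a policy's createHTML callback is the single
// place where a raw string becomes TrustedHTML, so code review concentrates there.
const registeredPolicies = new Map();
const trustedTypes = {
  createPolicy(name, rules) {
    if (registeredPolicies.has(name)) {
      throw new TypeError(`policy "${name}" already exists`);
    }
    if (typeof rules.createHTML !== "function") {
      throw new TypeError("policy has no createHTML rule");
    }
    const policy = {
      name,
      createHTML(input) {
        return new TrustedHTML(String(rules.createHTML(String(input))), policyToken);
      },
    };
    registeredPolicies.set(name, policy);
    return policy;
  },
};

// Stand-in for the element.innerHTML setter with enforcement on:
// plain strings are rejected at the sink, TrustedHTML passes through.
function setInnerHTML(element, value, { enforce = true } = {}) {
  if (enforce && !(value instanceof TrustedHTML)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Example policy: escape HTML metacharacters so untrusted input renders as text.
// Production policies usually delegate to a sanitizer library instead.
const escapeHTML = (s) =>
  s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
const appPolicy = trustedTypes.createPolicy("app", { createHTML: escapeHTML });

// Constructed untrusted input, as it might arrive via location.hash.
const untrusted = '<script>alert("xss")</script>';

// Runs both paths: the raw-string assignment is blocked, the policy-produced
// value is rendered with the markup neutralised.
function demo() {
  const el = { innerHTML: "" };        // fake element; Node has no DOM
  let rejected = false;
  try {
    setInnerHTML(el, untrusted);       // string hits the locked sink
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const rendered = setInnerHTML(el, appPolicy.createHTML(untrusted));
  return { rejected, rendered };
}

console.log(demo());
```

The point the model makes is the one the abstract states: the sink no longer accepts strings at all, so the only string-to-HTML conversion in the whole application is the policy's `createHTML`, and that is the function a reviewer has to audit. A migration usually starts with the `Content-Security-Policy-Report-Only` variant of the header, which corresponds to calling the sink with `enforce: false` here while violations are logged.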