News
Next Seminar on 16.2.2022
Written on 11.02.2022 13:22 by Stella Wohnig
Dear All,
The next seminar(s) take place on 16.2. at 14:00.
Session A: (RA1,3,4)
Huda Dawoud - Mirco Meinerzag - Ali Alhasani
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 5)
Jeremy Rack - Julia Hess - Thomas Helbrecht
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Huda Dawoud
Type of talk: Master Final.
Advisor: Sven Bugiel, Andreas Zeller
Title: Detecting the Misuse of Accessibility Features on Android
Research Area: RA4: Secure Mobile and Autonomous Systems
Abstract:
With the responsibility of including all segments of society in modern technology, Google has introduced the Accessibility Service on Android to support people with disabilities in using mobile devices. The powerful accessibility features enable apps to monitor users' interactions with other applications, which is a requirement for screen readers. It also enables the automatic injection of actions, including clicks and swipes, into other applications, allowing developers to provide assisting tools such as voice-based input systems. However, Google has not explicitly stated that using this service for purposes other than assisting disabled users is forbidden. As a result, many popular applications that use the accessibility service do not particularly target people with disabilities, such as antiviruses, cleaners, password managers, launchers, and others. This raises the question of whether the functionality given by such applications is worth the powerful features they gain, as in many cases it may be considered as a violation of Android’s least privilege principle.
In this thesis, we attempted to bring an answer to the following research questions: First, is it possible to detect a pattern that distinguishes between benign and malicious use of the accessibility service? Second, depending on the answer to the prior question, how can we protect users from malicious accessibility service misuse? We used machine learning for analysis and trained several Support Vector Machine (SVM) models to distinguish between malicious and benign accessibility service usage, using different feature sets as predictors, which resulted in varied false negative and false positive values. Finally, we attempt to estimate the accessibility features required by an application based on the accessibility description provided by developers, analyze the accessibility features gained and used in the code, and later warn the user whenever an application uses accessibility features that are not explicitly declared in the accessibility description. From the 65 benign applications in our sample set, 30 received a warning, including one accessibility app called Sesame, which uses the screenshot feature without mentioning it in the accessibility service description it provides.
14:30-15:00
Speaker: Mirko Meinerzag
Type of talk: Bachelor Intro Talk
Advisor: Sven Bugiel
Title: Hardening Androids Task Management to prevent phishing
Research Area: RA3|4
Abstract: Android's user interface has been frequently targeted by malware to perform attacks like phishing, denial-of-service, and more. These attacks often need little to no extra permissions but have devastating consequences for the user. One particular attack is called task hijacking. Task hijacking abuses the task management of Android to compromise the UI of benign applications. This can then be used to launch follow-up attacks that leak sensitive information or deny crucial services.
In Android 12 a new API was introduced that prevents third-party overlays from being displayed over the UI. This way developers can secure their apps and UI against phishing attacks based on overlays. However, phishing by abusing task hijacking is not prevented with this API. This work proposes a similar approach against task hijacking. By extending the Android framework, App developers are able to decide whether other (potentially malicious) apps can interfere with their tasks or not.
15:00-15:30
Speaker: Ali Alhasani
Type of talk: Master Intro
Advisor: Johannes Lampel, Marius Smytzek
Title: Alhazen combined with statistical debugging
Research Area: RA1
Abstract:
Alhazen is a fault diagnoses approach that performs two main tasks. First, it predicts whether an input will fail or not based on a decision tree model. Second, it generates more failure-causing inputs, to identify the circumstances in which the bug occurs. For these two tasks, Alhazen’s learner uses features related to the input to predict the bug or no bug outcome.
However, Alhazen does not consider features related to the program execution, thus limiting the power of its fault-prediction capability and making Alhazen unable to identify runtime circumstances associated with program behavior. This thesis proposes enhancing Alhazen prediction by learning additional features over statistical debugging predicates derived from program runtime events.
In this work, we use SElogger to extract program runtime events. These events report a software’s progress and its essential data during the execution time. In addition, we apply statistical debugging to extract predicates from these program runtime events.
Session B:
14:00-14:30
Speaker: Jeremy Rack
Type of talk: Bachelor Intro talk
Advisor: Cristian-Alexandru Staicu
Title: Studying the role of JavaScript bundlers in modern web applications.
Research Area: RA5(empirical and Behavioral Security)
Abstract:
Modern web applications are steadily growing in complexity and third-party dependencies.
Ensuring that all the libraries are loaded in the correct order and avoiding naming collisions between them is a tedious task that can be solved by “bundlers”.
Javascript bundlers are development tools that consume a list of resources
and package them into a single file, called a "bundle".
Among these bundled resources could be vulnerable third-party dependencies that expose the web application to various attacks.
My work aims to set the foundation for further research on Javascript bundlers.
To that end I intend to answer four questions:
1. What are the code signatures of the various bundlers visible in the bundles they produce?
2. How prevalent are bundlers in modern web applications?
3. Under which circumstances is it possible to detect the libraries included in a bundle?
4. Which third-party libraries are contained in real-world bundles and how many of them are outdated?
I will begin with collecting features for each of the bundlers to be able to detect them. Then I will perform a crawl to analyze the prevalence of the different bundlers.
Afterwards I will assess the different build options of a subset of the bundlers to determine the feasibility of my last two research questions.
14:30-15:00
Speaker: Julia Hess
Type of talk: Bachelor Intro
Advisor: Dr. Katharina Krombholz (Supervised by Matthias Fassl)
Title: User Perceptions of their Online Identities and Surveillance Capitalism
Research Area: RA5
Abstract:
Around the world, 4.95 billion people are using the internet. We create accounts on websites, accept or deny cookies, let Google Maps guide us to the next restaurant, and post pictures of our pets on Instagram.
On the one hand, we are consciously shaping how other internet users perceive us. But on the other hand, while browsing the web we are often not aware that no matter how well we sometimes try to protect our personal data and hide who we are:
We are constantly and inevitably leaving traces. And these traces can often be merged into one or multiple digital profiles of us, that third parties keep track of. As soon as the information has been collected, we cannot control anymore what happens with these unconsciously created traces of ours, and how they are used (by whom?) to influence what we get presented with online to predict, shape, and modify our behavior.
Currently, it is unclear to what extent web users are aware of these issues, how they make them feel, and how they think these issues should be handled on an individual, social, and political level.
In my thesis, I will conduct an interview study to understand how browser users perceive the privacy implications of the online identities they have created consciously and unconsciously, and how they feel about the commercial use of their (online) identities.
15:00-15:30
Speaker: Thomas Helbrecht
Type of talk: Bachelor Intro
Advisor: Ben Stock
Title: How is client-side XSS patched?
Research Area: 5
Abstract: Client-side cross-site scripting remains a severe issue in 2022. This XSS type resides in the client-side portion of a web page and allows dangerous flows from attacker-controllable sources to dangerous sinks. This thesis aims to investigate how developers worked with client-side XSS vulnerabilities in the past. Using the Internet Archive, we will inspect the evolution of vulnerable pages over time. From this historical data, our goal is to learn how client-side XSS is patched and understand developers' efforts when dealing with this threat.
We will use existing XSS detection mechanisms by Lekies et al. and extend them by a new backend. The main task of this backend will be observing the progression of dangerous flows within a vulnerable website over time. For this, it will be capable of storing website snapshots over multiple revisions, with the data coming from the Internet Archive. Furthermore, we aim to detect patches and reason about the patching process from the page's taint-flow evolution and client-side snapshots.
Common ways of fixing such flaws are sanitization or API hardening. However, there are many pitfalls developers can fall into (inadequate sanitization, etc.), especially when cooking up their own solutions instead of using standard mitigation techniques. Apart from the developers' perspective, browser vendors have also recognized the risks of (client-side) XSS. They also work on fixing such flaws by providing mechanisms such as the upcoming Sanitizer API to allow secure rendering of untrusted HTML input.
While previous work mainly looked at detecting these flows, our research will focus on understanding how developers tackled such vulnerabilities in the past. By inspecting the patching process, we aim to look at metrics such as the origin of the patch, vulnerability, complexity to further our understanding of developers' actions taken to mitigate this XSS type.