Written on 27.09.22 by Philip Lukert
Dear all,
for the winter semester we will move to the new course which you can find here.
Please switch to that one. The announcements will stop to be posted here and we expect that you will from now on submit the talk descriptions to the new course.
Best, Philip
|
Written on 24.09.22 (last change on 26.09.22) by Mang Zhao
Update:
To simplify the seminar organization on 28.09, we merge two sessions into one, i.e., Session A.
Please do NOT join Session B.
Dear All,
The next seminar(s) take place on 28.09 at 14:00 (Session A).
Session A: (RA 1,4,5) (14:00-15:30) … Read more
Update:
To simplify the seminar organization on 28.09, we merge two sessions into one, i.e., Session A.
Please do NOT join Session B.
Dear All,
The next seminar(s) take place on 28.09 at 14:00 (Session A).
Session A: (RA 1,4,5) (14:00-15:30)
Abdullah Imad Malallah, Erfan Balazadeh, Norman Ziebal
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30
Speaker: Abdullah Imad Malallah
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Exploring API behaviour in android applications using Word2Vec
Research Area: RA4
Abstract:
Most of android applications use services embedded in the mobile phone e.g. WiFi, Bluetooth, GPS, Camera, etc. To interact with these services you should use something called API.
An API is a type of program that contains code, which could be called into your application. This code normally allows you to add certain functionalities to your application. Since these APIs interact with the hardware services like GPS, they can retrieve sensitive information about the user (e.g. location of the user).
The ability to verify whether an Android application performs as advertised has long been a challenge for analysts. How do we know that an application use these APIs in a good behavior? Does this application harm the privacy of the user for example by leaking their location?
The problem is not whether an app's behavior fits a certain pattern or not, but rather, if the program behaves as promised. In this work, we make an effort to compare actual app behavior to that which has been advertised. We use android apps as a data set for this work, because of its market share and history of attacks. The main idea is to cluster APIs based on their code context and combine those with the app descriptions and rationales to detect outliers by using Word2Vec.
14:30-15:00
Speaker: Erfan Balazadeh
Type of talk: Bachelor Final
Advisor: Dr. Lucjan Hanzlik
Title: Timed-Release Cryptography using a Proof-of-Stake Blockchain
Research Area: 1
Abstract: Imagine a scenario where you want to encrypt a message, but you don't want it to be able to be decrypted by the receiving party right away.
The concept of "encrypting a message to the future" is not new and has been around for many years. The proposed solutions so far, like time-lock puzzles or verifiable delay functions, for instance,
are not perfect however. They require a lot of computing power and the speed can vary drastically depending on the hardware being used.
The thesis' goal was to implement a new encryption scheme, which is efficiently computable and which gets rid of the previously mentioned solutions' weaknesses, inside of a real-world setting.
The idea is to make use of the existing Proof-of-Stake architecture in the Ethereum 2.0 consensus protocol, where so called committees vote on new blocks by using an aggregatable signature scheme named BLS. One of the implementation tasks of the thesis was to see if it is possible to listen to the unaggregated BLS signatures and the signed message, which are necessary for the encryption scheme. Once enough of these unaggregated signatures are accumulated, we can go on to decrypt the message. Basically, a receiving party can only decrypt the message once certain conditions are met that the encrypter knows will happen in a desired amount of time in the future.
This talk will present the results and the findings of the thesis.
15:00-15:30
Speaker: Norman Ziebal
Type of talk: Bachelor Final
Advisor: Prof. Andreas Zeller, Dr. Dominic Steinhoefel
Title: Bidirectional Conversion between Context-Free Grammars and Binary Templates
Research Area: RA5
Abstract: Most programs expect highly structured inputs, which makes black-box fuzzing rather inefficient because inputs get rejected very early in the program flow.
Grammar-based fuzzing is a common technique to provide much better inputs to programs based on a specification.
FormatFuzzer is a generator for format-specific fuzzers. It takes a Binary Template as input, a format specification for a binary format,
and produces a highly efficient and fast parser and generator, which is conform to the provided specification.
Hundreds of Binary Templates already exist for various formats, but they can not be utilized by other grammar-based fuzzing tools,
due to Binary Templates being written in an imperative C-Style.
Grammar-based fuzzing tools commonly rely on a more declarative type of specification, like context-free grammars.
Context-free grammars are widely used when it comes to grammar-based fuzzing. They are easy to read and write for humans and have proven to be a good way of specifying a format.
Therefore many grammar-based fuzzing tools work well with context-free grammars as input.
This work aims to combine the benefits of context-free grammars and Binary Templates for fuzzing.
We will implement a framework for bidirectional conversion between context-free grammars and binary templates.
With this framework, we will, on one hand, be able to leverage the vast quantity of existing binary templates with already existing fuzzing tools and techniques
and on the other hand, combine the simplicity of context-free grammars with the speed and efficiency of FormatFuzzer.
|
Written on 11.09.22 by Mang Zhao
Dear All,
The next seminar(s) take place on 14.09. at 14:00 (Session A) and 15:00 (Session B).
Session A: (RA 3, 4) (14:00 - 14:30 && 15:00 - 15:30)
Julian Augustin, Niklas Flentje
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841 … Read more
Dear All,
The next seminar(s) take place on 14.09. at 14:00 (Session A) and 15:00 (Session B).
Session A: (RA 3, 4) (14:00 - 14:30 && 15:00 - 15:30)
Julian Augustin, Niklas Flentje
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 5) (15:00-15:30)
Johanna Girndt
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Julian Augustin
Type of talk: Bachelor Intro
Advisor: Andreas Zeller
Title: Hierarchical Delta Debugging and DDSet on context-sensitive Inputs
Research Area: RA4
Abstract:
Fuzzing is a well-known technique to find inputs that trigger bugs in programs.
A good way to fix the bug is to have a look at the usually very large failure-inducing input and see which part of it actually triggers the bug.
Delta debugging is an algorithm used to minimize the input as much as possible while still preserving the error.
Using delta debugging on context-sensitive data is often not successful because wrong length fields or checksums often throw errors before the actual problem gets parsed.
I am going to use FormatFuzzer a framework that can fuzz context-sensitive data and use its mutation functions to implement a more refined version of delta debugging namely hierarchical delta debugging for context-sensitive inputs.
New work has gone even further. Instead of just minimizing the error-inducing input, DDSet is able to give a grammar for all inputs that create this error.
I will also implement the key functions of this approach for context-sensitive data using FormatFuzzer.
15:00-15:30
Speaker: Niklas Flentje
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: Elimination of Optimization: breaking Supersingular Isogeny Key Encapsulation with Zero Store Elimination
Research Area: RA3
Abstract: Performance is one of the fundamental goals modern computers aim to achieve. While a CPU's frequency is restricted due to space and heat constraints, microarchitectural optimizations are developed and deployed to increase a computer's performance further. With the discovery of side-channel attacks, we have seen that such optimizations may introduce various security vulnerabilities.
In many cases, the resulting performance gains triumph over the desire for security, leading to the optimizations being deployed with more or less successful mitigations against the respective security vulnerabilities (e.g., in the case of caches). But there are other cases where the optimization disappears without disclosing much or any information about possible security vulnerabilities. One of these cases is Zero Store Elimination.
This talk is meant to introduce the concept of Zero Store Elimination and outline how we plan to analyze the resulting security vulnerability by breaking one of NIST's 4th round candidates for quantum-safe cryptography: SIKE.
Session B:
15:00-15:30
Speaker: Johanna Girndt
Type of talk: Bachelor Intro
Advisor: Prof. Andreas Zeller, Dr. Dominic Steinhoefel
Title: Conversion of ISLa Constraints into Binary Templates
Research Area: RA5
Abstract:
Grammar-based fuzzing is an effective method to generate structured inputs for testing programs. Efficient fuzzers exist for this purpose, but they are usually not precise enough since context-free grammars are not sufficient to specify all input formats. To overcome this lack of precision, the input description language ISLa was built. It is easy to adapt for developers, due to the fact that it is based on context-free grammars, but it has a slow working speed. For its turn, the grammar-based fuzzer and parser generator Format Fuzzer is much more time efficient, but the binary template language used by Format Fuzzer is complicated for humans to write.
In order to provide both a commonly accepted way to describe a broad variety of input formats and generate inputs at a fast pace, this work is dedicated to the translation of ISLa constraints to binary template language based on an existing LL1 parser generator that generates Binary Templates from context-free grammars.
We plan to evaluate the effectiveness of the tool by comparing it to the reference implementation, the ISLa solver, in terms of time savings, generation versatility, and precision as a parser and generator.
|
Written on 26.08.22 by Mang Zhao
Dear All,
The next seminar(s) take place on 31.08. at 14:00 (Session A) and 14:00 (Session B).
Session A: (RA3,5) (14:00-15:30)
Lisa Hoffmann, Simon Hasir, Philipp Baus
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode:… Read more
Dear All,
The next seminar(s) take place on 31.08. at 14:00 (Session A) and 14:00 (Session B).
Session A: (RA3,5) (14:00-15:30)
Lisa Hoffmann, Simon Hasir, Philipp Baus
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA2,5)(14:00-15:30)
Philipp Dewald, Omar Renawi, Simon Ochsenreither
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Lisa Hoffmann
Type of talk: Bachelor Final
Advisor: Dr. Katharina Krombholz
Title: A User-Study on the Usability of a Cookie-Banner Violation Reporting Tool
Research Area: RA5
Abstract:
Cookie banners make a daily appearance in the internet usage of many.
The purpose of these pop-ups is to allow users of the website the opportunity to provide informed consent on the use of their personal data.
This is a result of the data privacy laws of the European Union (EU) and the countries inside the EU themselves.
The data privacy laws not only state that the users need to provide informed consent before the use of their personal data but also provide guidelines on how this consent has to be collected.
Some of the cookie banners maliciously or unconsciously violate those guidelines.
This thesis aims to create a violation reporting tool design and test users’ ability without further education in informatics or law to report these violations after a brief instruction with the tool’s help.
During the study, the participants were confronted with an introduction on which violations they could expect.
Afterwards, the participants were confronted with six example cookie banners, some of which had violations of the privacy law in their design.
The results indicate that the overall knowledge about cookie banners and the privacy law they base on is slight, and plenty of misconceptions were discovered, but with the proper introduction, the participants were able to recognise a modest amount of the violations.
With the information collected through the study and with the focus on the insecurities and problems the participants encountered, a user-friendly design of the reporting tool can be approached.
14:30-15:00
Speaker: Simon Hasir
Type of talk: Bachelor Intro
Advisor: Andreas Zeller and Rahul Gopinath
Title: Mining Output Grammars
Research Area: RA3: Threat Detection and Defenses
Abstract:
A formal specification of the in- and output language is crucial in research areas like intrusion and vulnerability detection. Our tool constructs Context-free grammars, which capture the syntactical structure of the output. We used instrumentation and tainting to reconstruct the dynamic control dependency graph (dynamic-CDG) and track each character's origin. Our results promise to reflect the intended structure and stay human-readable and solve the problem of missing syntactical output specifications.
15:00-15:30
Speaker: Philipp Baus
Type of talk: Bachelor Final
Advisor: Ben Stock
Title: Do you trust your Types? A qualitative Study on the Usability of Trusted Types to prevent Client-Side XSS vulnerabilities
Research Area: RA5
Abstract:
Cross-site scripting (XSS) is a web vulnerability that allows attackers to execute arbitrary JavaScript code in a victim’s browser. Although a lot of time has passed since the discovery in 1999, XSS is still a huge problem for websites on the internet nowadays. With the current trend of shifting the code of web applications to the client-side and the rising complexity of client-side code, the prevalence of client-side XSS vulnerabilities is also getting more severe.
To mitigate these vulnerabilities, Google recently introduced a new web API, called Trusted Types. Trusted Types eliminate the root causes of client-side XSS vulnerabilities by locking dangerous DOM and JavaScript API functions to only allow input in the form of a Trusted Types object. However, from the top websites at the time only Facebook and Google are actively using Trusted Types to protect their services against client-side XSS vulnerabilities.
Therefore, this thesis aims to find common roadblocks for web developers when it comes to the implementation and the understanding of Trusted Types. To achieve this goal, we conducted a qualitative study on the usability of Trusted Types for web developers.
Session B:
14:00-14:30
Speaker: Philipp Dewald
Type of talk: Bachelor Final
Advisor: Dr. Katharina Krombholz
Title: End User Privacy Concerns about the Corona-Warn-App
Research Area: RA5
Abstract: When the Corona-Warn-App was launched on June 16, 2020, the expectations and hopes were quite high. Helge Braun, then Chancellery Minister and Federal Minister for Special Tasks, stated his convenience that it is the best corona app. Then Chancellor Angela Merkel declared it would be a milestone in the fight against Corona. However, it turned out that this was not the case. The lack of broad participation was one of the reasons for the app’s ineffectiveness. Although the baseline that 15% of the population must participate for the app to work was reached only eight days after launch, a much-discussed and to be regarded with caution Oxford study stated 60% of the population would need to participate in stopping the pandemic. This value is not even reached after nearly two years. Related work has shown that the most common reason for people not using contact tracing apps is privacy concerns, which was also found with the Corona-Warn-App. We investigate these and find out what they are and where they come from. Investigating privacy concerns becomes even more interesting as it has been shown that the app complies with the requirements of the GDPR, and user data is stored decentrally. The goal of conducting 15 semi-structured interviews is to shed light on the darkness and identify end-user privacy concerns, reasons, and fears regarding the Corona-Warn-App. We see that people have concerns about surveillance, data leaks, misuse, confidentiality, hackers, and technical features of the app. They are mainly due to previous experiences and lack of or wrong knowledge. Among other findings, we also learn why some people indicate that they have no privacy concerns. The conclusions indicate implications for the Corona-Warn-App but also for health-related mobile applications and apps that depend on voluntary participation.
14:30-15:00
Speaker: Omar Renawi
Type of talk: Master Intro
Advisor: Dr. Julian Loss
Title: A Modular Treatment of Abe's Blind Signature Scheme
Research Area: 2
Abstract: Digital payment services provide a great convenience, yet this convenience may cost the customers their privacy because centralized payment systems enable the banks to perform mass surveillance. To tackle this problem, Chaum proposed the notion of blind signatures to construct untraceable digital payment systems. One of the well-known blind signatures schemes is Abe's scheme (EUROCRYPT'01), which has been proven secure by Kastner (PKC'22) in the Random Oracle Model and the Algebraic Group Model (ROM + AGM). Unfortunately, the fact that the adversary may behave dishonestly made the proof rather complex. To address this issue, we provide a modular security analysis to provide a simplified security proof for Abe's scheme in the model (ROM + AGM), following a similar methodology to Hauck (EUROCRYPT'19).
15:00-15:30
Speaker: Simon Ochsenreither
Advisor: Julian Loss
Research Area: RA2
No Information is provided.
|
Written on 29.07.22 by Mang Zhao
Dear All,
The next seminar(s) take place on 03.08. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA4,5) (14:00-15:30)
Maximilian Jung, Jonas Cirotzki, Katharina Basters
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841 … Read more
Dear All,
The next seminar(s) take place on 03.08. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA4,5) (14:00-15:30)
Maximilian Jung, Jonas Cirotzki, Katharina Basters
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 3)(14:30-15:00)
Jorim Bechtle
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Maximilian Jung
Type of talk: Master Intro
Advisor: Valentin Dallmeier
Title: Automated Website Security Testing Based on Existing Selenium Tests with webmate
Research Area: RA5: Empirical and Behavioural Security
Abstract:
The web has become the most important platform of the internet and is used in all aspects of people's lives. It can be used for getting information, social interaction, online shopping and controlling smart homes or industry components. With the increasing amount of websites and features, there is a proportional rise in code complexity, which often results in more potential flaws. One of the most frequent flaws is Cross-Site Scripting (XSS), which allows attacker-controlled code execution in the context of the vulnerable application, as well as SQL injection, which allows attacker-controlled SQL code to be executed in the database to bypass logins, retrieve or alter information and even take over the whole database or server. We aim to alleviate this problem by automatically finding security vulnerabilities with automated test generation.
Unlike other automated website security testing approaches, we do not apply black-box fuzzing but are using an existing selenium test for a website as a basis by using webmate. Hence the security test is guided by the selenium test that is checking if the application works as intended. This enables us to test deeper paths in an application because the test knows how to get to a specific point of e.g. a multi-page form without fuzzing. The number of times we have to submit e.g. input fields are also greatly reduced by the fact that we know what data is expected in which fields because of the existing selenium test, which makes the testing more efficient and less invasive.
14:30-15:00
Speaker: Jonas Cirotzki
Advisor: Dr. Sven Bugiel
Research Area: RA4
No information is available.
15:00-15:30
Speaker: Katharina Basters
Advisor: Katharina Krombholz
Research Area: RA5
No information is available.
Session B:
14:30-15:00
Speaker: Jorim Bechtle
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: New Hardware - Old Vulnerabilities: Software-based Side-channel Attacks on RISC-V Architecture
Research Area: RA3
Abstract:
X86 systems have been around for quite some time and so has the idea of an open
instruction set architecture. It is only since recently that broadly available RISC-V
systems exist, posing the question of their security.
Software-based side-channel attacks are known since the late 90s and have been thor-
oughly researched on x86 as well as ARM platforms.
Combining these facts raises the question of how vulnerable RISC-V systems are to cache
attacks and what can be done to effectively defend against software-based side-channel attacks.
This thesis investigates basic techniques for exploiting the instruction cache (I-cache) and
data cache (D-cache) of RISC-V processors, mounting different Flush+Reload attacks on
both of them and finally trying to attack OpenSSL.
This serves as a basis for further research on the security of RISC-V processors, implementing building blocks for more sophisticated side-channel attacks.
Only presenting attacks without suggesting effective defenses is of little help, thus this
thesis also proposes defenses against cache attacks, evaluating them in terms of effectiveness on RISC-V processors.
The results suggest that RISC-V processors are vulnerable to side-channel attacks, only
the small-scale new architecture imposes some new challenges upon attackers and defenders.
|
Written on 19.07.22 by Mang Zhao
Dear All,
Please note that the type of Ole Heydt's talk is: Bachelor Final.
We are sorry for the mistakes in the previous notification.
Speaker: Ole Heydt
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic… Read more
Dear All,
Please note that the type of Ole Heydt's talk is: Bachelor Final.
We are sorry for the mistakes in the previous notification.
Speaker: Ole Heydt
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4
Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.
With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions).
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.
The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs.
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts.
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks.
|
Written on 15.07.22 (last change on 20.07.22) by Mang Zhao
Dear All,
The next seminar(s) take place on 20.07. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA1,3,4) (14:00-15:30)
Christian Schumacher, Ole Heydt, Yassir Kozha
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841 … Read more
Dear All,
The next seminar(s) take place on 20.07. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA1,3,4) (14:00-15:30)
Christian Schumacher, Ole Heydt, Yassir Kozha
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 3,4)(14:30-15:30)
Ulysse Planta, Eric Minas
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Christian Schumacher
Type of talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Analysis of IoT Devices and Vulnerable User Notification
Research Area: RA3
Abstract:
IoT devices become more and more common in everyone's daily live. With every new device the chance that they are wrongly configured or outdated rises. I will analyze smart home devices (predominantly security cameras and routers) and check their currently implemented security features by inspecting their interfaces and their manuals. In addition, I plan to look at this also from a usable security standpoint to see if the manufacturers could help reduce the amount of badly secured devices by implementing known security ideas. I plan to systematically investigate such different solutions and to analyse what they would accomplish for the respective device.
Furthermore, I plan to address the question "How could someone contact affected people of wrongly configured or outdated devices?". Most of the time a security researcher would only have the IP address of the affected device. What are the steps one has to go through to contact the owner? Is it even possible to contact them knowing only their IP and how have other researchers dealt with the problem of reaching people of compromised devices in the past.
14:30-15:00
Speaker: Ole Heydt
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4
Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.
With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions).
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.
The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs.
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts.
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks.
15:00-15:30
Speaker: Yassir Kozha
Type of talk: Master Final
Advisor: Dr. Robert Künnemann
Title: Formalising Privilege Escalation Attacks in Kubernetes
Research Area: RA1
Abstract:
Analysing networks and systems has become a necessity in modern and big companies. Finding vulnerabilities and fixing them requires a solid knowledge of the network topology and a great consideration of the effort lying behind finding mitigation techniques. Tools scanning networks for susceptible hosts, rely on known vulnerabilities from public databases. However, the information on the impact of a an exploit is partially vague.
Network's topology and infrastructure integrates in many cases Kubernetes. Kubernetes is an open-source container-orchestration system that automate creating and managing containers. The spread of Kubernetes opens a new world for cybercriminals. Moreover, it adds new challenges for network scanning tools to consider Kubernetes components and their relations.
%Most implementations regard attacks with no regard to possible host-level privilege escalation.
In this thesis, we base on the work of Künnemann et al., which introduced a concept of scanning networks and using the information available to detect potential privilege escalations within nested access control contexts. Our approach is to extend their work to consider Kubernetes clusters. We analyse the Kubernetes structure and components and provide a mapping from Kubernetes descriptions to the model defined in their paper.
Session B:
14:30-15:00
Speaker: Ulysse Planta
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: Frequency Side-Channels on AMD Processors
Research Area: RA3
Abstract:
Traditionally, power side-channels were limited to an attack model with full physical access
and external hardware to measure the power consumption of the system under attack. With the
addition of software interfaces like RAPL, software-only power side-channels became feasible.
As a reaction to this new category of attacks, CPU vendors lowered the precision of reported energy
consumption and operating systems restricted access to energy measuring interfaces to
privileged programs only. Because modern processors continuously vary their operating
frequency depending on the workload, temperature, and energy constraints, we can draw a
conclusion about the type of workload solely from the frequency that the processor is operating at.
Using the RDPRU instruction introduced by AMD with its Zen 2 microarchitecture, an unprivileged
attacker can access two different processor internal registers, yielding a primitive, that allows for
frequency measurements with previously unreachable temporal resolution.
We investigate the resulting side channel on recent AMD processors to see what an attacker can
infer from frequency measurements on these processors and how these attacks can be mitigated.
15:00-15:30
Speaker: Eric Minas
Type of talk: Bachelor intro talk
Advisor: Marius Smytzek
Title: Structured Test Generation for Audio Formats
Research Area: 4
Abstract: Fuzzing is a great way to test programs on their inputs, but when the input is a file, it gets complicated. This is because most fuzzers are format-agnostic, meaning that they cannot generate structured data. Format Fuzzer is a program that lets its users write a template for files with a specific format and then generate these files with random data that still adheres to the specification and more importantly to the context and dependencies to other parts of the file, such as checksums.
I created two specifications for audio files, namely for the OGG and fLaC format. These chunk-based formats are quite similar in their structure, though, fLaC has more complex chunks that had to be implemented.
The generated files were then used to test open-source programs on their ability to parse these files with random data. The results of that were the compared to using American Fuzzy Lop (AFL).
|
Written on 30.06.22 by Mang Zhao
Dear All,
The next seminar(s) take place on 06.07. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA1,4,5) (14:00-15:30)
Kevin Theobald, Luc Seyler, Metodi Mitkov
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode:… Read more
Dear All,
The next seminar(s) take place on 06.07. at 14:00 (Session A) and 14:30 (Session B).
Session A: (RA1,4,5) (14:00-15:30)
Kevin Theobald, Luc Seyler, Metodi Mitkov
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 3)(14:30-15:00)
Fabian Thomas
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Kevin Theobald
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Andreas Zeller
Title: How Test Sets Influence Automatic Program Repair
Research Area: RA4
Abstract:
Automatic program repair is a technique to automatically fix software defects by finding, analyzing and fixing the defects. After each loop in the technique, automated program repair generates a possible patch which needs to be verified. This verification process is done by a test suite. There are two colliding interests about the size of the test suite. On the one side, if the test suite has no or too few test cases, the result of the automatic program repair technique is inapplicable. On the other side, if the test suite is too large, the runtime of the automatic program repair technique is unfeasible.
In this study, I want to investigate on what a test suite needs to be a suited candidate for automatic program repair. I use established techniques from test generation to create various test suites and investigate on how automatic program repair behaves on these test suites.
I want to find out if there exists a minimum or maximum size of test suites which still produces a qualitative fix in automatic program repair. In addition, I want to investigate on how many failing and passing test cases the test suite needs.
The results of my study could help to improve automatic program repair by providing a reasoning about the trade between the quality of a fix and the runtime of automatic program repair.
14:30-15:00
Speaker: Luc S.
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Signing without Interaction - Anonymous EC Blind Signatures
Research Area: RA1
15:00-15:30
Speaker: Metodi Mitkov
Type of talk: Bachelor Intro
Advisor: Dr. -Ing Ben Stock
Title: Security Headers on the Web Post-Login
Research Area: 5
Abstract: Web sites are continuously growing in complexity - an ever-increasing codebase that relies heavily on third-party content is a common occurrence on the Web today. Developers have the difficult task of ensuring that each component on a Web site works correctly and does not cause conflicts or errors. While the main focus lies in ensuring that all components work correctly, the security of a Web site is often pushed to the side. For these reasons, we regularly hear about vulnerabilities on the Web. A multitude of browser-enforced defense mechanisms exists to protect against the possibility of a vulnerability in the ever-rising complexity of the Web. However, defense policies are frequently misused, leading to a false sense of protection. The usual culprit of security inconsistencies on the Web is CSP, widely known by developers for its difficulty to use. Even other defense mechanisms on the Web, which are supposedly easier to use, such as cookie security attributes, are misused across the board. While researchers have investigated the development of security mechanisms and their inconsistent use across the Web, some questions remain to be answered. For example an important aspect is the separated context between a registered and an unregistered session. A registered user could have access to other features and pages which are otherwise inaccessible.
I want to investigate the prominence of misused security headers in the context of a logged-in user and compare it to the pre-login counterpart. I want to understand why inconsistencies occur and what conclusions I can draw from the current state of the usage of security policies. What type of inconsistencies are there? Are there differences between the security guarantees for logged-in users and not logged-in visitors? Which security policies are misused the most? Are there any patterns?
Session B:
14:30-15:00
Speaker: Fabian Thomas
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: Meltdown as a Sidechannel
Research Area: RA3
Abstract:
As a response to the disclosure of the Meltdown vulnerability in 2017, which
essentially enables an attacker to read arbitrary kernel memory, all major
Operating Systems implemented software fixes to address this new kind of attack
on hardware. We present a novel way to leak sensitive data that is not protected
by these state of the art mitigations. Our new technique relies on the fact that
some data structures like the Interrupt Descriptor Table are required to be
mapped into user space on x86 CPUs. Therefore no software patches can be applied
to these memory regions. By interpreting a successful Meltdown read as a cache
hit we are able to leak the timing of hardware keyboard interrupts and legacy
system calls on CPUs without hardware fixes addressing these issues. We use a
custom Meltdown block to further improve the reliability of this caching side
channel. Additionally, we analyze the Meltdown mitigation kernel page-table
isolation (KPTI) to evaluate the severity of our findings.
|
Written on 17.06.22 by Mang Zhao
Dear All,
The next seminar(s) take place on 22.6. at 14:00.
Session A: (RA4,5) (14:00-15:30)
Joshua Steffensky, Antonios Gkiokoutai, Daniel Reinold
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA… Read more
Dear All,
The next seminar(s) take place on 22.6. at 14:00.
Session A: (RA4,5) (14:00-15:30)
Joshua Steffensky, Antonios Gkiokoutai, Daniel Reinold
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 1,2,3|4)(14:00-15:30)
Julian Biehl, Mirko Meinerzag, Sophie Wenning
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Joshua Steffensky
Type of talk: Master Final
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4
Abstract:
The FIDO2 authentication scheme was released by the FIDO Alliance in 2018 as the
successor of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by
providing a usable, secure and open authentication scheme for both hardware backed
two-factor authentication, as well as complete passwordless authentication. While FIDO2
was, as the name “Fast IDentity Online” suggests, designed for web authentication, its
use of an asymmetric challenge-response scheme and the specification of an interface
for movable cryptographic security devices makes it amenable to being used in other
authentication contexts.
In this thesis we will explore this option. For this purpose we develop an adaptation
of the usability-deployablility-security (UDS) evaluation framework by Bonneau et al.
for physical authentication schemes. Our results show, that FIDO2 can be secured
for physical authentication and compares resonably well to existing schemes. However,
exposing the FIDO2 Authenticator to an untrusted access point breaks the protocol’s
unlinkability goal.
14:30-15:00
Speaker: Antonios Gkiokoutai
Type of talk: Bachelor Intro
Advisor: Dr. -Ing Ben Stock
Title: Dangerous Extension Updates
Research Area: 5
Abstract: Browser extensions have in recent years become very popular, with thousands of downloads
across different platforms. To be able to execute their tasks and improve user experience on
the web, they require access to special APIs. Example APIs include accessing the users
browsing history, or sending / intercepting network requests. Because of the nature of those
APIs being very powerful, access to them is restricted through permissions, which need to be
explicitly requested in the extensions manifest.
Similarly to the mobile ecosystem, it is recommended for extensions to request only
necessary permissions as per the Principle of Least privilege, meaning only the minimum set
of permissions that they absolutely need to carry out their tasks. However, past studies have
shown that extensions often request more permissions than they need. At the same
time, many permissions are coarse-grained and provide little information about their
capabilities to the user.
To ensure that extensions do not misuse their privileges, they go through a vetting process
conducted by major browser vendors before they are released. Multiple studies have
contributed into helping detect both malicious extensions as well as vulnerable ones, that slip
through the vetting process and end up being installed by users. Still, little research has
focused specifically on extension updates, which directly contribute to the creation of
malicious extensions in more subtle ways.
A common scenario that is of interest in this case, is a benign extension turning malicious
after a future update. Results in this case can be disastrous, given that the extension has
already been installed potentially by multiple users and earned their trust, before being
updated and turning malicious.
While all major browsers claim to review updates of extensions before releasing them, a
recent study confirms that many undetected malicious extensions turned malicious after
some update. This means the review process often fails to detect dangerous updates. To be
able to estimate how prevalent are such updates, we would like to conduct a large-scale study
on the Chrome Web Store across multiple versions of existing extensions. Key questions that
we want to answer are the following:
ï How often do extensions update and what is the nature of those updates? To answer
this, we intend to study the time between updates, as well as their content. We are
interested in changes in the number of API permissions requested, changes in the host
permissions (e.g. from a few host names to <all_URLs> or https wildcards, or vice
versa), or changes in the manifest to upgrade to the newer v3 [9] standard.
ï Are permissions over-requested, and if so to what extent and for how long? This
requires studying the actual usage of APIs across extensions and comparing it with
the corresponding permissions in the manifest. Naturally we want to observe changes
in those behaviors, and accordingly determine to what extent is the principle of least
privilege followed.
ï Finally, when can we label an extension update as suspicious and as a result how
many suspicious extensions can we detect in the wild? Suspicious in this case would
imply the introduction of changes which have direct and critical security implications
on the extension. We need to come up with a collective approach, which leverages
data from studies in combination with our observations, in order to determine if an
update is deemed indeed suspicious.
15:00-15:30
Speaker: Daniel Reinold
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: Transpiling the Web Service Description Language
Research Area: RA4
Abstract:
Users want a lot of functionality and information from the modern web. Web services
provide an interface to request information and functionality from remote resources,
connecting clients and servers to each other. This interface can receive direct user input,
which makes it vulnerable to invalid or malicious requests. If a web service goes offline
due to an attack or bug, it can affect other peers, that rely on its functionality. Because
of this, it is essential, that web services are robust and secure.
Fuzzing is a technique to automatically test software for vulnerabilities and other unin-
tended behavior by generating random inputs. However, if completely random values
are being produced, the result will be primarily invalid calls. To make this approach
more efficient at creating valid inputs, a grammar can be used. Grammars are a way to
specify the structure of an input and can be used in grammar-based fuzzers, to generate
values for testing. A drawback is, that it can be difficult and time-consuming to create
a grammar from scratch for a target application. This can be avoided by deriving the
grammar from documents specifying the interface.
For web services, such a description exists in a specification called Web Services Descrip-
tion Language. These documents are usually publicly available, which enables us to test
our implementation on a wide range of live web services. Our approach is to convert the
Web Service Description Language into a so-called universal grammar. We then use it to
generate many random values that match the input structure and sent them in a request
to the web service. Our goal is to create a process to automatically fuzz web services,
even if they have structurally complex interfaces.
Session B:
14:00-14:30
Speaker: Julian Biehl
Type of talk: Master Intro
Advisor: Dr. Robert Künnemann
Title: Translating Multiset Rewrite Rules to ProVerif
Research Area: RA2
Abstract: Protocol verification tools are a means of modeling security protocols and checking whether they fulfill the desired security guarantees. One popular example for such a tool is Tamarin, which relies on multiset rewrite rules to model protocols. Another popular tool is ProVerif, where protocols are modeled in a process calculus, which is then translated to Horn clauses for the analysis. Since multiset rewrite (MSR) rules and Horn clauses share some common properties, translating MSR rules into Horn clauses is relatively straightforward, even though it introduces some overapproximation. In this thesis, we will propose such a translation, implemented as an extension to Tamarin. As ProVerif is generally known to be much faster than Tamarin, we suspect that this translation will allow to analyze many MSR models way faster than using only Tamarin. In order to verify this hypothesis, we will evaluate our translation using a variety of protocol models which were already written for Tamarin and compare the performance of the two. This evaluation will also be the main focus of the final thesis.
14:30-15:00
Speaker: Mirko Meinerzag
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Hardening Android's Task Management to Prevent Phishing
Research Area: RA3|4
Abstract:
Android's user interface has been frequently targeted by malware to perform attacks like phishing, denial of service, and more. These attacks often need little to no extra permissions but have devastating consequences for the user. One particular attack is called task hijacking. Task hijacking abuses the task management of Android to compromise the UI of benign applications. The vulnerability can then be used to launch follow-up attacks that leak sensitive information or deny crucial services.
This thesis continues previous work on task hijacking. One proposed solution is to enhance task management so that developers can protect their UI from being hijacked. In this work, the proposed solution is implemented as a prototype on Android 10. This is done by modifying the Android Open Source Project such that developers can declare in the manifest of their app which parts of the UI should be treated as sensitive and need further protection by a security-enhanced task management.
The prototype is evaluated against several proof-of-concept apps to show its effectiveness, usability, and performance compared to an unmodified Android version. Furthermore, we performed a small-scale analysis of top apps from Google Play. This work also presents the results of the apk analysis and compares them to previous, similar studies on the topic.
15:00-15:30
Speaker: Sophie Wenning
Advisor: Prof. Dr. Antoine Joux
Research Area: RA1
Abstract:
No information is provided.
|
Written on 02.06.22 by Philip Lukert
Dear All,
The next seminar(s) take place on 8.6. at 16:00 respectively 14:30.
Be aware that session A is at 16:00!
Session A: (RA4,5) (16:00-16:30)
Kai Glauber
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode:… Read more
Dear All,
The next seminar(s) take place on 8.6. at 16:00 respectively 14:30.
Be aware that session A is at 16:00!
Session A: (RA4,5) (16:00-16:30)
Kai Glauber
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 5)(14:30-15:30)
Pavithra Krishna, Jorim Bechtle
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
16:00-16:30
Speaker: Kai Glauber
Type of talk: Master Intro
Advisor: Prof. Dr. Giancarlo Pellegrino, Soheil Khodayari
Title: DORK: A Study on the Context, Prevalence and Cause of Open Redirects in today's Web
Research Area: RA5
Abstract:
Redirects are an essential part of today's internet workflow. While they are
often used as tool to seamlessly improve user experience, they are also quite
common in the context of authentication and advertisement. However, previous
work has shown, that developers often fail to secure their redirects properly.
An open redirect is a vulnerability that occurs when the target of a redirect
depends on untrusted user-controlled input, which is not properly validated.
While the impact of this vulnerability is generally considered to be low, it is
often used as a stepping stone for more sophisticated exploits, such as
stealing OAuth tokens, bypassing Content Security Policies or phising.
This thesis aims to provide an overview of the prevalence of open redirects in
today's web. As a first step, we manually analyze past CVEs to get a better
understanding of the context in which past vulnerabilities manifested. We do
so, by filtering CVEs based on access to source code, specifically references
to Github repositories, which often times contain valuable information about
the vulnerability at hand. Furthermore, we aim to identify common patterns,
that we can use to detect open redirects in the future by collecting data on
which mitigation was used and what went wrong. Finally, the collected data is
used in our prototype implementation DORK which is an acronym for "Detecting
Open Redirects at sKale". DORK automatically creates custom Google Dork
queries, to scan the Tranco top 10k most popular websites for open redirects.
This approach provides us with a list of candidates that DORK actively probes for
open redirects by replacing the target of the redirect with a domain under our
control which keeps track of incoming traffic.
Session B:
14:00-14:30
No talk this week
14:30-15:00
Speaker: Pavithra Krishna
Type of talk: Master Final talk
Advisor: Dr.Rahul Gopinath
Supervisor: Prof.Dr.Andreas Zeller
Title: Fuzzing the Extended Berkeley PacketFilter verifier using Grammars
Research Area:RA2
Background/Key terms:
i)eBPF: It is a sandbox/virtual machine within the Linux kernel to execute programs and obtain needed information. An interesting topic for security is that this feature allows a program defined in the user-space to be executed in the kernel. Furthermore, the usability and performance of this feature has gained a lot of attention in the recent years. As on date, there are around 100+ tools based on this feature developed only within a short span of few years.
ii)eBPF verifier: This is the security mechanism which guarentees that no ebpf program provided from the user-space can cause unintented behaviour within the kernel. It is quite complex in nature as it does static checking and register state simulation. The code which is over several thousand lines include several techniques like Directed acyclic graphs, Depth first search, register state monitoring etc., The eBPF programs approved by the verifier are only allowed to execute within the kernel.
iii)Fuzzing: It is a dynamic testing technique for software that examines the code response during run time to discover unexpected behavior. The techniques used to produce the test inputs have changed over the years and have become more sophisticated.
iv)Grammars: They are widely used to represent different input properties,specifically, the syntactic rules to define its structure.
v)Grammar-based Fuzzer: It is a generation based and a smart Fuzzer. This technique is beneficial to generate inputs with high efficiency. These inputs can surpass the parser, which does syntactic analysis on the inputs and, thus, deeper into the program.
Introduction:
The eBPF technology is ubiquitous within the Linux kernel world due to the enormous benefits such as performance and adaptability. The feature has critical priviledges such as leak kernel memory addresses, read-write access to arbitrary locations, filter system calls, monitor network packets, trace kernel processes and many more. It also has extended into security applications such as firewall(ip-tables), secure computing(seccomp), run-time security enforcement (tetragon/cilium).
Considering the time of development, it is evident that it was very rapid and enormous within a short period of time. The talks based on eBPF presented at recent conferences such as DEF CON29, Black hat 2021 reveals that security bugs are inevitable. This indicates that the claimed guarentees by the eBPF verifier can be falsified under certain scenarios. Furthermore, there exists a non-negligible gap between its development and testing.
The analysis indicate that every new kernel release is accompanied by functional tests which check for Pass/Fail criteria. It is also observed that certain tech giants such as Google, Netflix make use of AFL and Syzkaller to test eBPF. Eventhough such fuzzers help to improve security using mutation techniques or coverage guidance, they are also limited. The major reasons are either the instruction set used is not complete nor all possible combinations are considered.
Research contribution:
Given the complexity and the security criticality of the eBPF verifier, the aim of my thesis is to answer the following research questions:
RQ1. Can the eBPF verifier be tested using the entire instruction set?
RQ2. What percentage of the inputs generated using Grammars surpass the eBPF verifier and cause undefined behavior?
In order to realize it, the methodology chosen revolves around few objectives.First, to test the verifier against syntactically valid and varied eBPF programs. As second,to verify the behaviour of the loaded programs during run time. Then, to check the verifier's response against programs with code fragments of bugs identified in the past and last but not the least, to have a simple and easy to use interface with support for batch processing of eBPF programs.
The core technique combines several ideas from the Fuzzing book(created and maintained by CISPA experts), linux tools used for kernel debugging, Python libraries, C code, Bash scripting and GCC compiler. The infrastructure relies on a customly built Linux kernel that supports BPF compilation and execution, kernel for crash analysis and serial connection between cloned virtual machines. Furthermore the initially defined Grammar has been optimized with Kernel code coverage metrics, reusing code fragments from past buggy programs. The key metrics used are time for generation and execution, memory consumption, quality, usability and support debugging.
The results obtained are rated as direct or indirect based on how they are related to eBPF. As part of direct findings, leakage of kernel memory information, unreachable instructions being accepted, segmentation failures, program crashes, kernel traps were found. There are also indirect findings such as Windows blue screen of death(BSOD), system hangs, kernel oops.
Key take away:
Fuzzing is a versatile technique which has been researched for several years. On combining different techniques, it can unwrap deeper bugs and improve security. The eBPF technology is one of the several linux kernel features that are potential attack vectors. As indicated by the results of this work, using Grammars are very effective and efficient in dynamic security testing. Having provided with more memory and other observatory tools, this technique can scale to handle larger programs and other advanced features such as function calling between eBPF programs.The proposed framework can be used as stand-alone or in combination with existing testing methods.
15:00-15:30
Speaker: Jorim Bechtle
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: New Hardware - Old Vulnerabilities: Software-based Side-channel Attacks on RISC-V Architecture
Research Area: RA3
Abstract:
x86 and ARM systems have been around for quite some time, so has the idea of an open-source instruction set architecture. There have been FPGA emulations and prototype boards based on RISC-V, but it is only since recently that mass-produced RISC-V systems exist.
This raises the question which side-channel attacks developed for x86 or ARM are applicable to RISC-V and which of the recommendations to prevent side-channel attacks from the last decades have been applied.
The goal of this research is to explore the cache layout and function and create basic building blocks like timing and flushing for software-based side-channel attacks and ultimately to create a proof-of-concept exploit on for an old OpenSSL version.
|
Written on 19.05.22 (last change on 25.05.22) by Stella Wohnig
Dear All,
The next seminar(s) take place on 25.05. at 14:00 respectively 14:30.
Session A: (RA4,5) (14:00-15:00)
Norman Ziebal - Florian B.
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA… Read more
Dear All,
The next seminar(s) take place on 25.05. at 14:00 respectively 14:30.
Session A: (RA4,5) (14:00-15:00)
Norman Ziebal - Florian B.
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (RA 5)(14:30-15:30)
Paul Frerichs - Raphael Maser
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Norman Ziebal
Type of talk: Bachelor Intro
Advisor: Prof. Andreas Zeller, Dr. Dominic Steinhoefel, Dr. Rafael Dutra
Title: Grammar meets Binary Template - Bidirectional conversion between context free grammars and binary templates
Research Area: RA4,5
Abstract:
Most programs expect highly structured inputs, which makes black-box fuzzing rather inefficient because inputs get rejected very early in the program flow.
Grammar-based fuzzing is a common technique to provide much better inputs to programs based on a specification.
FormatFuzzer is a generator for format-specific fuzzers. It takes a Binary Template as input, a format specification for a binary format,
and produces a highly efficient and fast parser and generator, which is conform to the provided specification.
Hundreds of Binary Templates already exist for various formats, but they can not be utilized by other grammar-based fuzzing tools,
due to Binary Templates being written in an imperative C-Style.
Grammar-based fuzzing tools commonly rely on a more declarative type of specification, like context-free grammars.
Context-free grammars are widely used when it comes to grammar-based fuzzing. They are easy to read and write for humans and have proven to be a good way of specifying a format.
Therefore many grammar-based fuzzing tools work well with context-free grammars as input.
This work aims to combine the benefits of context-free grammars and Binary Templates for fuzzing.
We will implement a framework for bidirectional conversion between context-free grammars and binary templates.
With this framework, we will, on one hand, be able to leverage the vast quantity of existing binary templates with already existing fuzzing tools and techniques
and on the other hand, combine the simplicity of context-free grammars with the speed and efficiency of FormatFuzzer.
14:30-15:00
Speaker: Florian B.
Type of talk: Bachelor Final
Advisor: Dr. Dominic Steinhöfel, Prof. Andreas Zeller
Title: Bidirectional Converter Between ANTLR, BGF and a Pivot Language
Research Area: RA5
Abstract:
Grammar-based fuzzing is a common technique to make fuzzers more program-specific. On the one hand, there are different fuzzers with different grammar formats as input and on the other hand, there are large grammar collections like the Grammar Zoo with its BGF format or repositories with many grammars in ANTLR format. The ability to convert different grammar formats into each other would allow to use existing grammar collections, and thus thousands of grammars without requiring additional work for each grammar.
Bidirectional conversion between these different formats is easiest accomplished using a pivot language.
This pivot language can then be used to convert ANTLR to BGF and vice versa, or to convert to any new format by simply developing a new converter for a different format while using he same pivot language.
In this thesis, a converter will be developed to convert ANTLR and BGF into a pivot language and vice versa.
15:00-15:30
no talk this week
Session B:
14:00-14:30
No talk this week
14:30-15:00
Speaker: Paul Frerichs
Type of talk: Bachelor Intro
Advisor: Dr. Sven Bugiel
Title: Local biometric prompt phishing on android devices
Research Area: 4
Abstract:
With FIDO2 and Webauthn on the rise, the relevance of biometric authentication is ever increasing. This is especially true for the mobile sector. This shift in authentication also comes with a change in the ways it is attacked. Most biometric authentication on mobile devices relies on the context it is shown in, requiring the user to identify harmful authentications based only on what the user can see on the screen or the knowledge what he has done just before. Malware with the correct set of permissions can perform phishing attacks on this kind of authentication scheme by starting authentication prompts in other applications. This reduces the means by which a user can identify a malicious authentication attempt. In this work we establish the basis on which future works will investigate how well users on Android devices are able to recognize dialogues outside of their context and thus prevent a possible phishing attack. We are developing a system to start out-of-context dialogues at strategic moments to simulate the behavior of malware installed on the user's device, testing the users' ability to detect and prevent this kind of phishing attacks.
15:00-15:30
Speaker: Raphael Maser
Type of talk: Bachelor Intro
Advisor: Prof. Mario Fritz, Dr. Andreas Husch (Uni Luxemburg)
Title: Confounding in Machine Learning Models
Research Area: RA1
Abstract:
Machine Learning has seen a lot of progress during the last decade and gained even more attention during the enduring COVID-19 epidemic. Despite this progress, the clinical relevance of ML in the medical domain is still rather low, mainly because models exhibiting good performance in the test environment fail when deployed in the real world. This is mainly caused by a gap between training data and real-world data, where bias and (hidden) confounders in training prevent the models trained from them to capture clinically relevant settings.
Working towards more robust models by utilizing domain adaptation techniques, we aim to reliably assess different de-confounding techniques. To achieve this a simple framework for the creation of synthetic confounded data and injection of confounders in real datasets will be written.
|
Written on 04.05.22 by Stella Wohnig
Dear All,
The next seminar(s) take place on 11.05. at 14:00.
Session A: (RA4,5)
Philipp Dewald - Ole Heydt - Birk Blechschmidt
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30… Read more
Dear All,
The next seminar(s) take place on 11.05. at 14:00.
Session A: (RA4,5)
Philipp Dewald - Ole Heydt - Birk Blechschmidt
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30
Speaker: Philipp Dewald
Type of talk: Bachelor Intro
Advisor: Dr. Katharina Krombholz
Title: End User Privacy Concerns about the Corona-Warn App
Research Area: RA5
Abstract: When the Corona-Warn App was launched on the 16th of June in 2020, the expectations and hopes were quite high. Helge Braun, then Chancellery Minister and Federal Minister for Special Tasks, stated he is "quite convinced that it is the best [corona app]" and then Chancellor Angela Merkel declared it will be "a milestone in the fight against Corona." However, it turned out that was not the case. The lack of broad participation was one of the main reasons for the app's ineffectiveness.
Related work has shown that the most common reason for people not using the app was privacy concerns. In this upcoming Bachelor Thesis, we want to have a look at these and find out what they look like and where they came from.
14:30-15:00
Speaker: Ole Heydt
Type of talk: Bachelor Intro
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4
Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.
With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions).
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.
The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs.
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts.
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks.
15:00-15:30
Speaker: Birk Blechschmidt
Type of talk: Master Intro
Advisor: Dr.-Ing. Ben Stock
Title: Extended Hell: A Study on the Current Support of Email Confidentiality and Integrity
Research Area: RA5
Abstract: The core specifications of electronic mail as used today date back as early as the 1970s. At that time, security did not play a major role in the development of communication protocols. These shortcomings still manifest itself today in the prevalence of phishing and the reliance on opportunistic encryption. Besides STARTTLS, various mechanisms such as SPF, DKIM, DMARC, DANE and MTA-STS have been proposed. However, related work has shown that they are not supported by all providers or that misconfiguration is common.
This thesis aims to provide an overview on the current state of email confidentiality and integrity measures and the effectiveness of their deployment. In particular, we are going to investigate the support of security mechanisms by popular email providers, thereby validating and extending previous work. Since MTA-STS has not yet been widely studied, we contribute an overview on the outbound support of MTA-STS. Furthermore, we try to find a lower bound of domains supporting DANE bindings for OpenPGP as well as DNSSEC-associated S/MIME certificates and measure their key strength.
|
Written on 27.04.22 by Stella Wohnig
Dear students,
To accomodate for a specific case of circumstances, we will have one of the sessions on 8.6. at 14-15:30 as regular and one session at 15-16:30.
I appologize for your inconvenience. The dates for the later session can be booked on https://calendly.com/bamaseminar2
Of course, if… Read more
Dear students,
To accomodate for a specific case of circumstances, we will have one of the sessions on 8.6. at 14-15:30 as regular and one session at 15-16:30.
I appologize for your inconvenience. The dates for the later session can be booked on https://calendly.com/bamaseminar2
Of course, if you can not attend the session after 15:30, you will not have to change plans, we are aware this might collide with lectures.
Please visit the earlier seminar in that case (=if you don't have time later), even if your research area talks are in the later slots.
Best regards, Stella
|
Written on 20.04.22 (last change on 24.04.22) by Stella Wohnig
Dear All,
The next seminar takes place on 27.04. at 14:30.
Session A: (RA1,5)
Nils Olze - Erfan Balazadeh
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30
No talk this… Read more
Dear All,
The next seminar takes place on 27.04. at 14:30.
Session A: (RA1,5)
Nils Olze - Erfan Balazadeh
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30
No talk this week.
14:30-15:00
Speaker: Nils Olze
Type of talk: Master Intro
Advisor: Sven Bugiel
Title: Is Your Password On Your Hard Drive? Impact of File System Access on Credential Access
Research Area: 5
Abstract: Passwords are an aging but still the most wide-spread way of user authentication. With the ever growing amount of online services, users are burdened to manage more and more credentials, often leading to insecure password management behavior. Password Reuse puts all accounts of a user at risk, once a single pair credentials is known to an attacker. While Password Managers offer a solution to this problem, they are still lacking adoption by users, especially less tech-savy ones. Simpler methods like Password Notebooks in physical or digital form are adopted instead. Physical notebooks on the one hand, the are often recommended as a valid strategy, but unsecured digital ones put credentials at risk to anyone who has access to the file.
In this work, we consider an attacker with access to the file system of a victim. Our goal is threefold. First, we seek to empirically validate the results of prior work concerning password management of users. Second, we determine whether it is feasible for an attacker to automatically detect credentials saved in unprotected text files in a file system. Lastly, we try to measure the impact of the available data on a tailored password cracking attempt.
15:00-15:30
Speaker: Erfan Balazadeh
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Timed-Release Cryptography using Proof-of-Stake Blockchain
Research Area: 1
Abstract: Imagine a scenario where you want to encrypt a message, but you don't want it to be able to be decrypted by the receiving party right away.
The concept of "encrypting a message to the future" is not new and has been around for many years. The proposed solutions so far, like time-lock puzzles or verifiable delay functions for instance,
are not perfect however. They require a lot of computing power and the speed can vary drastically depending on the hardware being used.
This thesis' goal is to implement a new encryption scheme, which is efficiently computable and which gets rid of the previously mentioned solutions' weaknesses, inside of a real world setting.
The idea is to make use of the existing Proof-of-Stake architecture in the Ethereum 2.0 consensus protocol, where so called committees vote on new blocks by using an aggregatable signature scheme named BLS. One of the implementation tasks of the thesis is to see if it is possible to listen to the unaggregated BLS signatures and the signed message, which are necessary for the encryption scheme. Once we have accumulated enough of these unaggregated signatures, we can go on to decrypt the message. Basically, a receiving party can only decrypt the message once certain conditions are met that the encrypter knows will happen in a desired amount of time in the future.
|
Written on 08.04.22 (last change on 09.04.22) by Stella Wohnig
Dear All,
Update 2022-04-09: Added Priyasha Chatterjee's talk information, which was missing due to technical difficulties. Sorry!
The next seminar(s) take place on 13.04. at 14:00.
Session A: (RA3,4)
Joshua Steffensky - Priyasha Chatterjee - Tom… Read more
Dear All,
Update 2022-04-09: Added Priyasha Chatterjee's talk information, which was missing due to technical difficulties. Sorry!
The next seminar(s) take place on 13.04. at 14:00.
Session A: (RA3,4)
Joshua Steffensky - Priyasha Chatterjee - Tom Baumeister
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session A:
14:00-14:30
Speaker: Joshua Steffensky
Type of talk: Master Intro
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4
Abstract:
The FIDO2 authentication scheme was released by the FIDO Alliance[1] in 2019 as the successor
of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by providing a usable, secure and open
authentication scheme for both hardware backed two-factor authentication, as well as complete passwordless
authentication. While FIDO2 was, as the name ”Fast IDentity Online” suggests, designed for web authentic-
ation, its use of an asymmetric challenge-response scheme and the specification of an interface for movable
cryptographic security devices makes it amenable to being used in other authentication contexts. This thesis
aims to investigate the possibility of using FIDO2 authentication in the physical authentication context.
14:30-15:00
Speaker: Priyasha Chatterjee
Type of talk: Master Final
Advisor: Dr. Katharina Krombholz
Title: User-centric Privacy Design for Smart Speakers
Research Area: RA5
Abstract: As ubiquitous computing becomes more widespread, so does the market for voice-controlled smart devices which afford convenience like never before. Smart home systems allow smart devices to connect to a hub, such as Amazon's Alexa, or Google Nest, which are smart speakers allowing users to control them by voice. However, while users find that these systems offer great convenience, they also find that they need to settle on a trade-off between privacy and security, and convenience. There have been reports of many privacy incidents in recent years, and in 2019, 41% of all smart home users were found to have been apprehensive about privacy around their smart speakers.
While there already exist a few designs for privacy protecting solutions, to the best of my knowledge, none of these have taken a user-centric approach to the design problem. My thesis thus proposes to identify one or more effective designs for privacy enhancement solutions for smart speakers, designed with the users in mind.
This is achieved by conducting a brief mixed-methods study with smart speaker users. The study comprises a questionnaire, a semi-structured interview, and prototype evaluation, allowing for the collection of detailed and meaningful insights into users’ perceptions, requirements and preferences. Through this study, I observe patterns in user intentions and behaviours around their smart speakers, and elicit design preferences. Finally, I establish user-centric designs and present recommendations for the design and development of future privacy enhancement solutions.
15:00-15:30
Speaker: Tom Baumeister
Type of talk: Master Intro
Advisor: PD Dr.Swen Jacobs
Title: Parameterized Repair of Disjunctive Systems for Liveness Properties
Research Area: RA2 (Reliable Security Guarantees)
Abstract: Concurrent systems that are composed of an arbitrary number n of processes, are hard to get correct. For these systems, parameterized model checking can provide correctness guarantees that hold regardless of n. However, model checking gives the designer no information about a possible repair when detecting an incorrect behaviour. The parameterized repair problem is, for a given implementation, to find a deadlock-free refinement such that a given property is satisfied by the resulting parameterized system. We present a repair algorithm that uses a parameterized model checker to determine correctness of generated candidate repairs. By updating a constraint system, when detecting a violation, the algorithm returns a repair iff one exists. For general safety properties, this algorithm can be applied on classes of systems which can be represented as well-structured transition systems (WSTS), including disjunctive systems, pairwise rendezvous systems and broadcast protocols. However, the existing approach cannot guarantee correctness for liveness properties, like termination or the absence of undesired loops. Since verifying liveness properties for parameterized systems quickly leads to undecidability, we want to study the parameterized repair problem for disjunctive systems and general liveness properties.
|
Written on 25.03.22 by Stella Wohnig
Dear all,
welcome to the new course for the Bachelor and Master seminar in the summer term.
Right now the announcements will still be on the old Seminar page for 21/22, but we move here soon, so you may already register for the upcomming term :)
Best, Stella
|