Bachelor- and Master Seminar CISPA Staff

 

Dear All,

Please note that the type of Ole Heydt's talk is: Bachelor Final. 

We are sorry for the mistakes in the previous notification.

 

Speaker: Ole Heydt
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4

Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical 
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project 
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.

With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are 
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions). 
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.

The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers 
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks 
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths 
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs. 
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts. 
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks. 
 

Dear All,

The next seminar(s) take place on 20.07. at 14:00 (Session A) and 14:30 (Session B).

Session A: (RA1,3,4) (14:00-15:30)
Christian Schumacher, Ole Heydt, Yassir Kozha

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 3,4)(14:30-15:30)
Ulysse Planta, Eric Minas

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Christian Schumacher
Type of talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Security Analysis of IoT Devices and Vulnerable User Notification
Research Area: RA3

Abstract: 
IoT devices become more and more common in everyone's daily live. With every new device the chance that they are wrongly configured or outdated rises. I will analyze smart home devices (predominantly security cameras and routers) and check their currently implemented security features by inspecting their interfaces and their manuals. In addition, I plan to look at this also from a usable security standpoint to see if the manufacturers could help reduce the amount of badly secured devices by implementing known security ideas. I plan to systematically investigate such different solutions and to analyse what they would accomplish for the respective device.

Furthermore, I plan to address the question "How could someone contact affected people of wrongly configured or outdated devices?". Most of the time a security researcher would only have the IP address of the affected device. What are the steps one has to go through to contact the owner? Is it even possible to contact them knowing only their IP and how have other researchers dealt with the problem of reaching people of compromised devices in the past.
 

 

14:30-15:00

Speaker: Ole Heydt
Type of talk: Bachelor Final
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4

Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical 
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project 
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.

With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are 
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions). 
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.

The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers 
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks 
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths 
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs. 
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts. 
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks. 

 

15:00-15:30

Speaker: Yassir Kozha
Type of talk: Master Final
Advisor: Dr. Robert Künnemann
Title: Formalising Privilege Escalation Attacks in Kubernetes
Research Area: RA1

Abstract:
Analysing networks and systems has become a necessity in modern and big companies. Finding vulnerabilities and fixing them requires a solid knowledge of the network topology and a great consideration of the effort lying behind finding mitigation techniques. Tools scanning networks for susceptible hosts, rely on known vulnerabilities from public databases. However, the information on the impact of a an exploit is partially vague.

Network's topology and infrastructure integrates in many cases Kubernetes. Kubernetes is an open-source container-orchestration system that automate creating and managing containers. The spread of Kubernetes opens a new world for cybercriminals. Moreover, it adds new challenges for network scanning tools to consider Kubernetes components and their relations.
%Most implementations regard attacks with no regard to possible host-level privilege escalation.

In this thesis, we base on the work of Künnemann et al., which introduced a concept of scanning networks and using the information available to detect potential privilege escalations within nested access control contexts. Our approach is to extend their work to consider Kubernetes clusters. We analyse the Kubernetes structure and components and provide a mapping from Kubernetes descriptions to the model defined in their paper.

 

Session B:

14:30-15:00

Speaker: Ulysse Planta
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: Frequency Side-Channels on AMD Processors
Research Area: RA3

Abstract: 

Traditionally, power side-channels were limited to an attack model with full physical access
and external hardware to measure the power consumption of the system under attack. With the
addition of software interfaces like RAPL, software-only power side-channels became feasible.
As a reaction to this new category of attacks, CPU vendors lowered the precision of reported energy
consumption and operating systems restricted access to energy measuring interfaces to
privileged programs only. Because modern processors continuously vary their operating
frequency depending on the workload, temperature, and energy constraints, we can draw a
conclusion about the type of workload solely from the frequency that the processor is operating at.
Using the RDPRU instruction introduced by AMD with its Zen 2 microarchitecture, an unprivileged
attacker can access two different processor internal registers, yielding a primitive, that allows for
frequency measurements with previously unreachable temporal resolution.
We investigate the resulting side channel on recent AMD processors to see what an attacker can
infer from frequency measurements on these processors and how these attacks can be mitigated.
 

15:00-15:30

Speaker: Eric Minas
Type of talk: Bachelor intro talk
Advisor: Marius Smytzek
Title: Structured Test Generation for Audio Formats
Research Area: 4

Abstract: Fuzzing is a great way to test programs on their inputs, but when the input is a file, it gets complicated. This is because most fuzzers are format-agnostic, meaning that they cannot generate structured data. Format Fuzzer is a program that lets its users write a template for files with a specific format and then generate these files with random data that still adheres to the specification and more importantly to the context and dependencies to other parts of the file, such as checksums.
I created two specifications for audio files, namely for the OGG and fLaC format. These chunk-based formats are quite similar in their structure, though, fLaC has more complex chunks that had to be implemented.
The generated files were then used to test open-source programs on their ability to parse these files with random data. The results of that were the compared to using American Fuzzy Lop (AFL). 

 

Dear All,

The next seminar(s) take place on 06.07. at 14:00 (Session A) and 14:30 (Session B).

Session A: (RA1,4,5) (14:00-15:30)
Kevin Theobald, Luc Seyler, Metodi Mitkov

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 3)(14:30-15:00)
Fabian Thomas

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Kevin Theobald
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Andreas Zeller
Title: How Test Sets Influence Automatic Program Repair
Research Area: RA4

Abstract: 
Automatic program repair is a technique to automatically fix software defects by finding, analyzing and fixing the defects. After each loop in the technique, automated program repair generates a possible patch which needs to be verified. This verification process is done by a test suite. There are two colliding interests about the size of the test suite. On the one side, if the test suite has no or too few test cases, the result of the automatic program repair technique is inapplicable. On the other side, if the test suite is too large, the runtime of the automatic program repair technique is unfeasible.

In this study, I want to investigate on what a test suite needs to be a suited candidate for automatic program repair. I use established techniques from test generation to create various test suites and investigate on how automatic program repair behaves on these test suites.

I want to find out if there exists a minimum or maximum size of test suites which still produces a qualitative fix in automatic program repair. In addition, I want to investigate on how many failing and passing test cases the test suite needs.

The results of my study could help to improve automatic program repair by providing a reasoning about the trade between the quality of a fix and the runtime of automatic program repair.

 

14:30-15:00

Speaker: Luc S.
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Signing without Interaction - Anonymous EC Blind Signatures
Research Area: RA1

 

15:00-15:30

Speaker: Metodi Mitkov
Type of talk: Bachelor Intro
Advisor: Dr. -Ing Ben Stock
Title: Security Headers on the Web Post-Login
Research Area: 5

Abstract: Web sites are continuously growing in complexity - an ever-increasing codebase that relies heavily on third-party content is a common occurrence on the Web today. Developers have the difficult task of ensuring that each component on a Web site works correctly and does not cause conflicts or errors. While the main focus lies in ensuring that all components work correctly, the security of a Web site is often pushed to the side. For these reasons, we regularly hear about vulnerabilities on the Web. A multitude of browser-enforced defense mechanisms exists to protect against the possibility of a vulnerability in the ever-rising complexity of the Web. However, defense policies are frequently misused, leading to a false sense of protection. The usual culprit of security inconsistencies on the Web is CSP, widely known by developers for its difficulty to use. Even other defense mechanisms on the Web, which are supposedly easier to use, such as cookie security attributes, are misused across the board. While researchers have investigated the development of security mechanisms and their inconsistent use across the Web, some questions remain to be answered. For example an important aspect is the separated context between a registered and an unregistered session. A registered user could have access to other features and pages which are otherwise inaccessible.

I want to investigate the prominence of misused security headers in the context of a logged-in user and compare it to the pre-login counterpart. I want to understand why inconsistencies occur and what conclusions I can draw from the current state of the usage of security policies. What type of inconsistencies are there? Are there differences between the security guarantees for logged-in users and not logged-in visitors? Which security policies are misused the most? Are there any patterns?

 

Session B:

14:30-15:00

Speaker:        Fabian Thomas
Type of talk:   Bachelor Intro
Advisor:        Michael Schwarz
Title:          Meltdown as a Sidechannel
Research Area:  RA3

Abstract:
As a response to the disclosure of the Meltdown vulnerability in 2017, which
essentially enables an attacker to read arbitrary kernel memory, all major
Operating Systems implemented software fixes to address this new kind of attack
on hardware. We present a novel way to leak sensitive data that is not protected
by these state of the art mitigations. Our new technique relies on the fact that
some data structures like the Interrupt Descriptor Table are required to be
mapped into user space on x86 CPUs. Therefore no software patches can be applied
to these memory regions. By interpreting a successful Meltdown read as a cache
hit we are able to leak the timing of hardware keyboard interrupts and legacy
system calls on CPUs without hardware fixes addressing these issues. We use a
custom Meltdown block to further improve the reliability of this caching side
channel. Additionally, we analyze the Meltdown mitigation kernel page-table
isolation (KPTI) to evaluate the severity of our findings.

Dear All,

The next seminar(s) take place on 22.6. at 14:00.

Session A: (RA4,5) (14:00-15:30)
Joshua Steffensky, Antonios Gkiokoutai, Daniel Reinold

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 1,2,3|4)(14:00-15:30)
Julian Biehl, Mirko Meinerzag, Sophie Wenning

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Joshua Steffensky
Type of talk: Master Final
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4

Abstract: 
The FIDO2 authentication scheme was released by the FIDO Alliance in 2018 as the
successor of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by
providing a usable, secure and open authentication scheme for both hardware backed
two-factor authentication, as well as complete passwordless authentication. While FIDO2
was, as the name “Fast IDentity Online” suggests, designed for web authentication, its
use of an asymmetric challenge-response scheme and the specification of an interface
for movable cryptographic security devices makes it amenable to being used in other
authentication contexts.
In this thesis we will explore this option. For this purpose we develop an adaptation
of the usability-deployablility-security (UDS) evaluation framework by Bonneau et al.
for physical authentication schemes. Our results show, that FIDO2 can be secured
for physical authentication and compares resonably well to existing schemes. However,
exposing the FIDO2 Authenticator to an untrusted access point breaks the protocol’s
unlinkability goal.

 

14:30-15:00

Speaker: Antonios Gkiokoutai
Type of talk: Bachelor Intro
Advisor: Dr. -Ing Ben Stock
Title: Dangerous Extension Updates
Research Area: 5

Abstract: Browser extensions have in recent years become very popular, with thousands of downloads
across different platforms. To be able to execute their tasks and improve user experience on
the web, they require access to special APIs. Example APIs include accessing the users
browsing history, or sending / intercepting network requests. Because of the nature of those
APIs being very powerful, access to them is restricted through permissions, which need to be
explicitly requested in the extensions manifest.

Similarly to the mobile ecosystem, it is recommended for extensions to request only
necessary permissions as per the Principle of Least privilege, meaning only the minimum set
of permissions that they absolutely need to carry out their tasks. However, past studies have
shown that extensions often request more permissions than they need. At the same
time, many permissions are coarse-grained and provide little information about their
capabilities to the user.

To ensure that extensions do not misuse their privileges, they go through a vetting process
conducted by major browser vendors before they are released. Multiple studies have
contributed into helping detect both malicious extensions as well as vulnerable ones, that slip
through the vetting process and end up being installed by users. Still, little research has
focused specifically on extension updates, which directly contribute to the creation of
malicious extensions in more subtle ways. 

A common scenario that is of interest in this case, is a benign extension turning malicious
after a future update. Results in this case can be disastrous, given that the extension has
already been installed potentially by multiple users and earned their trust, before being
updated and turning malicious.

While all major browsers claim to review updates of extensions before releasing them, a
recent study confirms that many undetected malicious extensions turned malicious after
some update. This means the review process often fails to detect dangerous updates. To be
able to estimate how prevalent are such updates, we would like to conduct a large-scale study
on the Chrome Web Store across multiple versions of existing extensions. Key questions that
we want to answer are the following:
ï How often do extensions update and what is the nature of those updates? To answer
this, we intend to study the time between updates, as well as their content. We are
interested in changes in the number of API permissions requested, changes in the host
permissions (e.g. from a few host names to <all_URLs> or https wildcards, or vice
versa), or changes in the manifest to upgrade to the newer v3 [9] standard.
ï Are permissions over-requested, and if so to what extent and for how long? This
requires studying the actual usage of APIs across extensions and comparing it with
the corresponding permissions in the manifest. Naturally we want to observe changes
in those behaviors, and accordingly determine to what extent is the principle of least
privilege followed.
ï Finally, when can we label an extension update as suspicious and as a result how
many suspicious extensions can we detect in the wild? Suspicious in this case would
imply the introduction of changes which have direct and critical security implications
on the extension. We need to come up with a collective approach, which leverages
data from studies in combination with our observations, in order to determine if an
update is deemed indeed suspicious.

 

15:00-15:30

Speaker: Daniel Reinold
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: Transpiling the Web Service Description Language
Research Area: RA4

Abstract:
Users want a lot of functionality and information from the modern web. Web services
provide an interface to request information and functionality from remote resources,
connecting clients and servers to each other. This interface can receive direct user input,
which makes it vulnerable to invalid or malicious requests. If a web service goes offline
due to an attack or bug, it can affect other peers, that rely on its functionality. Because
of this, it is essential, that web services are robust and secure.
Fuzzing is a technique to automatically test software for vulnerabilities and other unin-
tended behavior by generating random inputs. However, if completely random values
are being produced, the result will be primarily invalid calls. To make this approach
more efficient at creating valid inputs, a grammar can be used. Grammars are a way to
specify the structure of an input and can be used in grammar-based fuzzers, to generate
values for testing. A drawback is, that it can be difficult and time-consuming to create
a grammar from scratch for a target application. This can be avoided by deriving the
grammar from documents specifying the interface.
For web services, such a description exists in a specification called Web Services Descrip-
tion Language. These documents are usually publicly available, which enables us to test
our implementation on a wide range of live web services. Our approach is to convert the
Web Service Description Language into a so-called universal grammar. We then use it to
generate many random values that match the input structure and sent them in a request
to the web service. Our goal is to create a process to automatically fuzz web services,
even if they have structurally complex interfaces.

 

Session B:

14:00-14:30

Speaker: Julian Biehl
Type of talk: Master Intro
Advisor: Dr. Robert Künnemann
Title: Translating Multiset Rewrite Rules to ProVerif
Research Area: RA2

Abstract: Protocol verification tools are a means of modeling security protocols and checking whether they fulfill the desired security guarantees. One popular example for such a tool is Tamarin, which relies on multiset rewrite rules to model protocols. Another popular tool is ProVerif, where protocols are modeled in a process calculus, which is then translated to Horn clauses for the analysis. Since multiset rewrite (MSR) rules and Horn clauses share some common properties, translating MSR rules into Horn clauses is relatively straightforward, even though it introduces some overapproximation. In this thesis, we will propose such a translation, implemented as an extension to Tamarin. As ProVerif is generally known to be much faster than Tamarin, we suspect that this translation will allow to analyze many MSR models way faster than using only Tamarin. In order to verify this hypothesis, we will evaluate our translation using a variety of protocol models which were already written for Tamarin and compare the performance of the two. This evaluation will also be the main focus of the final thesis.
 

 

14:30-15:00

Speaker: Mirko Meinerzag
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Hardening Android's Task Management to Prevent Phishing
Research Area: RA3|4

Abstract: 
Android's user interface has been frequently targeted by malware to perform attacks like phishing, denial of service, and more. These attacks often need little to no extra permissions but have devastating consequences for the user. One particular attack is called task hijacking. Task hijacking abuses the task management of Android to compromise the UI of benign applications. The vulnerability can then be used to launch follow-up attacks that leak sensitive information or deny crucial services. 

This thesis continues previous work on task hijacking. One proposed solution is to enhance task management so that developers can protect their UI from being hijacked. In this work, the proposed solution is implemented as a prototype on Android 10. This is done by modifying the Android Open Source Project such that developers can declare in the manifest of their app which parts of the UI should be treated as sensitive and need further protection by a security-enhanced task management.

The prototype is evaluated against several proof-of-concept apps to show its effectiveness, usability, and performance compared to an unmodified Android version. Furthermore, we performed a small-scale analysis of top apps from Google Play. This work also presents the results of the apk analysis and compares them to previous, similar studies on the topic.

 

15:00-15:30

Speaker: Sophie Wenning
Advisor: Prof. Dr. Antoine Joux
Research Area: RA1

Abstract:

No information is provided.

Dear All,

The next seminar(s) take place on 8.6. at 16:00 respectively 14:30.

Be aware that session A is at 16:00!

Session A: (RA4,5) (16:00-16:30)
Kai Glauber

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 5)(14:30-15:30)
Pavithra Krishna, Jorim Bechtle

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

16:00-16:30 

Speaker: Kai Glauber
Type of talk: Master Intro
Advisor: Prof. Dr. Giancarlo Pellegrino, Soheil Khodayari
Title: DORK: A Study on the Context, Prevalence and Cause of Open Redirects in today's Web
Research Area: RA5

Abstract:

Redirects are an essential part of today's internet workflow. While they are
often used as tool to seamlessly improve user experience, they are also quite
common in the context of authentication and advertisement. However, previous
work has shown, that developers often fail to secure their redirects properly.
An open redirect is a vulnerability that occurs when the target of a redirect
depends on untrusted user-controlled input, which is not properly validated.
While the impact of this vulnerability is generally considered to be low, it is
often used as a stepping stone for more sophisticated exploits, such as
stealing OAuth tokens, bypassing Content Security Policies or phising.

This thesis aims to provide an overview of the prevalence of open redirects in
today's web. As a first step, we manually analyze past CVEs to get a better
understanding of the context in which past vulnerabilities manifested. We do
so, by filtering CVEs based on access to source code, specifically references
to Github repositories, which often times contain valuable information about
the vulnerability at hand. Furthermore, we aim to identify common patterns,
that we can use to detect open redirects in the future by collecting data on
which mitigation was used and what went wrong. Finally, the collected data is
used in our prototype implementation DORK which is an acronym for "Detecting
Open Redirects at sKale". DORK automatically creates custom Google Dork
queries, to scan the Tranco top 10k most popular websites for open redirects.
This approach provides us with a list of candidates that DORK actively probes for
open redirects by replacing the target of the redirect with a domain under our
control which keeps track of incoming traffic.

 

 

Session B:

14:00-14:30

No talk this week

 

14:30-15:00

15:00-15:30

Speaker: Jorim Bechtle
Type of talk: Bachelor Intro
Advisor: Michael Schwarz
Title: New Hardware - Old Vulnerabilities: Software-based Side-channel Attacks on RISC-V Architecture
Research Area: RA3

Abstract:
x86 and ARM systems have been around for quite some time, so has the idea of an open-source instruction set architecture. There have been FPGA emulations and prototype boards based on RISC-V, but it is only since recently that mass-produced RISC-V systems exist.
This raises the question which side-channel attacks developed for x86 or ARM are applicable to RISC-V and which of the recommendations to prevent side-channel attacks from the last decades have been applied.
The goal of this research is to explore the cache layout and function and create basic building blocks like timing and flushing for software-based side-channel attacks and ultimately to create a proof-of-concept exploit on for an old OpenSSL version.

 

 

Dear All,

The next seminar(s) take place on 25.05. at 14:00 respectively 14:30.

Session A: (RA4,5) (14:00-15:00)
Norman Ziebal - Florian B.

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (RA 5)(14:30-15:30)
Paul Frerichs - Raphael Maser

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Norman Ziebal
Type of talk: Bachelor Intro
Advisor: Prof. Andreas Zeller, Dr. Dominic Steinhoefel, Dr. Rafael Dutra
Title: Grammar meets Binary Template - Bidirectional conversion between context free grammars and binary templates
Research Area: RA4,5

Abstract:
Most programs expect highly structured inputs, which makes black-box fuzzing rather inefficient because inputs get rejected very early in the program flow.
Grammar-based fuzzing is a common technique to provide much better inputs to programs based on a specification.
FormatFuzzer is a generator for format-specific fuzzers. It takes a Binary Template as input, a format specification for a binary format,
and produces a highly efficient and fast parser and generator, which is conform to the provided specification.

Hundreds of Binary Templates already exist for various formats, but they can not be utilized by other grammar-based fuzzing tools,
due to Binary Templates being written in an imperative C-Style.
Grammar-based fuzzing tools commonly rely on a more declarative type of specification, like context-free grammars.
Context-free grammars are widely used when it comes to grammar-based fuzzing. They are easy to read and write for humans and have proven to be a good way of specifying a format.
Therefore many grammar-based fuzzing tools work well with context-free grammars as input.

This work aims to combine the benefits of context-free grammars and Binary Templates for fuzzing.
We will implement a framework for bidirectional conversion between context-free grammars and binary templates.
With this framework, we will, on one hand, be able to leverage the vast quantity of existing binary templates with already existing fuzzing tools and techniques
and on the other hand, combine the simplicity of context-free grammars with the speed and efficiency of FormatFuzzer.

 

14:30-15:00

Speaker: Florian B.
Type of talk: Bachelor Final
Advisor: Dr. Dominic Steinhöfel, Prof. Andreas Zeller
Title: Bidirectional Converter Between ANTLR, BGF and a Pivot Language
Research Area: RA5

Abstract:
Grammar-based fuzzing is a common technique to make fuzzers more program-specific. On the one hand, there are different fuzzers with different grammar formats as input and on the other hand, there are large grammar collections like the Grammar Zoo with its BGF format or repositories with many grammars in ANTLR format. The ability to convert different grammar formats into each other would allow to use existing grammar collections, and thus thousands of grammars without requiring additional work for each grammar.
Bidirectional conversion between these different formats is easiest accomplished using a pivot language.
This pivot language can then be used to convert ANTLR to BGF and vice versa, or to convert to any new format by simply developing a new converter for a different format while using he same pivot language.
In this thesis, a converter will be developed to convert ANTLR and BGF into a pivot language and vice versa.

 

15:00-15:30

no talk this week
 

Session B:

14:00-14:30

No talk this week

 

14:30-15:00

15:00-15:30

Speaker: Raphael Maser
Type of talk: Bachelor Intro
Advisor: Prof. Mario Fritz, Dr. Andreas Husch (Uni Luxemburg)
Title: Confounding in Machine Learning Models
Research Area: RA1

Abstract:
Machine Learning has seen a lot of progress during the last decade and gained even more attention during the enduring COVID-19 epidemic. Despite this progress, the clinical relevance of ML in the medical domain is still rather low, mainly because models exhibiting good performance in the test environment fail when deployed in the real world. This is mainly caused by a gap between training data and real-world data, where bias and (hidden) confounders in training prevent the models trained from them to capture clinically relevant settings.
Working towards more robust models by utilizing domain adaptation techniques, we aim to reliably assess different de-confounding techniques. To achieve this a simple framework for the creation of synthetic confounded data and injection of confounders in real datasets will be written.

 

Dear All,

The next seminar(s) take place on 11.05. at 14:00.

Session A: (RA4,5)
Philipp Dewald - Ole Heydt - Birk Blechschmidt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30 

Speaker: Philipp Dewald
Type of talk: Bachelor Intro
Advisor: Dr. Katharina Krombholz
Title: End User Privacy Concerns about the Corona-Warn App
Research Area: RA5

Abstract: When the Corona-Warn App was launched on the 16th of June in 2020, the expectations and hopes were quite high. Helge Braun, then Chancellery Minister and Federal Minister for Special Tasks, stated he is "quite convinced that it is the best [corona app]" and then Chancellor Angela Merkel declared it will be "a milestone in the fight against Corona." However, it turned out that was not the case. The lack of broad participation was one of the main reasons for the app's ineffectiveness.
Related work has shown that the most common reason for people not using the app was privacy concerns. In this upcoming Bachelor Thesis, we want to have a look at these and find out what they look like and where they came from.

 

14:30-15:00

Speaker: Ole Heydt
Type of talk: Bachelor Intro
Advisor: Nils Ole Tippenhauer, Alessandro Erba, John Henry Alvarado
Title: Systematic Evaluation of Stealthy Attacks against Quadcopter Drones
Research Area: RA4

Abstract:
Drones, rovers or more generally Robotic Vehicles (RVs) have long since ceased to be science-fiction. The usability of cyber-physical
systems in customer industry or the military is widely known. Take for example the advances of Amazon with their "Prime Air" project
where the aim is to create a drone delivery system for customers that could potentially massively impact the delivery market as a whole.

With both the commercial but also political impact that RVs can potentially hold, one needs to develop security mechanisms which are
elaborate enough to defend against - on one hand commercial loss (e.g. delivery services), on the other the endangerment of human life (e.g. military drone missions).
The corruption of cyber-physical systems holds much power as past attacks like Stuxnet prove.

The main challenges of cyber-physical-system security originate from the generally complicated nature of such, as e.g. drones or rovers
operate on both cyber (software) and physical (robotics) layers. Previous work shows that there already exist various possible attacks
on RVs like GPS spoofing or acoustic attacks on e.g. gyroscopes that can significantly deviate the vehicles from their programmed paths
or even lead to crashes. Advances in physics as well as software development and maths are required to develop security mechanisms for RVs.
In our work we want to discuss and and evaluate attacks against drones (more specifically quad-copters) that were introduced in recent research efforts.
Additionally we aim to find and create a systematic way of testing and evaluating countermeasures against such attacks.

 

15:00-15:30

Speaker: Birk Blechschmidt
Type of talk: Master Intro
Advisor: Dr.-Ing. Ben Stock
Title: Extended Hell: A Study on the Current Support of Email Confidentiality and Integrity
Research Area: RA5

Abstract: The core specifications of electronic mail as used today date back as early as the 1970s. At that time, security did not play a major role in the development of communication protocols. These shortcomings still manifest itself today in the prevalence of phishing and the reliance on opportunistic encryption. Besides STARTTLS, various mechanisms such as SPF, DKIM, DMARC, DANE and MTA-STS have been proposed. However, related work has shown that they are not supported by all providers or that misconfiguration is common.

This thesis aims to provide an overview on the current state of email confidentiality and integrity measures and the effectiveness of their deployment. In particular, we are going to investigate the support of security mechanisms by popular email providers, thereby validating and extending previous work. Since MTA-STS has not yet been widely studied, we contribute an overview on the outbound support of MTA-STS. Furthermore, we try to find a lower bound of domains supporting DANE bindings for OpenPGP as well as DNSSEC-associated S/MIME certificates and measure their key strength.

Dear students,

To accomodate for a specific case of circumstances, we will have one of the sessions on 8.6. at 14-15:30 as regular and one session at 15-16:30.
I appologize for your inconvenience. The dates for the later session can be booked on https://calendly.com/bamaseminar2

Of course, if you can not attend the session after 15:30, you will not have to change plans, we are aware this might collide with lectures.
Please visit the earlier seminar in that case (=if you don't have time later), even if your research area talks are in the later slots.

Best regards, Stella

Dear All,

The next seminar takes place on 27.04. at 14:30.

Session A: (RA1,5)
Nils Olze - Erfan Balazadeh

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00-14:30 

No talk this week.

 

14:30-15:00

Speaker: Nils Olze
Type of talk: Master Intro
Advisor: Sven Bugiel
Title: Is Your Password On Your Hard Drive? Impact of File System Access on Credential Access
Research Area: 5

Abstract: Passwords are an aging but still the most wide-spread way of user authentication. With the ever growing amount of online services, users are burdened to manage more and more credentials, often leading to insecure password management behavior. Password Reuse puts all accounts of a user at risk, once a single pair credentials is known to an attacker. While Password Managers offer a solution to this problem, they are still lacking adoption by users, especially less tech-savy ones. Simpler methods like Password Notebooks in physical or digital form are adopted instead. Physical notebooks on the one hand, the are often recommended as a valid strategy, but unsecured digital ones put credentials at risk to anyone who has access to the file.

In this work, we consider an attacker with access to the file system of a victim. Our goal is threefold. First, we seek to empirically validate the results of prior work concerning password management of users. Second, we determine whether it is feasible for an attacker to automatically detect credentials saved in unprotected text files in a file system. Lastly, we try to measure the impact of the available data on a tailored password cracking attempt.

 

15:00-15:30

Speaker: Erfan Balazadeh
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Timed-Release Cryptography using Proof-of-Stake Blockchain
Research Area: 1

Abstract: Imagine a scenario where you want to encrypt a message, but you don't want it to be able to be decrypted by the receiving party right away.
The concept of "encrypting a message to the future" is not new and has been around for many years. The proposed solutions so far, like time-lock puzzles or verifiable delay functions for instance,
are not perfect however. They require a lot of computing power and the speed can vary drastically depending on the hardware being used.

This thesis' goal is to implement a new encryption scheme, which is efficiently computable and which gets rid of the previously mentioned solutions' weaknesses, inside of a real world setting.
The idea is to make use of the existing Proof-of-Stake architecture in the Ethereum 2.0 consensus protocol, where so called committees vote on new blocks by using an aggregatable signature scheme named BLS. One of the implementation tasks of the thesis is to see if it is possible to listen to the unaggregated BLS signatures and the signed message, which are necessary for the encryption scheme. Once we have accumulated enough of these unaggregated signatures, we can go on to decrypt the message. Basically, a receiving party can only decrypt the message once certain conditions are met that the encrypter knows will happen in a desired amount of time in the future.

Dear All,

Update 2022-04-09: Added Priyasha Chatterjee's talk information, which was missing due to technical difficulties. Sorry!

The next seminar(s) take place on 13.04. at 14:00.

Session A: (RA3,4)
Joshua Steffensky - Priyasha Chatterjee - Tom Baumeister

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00-14:30 

Speaker: Joshua Steffensky
Type of talk: Master Intro
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4

Abstract:
The FIDO2 authentication scheme was released by the FIDO Alliance[1] in 2019 as the successor
of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by providing a usable, secure and open
authentication scheme for both hardware backed two-factor authentication, as well as complete passwordless
authentication. While FIDO2 was, as the name ”Fast IDentity Online” suggests, designed for web authentic-
ation, its use of an asymmetric challenge-response scheme and the specification of an interface for movable
cryptographic security devices makes it amenable to being used in other authentication contexts. This thesis
aims to investigate the possibility of using FIDO2 authentication in the physical authentication context.

 

14:30-15:00

Speaker: Priyasha Chatterjee
Type of talk: Master Final
Advisor: Dr. Katharina Krombholz
Title: User-centric Privacy Design for Smart Speakers
Research Area: RA5

Abstract: As ubiquitous computing becomes more widespread, so does the market for voice-controlled smart devices which afford convenience like never before. Smart home systems allow smart devices to connect to a hub, such as Amazon's Alexa, or Google Nest, which are smart speakers allowing users to control them by voice. However, while users find that these systems offer great convenience, they also find that they need to settle on a trade-off between privacy and security, and convenience. There have been reports of many privacy incidents in recent years, and in 2019, 41% of all smart home users were found to have been apprehensive about privacy around their smart speakers.
While there already exist a few designs for privacy protecting solutions, to the best of my knowledge, none of these have taken a user-centric approach to the design problem. My thesis thus proposes to identify one or more effective designs for privacy enhancement solutions for smart speakers, designed with the users in mind.
This is achieved by conducting a brief mixed-methods study with smart speaker users. The study comprises a questionnaire, a semi-structured interview, and prototype evaluation, allowing for the collection of detailed and meaningful insights into users’ perceptions, requirements and preferences. Through this study, I observe patterns in user intentions and behaviours around their smart speakers, and elicit design preferences. Finally, I establish user-centric designs and present recommendations for the design and development of future privacy enhancement solutions.

 

15:00-15:30

Speaker: Tom Baumeister
Type of talk: Master Intro
Advisor: PD Dr.Swen Jacobs
Title: Parameterized Repair of Disjunctive Systems for Liveness Properties
Research Area: RA2 (Reliable Security Guarantees)

Abstract: Concurrent systems that are composed of an arbitrary number n of processes, are hard to get correct. For these systems, parameterized model checking can provide correctness guarantees that hold regardless of n. However, model checking gives the designer no information about a possible repair when detecting an incorrect behaviour. The parameterized repair problem is, for a given implementation, to find a deadlock-free refinement such that a given property is satisfied by the resulting parameterized system. We present a repair algorithm that uses a parameterized model checker to determine correctness of generated candidate repairs. By updating a constraint system, when detecting a violation, the algorithm returns a repair iff one exists. For general safety properties, this algorithm can be applied on classes of systems which can be represented as well-structured transition systems (WSTS), including disjunctive systems, pairwise rendezvous systems and broadcast protocols. However, the existing approach cannot guarantee correctness for liveness properties, like termination or the absence of undesired loops. Since verifying liveness properties for parameterized systems quickly leads to undecidability, we want to study the parameterized repair problem for disjunctive systems and general liveness properties.