Next Seminar on 31.08.2022
Written on 26.08.2022 10:56 by Mang Zhao
Dear All,
The next seminar(s) take place on 31.08. at 14:00 (Session A) and 14:00 (Session B).
Session A: (RA3,5) (14:00-15:30)
Lisa Hoffmann, Simon Hasir, Philipp Baus
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B: (RA2,5) (14:00-15:30)
Philipp Dewald, Omar Renawi, Simon Ochsenreither
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
Speaker: Lisa Hoffmann
Type of talk: Bachelor Final
Advisor: Dr. Katharina Krombholz
Title: A User-Study on the Usability of a Cookie-Banner Violation Reporting Tool
Research Area: RA5
Abstract:
Cookie banners make a daily appearance in the internet usage of many.
The purpose of these pop-ups is to allow users of the website the opportunity to provide informed consent on the use of their personal data.
This is a result of the data privacy laws of the European Union (EU) and the countries inside the EU themselves.
The data privacy laws not only state that the users need to provide informed consent before the use of their personal data but also provide guidelines on how this consent has to be collected.
Some of the cookie banners maliciously or unconsciously violate those guidelines.
This thesis aims to design a violation reporting tool and to test whether users without further education in informatics or law can report such violations with the tool's help after a brief instruction.
During the study, the participants were confronted with an introduction on which violations they could expect.
Afterwards, the participants were confronted with six example cookie banners, some of which had violations of the privacy law in their design.
The results indicate that overall knowledge about cookie banners and the privacy law they are based on is slight, and plenty of misconceptions were discovered; with a proper introduction, however, the participants were able to recognise a modest number of the violations.
Using the information collected in the study, and focusing on the uncertainties and problems the participants encountered, a user-friendly design of the reporting tool can be developed.
14:30-15:00
Speaker: Simon Hasir
Type of talk: Bachelor Intro
Advisor: Andreas Zeller and Rahul Gopinath
Title: Mining Output Grammars
Research Area: RA3: Threat Detection and Defenses
Abstract:
A formal specification of the input and output languages is crucial in research areas such as intrusion and vulnerability detection. Our tool constructs context-free grammars that capture the syntactic structure of a program's output. We use instrumentation and tainting to reconstruct the dynamic control dependency graph (dynamic CDG) and to track the origin of each output character. Our results promise to reflect the intended structure, stay human-readable, and solve the problem of missing syntactic output specifications.
15:00-15:30
Speaker: Philipp Baus
Type of talk: Bachelor Final
Advisor: Ben Stock
Title: Do you trust your Types? A qualitative Study on the Usability of Trusted Types to prevent Client-Side XSS vulnerabilities
Research Area: RA5
Abstract:
Cross-site scripting (XSS) is a web vulnerability that allows attackers to execute arbitrary JavaScript code in a victim's browser. Although a lot of time has passed since its discovery in 1999, XSS is still a huge problem for websites on the internet today. With the current trend of shifting web application code to the client side and the rising complexity of client-side code, the prevalence of client-side XSS vulnerabilities is also becoming more severe.
To mitigate these vulnerabilities, Google recently introduced a new web API called Trusted Types. Trusted Types eliminate the root causes of client-side XSS vulnerabilities by locking dangerous DOM and JavaScript API functions so that they only accept input in the form of a Trusted Types object. However, of the top websites at the time, only Facebook and Google were actively using Trusted Types to protect their services against client-side XSS vulnerabilities.
Therefore, this thesis aims to find common roadblocks for web developers when it comes to the implementation and the understanding of Trusted Types. To achieve this goal, we conducted a qualitative study on the usability of Trusted Types for web developers.
Session B:
14:00-14:30
Speaker: Philipp Dewald
Type of talk: Bachelor Final
Advisor: Dr. Katharina Krombholz
Title: End User Privacy Concerns about the Corona-Warn-App
Research Area: RA5
Abstract: When the Corona-Warn-App was launched on June 16, 2020, expectations and hopes were quite high. Helge Braun, then Chancellery Minister and Federal Minister for Special Tasks, stated his conviction that it was the best corona app. Then Chancellor Angela Merkel declared it would be a milestone in the fight against Corona. However, it turned out that this was not the case. The lack of broad participation was one of the reasons for the app's ineffectiveness. Although the baseline of 15% of the population participating, needed for the app to work, was reached only eight days after launch, a much-discussed Oxford study, to be regarded with caution, stated that 60% of the population would need to participate to stop the pandemic. This value has not been reached even after nearly two years. Related work has shown that the most common reason for people not using contact tracing apps is privacy concerns, which was also found for the Corona-Warn-App. We investigate these concerns to find out what they are and where they come from. Investigating privacy concerns becomes even more interesting as it has been shown that the app complies with the requirements of the GDPR and that user data is stored decentrally. The goal of conducting 15 semi-structured interviews is to shed light on end-user privacy concerns, reasons, and fears regarding the Corona-Warn-App. We see that people have concerns about surveillance, data leaks, misuse, confidentiality, hackers, and technical features of the app. These are mainly due to previous experiences and to a lack of knowledge or wrong knowledge. Among other findings, we also learn why some people indicate that they have no privacy concerns. The conclusions have implications for the Corona-Warn-App but also for health-related mobile applications and for apps that depend on voluntary participation.
14:30-15:00
Speaker: Omar Renawi
Type of talk: Master Intro
Advisor: Dr. Julian Loss
Title: A Modular Treatment of Abe's Blind Signature Scheme
Research Area: RA2
Abstract: Digital payment services provide great convenience, yet this convenience may cost customers their privacy, because centralized payment systems enable banks to perform mass surveillance. To tackle this problem, Chaum proposed the notion of blind signatures to construct untraceable digital payment systems. One of the well-known blind signature schemes is Abe's scheme (EUROCRYPT'01), which has been proven secure by Kastner (PKC'22) in the Random Oracle Model and the Algebraic Group Model (ROM + AGM). Unfortunately, the fact that the adversary may behave dishonestly made the proof rather complex. To address this issue, we give a modular security analysis that yields a simplified security proof for Abe's scheme in the same model (ROM + AGM), following a methodology similar to Hauck (EUROCRYPT'19).
15:00-15:30
Speaker: Simon Ochsenreither
Advisor: Julian Loss
Research Area: RA2
No information is provided.