Next Seminar on 22.06.2022
Written on 17.06.2022 17:00 by Mang Zhao
The next seminar(s) take place on 22.6. at 14:00.
Session A: (RA4,5) (14:00-15:30)
Joshua Steffensky, Antonios Gkiokoutai, Daniel Reinold
Meeting-ID: 967 8620 5841
Session B: (RA 1,2,3|4) (14:00-15:30)
Julian Biehl, Mirko Meinerzag, Sophie Wenning
Meeting-ID: 990 2598 9421
Speaker: Joshua Steffensky
Type of talk: Master Final
Advisor: Dr. Sven Bugiel
Title: FIDO2 inside - Unifying digital and physical authentication
Research Area: 4
The FIDO2 authentication scheme was released by the FIDO Alliance in 2018 as the
successor of their Universal 2nd Factor (U2F) scheme. FIDO2 improves on U2F by
providing a usable, secure and open authentication scheme for both hardware-backed
two-factor authentication, as well as complete passwordless authentication. While FIDO2
was, as the name “Fast IDentity Online” suggests, designed for web authentication, its
use of an asymmetric challenge-response scheme and the specification of an interface
for movable cryptographic security devices makes it amenable to being used in other
In this thesis we will explore this option. For this purpose we develop an adaptation
of the usability-deployability-security (UDS) evaluation framework by Bonneau et al.
for physical authentication schemes. Our results show that FIDO2 can be secured
for physical authentication and compares reasonably well to existing schemes. However,
exposing the FIDO2 Authenticator to an untrusted access point breaks the protocol’s
Speaker: Antonios Gkiokoutai
Type of talk: Bachelor Intro
Advisor: Dr.-Ing. Ben Stock
Title: Dangerous Extension Updates
Research Area: 5
Abstract: Browser extensions have in recent years become very popular, with thousands of downloads
across different platforms. To be able to execute their tasks and improve user experience on
the web, they require access to special APIs. Example APIs include accessing the user's
browsing history, or sending / intercepting network requests. Because those
APIs are very powerful, access to them is restricted through permissions, which need to be
explicitly requested in the extension's manifest.
Similarly to the mobile ecosystem, it is recommended for extensions to request only
necessary permissions as per the principle of least privilege, meaning only the minimum set
of permissions that they absolutely need to carry out their tasks. However, past studies have
shown that extensions often request more permissions than they need. At the same
time, many permissions are coarse-grained and provide little information about their
capabilities to the user.
To ensure that extensions do not misuse their privileges, they go through a vetting process
conducted by major browser vendors before they are released. Multiple studies have
contributed to helping detect both malicious extensions and vulnerable ones that slip
through the vetting process and end up being installed by users. Still, little research has
focused specifically on extension updates, which directly contribute to the creation of
malicious extensions in more subtle ways.
A common scenario that is of interest in this case is a benign extension turning malicious
after a future update. Results in this case can be disastrous, given that the extension has
already been installed potentially by multiple users and earned their trust, before being
updated and turning malicious.
While all major browsers claim to review updates of extensions before releasing them, a
recent study confirms that many undetected malicious extensions turned malicious after
some update. This means the review process often fails to detect dangerous updates. To be
able to estimate how prevalent such updates are, we would like to conduct a large-scale study
on the Chrome Web Store across multiple versions of existing extensions. Key questions that
we want to answer are the following:
• How often do extensions update and what is the nature of those updates? To answer
this, we intend to study the time between updates, as well as their content. We are
interested in changes in the number of API permissions requested, changes in the host
permissions (e.g. from a few host names to <all_urls> or https wildcards, or vice
versa), or changes in the manifest to upgrade to the newer v3 standard.
• Are permissions over-requested, and if so to what extent and for how long? This
requires studying the actual usage of APIs across extensions and comparing it with
the corresponding permissions in the manifest. Naturally we want to observe changes
in those behaviors, and accordingly determine to what extent is the principle of least
• Finally, when can we label an extension update as suspicious and as a result how
many suspicious extensions can we detect in the wild? Suspicious in this case would
imply the introduction of changes which have direct and critical security implications
on the extension. We need to come up with a collective approach, which leverages
data from studies in combination with our observations, in order to determine if an
update is deemed indeed suspicious.
Speaker: Daniel Reinold
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: Transpiling the Web Service Description Language
Research Area: RA4
Users want a lot of functionality and information from the modern web. Web services
provide an interface to request information and functionality from remote resources,
connecting clients and servers to each other. This interface can receive direct user input,
which makes it vulnerable to invalid or malicious requests. If a web service goes offline
due to an attack or bug, it can affect other peers that rely on its functionality. Because
of this, it is essential that web services are robust and secure.
Fuzzing is a technique to automatically test software for vulnerabilities and other
unintended behavior by generating random inputs. However, if completely random values
are being produced, the result will be primarily invalid calls. To make this approach
more efficient at creating valid inputs, a grammar can be used. Grammars are a way to
specify the structure of an input and can be used in grammar-based fuzzers to generate
values for testing. A drawback is that it can be difficult and time-consuming to create
a grammar from scratch for a target application. This can be avoided by deriving the
grammar from documents specifying the interface.
For web services, such a description exists in a specification called Web Services
Description Language. These documents are usually publicly available, which enables us to test
our implementation on a wide range of live web services. Our approach is to convert the
Web Services Description Language into a so-called universal grammar. We then use it to
generate many random values that match the input structure and send them in a request
to the web service. Our goal is to create a process to automatically fuzz web services,
even if they have structurally complex interfaces.
Speaker: Julian Biehl
Type of talk: Master Intro
Advisor: Dr. Robert Künnemann
Title: Translating Multiset Rewrite Rules to ProVerif
Research Area: RA2
Abstract: Protocol verification tools are a means of modeling security protocols and checking whether they fulfill the desired security guarantees. One popular example of such a tool is Tamarin, which relies on multiset rewrite rules to model protocols. Another popular tool is ProVerif, where protocols are modeled in a process calculus, which is then translated to Horn clauses for the analysis. Since multiset rewrite (MSR) rules and Horn clauses share some common properties, translating MSR rules into Horn clauses is relatively straightforward, even though it introduces some overapproximation. In this thesis, we will propose such a translation, implemented as an extension to Tamarin. As ProVerif is generally known to be much faster than Tamarin, we suspect that this translation will allow many MSR models to be analyzed much faster than using only Tamarin. In order to verify this hypothesis, we will evaluate our translation using a variety of protocol models which were already written for Tamarin and compare the performance of the two. This evaluation will also be the main focus of the final thesis.
Speaker: Mirko Meinerzag
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Hardening Android's Task Management to Prevent Phishing
Research Area: RA3|4
Android's user interface has been frequently targeted by malware to perform attacks like phishing, denial of service, and more. These attacks often need little to no extra permissions but have devastating consequences for the user. One particular attack is called task hijacking. Task hijacking abuses the task management of Android to compromise the UI of benign applications. The vulnerability can then be used to launch follow-up attacks that leak sensitive information or deny crucial services.
This thesis continues previous work on task hijacking. One proposed solution is to enhance task management so that developers can protect their UI from being hijacked. In this work, the proposed solution is implemented as a prototype on Android 10. This is done by modifying the Android Open Source Project such that developers can declare in the manifest of their app which parts of the UI should be treated as sensitive and need further protection by a security-enhanced task management.
The prototype is evaluated against several proof-of-concept apps to show its effectiveness, usability, and performance compared to an unmodified Android version. Furthermore, we performed a small-scale analysis of top apps from Google Play. This work also presents the results of the APK analysis and compares them to previous, similar studies on the topic.
Speaker: Sophie Wenning
Advisor: Prof. Dr. Antoine Joux
Research Area: RA1
No information is provided.