News

Next Seminar on 06.07.2022

Written on 30.06.2022 19:16 by Mang Zhao

Dear All,

The next seminar(s) take place on 06.07. at 14:00 (Session A) and 14:30 (Session B).


Session A: (RA1,4,5) (14:00-15:30)
Kevin Theobald, Luc Seyler, Metodi Mitkov

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting ID: 967 8620 5841
Passcode: BT!u5=

Session B: (RA3) (14:30-15:00)
Fabian Thomas

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting ID: 990 2598 9421
Passcode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Kevin Theobald
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Andreas Zeller
Title: How Test Sets Influence Automatic Program Repair
Research Area: RA4

Abstract: 
Automatic program repair is a technique to automatically fix software defects by finding, analyzing and fixing the defects. After each loop in the technique, automated program repair generates a possible patch which needs to be verified. This verification process is done by a test suite. There are two colliding interests about the size of the test suite. On the one side, if the test suite has no or too few test cases, the result of the automatic program repair technique is inapplicable. On the other side, if the test suite is too large, the runtime of the automatic program repair technique is unfeasible.

In this study, I want to investigate what a test suite needs to be a suitable candidate for automatic program repair. I use established techniques from test generation to create various test suites and investigate how automatic program repair behaves on these test suites.

I want to find out if there exists a minimum or maximum size of test suites which still produces a qualitative fix in automatic program repair. In addition, I want to investigate how many failing and passing test cases the test suite needs.

The results of my study could help to improve automatic program repair by providing a reasoning about the trade between the quality of a fix and the runtime of automatic program repair.

 

14:30-15:00

Speaker: Luc S.
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Signing without Interaction - Anonymous EC Blind Signatures
Research Area: RA1

 

15:00-15:30

Speaker: Metodi Mitkov
Type of talk: Bachelor Intro
Advisor: Dr.-Ing. Ben Stock
Title: Security Headers on the Web Post-Login
Research Area: 5

Abstract: Web sites are continuously growing in complexity - an ever-increasing codebase that relies heavily on third-party content is a common occurrence on the Web today. Developers have the difficult task of ensuring that each component on a Web site works correctly and does not cause conflicts or errors. While the main focus lies in ensuring that all components work correctly, the security of a Web site is often pushed to the side. For these reasons, we regularly hear about vulnerabilities on the Web. A multitude of browser-enforced defense mechanisms exists to protect against the possibility of a vulnerability in the ever-rising complexity of the Web. However, defense policies are frequently misused, leading to a false sense of protection. The usual culprit of security inconsistencies on the Web is CSP, widely known by developers for its difficulty to use. Even other defense mechanisms on the Web, which are supposedly easier to use, such as cookie security attributes, are misused across the board. While researchers have investigated the development of security mechanisms and their inconsistent use across the Web, some questions remain to be answered. For example, an important aspect is the separated context between a registered and an unregistered session. A registered user could have access to other features and pages which are otherwise inaccessible.

I want to investigate the prominence of misused security headers in the context of a logged-in user and compare it to the pre-login counterpart. I want to understand why inconsistencies occur and what conclusions I can draw from the current state of the usage of security policies. What type of inconsistencies are there? Are there differences between the security guarantees for logged-in users and not logged-in visitors? Which security policies are misused the most? Are there any patterns?

 

Session B:

14:30-15:00

Speaker:        Fabian Thomas
Type of talk:   Bachelor Intro
Advisor:        Michael Schwarz
Title:          Meltdown as a Sidechannel
Research Area:  RA3

Abstract:
As a response to the disclosure of the Meltdown vulnerability in 2017, which
essentially enables an attacker to read arbitrary kernel memory, all major
Operating Systems implemented software fixes to address this new kind of attack
on hardware. We present a novel way to leak sensitive data that is not protected
by these state-of-the-art mitigations. Our new technique relies on the fact that
some data structures like the Interrupt Descriptor Table are required to be
mapped into user space on x86 CPUs. Therefore no software patches can be applied
to these memory regions. By interpreting a successful Meltdown read as a cache
hit we are able to leak the timing of hardware keyboard interrupts and legacy
system calls on CPUs without hardware fixes addressing these issues. We use a
custom Meltdown block to further improve the reliability of this caching side
channel. Additionally, we analyze the Meltdown mitigation kernel page-table
isolation (KPTI) to evaluate the severity of our findings.
