News

New Semester is Coming

Written on 22.10.23 by Mang Zhao

Dear all,

 

for the new winter semester we will move to the new course which you can find here: https://cms.cispa.saarland/bms_ws2324/

Please switch to that one. The announcements will stop to be posted here and we expect that you will from now on submit the talk descriptions to the new… Read more

Dear all,

 

for the new winter semester we will move to the new course which you can find here: https://cms.cispa.saarland/bms_ws2324/

Please switch to that one. The announcements will stop to be posted here and we expect that you will from now on submit the talk descriptions to the new course.

 

Best wishes,

BAMA Seminar Team

Next Seminar on 25.10.2023

Written on 20.10.23 by Mang Zhao

Dear All,


The next seminar(s) take place on 25.10.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Julian Augustin, Assiri Nassirou Karim, Pit Jost

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 25.10.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Julian Augustin, Assiri Nassirou Karim, Pit Jost

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Zubayr Khalid, Ujjval Desai, Oliver Valta

https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09

 

Session A:

14:00 - 14:30

Speaker: Julian Augustin
Type of talk: Bachelor Intro
Advisor: Andreas Zeller
Title: Hierarchical Delta Debugging and DDSet on context-sensitive Inputs
Research Area: RA4

Abstract: 
Fuzzing is a well-known technique to find inputs that trigger bugs in programs. 
A good way to fix the bug is to have a look at the usually very large failure-inducing input and see which part of it actually triggers the bug.
Delta debugging is an algorithm used to minimize the input as much as possible while still preserving the error. 
Using delta debugging on context-sensitive data is often not successful because wrong length fields or checksums often throw errors before the actual problem gets parsed.
I am going to use FormatFuzzer a framework that can fuzz context-sensitive data and use its mutation functions to implement a more refined version of delta debugging namely hierarchical delta debugging for context-sensitive inputs.
New work has gone even further. Instead of just minimizing the error-inducing input, DDSet is able to give a grammar for all inputs that create this error.
I will also implement the key functions of this approach for context-sensitive data using FormatFuzzer.

 

14:30 - 15:00

Speaker: Assiri Nassirou Karim

Type of talk: Bachelor Final

Advisors: Dr. Cristian-Alexander Staicu & Dr. Dolière Francis Somé

Title: A study of the security and privacy implications of the use of third-party web push notifications services

Research Area: RA5

Abstract: Progressive web apps (PWAs) are modern websites or web applications with new integrated features aimed at improving user experience. One of these features is Service Worker (SW), a Javascript program that runs in the background and offers several functionalities including acting as a proxy for network requests, enabling users to access specific web pages from the website even when they are offline or delivering web push notifications (WPNs). To take advantage of these features, websites may delegate the task of WPNs to third-party services (TPSs) such as OneSignal or Google Firebase Cloud Messaging for reasons such as technical expertise, scalability, or costeffectiveness. However, researchers have recently discovered that service workers can be exploited in several ways, including for phishing or social engineering attacks using WPNs. Moreover, as online advertising has expanded, WPNs have emerged as a viable method for delivering online ads, which attackers can also exploit to deliver malicious ads or redirect users to malicious websites. In our pre-experiment phase, we manually visited several websites, particularly online shopping platforms such as im-too.ru, and granted permission to receive notifications. Through this process, we observed a phenomenon: after a short duration, we began receiving notifications containing adult content. This outcome serves as a motivation to delve deeper into our study. It shows the urgency of investigating the potential risks and vulnerabilities associated with the use of WPNs. In this work, the main focus will be on WPNs, as it is essential to understand how they work and the types of notifications that are sent when using TPSs. We will also explore how and when TPSs subscribe users into notifications. The research is motivated by WPNs’ potential privacy and security implications, as they can be abused to track users or expose them to malicious content. To achieve this goal, the research design involves using ProwseBox, a tool for collecting data on TPSs used on websites. This will be followed by an analysis of the notifications sent by these providers, specially an analysis of the redirected URLs when clicking on these notifications.

 

15:00 - 15:30

Speaker: Pit Jost
Type of talk: Master Intro
Advisor: Prof. Dr. Andreas Zeller, Tural Mammadov
Title: Protocol Fuzzing with Grammars and Constraints extracted from RFCs
Research Area: RA3
Abstract:

Efficient automated testing of network protocols using conventional methods is a process that usually requires significant amounts of manual labor. To achieve high coverage that finds design and implementation flaws deeply embedded in such protocols, it is not suf- ficient to rely solely on a black-box fuzzing approach. Random inputs generated using a purely random approach tend to cause the protocol implementations to reject the inputs early during validation. More advanced approaches such as semantic fuzzing, which are aware of the protocol’s specification and the expected input formats, are much more ef- fective and can reach higher levels of coverage.

Generating semantically correct input is not a trivial task. Knowledge about the targeted protocol is necessary in order to achieve this, and it needs to be available in a machine-interpretable format to be usable for automated testing. Input Specification Lan- guage (ISLa), a grammar-aware input specification language and string constraint solver, aims to solve this by allowing for the expression of protocol specifications using context- free grammars and semantic constraints, which can, in turn, be used to produce inputs for grammar-based fuzzing. While ISLa requires formal protocol specifications written in its proprietary specification language, most network protocols are specified in documents known as Requests for Comments (RFCs), which are written in English natural language.

In this thesis, a method to automatically mine context-free grammars and semantic constraints from natural language specifications which are collected from RFC documents is developed. A pre-trained large language model is fine-tuned using a dataset that con- tains natural language specification fragments from RFCs and their grammar definitions together with semantic constraints. The model will be evaluated on automatically ex- tracting grammar constraints and related semantic constraints for a range of different network protocols.
 

 

Session B:

14:00 - 14:30

Speaker: Zubayr Khalid

Types of Talk: Master Final

Advisor: Dr. Julian Loss

Title: Implementation and Testing of GRandLine: A Novel Randomness Beacon Protocol, Secure Against Adaptive Adversaries

Research Area: RA1

Abstract: A source of continuous and publicly verifiable randomness is essential for many applications such as cryptocurrencies and financial audits. Existing works on distributed randomness beacons suffer from at least one of the following drawbacks: (i) lack of reconfiguration-friendliness, (ii) security only against a static adversary, (iii) cubic or higher communication cost, or (iv) computationally expensive tools such as Proof-of-Work. We introduce GRandLine, an adaptively secure randomness beacon protocol that overcomes these challenges while providing optimal resilience in the synchronous network setting. Our beacon has dominance over the existing work and to back up our claim we implement our protocol with worldwide geographically distributed AWS EC2 instances and evaluate it against the state-of-the-art randomness beacons such as BRandPiper in the same setting. In order to achieve the efficiency of GRandLine, we follow an approach of modeling the network as a binary tree data structure where each leaf of the tree represents a party. At each phase of our protocol two sibling nodes merge and agree on a common transcript which encrypts a secret. Eventually the whole network agrees on a common transcript which encrypts a random secret. The networking works by creating and maintaining a persitent TCP connection and a special reactor is implemented to react based on received messages at different rounds in the protocol. Besides having geographically distributed virtual machines, we have also included a development environment where one can test the network locally. For the first time, our implementation includes the existence of active adversarial nodes who will try to sabotage the protocol in different stages of execution. 
 

 

14:30 - 15:00

Speaker: Ujjval Desai

Type of talk: Master Intro

Advisor: Prof. Dr.  Lucjan Hanzlik

Title: FIDO-AC with third party trusted mediator in Intel SGX

Research Area: RA1: Trustworthy Information Processing

Abstract:

In the current digital landscape, the importance of web authentication is underscored, and the Fast IDentity Online (FIDO2) protocol plays a crucial role. FIDO2 enables seamless user authentication across various online services on both mobile and desktop platforms. It adopts a passwordless authentication approach grounded in cryptography and biometric verification, utilizing common devices for secure access. Despite its advantages, FIDO2 lacks the ability to aggregate user attributes during authentication, a gap addressed by Fast IDentity Online with Anonymous Credentials (FIDO-AC).

The implementation process involves keeping the mediator locally, as complete reliance on trusted third-party execution is considered unreliable, and external mediators lack sufficient incentives. To overcome these challenges, we propose employing Intel SGX to establish a Trusted Execution Environment (TEE) for the mediator. However, even with this improvement, the single mediator remains a potential single point of failure. To mitigate this risk, we intend to introduce multiple mediators that will work collaboratively to provide the necessary attestation. Additionally, to motivate trusted third parties, we plan to utilize adaptor signatures for their remuneration.

 

15:00 - 15:30

Speaker: Oliver Valta
Type of talk: Bachelor final talk
Advisor: Lucjan Hanzlik
Title: Practical One-time Programs and Applications to eCash
Research Area: Algorithmic foundations and cryptography
Abstract:

Over the last years, paper cash is getting replaced more and more with some form of digital cash. However, existing digital money schemes fail to replicate the properties of paper cash. For example, many such systems require Internet connectivity to per- form transactions or transactions only become valid after a certain period of time. The only systems capable of performing offline transactions are hardware based ones which
require the rather strong assumptions regarding the security of complex tamper-proof hardware, that needs to be distributed to each user. Furthermore, the privacy guarantees provided by existing schemes vary from a public transaction history to untraceable private transactions.
This thesis proposes and proves the security of two versions of an electronic money scheme based on one-time programs. One is secure against an honest-but-curious adversary while the more complex version is secure even in the presence of a malicious adversary. Using n-time use keys we construct one-time memory devices and from those one-time programs. These are used to implement a chain of MAC tag generation and verification. This scheme enables nearly instantaneous, transitive offline transactions with minimal hardware requirements, namely one-time memory devices. Additionally, we show that transactions are untraceable.
We provide a practical implementation as an Android app using the Android Keystore’s n-time use keys. Therefore, many Android devices can run it without any additional hardware. We discuss the practicality of such a system as well as future extensions.
 

Next Seminar on 11.10.2023

Written on 08.10.23 by Mang Zhao

Dear All,


The next seminar(s) take place on 11.10.2023 at 14:00 (Session A) and 14:30 (Session B).


Session A: (14:00-15:30)
Ayushi Churiwala, Milan Conrad, Tristan Hornetz

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 11.10.2023 at 14:00 (Session A) and 14:30 (Session B).


Session A: (14:00-15:30)
Ayushi Churiwala, Milan Conrad, Tristan Hornetz

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:30-15:00)

Osama Altamar

https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09

 

Session A:

14:00 - 14:30

Speaker: Ayushi Churiwala

Type of talk: Master Intro

Advisor: Prof. Dr.  Andreas Zeller, Tural Mammadov

Title: LLM-based Active Code Repair

Research Area: RA3: Threat Detection and Defenses

Abstract:
Code generation through generative AI is an emerging and novel field that involves predicting code or program structures using incomplete data sources, natural language descriptions, alternate programming languages, or execution logs, offering the potential to drastically decrease the developer's workload and invested time. Developers have long resorted to using code from various online platforms and modifying it for their purposes. However, with generative AI advancements especially in Large Language Models (LLMs) like ChatGPT, they can now instruct the machine(in natural language) to generate code making external code search redundant.

OpenAI's language model, ChatGPT, has recently gained prominence for its ability to produce human-like responses across various natural language/ textual inputs, including those related to code generation. Nevertheless, the true effectiveness of ChatGPT in code generation remains uncertain, as it can produce logically questionable results and its performance could be significantly impacted by the selection of chosen prompts. This raises important questions about seamlessly integrating the code generated by ChatGPT into the development process, given its potential to expedite coding workflows and automate code generation. Especially, there is currently a lack of an automated testing and improvement framework specifically tailored for code generation systems. To address these issues, this research proposes to analyze the code generated by ChatGPT by exploring various prompt types and identifying and repairing inconsistent outputs. Our goal is to actively investigate the model's ability to self-repair. We check its impact on code generation for automatic self-code repair in a conversational manner by the inclusion of additional I/O pairs in the prompt with suitable feedback.

 

14:30 - 15:00

Speaker: Milan Conrad
No Information is available.

 

15:00 - 15:30

Speaker: Tristan Hornetz
Type of talk: Master Intro
Advisor: Dr. Michael Schwarz, Lukas Gerlach 
Title: Execute-only memory as a security hardening feature on x86-64
Research Area: RA3

Abstract: 
Execute-only memory (XOM) is a little-discussed, but powerful memory protection scheme, in which instruction fetches are allowed, but read and write accesses are not. However, PKU, the mechanism by which XOM is typically enforced on x86-64, can easily be disabled or bypassed, making its suitability as a security feature questionable.

In my master’s thesis, I will therefore investigate the potential of enforcing XOM through the configuration of nested page tables in virtual machines, which yields execute-only mappings with significantly stronger security guarantees. This enables the use of XOM for a wide range of security applications, which was previously not possible on x86-64. For example, it can serve is a highly effective countermeasure against exploitation techniques such as Blind-ROP, of which code-disclosure is an essential step. Other uses include the protection of intellectual property, for instance by preventing read access to the code of shared libraries. In addition to implementing this mode of enforcement with Xen and Linux, the goal of my thesis is to extensively evaluate its security benefits, performance impact and limitations in order to assess its effectiveness as a security enhancement feature.

 

Session B:

14:30 - 15:00

Speaker: Osama Altamar
Advisors: Dr. Cristian-Alexander Staicu
Title: Dynamic Analysis Of Browser Extension
Research Area: RA3

Abstract: Abstract Dynamic analysis of chrome extensions is crucial for evaluating the security of these software programs as it analyzes their behavior during runtime. This method enhances the effectiveness of static analysis by detecting malicious behavior and vulnerabilities that may not be immediately apparent.This presentation highlights the importance dynamic analysis in evaluating the security of chrome extensions. I will also outline my methodology for implementing the dynamic analysis tool, which involves injecting code into the extension components to collect data which will be analyzed to identify potential vulnerabilities or malicious behavior. The tool will allow for a comprehensive evaluation of the extension’s security, including Universal XSS vulnerabilities, and its behavior under different conditions. The main steps involved in dynamic analysis are acquiring the extension, setting up the environment, analyzing the code, executing the code, and finally, analyzing the results.

 

Next Seminar on 27.09.2023

Written on 23.09.23 by Mang Zhao

Dear All,


The next seminar(s) take place on 27.09.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Gleb Rostanin, Lennard Tworeck, Florian Romann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 27.09.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Gleb Rostanin, Lennard Tworeck, Florian Romann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Björn Karthein, Ahmad Hajy Omar, Moaz Airan

https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09

 

Session A:

14:00 - 14:30

Speaker: Gleb Rostanin
Advisor: Nils Ole Tippenhauer

Research Area: RA3

No information is provided.

 

14:30 - 15:00

Speaker: Lennard Tworeck
Type of talk: Bachelor Intro
Advisor: Robert Künnemann, Kevin Morio
Title: A parser for the spthy protocol modeling language
Research Area: RA2
Abstract:
Security protocols ensure the confidentiality, integrity and authentication of transmitted data between two or more parties and are the basis of secure communication. Protocol verifiers like Tamarin, which is a tool for symbolic modeling and analysis of such protocols, have been developed to prove the correctness of those. It uses a security protocol model to specify the protocol, the environment and the security properties. These are specified in the so-called security protocol theory (spthy) file format, which has been developed for Tamarin.

In this thesis, we will create an independent parser that allows parsing such files for third party tools or Tamarin extensions. The goal is a flexible parser with few dependencies and bindings to different languages including Python, Go and Haskell. We use a parser generator to create the parser, which allows us to first define a grammar that accepts the syntax of spthy files. We then use that grammar as an input to the parser generator to create the parser. 
The syntax of the file format is partially documented in the Tamarin manual, but there is no entire description of it. With this method, we do not just build a parser for spthy files, but also document its syntax.
We aim to create a reusable tool that allows for an easier development of Tamarin extensions.

 

15:00 - 15:30

Speaker: Florian Romann
Type of talk: Bachelor Intro
Advisor: Aleksei Stafeev, Giancarlo Pellegrino
Title: Time Travel Crawling: Measuring the impact of state changing actions
Research Area: RA5: Empirical and Behavioural Security 

Abstract:
Automated Web vulnerability scanners are essential to achieve security at scale. However, before scanning a web application, it needs to be explored using a crawler component. By interacting with the web application, crawlers potentially irreversibly add, modify or delete content, thus not exploring the whole application.

In this thesis we present Time Travel Crawling, a crawling technique that manages the whole state of applications with the ability to revert arbitrary state changes, using virtual machine technology. We compare the impact of state changing actions, both quantitatively and qualitatively, by comparing depth- and breadth-first crawlers with their respective time traveling versions.

 

Session B:

14:00 - 14:30

Speaker: Björn Karthein
Type of talk: Master Intro
Advisors: Prof. Dr. Andreas Zeller, Dr. Cristian Staicu
Title: Exploring Input Invariants for Automated Testing of Web Forms
Research Area: RA5

Abstract: 
Web applications are omnipresent in today's world. Web applications often rely heavily on user input to interact and get information from the end-user, which naturally creates a big attack surface. Thoroughly testing these possible attack points is crucial to finding potentially security relevant bugs. Most modern websites employ client-side validation to verify user inputs directly inside the browser. This improves responsiveness and accessibility of the website, but does not suffice as a security measure against malicious users. In this thesis we present an approach that fully automatically generates input values for any web form and tests the application. The client-side's source code is analysed and constraints on the form input values are extracted. The constraints are presented to the tester in a human-readable format and can easily be altered or extended with predefined templates. The solution uses these constraints to generate explicit input values that either adhere to the specification or purposely violate it. Lastly, the application's response is inspected and a report is generated that summarizes any interesting behavior.

 

14:30 - 15:00

Speaker: Ahmad Hajy Omar

Type of talk: Bachelor Final

Advisor: Dr. Cristian-Alexander Staicu, Dr. Dolière Francis Somé

Title: Analysis of Content Security Policy in different browsers settings, including Desktop and Mobile browsers.

Research Area: RA3

Abstract: Content Security Policy (CSP) serves as a critical security mechanism to thwart attacks such as cross-site scripting (XSS) and data injection. Using Playwright, a Node.js tool for browser automation, an examination was conducted across various browser settings, including desktop and mobile environments. The evaluation revealed inconsistencies in how browsers enforce CSP, highlighting potential security vulnerabilities. Emphasis was also placed on the significance of accurate CSP configuration and regular updates to guard against evolving threats. We delved deeper into how CSP enforcement is affected by variations in user agents and accept language headers. Specifically, it probes into how websites respond when presented with malformed or absent user agents, or unconventional accept language headers. Surprisingly, certain websites failed to correctly enforce CSP under these conditions, leading to possible security gaps. Another focal point was the potential for nonce duplication within CSP. By comparing nonce values between main pages and their sub-pages, the research discovered a possibility of nonce value repetition after two website visits, creating another security concern.

 

15:00 - 15:30

Speaker: Moaz Airan
Type of talk: Bachelor Intro
Advisor: Dr. Cristian-Alexandru Staicu
Title: Exploring User Data Protection Provided by Firefox-based Web Browsers
Research Area: RA3
Abstract: User sensitive data stored by browsers should be properly secured and protected from stealing attacks such as cross-site scripting (XSS) for stealing cookies and Man-in-the-Middle attack for stealing passwords. Browsers implement different security mechanisms and encryption algorithms to manage eliminating these types of attacks, where the attacker try to steal data from a running browser session on the victim machine, in other words the attacker is connected "online" to the victim. A different way to reach the sensitive data is if a malware was installed on the user machine. This opens a lot of possibilities to steal and manipulate the data "offline" directly from the victim machine bypassing most of the protection provided by browsers. This thesis explores different exploitations and methods that could lead to leaking sensitive data like passwords and session tokens. Focusing on Firefox-based browsers, we also examine how the user data gets stored and how these browsers interact with operating systems, in our case it's Windows. 

Next Seminar on 13.09.2023

Written on 08.09.23 (last change on 08.09.23) by Mang Zhao

Dear All,


The next seminar(s) take place on 13.09.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Sahil Sihag, Thomas Boisvert-Bilodeau, Luk Stamann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

Dear All,


The next seminar(s) take place on 13.09.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Sahil Sihag, Thomas Boisvert-Bilodeau, Luk Stamann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:00)

Jonas Büchner, Robert Pietsch

https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09

 

Session A:

14:00 - 14:30

Speaker: Sahil Sihag
Type of talk: Master Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Coverage Guided Fuzzing of Drone Firmwares
Research Area: RA4: Secure Mobile and Autonomous Systems

Abstract: 
Cyber physical systems (CPS), such as drones, have witnessed increasing adoption across wide variety of domains. Nevertheless, security assessment of such systems is still a challenging problem. This is mainly due to limited functionality of embedded systems which makes it hard to analyse the inner workings of their firmware. Fuzzing, however, has proven to be successful in discovering security flaws in such opaque systems.

Recent work has focused upon treating CPS as a black box and using a grammar to generate input for the target. Response messages from the target are used as feedback for the fuzzer. This approach enables preliminary fuzzing of these systems but the feedback obtained from such response messages is too coarse-grained for deeper investigation. Another direction has focused upon re-hosting the firmware in an emulator. This has high barrier to running the complete firmware and often misses bugs that are dependent on hardware interaction.

In this thesis, we focus upon enabling coverage guided fuzzing of open-source drone firmwares. This will be done by taking advantage of "wiggle space" provided by the firmware since it often does not exhaust storage and memory capacity of the embedded system. With the help of this additional space, we can enable instrumentation of the firmware and store coverage information of firmware during execution. This fine-grained information can then be utilized by the fuzzer for generating better inputs. Moreover, we examine the challenges faced in deeper fuzzing of such targets given their stateful nature. Finally, we investigate additional feedback vectors to aid coverage information.

 

14:30 - 15:00

Speaker: Thomas Boisvert-Bilodeau
Type of talk: Bachelor Final
Advisor: Dr. Yang Zhang
Title: Understanding the relationship between backdoor attacks and membership inference attacks
Research Area: Trustworthy Information Processing
Abstract: In the domain of deep learning, there are proven risks associated with using third-party resources like datasets, training services or pre-trained models. A backdoor attack can be employed to control the behavior of a neural network when presented with a trigger. Once trained, classifiers can also be vulnerable to a membership inference attack. If a model has noticeable differences in the values it outputs when presented with inputs that were used in it's training versus inputs that are new, it can be inferred if a data point was part of the training dataset. This is obviously a privacy concern when datasets contain personal or sensitive information. While both those attack have been studied an refined, there is little knowledge on how one influence the other. This work is exploring the relationship between backdoor attacks and membership inference attack.
Two convolutional neural networks of different complexity, and the MNIST, CIFAR-10, and STL-10 datasets were used to investigate the impact of backdoor attack parameters, specifically trigger size and poisoning rate on MIAs. Surprisingly, no direct relationship was found between these parameters and the attack success rate of MIAs. Instead, a stronger influence emerged from the difference in model’s accuracy between training and test datasets, used as a heuristic for loss distribution. Dataset specific patterns also emerged, such as the superior performance of the Badnets inspired trigger and the importance of relative trigger size. Through a rigorous correlation analysis using Spearman’s ρ and linear regression, the study shows that backdoor attacks affect MIAs primarily by changing the dynamics of loss distribution. This study provides a new perspective on the nuanced relationship between backdoor attacks and MIAs and highlights the importance of monitoring loss distribution in the domain of adversarial deep learning.

 

15:00 - 15:30

Speaker: Luk Stamann

Type of Talk: Bachelor Intro

Advisor: Sven Bugiel

Title: Message-O-Matic  //  A Tool to find your Secure Messaging Application

Research Area: RA5 Empirical

Abstract:

There are plenty of secure messaging applications on the market. While each one features a different set of security and usability guarantees, the choice often comes down to peer pressure. But what do users want from their service of choice, and how well do they understand the featured or omitted security guarantees? My approach aims to significantly ease the choosing process, while not compromising on the security or usability aspects. Additionally, users can learn about the features offered in the secure messaging market. Therefore, my proposition will include a decision support tool where users with and without an information security background can make an informed messenger choice that fits best their needs. From this, I want to extract data regarding the users requirements and their understanding of security aspects for secure messaging applications.

 

Session B:

14:00 - 14:30

Speaker: Jonas Büchner
Type of talk: Master Intro
Advisor: Dr. Michael Schwarz
Title: Reverse Engineering UEFI Firmware to Discover Hidden CPU Features
Research Area: RA3

Abstract: 

With every new generation, the complexity of features in x86 processors increases. Luckily, CPU vendors allow the configuration of many of these. This is commonly done by using model-specific registers (MSRs). Besides configuration, these also allow performance monitoring and debugging. Naturally, a greater knowledge of the available MSRs improves control over the processor for researchers and users. While a lot of them are documented by Intel and AMD, there still remains a plethora of undocumented MSRs.

MSRs can only be accessed with the privileged RDMSR and WRMSR instructions. Therefore, the usage of MSRs is largely limited to low-level code, firmware in particular. Firmware is responsible for initializing and configuring the system during boot and serves as hardware abstraction for other software during runtime. The Unified Extensible Firmware Interface (UEFI) is a specification for firmware, which is implemented in many modern x86 systems. Because of its function, it is expected to make heavy use of MSRs, and is therefore a primary target for research.

In this thesis, we explore methods to discover the MSRs used in UEFI firmware, ideally together with their function. We apply different reverse-engineering techniques to the firmware binaries: First, we use static analysis, which analyzes the firmware based on the machine code itself. Using Ghidra, a common reverse-engineering tool, we perform manual inspection of the machine code and its disassembly. We also utilize the symbolic execution capabilities of angr to explore the potential execution flows involving MSRs without the need to provide concrete hardware behavior. Second, we use dynamic analysis, which involves actually running firmware binaries. Using the Qiling framework, we can emulate machine instructions and provide the necessary context of UEFI. Finally, we try to map the found MSRs to a user-accessible setting in the firmware setup application of the UEFI system.

 

14:30 - 15:00

Speaker: Robert J. Pietsch
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz, Lukas Gerlach
Title: Automated Checking of C Compiler Optimization Effects on Data Obliviousness 
Research Area: RA3

Abstract:
Side-channel attacks have become a major concern for software security as they can enable attackers to break confidentiality of functionally-correct software systems. The discipline of data-oblivious programming helps to mitigate such attacks by ensuring that data leaked via common side channels does only contain non-secret information. Due to various optimizations in modern compilers, data obliviousness is a property of programs that cannot be guaranteed on a high-level language level but must be checked for on the compiled machine code. In this thesis, we propose an automated pipeline for compiling C programs with different optimizations enabled and checking the resulting machine code for data-obliviousness regarding secret arguments. The pipeline is designed to efficiently detect violations to data obliviousness while at the same time being able to give strong guarantees for data obliviousness, if applicable. We use it to analyze the impact of different compiler configurations to a suite of programming primitives and cryptographic implementations. In testing, we find four primitives where seemingly data-oblivious code got compiled into machine code violating data obliviousness and a poorly-documented violation against data obliviousness in OpenSSL’s no-asm AES implementation. These results show the importance of checking for data obliviousness not only on high-level C code but also on the compiled machine code. We arrive at the conclusion that especially for security-critical implementations, it is desirable to have data-obliviousness checks as part of continuous integration.
 

Next Seminar on 30.08.2023

Written on 24.08.23 by Mang Zhao

Dear All,


The next seminar takes place on 30.08.2023 at 14:00 (Session A). Please note that there is only one session.


Session A: (14:00-15:30)
Sven Kuppe, Leonard Niemann, Dominik Sautter

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620… Read more

Dear All,


The next seminar takes place on 30.08.2023 at 14:00 (Session A). Please note that there is only one session.


Session A: (14:00-15:30)
Sven Kuppe, Leonard Niemann, Dominik Sautter

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00 - 14:30

Speaker: Sven Kuppe
Type of talk: Bachelor Intro
Advisor: Lucjan Hanzlik
Title: Blockchain-Based Verification of Android Keystore-Generated Key Attestations using Smart Contracts
Research Area: RA1
Abstract:
When we use cryptocurrencies, we want to make sure our transactions are safe. 
Thereby, one question we have to ask ourselves is how can we be sure that our recipient has a reliable key management? Does he really store his private Key securely?

A secure way to store your private key is to use a hardware-backed keystore like Android keystore.

This project aims to achieve this safety property. By utilising Androids hardware-backed keystore feature, available in modern smartphones, to create a trust mechanism that verifies the presence of a hardware-backed key in a device. Which is then proven by a specialised smart contract.

The goal of this work is to develop an android application and the specialised smart contract. The application creates a key within the secure memory and and provides a proof that the key is inside secure memory. This establishes trust in the receiver's devices without the need for additional verification methods. As this provides an answer to the above mentioned security questions.

 

14:30 - 15:00

Speaker: Leonard Niemann
Type of talk: Master Final
Advisor: Dr. Michael Schwarz
Title: "Performance Counters Rethought: Actively Mitigating Microarchitectural Side Channels"
Research Area: RA3

Abstract:
In recent years, researchers have discovered new microarchitectural side-channel attacks regularly, which has gained them increasing popularity. These side-channel attacks leak secrets via metadata exposed through shared microarchitectural building blocks like the cache. Defenses are lacking behind, as they typically require expensive changes to the microarchitecture. Moreover, they are often overly specific to certain types of attacks and only work against a subset of all attacks. Recent research commonly proposes hardware performance monitoring counters for detecting attacks. However, most of these approaches do not specify the process after the detection but focus on the detection itself. Thus they do not prevent the leakage of sensitive data.

In this thesis, we present PMCDefender, which is a software-only toolkit for actively mitigating a variety of microarchitectural side-channel attacks. Similar to previous work, we rely on performance monitoring counters as the underlying mechanism. However, we do not actively query the counters and use machine learning. Instead, we present a synchronous way to immediately stop the execution of a victim program if an attack is detected by leveraging performance monitoring interrupts. Thereby, PMCDefender actively performance events data leakage or at least limits the amount of data that can leak to negligible. Moreover, our approach is portable, versatile, and allows fine-grained control. Our approach works against multiple cache-based side-channel attacks and Spectrestyle transient execution attacks.

We further demonstrate its applicability in two realworld case studies on the RSA implementation of GnuPG 1.4.13 and the AES routine of openSSL 1.0.1e. Across all attacks, PMCDefender achieves a detection rate of over 99 % and a false-positive rate of less than 1.5 %. The overhead is negligible with a runtime increase of 0.3 % for the RSA implementation and 1.8 % for an AES routine. Based on the results, we conclude that active mitigation of microarchitectural side-channel attacks works and that our approach’s capabilities are sufficient to prevent data leakage.

 

15:00 - 15:30

Speaker: Dominik Sautter
Type of talk: Master Intro
Advisor: Thorsten Holz, Bhupendra Acharya
Title: ScamChatBot: Analyzing the Fake Technical Support Scam in Social Media via Automated ChatGPT
Research Area: RA3
Abstract:
In the last few years, cryptocurrency users and value has been on the rise. The global market value for cryptocurrency is ever-rising and peaked at $2.9 Trillion in late 2021 [11]. As the market share of cryptocurrency is ever-expanding, phishing attacks often target online wallet accounts. Such attacks are often found to compromise the wallet by either risk of losing access to the wallet or funds being stolen. Thus, it is crucial to understand the mechanics of cryptocurrency attacks and scams in the wild.
Moreover, the market trend for users is shifting where one in every three social media users prefers to reach the brand or business support via social media. Thus, it is not surprising to see users with technical issues reaching out to the brand via popular social media such as Twitter, Instagram, and others. This has lately attracted scammers to perform fake technical support scams via interaction with users’ public posts based on technical issues. Users seeking technical help via social media are often lured to share their credentials and private keys via direct messaging. In this work, we plan to interact with scammers who pretend to act as providing official technical support to regular Internet users. Regular Internet users often seek solutions related to the technical issue by searching on Google and posting on social media such as Facebook, Twitter, and Instagram. Apparently, this kind of search or posts in social media often lures such scammers whose intention is to fake as official support. Our motive is to understand such behavioral end-to-end analysis of chatting with scammers and analyze the tricks that scammers play in monetizing regular Internet users. In order to perform large-scale systematized work, we plan to integrate a ChatGPT-based automated end-to-end analysis of fake technical support by posting a honey tweet on Twitter. The automated chat system collects the scammer’s preferred payment profile. For the collected payment profile we plan to track and provide insights on money laundering techniques by analyzing the digital footprint of scammers.

Next Seminar on 16.08.2023

Written on 10.08.23 (last change on 17.08.23) by Mang Zhao

Dear All,


The next seminar(s) take place on 16.08.2023 at 14:00 (Session A) and 15:00 (Session B).


Session A: (14:00-15:30)
Dimitri Harkovski, Laura Thineta Mulia, Devi Faustine

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

Dear All,


The next seminar(s) take place on 16.08.2023 at 14:00 (Session A) and 15:00 (Session B).


Session A: (14:00-15:30)
Dimitri Harkovski, Laura Thineta Mulia, Devi Faustine

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (15:00-15:30)

Matthias Michels

https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09

 

Session A:

14:00 - 14:30

Speaker: Dimitri Harkovski 
Type of talk: Bachelor Intro 
Advisor: Prof. Dr. Cas Cremers
Title: AGE - a modern file encryption tool 
Research Area: RA2: Reliable Security Guarantees
Abstract: In this bachelor thesis AGE will be analyzed, a modern file encryption tool. How does it work, what are the usecases and most important: is it really secure? 

 

14:30 - 15:00

Speaker: Laura Thineta Mulia
Type of talk: Bachelor Intro
Advisor: Prof. Thorsten Holz, Bhupendra Acharya
Title: Analyzing the Prevalence of Fake Cryptocurrency Wallet Distribution
Research Area: RA5: Empirical and Behavioural Security
Abstract:

Since the release of Bitcoin, the concept of cryptocurrency has been growing rapidly. The rapid growth of cryptocurrency not only created a decentralized trading and investment opportunity for users but also attracted malicious attackers in performing various social engineering tricks. These tricks include but are not limited to scam initial coin offers, fake airdrops, and distribution of fake crypto wallets via apps marketplaces. 

One common option where users can download their crypto wallet app is through Google Play Store, a vetted Android marketplace. Secondly, there are also plenty of non-vetted Android marketplaces that are available in the wild where users can download Android apps. These non-vetted app places do not go through a similar rigorous vetting process compared to Android marketplace app publishing. Though Android marketplaces such as Google Play Store are not themselves free from fake app publishing, however comparatively, malicious attackers have been on the rise lately in uploading socially-engineered fake apps in these non-vetted marketplaces.

In this work, we aim to focus on fake crypto wallets that target Android applications. Our goal is to analyze the prevalence of fake crypto wallets in the wild that are found in both vetted and non-vetted Android marketplaces. By identifying such scamming wallets, we plan to provide an end-to-end analysis of how typically a victim falls for an attack which often results in the loss of private key phrases or stealing credentials associated.

 

15:00 - 15:30

Speaker: Devi Faustine
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Efficiency of Post-Quantum Blind Signature using Secure Multi-Party Computation
Research Area: RA1
Abstract: Quantum resistant blind signatures nowadays have a relatively large size for their signatures due to security reasons and to keep the user input private from the signer. The idea of this thesis is to use Secure Multi-Party Computation (MPC) as means of computing a digital signature. Since MPC also keeps privacy of the parties' input, meaning this also fulfills the purpose of blind signatures. The digital signature used in this scheme would be SPHINCS+, which is a quantum-resistant, stateless hash-based signature scheme, specifically aimed at reducing signature size. 

The goal is to evaluate the efficiency of this scheme in practice and optimize its efficiency.

 

Session B:

15:00 - 15:30

Speaker: Matthias Michels
Type of talk: Master Intro
Advisor: Christine Utz, Ben Stock
Title: Privacy, Anyone? An Investigation into the Adoption of Privacy-Friendly Services and Configurations
Research Area: RA5: Empirical and Behavioural Security
Abstract:

Many website integrate embed third-party services for e.g., getting insights into their audience or for embedding additional content.
Because these services can and often even must process personal data of the websites visitors, website owners have to be careful when they decide to embed such a service.
But website owners can also influence the amount of processed personal identifiable information in two ways.
The first possibility is the selection of the third-party service and the second its configuration.

The decision of which third-party service to use and how it should be configured must also be considered in the context of data protection laws.
The GDPR as an example, requires website operators to limit the data collection to the least amount possible.
In order to account for this, courts already have placed boundaries for configurations which must or must not be made.
Such court decisions have already lead to waves of cease and desist letters in Germany and Austria.

In this thesis, we will crawl one million websites from the CrUX list and classify their use of third party services.
On websites where we identified the use of a privacy-friendly configuration, we will use the Internet Archive to find more information about the temporal context of the adoption of the privacy-friendly configuration.
With this information, we hope to identify additional internal and external factors which play a role in the adoption of privacy-friendly configurations of embedded third-party services.

Next Seminar on 02.08.2023

Written on 31.07.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 02.08.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Zubayr Khalid, Marvin Schank, Kristian Metzler

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 02.08.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Zubayr Khalid, Marvin Schank, Kristian Metzler

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Moritz Wilhelm

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Speaker: Zubayr Khalid

Types of Talk: Master Intro

Advisor: Dr. Julian Loss

Title: GRandLine: First Adaptively Secure One-Round Randomness Beacon with Quadratic Communication Complexity

Research Area: RA1

Abstract: A source of continuous and publicly verifiable randomness is essential for many applications such as cryptocurrencies and financial audits. Existing works on distributed randomness beacons suffer from at least one of the following drawbacks: (i) lack of reconfiguration-friendliness, (ii) security only against a static adversary, (iii) cubic or higher communication cost, or (iv) computationally expensive tools such as Proof-of-Work. We introduce GRandLine, an adaptively secure randomness beacon protocol that overcomes these challenges while providing optimal resilience in the synchronous network setting. Our beacon has dominance over the existing work and to back up our claim we implement our protocol with worldwide geographically distributed AWS EC2 instances and evaluate it against the state-of-the-art randomness beacons OptRand, BRandPiper and DRand in the same setting. In order to achieve the efficiency of GRandLine, we follow an approach of modeling the network as a binary tree data structure where each leaf of the tree represents a party. At each phase of our protocol two sibling nodes merge and agree on a common transcript which encrypts a secret. Eventually the whole network agrees on a common transcript which encrypts a random secret. Besides having geographically distributed virtual machines, we have also included a development environment where one can test the network locally. For the first time, our implementation includes the existence of active adversarial nodes who will try to sabotage the protocol in different stages of execution. Finally, we have discussed ways to optimize the implementation.

 

14:30 - 15:00

Speaker: Marvin Schank
Type of talk: Master Intro
Advisor: Prof. Dr. Cas Cremers
Title: Formal Analysis of Matrix's End-to-End Encryption
Research Area: RA2: Reliable Security Guarantees
Abstract: Matrix is a federated communication architecture that allows messenger applications like Element to provide end-to-end-encrypted communication to its users. Researchers recently discovered practically exploitable vulnerabilities in Matrix, questioning its security. To tackle the uncertainty of whether Matrix is secure, one must look closely at Matrix's End-To-End-Encryption protocol. With a formal analysis of the protocol, I want to show that Matrix can provide a frame for secure message transmission. In this thesis, I investigate Matrix's underlying encryption techniques, especially Short-Authentication-String, Olm, and Megolm as the main cryptographic subroutines. I convert those concepts into a symbolic model. Based on that model, Tamarin, a state-of-the-art model checker and security verification tool, proves the Matrix-claimed security guarantees.

 

15:00 - 15:30

Speaker: Kristian Metzler

Type of talk: Bachelor Final

Advisor: Lucjan Hanzlik

Title: Practicality of the Sweep-UC Protocol for Private Coin Swapping

Research Area: RA1

Abstract: Swapping coins (also called atomic swaps) between cryptocurrencies is an important
tool when commercing in the digital sphere. This is due to the many use cases a cryp-tocurrency may or may not fulfill. Having the ability to swap between coins of different
cryptocurrencies allows the user to benefit from both ecosystems, i.e. any shops, pro-grams or websites using the cryptocurrencies, at the same time without having to fully
commit to one specific cryptocurrency. One problems while swapping coins may arise
though: that is the lacking privacy in most atomic swap solutions. As a response the
concept of privacy-preserving atomic swaps emerged which allow exactly what the name
suggests. TumbleBit and A2L are two prominant examples of protocols which allow
an user to privately swap coins of the same type or between different cryptocurrencies.
A recent advancement in this topic is the Sweep-UC protocol, which describes itself
as “the first fair exchange protocol that simultaneously is efficient, minimizes scripting,
and is compatible with a wide range of currencies”.

 

Session B:

14:00 - 14:30

Speaker: Moritz Wilhelm
Type of talk: Master Intro
Advisor: Ben Stock
Title: A Song of Trust and Archives: Assessing the Dependability of Web Archives for Reproducible Web Security Measurements
Research Area: RA5: Empirical and Behavioural Security

Abstract:
In recent years, artifact evaluation has gained significant importance within the research community, addressing the challenge of achieving replicability in experimental results. Yet, the ephemeral nature of the Web poses a challenge for reproducing Web measurements reliably, as conducting the same data collection at different points in time can lead to inconsistent outcomes. However, Web archives could offer a potential solution to achieve replicability in Web measurements since archival data is intended to remain indefinitely available.

Web archives provide valuable insights into the historical evolution of the Internet by preserving periodically crawled copies of Web pages. Among these archives, the Internet Archive stands out as a prominent repository, containing an extensive collection of 735 billion Web pages spanning from 1996 to the present. Over the years, researchers have repeatedly relied on the Internet Archive to retrospectively conduct historical Web measurements.

In this thesis, we conduct a comprehensive evaluation of the reliability of data obtained from the Internet Archive. The evaluation includes a longitudinal analysis from 2016 to the present, covering a period of 7.5 years. We crawl the top 20,000 domains from the Tranco list and examine their coverage by the archive. Additionally, to minimize potential biases related to popular domains, we repeat the experiment using a randomly sampled subset of 20,000 domains from the complete Tranco one-million list. In addition to the quantitative analysis, we explore qualitative aspects of the data. Specifically, we assess the prevalence of syntactic and semantic differences in security headers among Internet Archive snapshots that are in close temporal proximity. Moreover, we explore the feasibility of leveraging the Internet Archive to simulate live Web security measurements, thereby addressing the challenge of replicability in such studies.

The results of this thesis are expected to provide valuable insights on the dependability of Web archives for Web security measurements, while offering practical guidelines for conducting archive-based studies.

Next Seminar on 19.07.2023

Written on 14.07.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 19.07.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Patrick Gräfe,
Daniel Berresheim, Yannick Ramb

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 19.07.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Patrick Gräfe,
Daniel Berresheim, Yannick Ramb

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Groß, David, Darian Hach, John Schmitt

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Speaker: Patrick Gräfe
Type of talk: Bachelor Intro
Advisor: Sebastian Brandt
Title: On exploiting cycles in distributed algorithms for maximal matching
Research Area: RA1: ALGORITHMISCHE GRUNDLAGEN UND KRYPTOGRAPHIE

Abstract:
The Round Elimination technique is a central method in the field of distributed algorithms for proving lower bounds for specific problems.
This technique constructs a worst-case graph that demonstrates that a problem requires at least a specific number of rounds to be solved,
providing a lower bound for the problem. However, the Round Elimination method always constructs tree-like structures to prove a statement.
An interesting observation is that if we consider only graph families with cycles, all the lower bounds established by Round Elimination no longer hold.
Consequently, there could be faster algorithms for known problems that exploit the cycles in these graphs.

In this work, our objective is to explore how distributed algorithms could perform in an environment with cycles, potentially surpassing the lower bounds set by the Round Elimination Technique. To achieve this, we will investigate the problem of maximal matching, which is one of the most fundamental problems in distributed algorithms.
Specifically, we will focus on the bipartite setting and aim to explore the possibility of a faster algorithm that exploits the presence of cycles.

 

14:30 - 15:00

Speaker: Daniel Berresheim
Type of talk: Bachelor Final
Advisor: Dr. Nils Ole Tippenhauer
Title: Protecting Motor Control Firmware against Manipulation
Research Area: RA3
Abstract: The increasing complexity of firmware to control vehicles introduces many new opportunities for attacks. Vulnerabilities in non-essential features can enable an attacker to execute code in parallel or concurrently to security critical code. Furthermore, we have to consider even the hardware owner as a potential attacker who might want to tune their vehicle by bypassing the hardware enforced speed limit.

We investigate in our Thesis whether Trusted Execution Environments (TEE), in particular Arm Trustzone can be used to protect critical functionality as well as hardware access of a system from parallel running attacker code.
We show different approaches we implemented to realize this Trustzone powered isolation and evaluate whether they reach the required security goals and whether they are capable to protect third-party monitoring software.

 

15:00 - 15:30

Speaker: Yannick Ramb
Type of talk: Master Final
Advisor: Prof. Dr. Thorsten Holz
Title: TDVFuzz: Fuzzing the Intel Trust Domain Virtual Firmware
Research Area: 3

Abstract:
Over the last few years, there has been a strong trend for businesses and individuals to outsource their data and services to the cloud.
One drawback of the current cloud computing landscape is that the Cloud Service Provider must be trusted implicitly, as it controls the hardware and is thus able to spy on and manipulate data and workloads inside customers' virtual machines (VMs).
Under these circumstances, confidential computing scenarios like the processing of sensitive or proprietary data are not possible.
The Intel Trust Domain Extensions (TDX) technology aims to mitigate this by isolating VMs on the hardware level from the hypervisor.
It requires specialized firmware called Trust Domain Virtual Firmware (TDVF) to provide integrity and confidentiality to the guest OS.
Since the boot firmware is responsible for maintaining the chain of trust, it is a highly critical component for security, and special care must be taken to minimize bugs and security vulnerabilities.
Software testing is one method to attain this and, to this extent, particularly fuzz-testing has proven to be an effective and productive tool.
However, the unique conditions posed by the execution environment and frequent interaction with hardware make firmware testing and application of tools like fuzzers challenging in practice.

This thesis aims to address this problem by providing a proof of concept fuzzing approach that is based on the kAFL fuzzing framework and extends TDVF source code to facilitate coverage-guided fuzz-testing of the TDVF firmware.
We demonstrated our method by fuzzing critical code sections that we identified in a previous security assessment under the new threat model in which the hypervisor is considered untrusted and potentially malicious.
Additionally, we explored options to enable sanitizers in our setup to further increase testing and bug-finding capabilities.
Evaluation results demonstrate that our method is able to effectively fuzz the TDVF firmware with high execution speed and detect bugs during the fuzzing campaigns.

 

Session B:

14:00 - 14:30

No information provided.

 

14:30 - 15:00

Speaker: Darian Hach
Type of talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Static Taint Analysis of Programmable Logic Controller Code
Research Area: RA4: Secure Mobile and Autonomous Systems
Abstract: Industrial Control Systems (ICS) constitute a core component of critical infrastructure such as the electric grid, oil refineries or nuclear power plants. At their lowest layer highly robust and reliable devices called Programmable Logic Controllers (PLCs) are fed with sensor readings and compute output to actuators based on a control logic that is programmed by engineers to control the system’s state. Due to the requirements of such systems towards continuity of operation and reliability and the often security-agnostic background of employed engineers, the security of ICSs and program logic in particular has often been neglected. Exacerbating this problem is the increasing connectivity of ICSs to the Internet that, as a result of the little security measures in place, dramatically increases the attack surface of such systems allowing for attacks against a nation’s critical infrastructure such as with Stuxnet or the Ukrainian power grid attacks.

While many protection measures have been suggested to protect ICSs, few have taken a human-centric and code-level approach to increasing the security. In this thesis we will thus propose the use of static taint analysis to support engineers with little security background by raising awareness about critical code locations in potentially highly complex programs and suggest remediation strategies to mitigate against potential vulnerabilities resulting from dangerous code locations.

 

15:00 - 15:30

Speaker: John Schmitt
Type of talk: Master Intro
Advisor: Giancarlo Pellegrino, Aleksei Stafeev
Title: Human Scan Patterns in Task-Driven Web Exploration
Research Area: RA5
Abstract:
Modern web applications have become quite complex and pose a major chal-
lenge for web crawlers. In modern web applications, web crawlers have some
weaknesses. These include identifying a webpage’s category, functionality, and
navigation to a desired target in the web application. Compared to crawlers,
humans find a quick and easy solution to these problems without much thought.
Motivated by the weaknesses of crawlers, in this thesis, we learn from human
behavior and try to identify patterns from the human eye gaze that can be ap-
plied in crawlers. The patterns should be able to improve the performance of a
crawler with respect to its weaknesses. To detect patterns, we perform an eye-
tracking study. We give participants specific exploration tasks on screenshots of
several webpages and register their gaze data. We conduct three stages in our
experiment, including tasks specific to the three weaknesses mentioned above.
The heatmaps and scanpaths we gather will indicate whether such patterns ex-
ist. In the end, we will be able to answer the question of human scan patterns
existing for task-driven webpage exploration. But more precisely, we will answer
the following research questions:
1. Do common exploration patterns exist for websites in equal categories?
2. Do common exploration patterns exist for webpages with equal functional-
ity?
3. Do common exploration patterns exist for a navigation task to a destination
page with desired functionality?

Next Seminar on 05.07.2023

Written on 03.07.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 05.07.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Tim Scheckenbach, Louise Malvin Tanaka, Mikka

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 05.07.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Tim Scheckenbach, Louise Malvin Tanaka, Mikka

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Robert Pietsch, Oliver Valta, Simon Anell

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Speaker: Tim Scheckenbach
Type of Talk: Bachelor Intro
Advisor: Prof. Dr. Andreas Zeller
Title: Specification-Based Fuzzing of x509 Certificates
Research Area: RA5
Abstract:
x509 certificates have been around for about 35 years to ensure secure web browsing
and identification. Because it is widely used, it must be secure, which can only
be achieved through extensive testing. However, this is a very difficult and costly
challenge due to the complexity of the x509 format. Automated testing techniques
such as fuzzing are needed to assist in this task.

In this talk, I will introduce the basic concepts of x509 certificates and specification-based fuzzing.
Moreover I will introduce the approach I take in my thesis, by building a fuzzer upon the ISLa solver, a
grammar-aware constraint solver. Using a grammar and some constraints the fuzzer is able to generate valid
certificates from scratch covering most of the different formats the x509 standard offers.

14:30 - 15:00

Speaker: Louise Malvin Tanaka
Type of Talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik
Title: Implementation of Virtual ePassport Based on ICAO MRTD
Research Area: RA1: Trustworthy Information Processing
Abstract:
Online verification, such as age verification nowadays lacks common standard that could be used across the internet.
On lower security level, some sites just trust what user inputs without any further verification.
On some heavier cases, verification process require user's personal identity (ex. ID card) and it takes some time to process.

To solve this problem, there exists some solution by creating a virtual ID that could be used to verify a user identity
accross the internet. However, instead of creating a new infrastructure, could we use existing one that are already widely available nowadays to solve this? By utilizing electronic passport, we could skip the bootstrap process to create a virtual ID, since it
has already done by the government. Extending functionality of epassport to be used to verify ourself on the internet would be the goal of this talk.

15:00 - 15:30

Speaker: Mikka Rainer
Type of Talk: Bachelor Intro
Advisor: Michael Schwarz, Lukas Gerlach
Title: Reversing the Microarchitecture with Microkernels
Research Area: RA3

Abstract:
The microarchitecture of modern CPUs contains many undocumented hash functions that distribute data to other microarchitectural elements. With knowledge of these hash functions, an attacker can significantly improve existing attacks or make new attacks against the microarchitecture possible. Due to that, these functions are important to create novel defenses and mitigations. While several of these hash functions have been successfully reversed, many functions on newer CPUs are still unknown. Existing techniques fail to reverse them, as the process of reversing the function relies on noise-free measurements.

In this thesis, we investigate how we can create a noise-free measurement environment for microarchitectural reversing by leveraging the power of microkernels. , we show how we can significantly improve the measurements in comparison to previous techniques, at the example of the addressing function of last-level cache slices.

 

Session B:

14:00 - 14:30

Speaker: Robert J. Pietsch
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz, Lukas Gerlach
Title: Automated Checking of C Compiler Optimization Effects on Data Obliviousness
Research Area: RA3

Abstract:
Being close to the limit of what is physically possible, the performance of modern general-purpose processors is no longer significantly increased by packing more transistors onto the dye or increasing the clock frequency. Instead, CPU manufacturers employ sophisticated optimizations like caches, branch predictors, and dynamic code reordering. While these optimizations provide a performance advantage in many real-world applications, they come at a heavy security cost: Plenty of microarchitectural side-channel attacks have been discovered that abuse optimizations to leak secret data. Examples are timing attacks on caches that allow attackers to detect locations of previous memory accesses and infer secret data.

One solution to this is writing programs in a "data-oblivious" way (also known as "constant-time programming"), not to perform any secret-dependent memory accesses. Data-obliviousness is a property of assembly code where only a few highly-specialized compilers can give guarantees dependent on the C code. When using other compilers (e.g. gcc or clang), it is currently impossible to derive such guarantees from a given C code. Especially for more complex compilers, formal verification is not feasible due to the complexity introduced by numerous optimizations and combinations thereof.

In this work, we present a tool to automate testing the behavior of several compilers on fixed C code snippets concerning data-obliviousness with different optimization combinations enabled. We employ the tool to check C constructs that, by the current research state, are recommended for developing data-oblivious programs. To trigger more sophisticated optimizations, we also fuzz-generate C code that we expect to be compiled into data-oblivious code and again analyze the compiler behavior with our tool. Additionally, we use the tool to analyze several cryptographic implementations for data-obliviousness violations when compiled with specific optimizations enabled.

14:30 - 15:00

Speaker: Oliver Valta
Type of talk: Bachelor Intro.
Advisor: Lucjan Hanzlik
Title: Practical One-time Programs and Applications to eCash
Research Area: Algorithmic foundations and cryptography
Abstract:

Digital money is an irreplaceable part of our society. However, most existing systems for eCash only work online. Despite benefits such as availability and privacy, offline transaction systems are still uncommon. For such systems, preventing double-spending typically relies on hardware.
One-time programs (OTP) allow computations on a single input without leaking anything about the program. OTPs can be used to reduce the complexity of the required hardware for offline transactions by relying on one-time memory devices.

In this thesis, we employ one-time programs to construct an eCash system and prove its security. We explore offline transactions as well as their limitations, and discuss the privacy of this system, both between users and the central instance.
Furthermore, we show how this system can be realized using existing hardware and the Android Keystore system.

15:00 - 15:30

Speaker: Simon Anell

No information provided.

 

Next Seminar on 21.06.2023

Written on 19.06.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 21.06.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Maximilian Jung, Kai Greshake, Maximilian Löffler

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

Dear All,


The next seminar(s) take place on 21.06.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Maximilian Jung, Kai Greshake, Maximilian Löffler

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Florian Bauckholt, Kai Wittenmayer

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Speaker: Maximilian Jung
Type of talk: Master Final
Advisor: Valentin Dallmeier
Title: Automated Website Security Testing Based on Existing Selenium Tests with webmate
Research Area: RA5: Empirical and Behavioural Security

Abstract:
The web has become the most important platform of the internet and is used in all aspects of people's lives. It can be used for getting information, social interaction, online shopping and controlling smart homes or industry components. With the increasing amount of websites and features, there is a proportional rise in code complexity, which often results in more potential flaws. One of the most frequent flaws is Cross-Site Scripting (XSS), which allows attacker-controlled code execution in the context of the vulnerable application, as well as SQL injection, which allows attacker-controlled SQL code to be executed in the database to bypass logins, retrieve or alter information and even take over the whole database or server. We aim to alleviate this problem by automatically finding security vulnerabilities with automated test generation.

Unlike other automated website security testing approaches, we do not apply black-box fuzzing but are using an existing selenium test for a website as a basis by using webmate. Hence the security test is guided by the selenium test that is checking if the application works as intended. This enables us to test deeper paths in an application because the test knows how to get to a specific point of e.g. a multi-page form without fuzzing. The number of times we have to submit e.g. input fields are also greatly reduced by the fact that we know what data is expected in which fields because of the existing selenium test, which makes the testing more efficient and less invasive.

14:30 - 15:00

Speaker: Kai Greshake

 

No information provided.

15:00 - 15:30

Speaker: Maximilian Löffler.
Type of talk: Bachelor Intro.
Advisor: Michael Schwarz, Lukas Gerlach.
Title: Undervolt Fuzzing: Searching for Bad Instructions Gadgets.
Research Area: RA3
Abstract:

With the introduction of the Intel Haswell architecture, Intel allows kernel level code to update the voltage powering the CPU dynamically.
Reducing the voltage below the recommended value is called undervolting and can have beneficial effects on power consumption and heat dissipation.
In 2019, Plundervolt demonstrates that undervolting can destabilize the CPU to a point where it faults, compromising in-place security mechanisms like Intel SGX.

To change the voltage of the CPU, an attacker needs to be privileged on the target system.
Furthermore, Intel recently introduced Undervolt Protection (UVP), which disables runtime undervolting.
This puts significant limitations on the attack surface of Plundervolt.

In this talk we investigate the presence of CPU faults under less or no voltage stress.
This step is crucial to bridge the gap between a theoretical attack and real-world exploitation.
If possible, such faults expose new attack surfaces to the unprivileged attacker.

Towards this, we present the Undervolt Fuzzer, a tool to efficiently probe random instruction sequences for their ability to cause CPU faults.
We apply mild undervolting, e.g., between -20mV and -80mV below the recommended value.
This sufficies to destabilize the CPU while not provoking faults when in idle.

 

Session B:

14:00 - 14:30

Speaker: Florian Bauckholt
Type of talk: Master Intro
Title: Evaluating WebAssembly as a Fuzzing Compilation Target
Research Area: RA5
Abstract:

Traditional fuzzers rely on a static instrumentation phase, which can be hard
to extend and work with. Instead, we propose compiling to a shared compilation
target that retains most instrumentation opportunities with potential for
dynamic instrumentation. We propose WebAssembly as a suitable target due to its
widespread language support, deterministic and isolated nature, and simple and
easy to JIT instruction set.

We prototype Wasmfuzz, a fuzzer for WebAssembly modules that supports pluggable
instrumentation strategies, and evaluate the performance of various
instrumentation strategies. We show that WebAssembly retains enough high-level
information to implement a competitive fuzzer and discuss potential ideas for
adaptive instrumentation.

15:00 - 15:30

Speaker: Kai Wittenmayer
Type of talk: Bachelor Intro
Advisor: Dr. Rebekka Burkholz
Title: Inference and Prediction of international food trade networks
Research Area: RA1 Trustworthy Information Processing
Abstract:
Over the past 30 years, the international food trade network has evolved to be increasingly complex
and interconnected. As a result of this globalization, the food trade network is vulnerable to shocks
such as natural disasters, wars, or pandemics, as has been seen in recent years. This work aims to
utilize machine learning for predictive modeling of the food trade network. We collect, preprocess,
integrate and analyze data from several databases provided by FAOSTAT to build a comprehensive
temporal network of the global trade for four staple foods: soy, maize, wheat and rice. We use this
dataset to predict the available supply of staple foods in a country and the trade volume between
two countries. We perform a comparative study of the traditionally used economic gravity model and
several machine learning models for these tasks. Such data-driven predictive models provide insights
into international dependencies, the influence of key economic variables, and the impact of internal
or external shocks. These insights can be used by policymakers to ensure higher levels of global food
security.

Seminar Attendance on 07.06.2023

Written on 07.06.23 by Mang Zhao

 

Dear All,

 

Due to an oversight, the distribution of the attendance sheet for today's Seminar A was not carried out as planned.

Our team has decided that all registered students will be marked as present for today's seminar (07.06.2023).

Thank you for your understanding and… Read more

 

Dear All,

 

Due to an oversight, the distribution of the attendance sheet for today's Seminar A was not carried out as planned.

Our team has decided that all registered students will be marked as present for today's seminar (07.06.2023).

Thank you for your understanding and participation.

 

Best wishes,

BAMA team

Next Seminar on 7.06.2023

Written on 05.06.23 (last change on 05.06.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 07.06.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Justin Steuer, HTMA Riyadh

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 07.06.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Justin Steuer, HTMA Riyadh

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Thomas Boisvert-Bilodeau

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Time: 14:00 - 14:30
Speaker: Justin Steuer
Type of talk: Bachelor Intro
Advisor: Andreas Zeller
Title: Constraint-Aware Parsing
Research Area: RA5: Empirical and Behavioural Security

Abstract:

Parsing is an integral tool of software development for disassembling input and to check it for correctness.
However, parsers that solely rely on context-free grammars, while versatile, can only check input for syntactic validity and can not verify context-sensitive properties.
ISLa, a declarative specification language for context-sensitive properties, enables users to specify context-sensitive constraints on top of a context-free grammar that
each valid string must satisfy. ISLa cannot only produce valid inputs, but can also check for a specified string whether it fulfills all given constraints.
While this feature is functional, it is not optimal in the way that it is implemented, since it first parses the string through a parser for context-free grammars
(thus verifying its syntactic correctness) and only then verifies its semantic correctness afterwards.
This can be quite inefficient when a lot of inputs have to be verified, since each input needs to be fully parsed regardless of whether it fulfills the semantic requirements or not.

This talk introduces the concept of Constraint-Aware Parsing, which aims to build upon the Earley Parser, a parser for context-free grammars,
and give it additional functionality to verify context-sensitive constraints alongside the traditional parsing process and extend it into a so-called 'Constraint Parser'.
The general idea is that when the parser itself is aware of the context-sensitive properties that valid input needs to conform to,
it will be able to detect an invalid input much earlier than with the current method, especially in the case of a syntactically correct, but semantically invalid input.
Furthermore, it will also offer the advantage of being able to use constraints to resolve ambiguity while parsing, which can make parsing with ambiguous grammars
much more efficient compared to the Earley Parser, which creates a parse forest to handle ambiguity.

14:30 - 15:00

Speaker: HTMA Riyadh
Type of Talk: Master Final
Advisor: Katharina Krombholz
Title: Authentication Usability in Virtual Reality (VR)
Research Area: RA5: Empirical and Behavioural Security
Abstract:
Virtual Reality (VR) offers an immersive 3D environment for social, entertainment, and
research applications that require authentication. To achieve the end user’s confidence
and satisfaction, reliable usability for authentication is a must. Though the prior research
shows promising results in terms of the security of authentication but lacks a usability
study. In this thesis (N=40), we investigate the usability of the authentication process in
VR using 1. 2D PIN, which is well-established and frequently used in daily activities,
and 2. Gesture-based authentication method, which is relatively new for the common
people but a natural way of interaction. We identify that the authentication type and the
experience status have an impact on usability. Our result shows that the gesture has high
usability score than a PIN. We also notice that performance gets better if the interaction
mode is natural. This work helps to get a better understanding of authentication usability
in virtual reality and helps to counterbalance the trade-off between usability and security.

 

Session B:

14:00 - 14:30

Speaker: Thomas Boisvert-Bilodeau
    Type of talk: Bachelor Intro
    Advisor: Dr. Yang Zhang
    Title: Understanding the relationship between backdoor attacks and membership inference attacks
    Research Area: Trustworthy Information Processing
    Abstract: In the domain of deep learning, there are proven risks associated with using third-party resources like datasets, training services or pre-trained models. A backdoor attack can be employed to control the behavior of a neural network when presented with a trigger. Once trained, classifiers can also be vulnerable to a membership inference attack. If a model has noticeable differences in the values it outputs when presented with inputs that were used in it's training versus inputs that are new, it can be inferred if a data point was part of the training dataset. This is obviously a privacy concern when datasets contain personal or sensitive information. While both those attack have been studied an refined, there is little knowledge on how one influence the other. This work is exploring the relationship between backdoor attacks and membership inference attack.

Next Seminar on 24.05.2023

Written on 22.05.23 (last change on 22.05.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 24.05.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-14:30)
Chandrika Mohan

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B:… Read more

Dear All,


The next seminar(s) take place on 24.05.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-14:30)
Chandrika Mohan

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Tim Schneider

https://cispa-de.zoom.us/j/69371224982?pwd=amFFbmVBcVhDeGg5Q2VacXh0M3pKQT09

 

Session A:

14:00 - 14:30

Speaker: Chandrika Mohan
Type of talk: Master Intro
Advisor: Dr. Katharina Krombholz
Title: Contextual Analysis of Risk-based Re-authentication factors
Research Area: RA5: Empirical and Behavioural Security
Abstract:
Risk-based Authentication (RBA) is a process where each authentication request
is analysed to determine the risk associated with it. According to the risk score
computed, the user is either permitted to log in or is asked for further
re-authenticate. This process is now predominantly used by major online services
in varied sectors. The model used to calculate the risk score and the strategy to
select the re-authentication factors is currently kept confidential and varies from
one context of the website to another. There are no guidelines to determine how
the re-authentication factors should vary across different contexts.
We investigate how different re-authentication factors affect the usability of
online platforms where Risk-based authentication is used to determine the risk
level associated with the login attempt. Furthermore, we dwell on the security
and usability perceptions of users associated with using different
re-authentication factors. Analysis of website users' behaviour is also not yet been
studied. We believe it is necessary to assess users' perceptions of usability,
security, and effectiveness while using different RBA re-authentication factors so
web developers can make informed decisions while implementing RBA solutions
for their web platforms.

 

Session B:

14:00 - 14:30

Speaker: Tim Schneider
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: RISC(Y) Operations. Finding hidden instructions in RISC-V Chips
Research Area: RA3

Abstract:
The RISC-V instruction set architecture (ISA) has gained popularity in recent years due to its open-source nature and flexibility.
However, it has come to light that some well-established ISAs may contain hidden instructions that are not documented in the official ISA specification, which could potentially introduce security vulnerabilities or other unintended consequences.
It is therefore essential to identify and analyze these instructions to ensure the security and reliability of processors.
This thesis aims to build a tool that automates the process of finding hidden instructions in RISC-V processors and tests it on different chips.
By uncovering hidden instructions, this thesis seeks to contribute to the security and reliability of RISC-V processors while providing a better understanding of their behavior.

Next Seminar on 10.05.2023

Written on 04.05.23 (last change on 10.05.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 10.05.2023 at 15:00 (Session A) and 14:00 (Session B).


Session A: (15:00-15:30)
Syed Taqi Abbas Rizvi

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B:… Read more

Dear All,


The next seminar(s) take place on 10.05.2023 at 15:00 (Session A) and 14:00 (Session B).


Session A: (15:00-15:30)
Syed Taqi Abbas Rizvi

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:00)

Johannes Hägele, Shayari Bhattacharjee

https://cispa-de.zoom.us/j/63099204861?pwd=dzV1emRJNXBicEl1bVVNUjE4WFBiUT09
(Temporary Link)

 

Session A:

15:00 - 15:30

Speaker: Syed Taqi Abbas Rizvi

 

No information provided.

 

Session B:

14:00 - 14:30

Speaker: Johannes Hägele
Type of talk: Bachelor Final
Advisor: Prof. Zeller
Title: Debugger Driven Input Grammar Mining on Embedded Systems
Research Area: RA5: Empirical and Behavioural Security
Abstract:
Automated security testing is indispensable for modern software development. Advances
in digitalization and the complexity of code bases increase potential attack vectors, so
that manual security testing or even auditing is impractical and insufficient. Fuzz testing
is a technique to automatically detect bugs in software. The first fuzzers fed random
inputs to the software under test but fail if the input structures are very complex or have
to pass a parsing stage. Generation-based fuzzing can overcome this barrier. Here input
specifications of the target program, are used to generate valid, or almost valid, random
test inputs.
However precise input specifications for programs are often outdated or even unavailable.
Automated generation of such precise input specifications is therefore a hot research topic.
In this work, we combine a set of sample inputs, software under test in binary format,
GDB the GNU Debugger, and the Mimid algorithm to automatically synthesize a human-
readable context-free grammar capturing the input language of the program under test.
The major benefit of our method is that it works in any environment with GDB access,
and therefore even on proprietary binaries in embedded systems or microcontrollers.

 

14:30 - 15:00

Speaker: Shayari Bhattacharjee

Type of talk: Master Final

Advisor: Dr.Nils Ole Tippenhauer, Prof. Martina Maggio

Title: Adversarial Robustness of Camera-Lidar based Multi-Sensor Fusion Architectures in Autonomous Driving

Research Area: RA4

Abstract:
Autonomous Vehicles(AV) have become a active research domain in the recent years. There have been significant contributions in the area of perception, planning and control using Machine Learning(ML) related to autonomous vehicles and recently, security concerns have also caught attention in the recent times owing to the development in the attacks on Machine Learning components. As a defense technique to counterfeit Adversarial ML attacks, Multi-Sensor Fusion(MSF) was proposed where inputs of multiple sensors present in the AV architecture are fused together to produce output with higher confidence. However, recently MSF scheme have also been shown vulnerable to certain attacks which is applicable to single or multiple sensor sources which causes system-wide effect and cause mispredictions or loss of accuracy.

In this thesis, first we conduct a study of various autonomous driving datasets and 2D/3D object detection frameworks. We also do a elaborate study of various attacks that have been used to attack image, point-cloud and multi-sensor fusion based detection frameworks. Furthermore, we test the various schemes of Camera-Lidar based Multisensor fusion based neural network against noise, corruptions and partial relay attacks.

In the course of the thesis, we developed and tested multiple versions of the attacks and evaluate them on the Camera-Lidar fusion frameworks in a black-box and white-box manner using KITTI validation dataset. This makes it possible to evaluate the success rate of the proposed attack on the various fusion schemes based on the fusion strategy, also evaluating the robustness of the fusion schemes against the proposed attacks.

Next Seminar on 26.04.2023

Written on 20.04.23 (last change on 26.04.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 26.04.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Niklas Flentje, Dominic Troppmann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 26.04.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Niklas Flentje, Dominic Troppmann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Nils Hagen

https://us02web.zoom.us/j/88284395516?pwd=Vk1sTzZpSmhYVmxvY3RsSHN2RUR3Zz09 (update)

 

 

Session A:

14:00 - 14:30

Speaker: Niklas Flentje


No information provided.

 

14:30 - 15:00

Speaker: Dominic Troppmann
Type of talk: Master Intro
Advisor: Dr. Cristian-Alexandru Staicu
Title: Trust is good, control is better: Shedding light on typing practices in gradually typed scripting languages.
Research Area: RA5
Abstract: In recent years, scripting languages, most notably JavaScript/TypeScript and Python, have gained a lot of traction, due to their ease of learning, ease of use, and the presence of large ecosystems of third-party packages and libraries. Another key feature of these languages is that, contrary to languages like C or Java, they do not use a static type system, which saves developers the significant effort of adding type annotations and affords faster prototyping and development. However, this usually comes at the cost of an increased number of typing-related bugs, which would otherwise be caught by a static typing system. Thus, to give developers "the best of both worlds" both TypeScript and Python feature a gradual type system, allowing developers to add optional type annotations/hints. These type annotations are checked at compile time, but not enforced at runtime, meaning that developers must implement type checks to enforce datatypes during runtime.

But does this happen in practice, or might developers even be fooled into thinking their scripts become type-safe by simply annotating them? This study aims to address this question and better understand typing-related practices. More specifically, we want to learn how much developers rely on type annotations/checks, where developers are most likely to implement them, as well as trying to discern whether type annotations/checks, or rather lack thereof, can be used as an indicator for typing related bugs and vulnerabilities. To this end, we develop a static analysis based on CodeQL, which we use to analyze several tens of thousands of real-world github projects.
With this work, we hope to provide sufficient evidence about the importance of implementing solid type checks, even in the presence of type annotation, for developers to continuously adopt safer programming practices.

 

Session B:

14:00 - 14:30

Speaker: Nils Hagen
Type of talk: Bachelor Intro
Advisor: Prof. Andreas Zeller, Leon Bettscheider
Title: Semantic fuzzing with I/O contracts
Research Area: RA5: Empirical and Behavioural Security

Abstract:

Grammar-based fuzzing with context-free grammars is a common technique to make fuzzers
more program-specific and to increase coverage. This has proven to be an especially
successful test generation method in black-box settings with target programs that require
highly-structured inputs. However, context-free grammars are limited to the expression
of syntactic constraints which makes them unsuitable for input/output affiliations (like
in a client/server architecture or other reactive systems) where input and output are
semantically linked. Most fuzzers therefore rely solely on generic test oracles for bug
detection that either detect program crashes or output on standard error ports.
To express more powerful oracles we additionally want to consider the aforementioned input-
output relations. In this work we present a method to describe these semantically linked
interactions through I/O contracts where syntactic and semantic properties are expressed
through intertwined context-free grammars (termed I/O grammars) and semantic ISLa
constraints. Furthermore, we show how to apply these methods in practice on a real-world
server implementation of the IRC protocol and compare them to traditional context-free
grammar-based approaches.

 
 

 

 

Next Seminar on 12.04.2023

Written on 11.04.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 12.04.2023 at 14:00 (Session A).


Session A: (14:00-15:30)
Leonard Niemann, Severin Engel, Syed Tagi Abbas Rizvi

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 12.04.2023 at 14:00 (Session A).


Session A: (14:00-15:30)
Leonard Niemann, Severin Engel, Syed Tagi Abbas Rizvi

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00 - 14:30

Speaker: Leonard Niemann
Type of talk: Master Intro
Advisor: Dr. Michael Schwarz
Title: Performance Counters Rethought: Actively Mitigating Microarchitectural Side-Channel Attacks
Research Area: RA3

Abstract:
In recent years, new microarchitectural side-channel attacks have been discovered regu-
larly, which has gained them popularity amongst researchers and criminals. These side
channel attacks leak secrets via metadata that is exposed through shared microarchitec-
tural building blocks. Defenses are lacking behind, as they typically require expensive
changes to the microarchitecture. Moreover, they are often overly specific to certain
types of attacks and only work against a subset of all attacks. Recent research proposes
using hardware performance monitoring counters for detecting attacks. However, none
of such approaches specifies the process after the detection has happened and thus they
do not prevent the leakage of data.
In this thesis, we present PMCDefender, which is a software-only toolkit for actively
mitigating a variety of microarchitectural side-channel attacks. While also relying on
performance monitoring counters, we present a synchronous way to immediately stop
the execution of a victim program, if an attack is detected. Thereby, we actively prevent
the leakage of data or at least limit the amount of data that can be leaked to be negli-
gible. We demonstrate that our approach works against multiple attacks and further
demonstrate its applicability in two real-world case studies. Based on the results we
conclude that active mitigation of microarchitectural side channel attacks works and
that our tool’s capabilities are sufficient to prevent the leakage of data.

 

14:30 - 15:00

Speaker: Severin Engel
Type of talk: Master Intro
Advisor: Dr. Nils Ole Tippenhauer & Dr. Ali Abbasi
Title: SatCom Security: Security Assessment of CCSDS Space Data Link Security & SDLS-EP
Research Area: RA3

Abstract:
Satellites provide both comfort services that affect many of us on a daily basis, such as GPS,
and critical infrastructure like military or emergency communication. Satellite communication
should be secured in order to protect these services from attacks. However, Russia's cyberattack
on Viasat terminals immediately preceding the beginning of the current Ukraine conflict proved
the possibility to compromise SatCom systems. It should be noted that those systems had known
open vulnerabilities that were not acted upon, which emphasizes the slow adaption of security in
satellite systems. Previously security was neglected on the premise that communicating with
satellites is only accessible to state-level actors. However, the growth of LEO constellations,
bringing satellites significantly closer to Earth and the development of software defined radios
made this assumption invalid.
To further emphasize the importance of SatCom security, space is not as spacious as it may sound
and both intentional and accidental satellite collisions occurred before. Such collisions create
thousands of debris pieces that will further increase the likelihood of collisions, which in a
catastrophic scenario may cause an unstoppable cascade of collisions known as the Kessler
Syndrome. Therefore satellite operators should avoid losing control and avoid attackers gaining
control of their satellites.

This project will be the first public independent security assessment of the state-of-the-art
SatCom security protocol CCSDS SDLS. The protocol is of high interest, as the committee CCSDS is
comprised of most major space agencies and the protocol SDLS is the only protocol providing CIA
guarantees to almost all types of traffic. We plan on creating an in-depth Design Review of the
protocol that will provide an insight in the protocol's security and will enable further
assessments.

 

15:00 - 15:30

Speaker: Syed Tagi Abbas Rizvi

No information provided.

Next Seminar on 29.03.2023

Written on 25.03.23 by Niklas Medinger

Dear All,


The next seminar(s) take place on 29.03.2023 at 14:00 (Session A).


Session A: (14:00-14:30)
Assiri Nassirou Karim

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00 - 14:30

Read more

Dear All,


The next seminar(s) take place on 29.03.2023 at 14:00 (Session A).


Session A: (14:00-14:30)
Assiri Nassirou Karim

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:00 - 14:30

Speaker: Assiri Nassirou Karim
Type of talk: Bachelor intro
Advisors: Dr. Cristian-Alexander Staicu & Dr. Dolière Francis Somé
Title: A study of the security and privacy implications of the use of third-party web push notifications
services
Research Area: RA5
Abstract:
Over the past few years, web applications have increasingly integrated service workers (SWs) to
enhance their users' experience. This feature is a fundamental part of a progressive web app (PWA) and
provides several benefits, including acting as a proxy for network requests, allowing offline caching,
and enabling web push notifications (WPNs). To take advantage of these features, websites may
delegate the task of WPNs to third-party services (TBS) such as OneSignal. However, researchers have
recently discovered that SWs can be exploited in several ways, including for phishing or social
engineering attacks using WPNs. Moreover, as online advertising has expanded, WPNs have emerged
as a viable method for delivering online ads, which can also be exploited by attackers to deliver
malicious ads. The main focus of this work will be on web push notifications (WPNs). Our primary
objective is to comprehend how WPNs operate by creating our push notification service. The study
aims to identify the TBS used by a large number of websites and analyze the notifications they send to
users. The research is motivated by the potential privacy and security implications of WPNs, as they
can be used to track users and expose them to malicious content. To achieve this goal, the research
design includes a web crawling process to collect data on the TBS used on the websites, followed by an
algorithmic analysis of the notifications sent by these TBS. What sets our work apart from previous
studies is our investigation into the process and timing of TBS subscribing users to notifications.

Next Seminar on 15.03.2023

Written on 11.03.23 (last change on 11.03.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 15.03.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Paul Krappen, Abduallah Imad Malallah, Emily Ries

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

Dear All,


The next seminar(s) take place on 15.03.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Paul Krappen, Abduallah Imad Malallah, Emily Ries

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Simon Anell

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

 

Session A:

14:00 - 14:30

Speaker: Paul Krappen
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: A deterministic and fast approach to reverse engineer the DRAM addressing function
Research Area: RA3

Abstract:

When processors access DRAM, memory cells that neighbor the accessed DRAM Row leak charge.
If enough charge is leaked, this can lead to bit flips in those memory cells.
When this was discovered, DRAM manufacturers implemented a mechanism that refreshes (reads and writes back immediately) the content of DRAM rows periodically.
This is sufficient for a normal operating computer system but researchers discovered, that specific memory access patterns circumvent this mechanism and thus can still be used to cause bit flips in meṁory.
This vulnerability is called Rowhammer and for it to be exploited, knowledge of how the processor maps physical addresses to DRAM locations is required.

To determine which location in DRAM a physical address maps to, CPUs have hardcoded functions depending on the Memory configuration of the system, which are for most systems undocumented.
Knowing this function can significantly improve Rowhammer attacks.
Thus researchers have worked on reverse-engineering it.
However, most approaches are non-deterministic, require physical access to the Hardware, or work only on specific CPUs of one manufacturer.

We aim to develop a framework for reverse-engineering the DRAM addressing function, that is deterministic, implemented fully in software, fast and works on both, ARMv8 and Intel Processors.
Additionally we want to investigate the applicability of this framework to AMD machines.

 

14:30 - 15:00

Speaker: Abdullah Imad Malallah
Type of talk: Bachelor Final
Advisor: Sven Bugiel
Title: Exploring API behaviour in android applications using Word2Vec
Research Area: RA4

Abstract: Most Android applications use services embedded in the mobile phone, e.g., WiFi,
Bluetooth, GPS, Camera, etc. These apps use those services via well-defined Android
application frameworks and SDK APIs. An application that uses these APIs could
retrieve sensitive and important information about the user or the device itself. For
example, the Location API provides the location of the user. APIs are practical and
add a lot of functionalities to Android applications, but they may get misused by those
applications as well.
The ability to verify whether an Android application performs as claimed has long been
a challenge for analysts. How do we know that an application uses these APIs in good
behavior? Does this application harm the privacy of the user, for example, by leaking
their location? The problem is not whether an app’s behavior fits a certain pattern or
not, but rather if the program behaves as promised. We use Android apps as a data set
for this work because of their market share and history of attacks. The main idea is to
cluster APIs based on their code context to detect outliers by using an NLP technique
called Word2Vec. To get the code context of APIs (from sources to sinks) we use a static
analysis tool called FlowDroid. Following the approach proposed in this work, we were
able to find normal and abnormal APIs. Most of the abnormal APIs were identified as
abnormal because of the code obfuscation.

 

15:00 - 15:30

Speaker: Emily Ries
Abstract:

As the usage of neural networks is pervasive in areas such as decision-making, it is
inevitable to ensure that their deployment does not lead to unfair treatment across
ethical groups. In order to make neural networks more accessible to average
consumers, they are required to be small in memory and complexity. Pruning algorithms
are helpful to fulfill these conditions. Although advanced pruning algorithms can
decrease model complexity while maintaining model accuracy, it is unclear whether the
pruned models show disparate impacts on different ethical groups. The purpose of this
Bachelor Thesis is to investigate the effect of pruning on model classification, especially
in the context of fairness.

 

Session B:

14:00 - 14:30

Speaker: Simon Anell

No information provided.

Next Seminar on 01.03.2023 (Updated: Session A starts at 14:30)

Written on 26.02.23 (last change on 27.02.23) by Niklas Medinger

Dear All,


The next seminar(s) take place on 01.03.2023 at 14:30 (Session A) and 14:00 (Session B).


Session A: (14:30-15:30)
Ahmad Hajy Omar, Moaz Airan

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,


The next seminar(s) take place on 01.03.2023 at 14:30 (Session A) and 14:00 (Session B).


Session A: (14:30-15:30)
Ahmad Hajy Omar, Moaz Airan

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-14:30)

Johanna Girndt

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

 

Session A:

14:30 - 15:00

Speaker: Ahmad Hajy Omar
Type of talk: Bachelor Intro
Advisor_1: Dr. Cristian-Alexander Staicu
Advisor_2: Dr. Dolière Francis Somé
Title: Web scrapping of Content Security Policy for Desktop and Mobile browsers with different browsers settings
Research Area: RA3

Abstract :
Content Security Policy (CSP) is one of the most important HTTP response headers that is
supported by most of the modern Mobile and Desktop-Browsers, it helps to improve the security of
web pages by restricting and detecting many types of attacks like the famous attack Cross Site
Scripting (XSS).
CSP play the role like an officer who gives the instructions how the browser can load things like
sources throw a specific directives with specific values.
Unfortunately the csp header can be affected by multiple reasons like the user agent, for example
visiting a website with tow different devices i.e. Samsung device and iPhone device might lead us to
see tow different csp headers with two different level of safety, moreover the various browsers and
the various browser versions can cause the same problem as previously.
We aim to collect more information and results by running tests using playwright method to scrape
the response headers and search for the content security policy header and even searching in the
meta tag for the csp by visiting a large set of ulrs (especially the famous urls) using different user
agents and devices with different viewports and different types of browsers with various versions.
We will run the tests on different operating systems (windows, ubuntu and mac ), at the end we want
to compare the results and analyze them to find out which is the most reason that cause or lead to
different csp headers with different level of safety options and if there is a solution to avoid this
problem.
 

15:00 - 15:30

Speaker: Moaz Airan
Type of talk: Bachelor Intro
Advisor: Dr. Cristian-Alexandru Staicu
Title: Exploring User Data Protection Provided by Firefox-based Web Browsers
Research Area: RA3
Abstract: User sensitive data stored by browsers should be properly secured and protected from stealing attacks such as cross-site scripting (XSS) for stealing cookies and Man-in-the-Middle attack for stealing passwords. Browsers implement different security mechanisms and encryption algorithms to manage eliminating these types of attacks, where the attacker try to steal data from a running browser session on the victim machine, in other words the attacker is connected "online" to the victim. A different way to reach the sensitive data is if a malware was installed on the user machine. This opens a lot of possibilities to steal and manipulate the data "offline" directly from the victim machine bypassing most of the protection provided by browsers. This thesis explores different exploitations and methods that could lead to leaking sensitive data like passwords and session tokens. Focusing on Firefox-based browsers, we also examine how the user data gets stored and how these browsers interact with operating systems, in our case it's Windows.

 

Session B:

14:00 - 14:30

Speaker: Johanna Girndt
Type of talk: Bachelor Final
Advisor: Prof. Andreas Zeller, Dr. Dominic Steinhoefel
Title: Conversion of ISLa Constraints into Binary Templates
Research Area: RA5
Abstract:
Grammar-based fuzzing is an effective method to generate structured inputs for testing programs. Efficient fuzzers exist for this purpose, but they are usually not precise enough since context-free grammars are not sufficient to specify all input formats. To overcome this lack of precision, the input description language ISLa was built. It is easy to adapt for developers, due to the fact that it is based on context-free grammars, but the existing ISLa solver has a slow working speed.
In turn, the grammar-based fuzzer and parser generator Format Fuzzer is much more time efficient, but the binary template language used by Format Fuzzer is complicated for humans to write.
In order to provide both, a commonly accepted way to describe a broad variety of input formats and provide efficient file generation, this work is dedicated to the translation of ISLa constraints to binary template language based on an existing LL1 parser generator that generates binary templates from context-free grammars.
For the presented tool, the tests have shown that the structure of the constraint and the language used have a large impact on the generation speed, but that the generated files cover a high number of k-paths in every test case.

 

We investigate whether Trusted Execution Environments (TEEs) can be used to protect motor control code in the presence of parallel running attacker code. We focus on analyzing the feasibility of detecting manipulation and whether it is possible to guarantee that the system can terminate its operation in a safe state in response to these manipulations. Additionally, we discuss a proof-of-concept implementation of motor control code and monitoring code protected by ARM Trustzone.

Next Seminar on 15.02.2023

Written on 10.02.23 (last change on 10.02.23) by Niklas Medinger

Dear All,

The next seminar(s) take place on 15.02.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-14:30)
Tim Recktenwald

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B:… Read more

Dear All,

The next seminar(s) take place on 15.02.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-14:30)
Tim Recktenwald

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session B: (14:00-15:30)

Daniel Berresheim,  Osama Altamar, Kristian Metzler

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

 

Session A:

14:00 - 14:30

Speaker: Tim Recktenwald
Type of talk: Bachelor Final
Advisor: Dr. Giancarlo Pellegrino
Title: Chikara: Combining Web Application Crawling With Forced Execution
Research Area: 5

Abstract: The modern web continues to evolve in a rapid pace, with web applications becoming ever-more-complex pieces of software. While users are relying on online services on a daily basis, their scale makes them increasingly prone to security vulnerabilities. Due to their automated vulnerability detection capabilities, web application scanners hence play an important part in keeping up with this development. These tools are, however, strongly dependent on the effectiveness of their crawling component.

At the same time, prior research works have showcased the successful application of forced execution, a dynamic code analysis technique, to related areas of web security. Yet, the integration of forced execution into web crawling has not been studied thus far. Motivated by this, we design and implement Chikara, a novel web application crawler that selectively applies forced execution analysis to guide its exploration process. Based on its development, we identify the collection of event handler code as one of the underlying key challenges of our approach.

Moreover, we evaluate the impact of our forced execution strategy by comparing Chikara’s code and URL coverage to the state-of-the-art scanner Black Widow. According to our measurements, we find that Chikara mostly exhibits a lower total coverage than its competitors. Nevertheless, the code coverage reports show that our forced execution approach discovers a small set of server-side code branches missed by the other crawlers. Our analysis reveals that the code snippets are partly related to error handling functionality. With these findings, we address a former research gap in web application crawling and lay the foundation for future work involving forced execution.

 

Session B:

14:00 - 14:30

Speaker: Daniel Berresheim
Type of talk: Bachelor Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Protecting Motor Control Firmware against Manipulation
Research Area: RA3
Abstract: The firmware used to control vehicles is becoming increasingly complex, as devices are connected to the internet through Wi-Fi, Bluetooth, or peripherals and can receive firmware updates. This creates various new opportunities for attackers to compromise these devices. Furthermore, those physical devices can even become the target of the hardware owners themselves, which aim to tune their vehicle to exceed the legal speed limit enforced by the firmware. With so many components that need to be individually protected, it becomes important to implement security measures that ensure safety even if an attacker successfully breaches the security of the OS or Kernel.

We investigate whether Trusted Execution Environments (TEEs) can be used to protect motor control code in the presence of parallel running attacker code. We focus on analyzing the feasibility of detecting manipulation and whether it is possible to guarantee that the system can terminate its operation in a safe state in response to these manipulations. Additionally, we discuss a proof-of-concept implementation of motor control code and monitoring code protected by ARM Trustzone.

14:30 - 15:00

Speaker: Osama Altamar
Abstract
Dynamic analysis of chrome extensions is crucial for evaluating the security of these
software programs as it analyzes their behavior during runtime. This method enhances
the effectiveness of static analysis by detecting malicious behavior and vulnerabilities that
may not be immediately apparent.This presentation highlights the importance dynamic
analysis in evaluating the security of chrome extensions.
I will also outline my methodology for implementing the dynamic analysis tool, which
involves injecting code into the extension components to collect data which will be
analyzed to identify potential vulnerabilities or malicious behavior. The tool will allow
for a comprehensive evaluation of the extension’s security, including Universal XSS
vulnerabilities, and its behavior under different conditions. The main steps involved in
dynamic analysis are acquiring the extension, setting up the environment, analyzing the
code, executing the code, and finally, analyzing the results.

15:00 - 15:30

Speaker: Kristian Metzler

Title: Swapping Coins Privately

Type: Bachelor intro

Abstract
You may have used or heard of atomic swaps if you have ever used cryptocurrencies. These protocols, as the name implies, are used to exchange coins, typically between two different blockchains,
without the use of a centralized intermediary (with full control of the coins). As a result, atomic swaps have become extremely important in the world of cryptocurrencies.
Even though they are extremely valuable, they are not without flaws. The majority of atomic swap protocols can only be used with blockchains that support scripts or contracts.
They also do not guarantee privacy. Sweep-UC was created to address these shortcomings. It is a novel protocol that allows coins to be exchanged between ledgers in a fair and private manner
without the use of special scripts or contracts.
The goal of this work would be to implement this protocol and then evaluate its practicability and performance using that implementation.

Next Seminar on 01.02.2023

Written on 27.01.23 by Niklas Medinger

Dear All,

The next seminar(s) take place on 01.02.2023 at 14:30 (Session A).


Session A: (14:30-15:00)
Julian Biehl

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session A:

14:30 - 15:00

Speaker:… Read more

Dear All,

The next seminar(s) take place on 01.02.2023 at 14:30 (Session A).


Session A: (14:30-15:00)
Julian Biehl

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=


Session A:

14:30 - 15:00

Speaker: Julian Biehl
Type of talk: Master Final
Advisor: Dr. Robert Künnemann
Title: Translating Multiset Rewrite Rules to ProVerif
Research Area: RA2

Abstract: Protocol verification tools are a means of modeling security protocols and checking whether they fulfill the desired security guarantees. One popular example for such a tool is Tamarin, which relies on multiset rewrite rules to model protocols. Another popular tool is ProVerif, where protocols are modeled in a process calculus. Since ProVerif is generally known to be very efficient, the question arises if the tool could perhaps be used to analyze some Tamarin models faster than Tamarin itself, provided a translation of those models. Translating MSR rules to ProVerif is not straightforward, but possible using some abstractions. In this thesis, we propose such a translation, implemented as an extension to Tamarin. We will also evaluate our translation using a variety of protocol models which were already written for Tamarin and compare the performance of the two.

Next Seminar on 18.01.2023

Written on 13.01.23 by Niklas Medinger

Dear All,

The next seminar(s) take place on 18.01.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Ali Alhasani, Hong-Thai Luu

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B:… Read more

Dear All,

The next seminar(s) take place on 18.01.2023 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Ali Alhasani, Hong-Thai Luu

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (14:00-15:00)

Philip Decker, Franziska Granzow

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00 - 14:30

Speaker: Ali Alhasani
Type of talk: Master final
Advisor: Marius Smytzek
Title: Alhazen combined with statistical debugging
Research Area: RA1

Abstract:
Debugging programs has proven to be a challenging task. It requires a precise understanding of the failure’s circumstances, such as when the failure occurs and when it does not. Knowing these circumstances is necessary to solve the root causes of the failure. Alhazen is a promising fault diagnosis approach to address this issue automatically.

Alhazen performs two main tasks. First, it predicts whether an input will fail or not based on a decision tree model. Second, it generates more failure-causing inputs, to identify the circumstances under which the bug occurs. For these two tasks, Alhazen’s learner uses features related to the input to predict the bug or no-bug outcome.

However, Alhazen does not consider features related to the program execution, thus limiting the power of its fault-prediction capability and making Alhazen unable to identify runtime circumstances associated with program behavior. In this thesis, we propose a new solution to enhance Alhazen prediction by learning additional features over statistical debugging predicates derived from program runtime events. Besides we evaluate how learning event features enrich Alhazen.
In this work, we used SElogger to extract program runtime events. These events report a software’s progress and its essential data during the execution time. In addition, we applied statistical debugging to extract predicates from these program runtime events.

As a result, we see that our approach can identify possible fault locations in the code, the inputs associated with the fault, and hint at possible fixes. We believe that Alhazen’s hypotheses on the circumstances under which the program behavior occurs can be extended even beyond input features and program execution events to give additional hints on the root causes of failures.

 

14:30 - 15:00

Speaker: Hong-Thai Luu
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Title: Usages and Misuses of Crypto APIs in JavaScript
Research Area: RA5: Empirical and Behavioural Security
Abstract: Cryptographic APIs are used in a wide range of software project. In JavaScript applications, they are used on both client-side, and server-side. Keeping track of usages of cryptographic APIs become more and more difficult, due to the increasing amount of project and the number of different crypto libraries. Also, using these libraries is not a trivial task, due to the complexity of certain functions, as well as the lack of documentation and code examples. Developers tend to misuse them in a way that introduces vulnerabilities in the application by using broken hash function for storing passwords, hard-coding keys in the source code and so on. Besides the crypto module of NodeJs and the Web Cryptography API that is mainly used for client-side applications, there are many third party implementations of crypto APIs. In this work, we analyze about 50000 GitHub repositories as well as 160000 websites in order to investigate their crypto API usages (i.e. which APIs and what functionalities are used). But also hunt for misuses in these projects. For the analysis, we extend GitHub's static analysis tool CodeQL by additional queries in order to find usages of certain crypto APIs and also to find misuses of the NodeJs crypto module and of the Web Cryptography API.

 

Session B:

14:00 - 14:30

Speaker: Philip Decker

No information provided.

 

14:30 - 15:00

Speaker: Franziska Granzow
Type of Talk: Bachelor Intro
Advisor: Dr.-Ing. Ben Stock
Title: Messaging private data: Leakage of sensitive data via postMessage handlers after login
Research Area: RA5

Abstract:
Modern websites usually contain content from multiple origins, so often cross-origin communication is needed to make the different parts work together. However, by default, this is prevented by the Same-Origin-Policy, which disallows two documents with different origins to access each other. So the postMessage API was introduced to allow a controlled way for cross-origin communication. The API provides the means to check for integrity & confidentiality, but these checks are not mandatory. In case they are missing or incorrect, vulnerabilities can occur, e.g., cross-site-scripting, storage alteration, privacy leakage and more, which various works have studied.

However, none of the prior works did their analyses in an authenticated context. As user data is often only present after login, we want to study how many postMessage handlers leak sensitive data after login. Therefore we aim to collect postMessage handlers specified on websites in the wild in an authenticated context and check whether they can leak data to unauthorized parties. In case of a leakage, we also analyze what kind of data is leaked and whether it is sensitive concerning a user's privacy.

Written on 02.01.23 (last change on 02.01.23) by Niklas Medinger

Dear All,

The next seminar(s) take place on 4.1. at 14:00 (Session A).


Session A: (14:30-15:00)
Johannes Haegele

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session… Read more

Dear All,

The next seminar(s) take place on 4.1. at 14:00 (Session A).


Session A: (14:30-15:00)
Johannes Haegele

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B:

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:30 - 15:00

Speaker: Johannes Hägele
Type of talk: Bachelor Intro
Advisor: Prof. Zeller
Title: Debugger Driven Input Grammar Mining on Embedded Systems
Research Area: RA5: Empirical and Behavioural Security
Abstract:
Automated security testing is indispensable for modern software development. The sheer
scope of digitization and complexity of code bases increase potential attack vectors, so
that manual security testing or even auditing is impractical and insufficient. Therefore a
technique called fuzz testing was invented to automatically detect bugs in software. The
first fuzzers fed random inputs to the software under test but fail if the input structures
are very complex or have to pass a parsing stage. This is when generation-based fuzzing
has its finest hour. Here we utilize input specifications of the target program, to generate
valid or almost valid randomized test inputs.
However precise input specifications for the software under test are often outdated or
even unavailable. Automated generation of such precise input specifications is therefore
a hot research topic. In this work, we combine a set of sample inputs, a software under
test in binary format, the reverse engineering tool Ghidra, GDB the GNU Debugger
and the Mimid algorithm to automatically synthesize a human-readable context-free
grammar capturing the input language of the program under test. The major benefit of
our method is that it works in any environment with GDB access, and therefore even on
proprietary binaries in embedded systems or microcontrollers.

Written on 17.12.22 by Niklas Medinger

Dear All,

The next seminar(s) take place on 21.12. at 14:30 (Session A) and 14:00 (Session B).


Session A: (14:30-15:00)
Timon Ulrich

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (14:00-14:30,… Read more

Dear All,

The next seminar(s) take place on 21.12. at 14:30 (Session A) and 14:00 (Session B).


Session A: (14:30-15:00)
Timon Ulrich

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (14:00-14:30, 15:00-15:30)
Kevin Theobald, Tobias Risch

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:30-15:00 

Timon Ulrich
Master Final
Dr. Rebekka Burkholz
Continuous Sparsification for Strong Lottery Tickets
RA1
 

Abstract:
In a usual neural network training refers to adjusting the weights over multiple epochs in order to obtain a good performance. In rather recent works the Strong Lottery Ticket Hypothesis was established as a way to obtain competitive networks by simply pruning a randomly initialized network, leaving the weights at their initial values. Proposed in the original paper, the popular pruning algorithm to find these competitive networks so far has been edge-popup. Even though there have been made adjustments to improve this algorithm, it still requires a sparsity value as an input. This entails the cumbersome work of running the algorithm multiple times with different sparsity values in order to find a network as sparse as possible without sacrificing too much performance. In my thesis I propose an algorithm which by itself learns the sparsity of the network and delivers better results than even the previously mentioned improved edge-popup.

 

Session B:

14:00-14:30

Speaker: Kevin Theobald
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: How Test Sets Influence Automatic Program Repair
Research Area: RA4

Abstract:

Automatic program repair is a technique to automatically fix software defects by finding, analyzing and fixing the defects. After each iteration in the technique, automated program repair generates a possible patch, which needs to be verified. This verification process is done by a test suite. There are two colliding interests about the size of the test suite. On the one side, if the test suite has no or too few test cases, the result of the automatic program repair technique is inapplicable. On the other side, if the test suite is too large, the runtime of the automatic program repair technique is unfeasible.

In this study, I want to investigate on what a test suite needs to be a suited candidate for automatic program repair. I use established techniques from test generation to create various test suites and investigate on how automatic program repair behaves on these test suites.

I want to find out if there exists a minimum or maximum size of test suites, which still produces a qualitative fix in automatic program repair.

The results of my study could help to improve automatic program repair by providing a reasoning about the trade between the quality of a fix and the runtime of automatic program repair.lts of my study could help to improve automatic program repair by providing a reasoning about the trade between the quality of a fix and the runtime of automatic program repair.

 

15:00-15:30

Speaker: Tobias Risch
Type of talk: Bachelor Final
Advisor: Prof. Dr. Andreas Zeller
Title: Fuzzing x509 Certificates
Research Area: 1,5

Abstract:
 

With the growing popularity of the usage of x509 certificates for identification came the increasing necessity for validating these certificates. This necessity led to the creation of multiple implementations for certificate checking. To ensure that these implementations work correctly, they need testing. As x509 certificates are highly complex structures, their generation for testing is quite a costly task. The usage of fuzzing to generate these certificates reduces the effort significantly as, once an appropriate fuzzer is created, the generation of certificates can be automated. However, simple fuzzing won't be sufficient to generate correctly formatted certificates.
This problem lead to the first main goal of my thesis: To be able to generate correctly formatted certificates automatically, we used FormatFuzzer to create a format-aware fuzzer for x509 certificates. FormatFuzzer is a tool, that was released in 2021 by Andreas Zeller, Rahul Gopinath and Rafael Dutra. It enables the user to create format-aware fuzzers for any arbitrary file format, as long as there is a binary template that describes the format.

The second goal of the thesis was to proove that the fuzzer is actually able to generate valid certificates as well as invalid ones (but all correctly formatted). We were able to achieve this goal by performing differential testing on four different SSL clients.

This talk will explain the implementation of the binary template for x509 certificates. Further, it will present the result of the differential testing process.

Next Seminar on 07.12.2022

Written on 01.12.22 by Niklas Medinger

Dear All,

The next seminar(s) take place on 07.12. at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Divesh Kumar, Antonios Gkiokoutai, Vinay Tilwani

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode:… Read more

Dear All,

The next seminar(s) take place on 07.12. at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:30)
Divesh Kumar, Antonios Gkiokoutai, Vinay Tilwani

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (14:00-14:30, 15:00-15:30)
Paul Frerichs, Birk Blechschmidt

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Divesh Kumar
Type of Talk: Master Intro
Advisor: Dr. Mridula Singh
Title: Study of object detection in automated driving systems
Research Area: RA4 (Secure Mobile and Autonomous Systems)


Abstract:

Autonomous vehicles (AV) are adopting the use of LiDAR sensors in order to better understand their surroundings. LiDARs provide a 3D view of objects around it and are also capable of providing 360 degrees data, this makes them a good fit for use in an autonomous vehicle. In this thesis we focus on perception part of AV driving systems. Cameras have been a major part of perception system in AV driving systems but happen to be easily spoofed, thus severely impacting the safety of such systems. LiDARs use wavelengths which are invisible to human eye, however attackers are inventing newer ways to manipulate LiDARs. In this thesis we wish to study the spoofing/blinding attacks on AV driving systems using LiDAR only perception and also combination of LiDAR and Camera/other sensor-based perception.
In a LiDAR spoofing attack, the attacker can use a transmitter with same wavelength laser and with open-source knowledge regarding LiDAR, can try to spoof some points, with goal of creating an artificial object in the space or try to make a real object seem closer or farther. Recent research proves that such attacks are possible and propose counter measures like averaging measurements, using different wavelengths inside LiDAR etc. However, such techniques are expensive or reduce the frequency of data received from LiDAR.
We wish to design new attacks and correspondingly lightweight defense mechanisms for adversarial attacks on LiDARs, for prevention against the state-of-the-art attacks that exist. To prove the effectiveness of attack/defense system an end-to-end study on AV driving system like Apollo by Baidu will be conducted.

 

14:30-15:00

Speaker: Antonios Gkiokoutai
Type of talk: Bachelor Final
Advisor: Dr. -Ing Ben Stock
Title: Temporal Analysis of the Security of Browser Extension Updates
Research Area: 5

Abstract:

Browser extensions have in recent years become very popular, with thousands of downloads
across different platforms. To be able to execute their tasks and improve user experience on
the web, they require access to special APIs. Example APIs include accessing the users
browsing history, or sending / intercepting network requests. Because of the nature of those
APIs being very powerful, access to them is restricted through permissions, which need to be
explicitly requested in the extensions manifest.

Similarly to the mobile ecosystem, it is recommended for extensions to request only
necessary permissions as per the Principle of Least privilege, meaning only the minimum set
of permissions that they absolutely need to carry out their tasks. However, past studies have
shown that extensions often request more permissions than they need. At the same
time, many permissions are coarse-grained and provide little information about their
capabilities to the user.

While all major browser vendors claim to review updates of extensions before releasing them, a
recent study confirms that many undetected malicious extensions turned malicious after
some update. This means the review process often fails to detect insecure updates. We would like to conduct a large-scale study on the Chrome Web Store across multiple versions of existing extensions. Key questions that
we want to answer are the following:
•- How often do extensions update and what is the nature of those updates?
•- Are permissions over-requested, and if so to what extent?
•- Finally, how can we detect updates that introduce changes with direct and critial security implications in the wild? How prevalent are such updates?

 

15:00-15:30

Speaker: Vinay Tilwani

 

No information provided.

 

Session B:

14:00-14:30

Speaker: Paul Frerichs
Type of talk: Bachelor Final
Advisor: Dr. Sven Bugiel, Prof. Dr. Andreas Zeller
Title: Local biometric prompt phishing on android devices
Research Area: 4


Abstract:
Mobile devices are treasure troves of critical data, making them an attractive target for attacks.
Even the implementation of hardware and software-based countermeasures by the manufacturers to protect the users and their data cannot prevent this.
Against malware impersonating the user, the device's integrity can only be guaranteed through user authentication.
Biometric authentication appears to be an answer to this problem.
Since this form of authentication is perceived as easy to use and secure, it seems optimal for mobile devices.
On the Android platform, biometric authentication is specially protected, and its integrity is still granted even if the OS is corrupted.
This circumstance makes it difficult for potential attackers to access resources secured by biometric authentication.
An attacker must therefore find a way to bypass the authentication.
Phishing is a possible option.
So the question is whether it is possible to carry out successful phishing attacks on biometric authentication.
To answer this question, we decided to test the chances of success of different phishing strategies against users in their typical environment, i.e., on their own device.
To avoid confirmation bias, we decided to design a deception study.
Participants are led to believe they are taking part in a study that examines their stress and mood levels in relation to physical activity and smartphone use.
At the beginning of the study, they have to install an app on their device.
This app will then simulate phishing attacks during the course of the study.

 

15:00-15:30

Speaker: Birk Blechschmidt
Type of talk: Master Final
Advisor: Dr.-Ing. Ben Stock
Title: Extended Hell: A Study on the Current Support of Email Confidentiality and Integrity
Research Area: RA5

Abstract:
The core specifications of electronic mail as used today date back as early as the 1970s. At that time, security did not play a major role in the development of communication protocols. These shortcomings still manifest itself today in the prevalence of phishing and the reliance on opportunistic encryption. Besides STARTTLS, various mechanisms such as SPF, DKIM, DMARC, DANE and MTA-STS have been proposed. However, related work has shown that they are not supported by all providers or that misconfiguration is common.

This thesis aims to provide an overview on the current state of email confidentiality and integrity measures and the effectiveness of their deployment. In particular, we investigate the support of security mechanisms by popular email providers, thereby validating and extending previous work. Since MTA-STS has not yet been widely studied, we contribute an overview on the outbound support of MTA-STS. Furthermore, we find a lower bound of domains supporting DANE bindings for OpenPGP as well as DNSSEC-associated S/MIME certificates and measure their key strength.

Next Seminar on 23.11.2022

Written on 18.11.22 (last change on 18.11.22) by Niklas Medinger

Dear All,

The next seminar(s) take place on 23.11. at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Christian Schumacher, Fabian Thomas

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session… Read more

Dear All,

The next seminar(s) take place on 23.11. at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00-15:00)
Christian Schumacher, Fabian Thomas

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (14:00-15:30)
Paul Krappen, Ryan Aurelio, Metodi Mitkov

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Christian Schumacher
Type of talk: Bachelor Final Talk
Advisor: Dr. Nils Ole Tippenhauer, Dr. Cristian-Alexandru Staicu
Title: Security Analysis of IoT Devices and Vulnerable User Notification
Research Area: RA3

Abstract:
IoT devices are becoming more and more common in everyone's daily lives. With every new device, the chance them being wrongly configured or outdated rises. I analyzed smart home devices (predominantly security cameras and routers) and checked their currently implemented security features by inspecting their interfaces and manuals with a focus on passwords. In addition, I looked at this from a usable security standpoint to see if the manufacturers could help reduce the amount of poorly secured devices by implementing known security ideas. I looked at different solutions, investigated systematically and analyzed what they would accomplish for the respective device.

Furthermore, I address the question, "How could someone contact affected people of wrongly configured outdated or infected devices?". A security researcher would usually only have the IP address of the affected device. What are the steps one has to go through to contact the owner? Is it even possible to reach them knowing only their IP, and how have other researchers dealt with the problem of reaching people with compromised devices in the past?

 

14:30-15:00

Speaker: Fabian Thomas

No information provided.

 

Session B:

14:00-14:30

Speaker: Paul Krappen
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: A deterministic and fast approach to reverse engineer the DRAM addressing function
Research Area: RA3

Abstract:

When processors access DRAM, memory cells that neighbor the accessed DRAM Row leak charge.
If enough charge is leaked, this can lead to bit flips in those memory cells.
When this was discovered, DRAM manufacturers implemented a mechanism that refreshes (reads and writes back immediately) the content of DRAM rows periodically.
This is sufficient for a normal operating computer system but researchers discovered, that specific memory access patterns circumvent this mechanism and thus can still be used to cause bit flips in meṁory.
This vulnerability is called Rowhammer and for it to be exploited, knowledge of how the processor maps physical addresses to DRAM locations is required.

To determine which location in DRAM a physical address maps to, CPUs have hardcoded functions depending on the Memory configuration of the system, which is for most systems undocumented.
Knowing this function can significantly improve Rowhammer attacks.
Thus researchers have worked on reverse-engineering it.
However, most approaches are non-deterministic, require physical access to the Hardware, or work only on Intel CPUs.

We aim to develop a framework for reverse-engineering the DRAM addressing function, that is deterministic, implemented fully in software, and also works on AMD and ARMv8 Processors.
 

14:30-15:00

Speaker: Ryan Aurelio
Type of talk: Bachelor Intro
Advisor: Dr. Giancarlo Pellegrino, Andrea Mengascini
Title: Exploring the Metaverse's Privacy and Security
Research Area: RA5

Abstract: Metaverse is a virtual world that allows users to interact with each other using Virtual Reality (VR) technology. VR enables users to experience the virtual world using devices that track their body movement. Metaverse and VR have become more popular over the years, increasing the privacy and security risks in this area. One example of those risks is a malicious user who tries to listen to some private conversations of other users.

This thesis will explore possible attacks that could be applied to the metaverse platforms and see which could threaten users. First, we collect the data to determine the market of VR and find which metaverse platforms are more popular. Then, we provide possible attack ideas on these platforms and categorize them. We will try to implement these potential attack ideas and simulate each of them on the metaverse platforms. We will then see which of these attacks can be a threat to the users.

 

15:00-15:30

Speaker: Metodi Mitkov
Type of talk: Bachelor Final
Advisor: Dr. -Ing Ben Stock
Title: Pre-and Post-Login Security Inconsistencies on the Web
Research Area: 5

The Web offers immense capabilities and interactivity but constantly grows in complexity. Developers struggle to employ security policies and often take shortcuts, weakening thesite’s security in the long run. Researchers frequently find inconsistencies in the employedsecurity headers, even on popular sites.
Sites offer different security policies based on factors such as the user’s location or browser. Researchers have found that not all policies are secure, causing some users to be protected while others are not. A factor that remains to be investigated is the authenticated context. Logged-in users have access to different resources, which requires different security considerations.
We investigate the differences in security headers between pre-and post-login pages. Using our automated crawling framework, we highlight inconsistencies in the employment of security mechanisms. We study popular sites and show several issues between pre-and post-login security headers. While these inconsistencies do not translate to a vulnerability directly, they weaken the sites’ ability to protect users against attacks on the Web.

No next Seminar on 9.11.

Written on 02.11.22 by Philip Lukert

Dear all,

next wednesday, there will be no seminar as there are no talks to be held.

Enjoy your free time:)

Best, Philip

Next Seminar on 26.10.2022

Written on 19.10.22 by Philip Lukert

 

Dear All,

The next seminar(s) take place on 26.10. at 14:00 (Session A) and 15:00 (Session B).


Session A: (14:00-15:30)
Tim Recktenwald, Ulysse Planta, Rayhanul Islam Rumel

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Read more

 

Dear All,

The next seminar(s) take place on 26.10. at 14:00 (Session A) and 15:00 (Session B).


Session A: (14:00-15:30)
Tim Recktenwald, Ulysse Planta, Rayhanul Islam Rumel

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B: (15:00-15:30)
Yannick Ramb

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$


Session A:

14:00-14:30 

Speaker: Tim Recktenwald
Type of talk: Bachelor Intro
Advisor: Dr. Giancarlo Pellegrino
Title: Chikara: Combining Web Application Crawling With Forced Execution
Research Area: 5

Abstract: Due to their ease of use, web application scanners are a popular choice when it comes to securing the web. Most of them take a blackbox approach, i.e., they do not require any prior knowledge about the tested application. To this end, blackbox scanners generally include a crawler to explore the states of a web application in an automated fashion. However, crawling modern web applications is by no means a trivial task: Whereas websites used to be completely static in the early days of the Internet, the adoption of JavaScript has rendered the client-side highly dynamic and increasingly complex.

The crawling approaches proposed in previous research works may not exercise all branches in the event handler code. This poses the question whether the deployment of advanced program analysis techniques could be a viable strategy in crawling. In particular, forced execution allows to run code irrespective of branch conditions by manipulating their outcome.

Although other works illustrate the remarkable potential of forced execution in rather narrowly defined areas of web security, the technique has not yet been studied in the more general context of web application scanning. Therefore, this thesis will explore how forced execution can be meaningfully integrated into web application crawling. Secondly, we will examine whether our method improves application coverage compared to existing approaches.

 

14:30-15:00

Speaker: Ulysse Planta
Type of talk: Bachelor Final
Advisor: Michael Schwarz
Title: Frequency Side-Channels on AMD Processors
Research Area: RA3

Abstract:

Traditionally, power side channels were limited to an attack model with full physical access
and external hardware to measure the power consumption of the system under attack. With the
addition of software interfaces like RAPL, software-only power side channels became feasible.
As a reaction to this new category of attacks, CPU vendors lowered the precision of reported energy
consumption and operating systems restricted access to energy measuring interfaces to
privileged programs only. Because modern processors continuously vary their operating
frequency depending on the workload, temperature, and energy constraints, we can draw a
conclusion about the type of workload solely from the frequency that the processor is operating at.
Using the RDPRU instruction introduced by AMD with its Zen 2 microarchitecture, an unprivileged
attacker can access two different processor internal registers, yielding a primitive, that allows for
frequency measurements with previously unreachable temporal resolution.

We investigate the resulting side channel on recent AMD processors to see what an attacker can
infer from frequency measurements on these processors and how these attacks can be mitigated.
In this talk we discuss the results of experiments and present the case studies performed.

 

 

15:00-15:30

Speaker: Rayhanul Islam Rumel
Type of talk: Master Final
Advisor: Prof. Yang Zhang
Title: Linking Attack Against Machine Learning Models
Research Area: RA1

Abstract: Popular internet services such as image and voice recognition, online video sharing, social media, and natural language translation use machine learning as part of their
services. Many popular companies e.g. Facebook, YouTube, Google use machine learning internally to improve marketing and advertising, offer products and services to customers, and
better understand the data generated by their business operations. Machine learning models can be considered confidential due to sensitive training data, economic value, or use in
security applications. Confidential ML models are increasingly provided with publicly available query interfaces.

On the other hand, big corporations have already begun to merge. Meta Inc., for example, currently owns Facebook, Instagram, and WhatsApp. However, these businesses are not
permitted to freely exchange their user data with one another to improve their own services. WhatsApp, for example, has signed an agreement indicating that it would not share any
EU user data with Facebook and will only transfer data in compliance with the General Data Protection Regulation (GDPR).

Taking all of these considerations into account, we develop a method on which we conduct linking attack for determining whether or not various machine learning models are using the
same data. The attacker's goal in linking attacks is to characterize sensitive information about a group of individuals using a specific dataset. In our case, we aim to learn
whether the models are using the same train set using a probe set. The study computes the area under the curve (AUC) to determine whether or not two models use a similar
train set. If the AUC is close to one, we may assume that these models used similar train sets. We can presume that two models used similar train sets if the AUC is close to one.
In each experiment, we train the target models (ML models that are being compared with the base model) and our base model (a model with which we compare the target models)
using data from the same distribution. We considered the ml models ResNet 18, MobileNet V2, and VGG16 along with the datasets MNIST and Cifar10 to conduct a
total of 12 experiments. Since we are using train data from the same distribution to train all of our ML models in an experiment, we anticipate a high AUC score. It’s interesting
that we had high AUC values in every experiment, and they were all quite near to one.

 

Session B:

15:00-15:30

Speaker: Yannick Ramb
Type of talk: Master Intro
Advisor: Prof. Dr. Thorsten Holz
Title: TDVFuzz - Fuzzing Intel's Trust Domain Virtual Firmware
Research Area: 3

Abstract:
With the rapid digital transformation and the dramatic rise of cloud computing over the
last decade, more and more businesses utilize cloud services to outsource their own
data and services. Despite the many advantages of this trend, there still is one major
obstacle: one must trust the Cloud Service Provider and its infrastructure. This is
particularly problematic for any business working with sensitive or proprietary data,
as Cloud Service Providers have technical capabilities to obtain and manipulate data
inside their virtual machines. To mitigate this situation, Intel developed Trust Domain
Extensions (TDX) - a novel set of architectural extensions for isolating guest VMs - called
Trust Domains (TD) - on a hardware level from an untrusted hypervisor and any other
non-Trust-Domain software on the platform.
Although designed with security in mind and extensively tested, TDX may contain
unexpected flaws and vulnerabilities. One component where such issues might occur
is the Trust Domain Virtual Firmware (TDVF), which is the TDX-aware pendant to
UEFI, i.e. the firmware that sets up the underlying platform and lays the foundation
for operating systems and other services to run. As such, TDVF is also a prominent
target for firmware-level attacks. To maintain the confidentiality and security of the
Trust Domain, we aim to detect unexpected issues by using a feedback-guided fuzzing
approach. To this end, we will extend the existing kAFL fuzzer framework, utilize
Intel Processor Trace for feedback acquisition and fuzz TDVF with our modified
framework.

Next Seminar on 6.10.2022

Written on 06.10.22 by Philip Lukert

Dear All,

The next seminar takes place on 12.10. at 14:30 (only Session A)


Session A: (14:30 - 15:00 && 15:00 - 15:30)
Erfan Balazadeh, Tejumade Afonja

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B… Read more

Dear All,

The next seminar takes place on 12.10. at 14:30 (only Session A)


Session A: (14:30 - 15:00 && 15:00 - 15:30)
Erfan Balazadeh, Tejumade Afonja

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B does not exist next week


Session A:

14:30-15:00 

Speaker: Erfan Balazadeh
Type of talk: Bachelor Final
Advisor: Dr. Lucjan Hanzlik
Title: Timed-Release Cryptography using a Proof-of-Stake Blockchain
Research Area: 1

Abstract: Imagine a scenario where you want to encrypt a message, but you don't want it to be able to be decrypted by the receiving party right away.
The concept of "encrypting a message to the future" is not new and has been around for many years. The proposed solutions so far, like time-lock puzzles or verifiable delay functions, for instance,
are not perfect however. They require a lot of computing power and the speed can vary drastically depending on the hardware being used.

The thesis' goal was to implement a new encryption scheme, which is efficiently computable and which gets rid of the previously mentioned solutions' weaknesses, inside of a real-world setting.
The idea is to make use of the existing Proof-of-Stake architecture in the Ethereum 2.0 consensus protocol, where so called committees vote on new blocks by using an aggregatable signature scheme named BLS. One of the implementation tasks of the thesis was to see if it is possible to listen to the unaggregated BLS signatures and the signed message, which are necessary for the encryption scheme. Once enough of these unaggregated signatures are accumulated, we can go on to decrypt the message. Basically, a receiving party can only decrypt the message once certain conditions are met that the encrypter knows will happen in a desired amount of time in the future.

This talk will present the results and the findings of the thesis.

 

15:00-15:30

Speaker: Tejumade Afonja
Type of talk: Master Final
Advisor: Prof. Dr. Mario Fritz
Title: Learning Generative Models for Tabular Data based on Small Data
Research Area: Trustworthy Information Processing

Abstract: 
Recent advances in generative modeling for images, speech, and natural language processing have also led to much interest in generative modeling for tabular data. However, tabular datasets are inherently heterogeneous and contain a mixture of numerical and categorical attributes, making them difficult to model. The current state-of-the-art tabular data generators (TDGs) have demonstrated impressive capabilities in capturing the statistical characteristics of the data, showing promising results in a few downstream machine learning tasks. However, existing results are based on large number of training instances (e.g., in tens of thousands), and are given only for specific metric, which rule out a myriad of practical scenarios where the sample size is limited and general properties beyond the specific metric are of interest. Hence, in this work, we systematically assessed the TDGs across various metrics as well as different subset sizes to better understand how these models behave in practical scenarios, specifically, the low-resource setting. To achieve this, we employ numerous existing measures that cover different aspects for the evaluation and propose two new metrics: the histogram intersection to measure the overlap between the synthetic and real data column, and the likelihood approximation to measure how likely the real data comes from the synthetic data distribution. Finally, we propose a benchmarking framework, faketrics, to comprehensively evaluate the TDGs along four axes: Utility, Joint, Column Pair, and Marginal so as to benchmark the evaluation of the models in low-resource setting.

 

Winter is Coming

Written on 27.09.22 by Philip Lukert

Dear all,

welcome to the new course for the Bachelor and Master seminar in the winter term.
Please switch to this course.

Best, Philip

Show all

Bachelor- and Master-Seminar

The bachelor/master seminar is a stage for all talks related to bachelor or master theses at CISPA.

The seminar is currently held bi-weekly on Wednesdays in odd-numbered calendar weeks. It takes place throughout the year, regardless of the lecture periods. You can join at any time. There are two parallel Zoom sessions from 14:00 to 15:30 with up to three talks each. The upcoming talks will be announced in the News section above.

Requirements for the course certificate

To pass the seminar, you have to

  • give an introductory talk where you present your thesis proposal

Furthermore, it is expected that you attend all talks of your own research area and participate in discussion during the time of your thesis work. You get a certificate and a grade for this course from your advisor. The advisor can contact us (bamaseminar@cispa.saarland) to check whether you meet all the passing conditions and to get a template for the certificate.

Further, you are required to hold a final talk about the results as a part of your thesis. While this talk is technically not part of the seminar but of the thesis work, you can still present it in the context of the seminar.

Attending a seminar session

Simply join one of the two parallel Zoom sessions. Choose the session with the talks you are most interested in. We welcome active participation and encourage you to ask questions and give helpful comments in the discussion after each talk.

During the seminar, we will share a link to an attendance sheet. Make sure to add your name to this document. We use these documents to track who attended which sessions.

Giving a talk in the seminar

Each talking slot is 30 minutes long. Your presentation should last about 20 minutes, so we have about 10 minutes left for discussion.

If you want to give a talk, you can book a time slot in one of the sessions. Use one of the following links for booking:

Please coordinate time and date with your advisor so that no two students of the same advisor present at the same time.

If you don't need a specific time slot, you can try to book 14:30, as some students either need the 14:00 or 15:00 slot. In rare cases, we will have to move the talks in a day, so please indicate which times you would be available. The final schedule will be announced in the News section a few days before the sessions take place.

To list your talk in the announcement, you will have to hand in some information about it, namely:

  • Speaker: Your name.
  • Type of talk: Bachelor Intro, Bachelor Final, Master Intro, or Master Final.
  • Advisor: The name of your advisor. If multiple advisors wish to attend the session, please list all of them so we can make sure that there are no collisions.
  • Title: Title of your talk.
  • Research Area: the number of your area. (In doubt check https://cispa.de/de/research or ask your advisor) The areas are the following:
    • RA1: Trustworthy Information Processing
    • RA2: Reliable Security Guarantees
    • RA3: Threat Detection and Defenses
    • RA4: Secure Mobile and Autonomous Systems
    • RA5: Empirical and Behavioural Security
  • Abstract: Abstract of your talk.

Refer to previous announcements for examples.

Please submit this information at least one week in advance (until 23:59 on the Wednesday before your talk). Upload your information as a submission to CMS (see Personal Status), preferably as a plain text file (.txt). You can find a template in the materials section.

Contact the organizers

If there are any questions left, please use the mail address bamaseminar@cispa.saarland to contact the organizers.

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.