News
Next Seminar on 13.09.2023
Written on 08.09.2023 10:24 by Mang Zhao
Dear All,
The next seminar(s) take place on 13.09.2023 at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00-15:30)
Sahil Sihag, Thomas Boisvert-Bilodeau, Luk Stamann
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting ID: 967 8620 5841
Passcode: BT!u5=
Session B: (14:00-15:00)
Jonas Büchner, Robert Pietsch
https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09
Session A:
14:00 - 14:30
Speaker: Sahil Sihag
Type of talk: Master Intro
Advisor: Dr. Nils Ole Tippenhauer
Title: Coverage Guided Fuzzing of Drone Firmwares
Research Area: RA4: Secure Mobile and Autonomous Systems
Abstract:
Cyber-physical systems (CPS), such as drones, have witnessed increasing adoption across a wide variety of domains. Nevertheless, security assessment of such systems is still a challenging problem. This is mainly due to the limited functionality of embedded systems, which makes it hard to analyse the inner workings of their firmware. Fuzzing, however, has proven to be successful in discovering security flaws in such opaque systems.
Recent work has focused upon treating CPS as a black box and using a grammar to generate input for the target. Response messages from the target are used as feedback for the fuzzer. This approach enables preliminary fuzzing of these systems, but the feedback obtained from such response messages is too coarse-grained for deeper investigation. Another direction has focused upon re-hosting the firmware in an emulator. This has a high barrier to running the complete firmware and often misses bugs that are dependent on hardware interaction.
In this thesis, we focus upon enabling coverage guided fuzzing of open-source drone firmwares. This will be done by taking advantage of the "wiggle space" provided by the firmware, since it often does not exhaust the storage and memory capacity of the embedded system. With the help of this additional space, we can enable instrumentation of the firmware and store coverage information of the firmware during execution. This fine-grained information can then be utilized by the fuzzer for generating better inputs. Moreover, we examine the challenges faced in deeper fuzzing of such targets given their stateful nature. Finally, we investigate additional feedback vectors to aid coverage information.
14:30 - 15:00
Speaker: Thomas Boisvert-Bilodeau
Type of talk: Bachelor Final
Advisor: Dr. Yang Zhang
Title: Understanding the relationship between backdoor attacks and membership inference attacks
Research Area: Trustworthy Information Processing
Abstract: In the domain of deep learning, there are proven risks associated with using third-party resources like datasets, training services or pre-trained models. A backdoor attack can be employed to control the behavior of a neural network when presented with a trigger. Once trained, classifiers can also be vulnerable to a membership inference attack. If a model has noticeable differences in the values it outputs when presented with inputs that were used in its training versus inputs that are new, it can be inferred if a data point was part of the training dataset. This is obviously a privacy concern when datasets contain personal or sensitive information. While both those attacks have been studied and refined, there is little knowledge on how one influences the other. This work is exploring the relationship between backdoor attacks and membership inference attacks.
Two convolutional neural networks of different complexity, and the MNIST, CIFAR-10, and STL-10 datasets were used to investigate the impact of backdoor attack parameters, specifically trigger size and poisoning rate, on MIAs. Surprisingly, no direct relationship was found between these parameters and the attack success rate of MIAs. Instead, a stronger influence emerged from the difference in the model’s accuracy between training and test datasets, used as a heuristic for loss distribution. Dataset-specific patterns also emerged, such as the superior performance of the BadNets-inspired trigger and the importance of relative trigger size. Through a rigorous correlation analysis using Spearman’s ρ and linear regression, the study shows that backdoor attacks affect MIAs primarily by changing the dynamics of loss distribution. This study provides a new perspective on the nuanced relationship between backdoor attacks and MIAs and highlights the importance of monitoring loss distribution in the domain of adversarial deep learning.
15:00 - 15:30
Speaker: Luk Stamann
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Message-O-Matic // A Tool to find your Secure Messaging Application
Research Area: RA5 Empirical
Abstract:
There are plenty of secure messaging applications on the market. While each one features a different set of security and usability guarantees, the choice often comes down to peer pressure. But what do users want from their service of choice, and how well do they understand the featured or omitted security guarantees? My approach aims to significantly ease the choosing process, while not compromising on the security or usability aspects. Additionally, users can learn about the features offered in the secure messaging market. Therefore, my proposition will include a decision support tool where users with and without an information security background can make an informed messenger choice that best fits their needs. From this, I want to extract data regarding the users' requirements and their understanding of security aspects for secure messaging applications.
Session B:
14:00 - 14:30
Speaker: Jonas Büchner
Type of talk: Master Intro
Advisor: Dr. Michael Schwarz
Title: Reverse Engineering UEFI Firmware to Discover Hidden CPU Features
Research Area: RA3
Abstract:
With every new generation, the complexity of features in x86 processors increases. Luckily, CPU vendors allow the configuration of many of these. This is commonly done by using model-specific registers (MSRs). Besides configuration, these also allow performance monitoring and debugging. Naturally, a greater knowledge of the available MSRs improves control over the processor for researchers and users. While a lot of them are documented by Intel and AMD, there still remains a plethora of undocumented MSRs.
MSRs can only be accessed with the privileged RDMSR and WRMSR instructions. Therefore, the usage of MSRs is largely limited to low-level code, firmware in particular. Firmware is responsible for initializing and configuring the system during boot and serves as hardware abstraction for other software during runtime. The Unified Extensible Firmware Interface (UEFI) is a specification for firmware, which is implemented in many modern x86 systems. Because of its function, it is expected to make heavy use of MSRs, and is therefore a primary target for research.
In this thesis, we explore methods to discover the MSRs used in UEFI firmware, ideally together with their function. We apply different reverse-engineering techniques to the firmware binaries: First, we use static analysis, which analyzes the firmware based on the machine code itself. Using Ghidra, a common reverse-engineering tool, we perform manual inspection of the machine code and its disassembly. We also utilize the symbolic execution capabilities of angr to explore the potential execution flows involving MSRs without the need to provide concrete hardware behavior. Second, we use dynamic analysis, which involves actually running firmware binaries. Using the Qiling framework, we can emulate machine instructions and provide the necessary context of UEFI. Finally, we try to map the found MSRs to a user-accessible setting in the firmware setup application of the UEFI system.
14:30 - 15:00
Speaker: Robert J. Pietsch
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz, Lukas Gerlach
Title: Automated Checking of C Compiler Optimization Effects on Data Obliviousness
Research Area: RA3
Abstract:
Side-channel attacks have become a major concern for software security as they can enable attackers to break the confidentiality of functionally correct software systems. The discipline of data-oblivious programming helps to mitigate such attacks by ensuring that data leaked via common side channels contains only non-secret information. Due to various optimizations in modern compilers, data obliviousness is a property of programs that cannot be guaranteed at the level of a high-level language but must be checked for on the compiled machine code. In this thesis, we propose an automated pipeline for compiling C programs with different optimizations enabled and checking the resulting machine code for data obliviousness regarding secret arguments. The pipeline is designed to efficiently detect violations of data obliviousness while at the same time being able to give strong guarantees for data obliviousness, if applicable. We use it to analyze the impact of different compiler configurations on a suite of programming primitives and cryptographic implementations. In testing, we find four primitives where seemingly data-oblivious code got compiled into machine code violating data obliviousness and a poorly documented violation of data obliviousness in OpenSSL’s no-asm AES implementation. These results show the importance of checking for data obliviousness not only on high-level C code but also on the compiled machine code. We arrive at the conclusion that, especially for security-critical implementations, it is desirable to have data-obliviousness checks as part of continuous integration.