News
Next Seminar on 11.10.2023
Written on 08.10.2023 05:39 by Mang Zhao
Dear All,
The next seminar(s) take place on 11.10.2023 at 14:00 (Session A) and 14:30 (Session B).
Session A: (14:00-15:30)
Ayushi Churiwala, Milan Conrad, Tristan Hornetz
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting ID: 967 8620 5841
Passcode: BT!u5=
Session B: (14:30-15:00)
Osama Altamar
https://cispa-de.zoom-x.de/j/64797489563?pwd=MFliNGNpSWRoTEtmNC9HUkNVN2ZNUT09
Session A:
14:00 - 14:30
Speaker: Ayushi Churiwala
Type of talk: Master Intro
Advisor: Prof. Dr. Andreas Zeller, Tural Mammadov
Title: LLM-based Active Code Repair
Research Area: RA3: Threat Detection and Defenses
Abstract:
Code generation through generative AI is an emerging and novel field that involves predicting code or program structures using incomplete data sources, natural language descriptions, alternate programming languages, or execution logs, offering the potential to drastically decrease the developer's workload and invested time. Developers have long resorted to using code from various online platforms and modifying it for their purposes. However, with generative AI advancements, especially in Large Language Models (LLMs) like ChatGPT, they can now instruct the machine (in natural language) to generate code, making external code search redundant.
OpenAI's language model, ChatGPT, has recently gained prominence for its ability to produce human-like responses across various natural language/textual inputs, including those related to code generation. Nevertheless, the true effectiveness of ChatGPT in code generation remains uncertain, as it can produce logically questionable results and its performance could be significantly impacted by the selection of chosen prompts. This raises important questions about seamlessly integrating the code generated by ChatGPT into the development process, given its potential to expedite coding workflows and automate code generation. In particular, there is currently a lack of an automated testing and improvement framework specifically tailored for code generation systems. To address these issues, this research proposes to analyze the code generated by ChatGPT by exploring various prompt types and identifying and repairing inconsistent outputs. Our goal is to actively investigate the model's ability to self-repair. We check its impact on code generation for automatic self-code repair in a conversational manner by the inclusion of additional I/O pairs in the prompt with suitable feedback.
14:30 - 15:00
Speaker: Milan Conrad
No Information is available.
15:00 - 15:30
Speaker: Tristan Hornetz
Type of talk: Master Intro
Advisor: Dr. Michael Schwarz, Lukas Gerlach
Title: Execute-only memory as a security hardening feature on x86-64
Research Area: RA3
Abstract:
Execute-only memory (XOM) is a little-discussed, but powerful memory protection scheme, in which instruction fetches are allowed, but read and write accesses are not. However, PKU, the mechanism by which XOM is typically enforced on x86-64, can easily be disabled or bypassed, making its suitability as a security feature questionable.
In my master’s thesis, I will therefore investigate the potential of enforcing XOM through the configuration of nested page tables in virtual machines, which yields execute-only mappings with significantly stronger security guarantees. This enables the use of XOM for a wide range of security applications, which was previously not possible on x86-64. For example, it can serve as a highly effective countermeasure against exploitation techniques such as Blind-ROP, of which code-disclosure is an essential step. Other uses include the protection of intellectual property, for instance by preventing read access to the code of shared libraries. In addition to implementing this mode of enforcement with Xen and Linux, the goal of my thesis is to extensively evaluate its security benefits, performance impact and limitations in order to assess its effectiveness as a security enhancement feature.
Session B:
14:30 - 15:00
Speaker: Osama Altamar
Advisors: Dr. Cristian-Alexander Staicu
Title: Dynamic Analysis Of Browser Extension
Research Area: RA3
Abstract: Dynamic analysis of Chrome extensions is crucial for evaluating the security of these software programs as it analyzes their behavior during runtime. This method enhances the effectiveness of static analysis by detecting malicious behavior and vulnerabilities that may not be immediately apparent. This presentation highlights the importance of dynamic analysis in evaluating the security of Chrome extensions. I will also outline my methodology for implementing the dynamic analysis tool, which involves injecting code into the extension components to collect data which will be analyzed to identify potential vulnerabilities or malicious behavior. The tool will allow for a comprehensive evaluation of the extension’s security, including Universal XSS vulnerabilities, and its behavior under different conditions. The main steps involved in dynamic analysis are acquiring the extension, setting up the environment, analyzing the code, executing the code, and finally, analyzing the results.