News
Next Seminar on 23.11.2022
Written on 18.11.2022 10:58 by Niklas Medinger
Dear All,
The next seminar(s) take place on 23.11. at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00-15:00)
Christian Schumacher, Fabian Thomas
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (14:00-15:30)
Paul Krappen, Ryan Aurelio, Metodi Mitkov
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00-14:30
Speaker: Christian Schumacher
Type of talk: Bachelor Final Talk
Advisor: Dr. Nils Ole Tippenhauer, Dr. Cristian-Alexandru Staicu
Title: Security Analysis of IoT Devices and Vulnerable User Notification
Research Area: RA3
Abstract:
IoT devices are becoming more and more common in everyone's daily lives. With every new device, the chance them being wrongly configured or outdated rises. I analyzed smart home devices (predominantly security cameras and routers) and checked their currently implemented security features by inspecting their interfaces and manuals with a focus on passwords. In addition, I looked at this from a usable security standpoint to see if the manufacturers could help reduce the amount of poorly secured devices by implementing known security ideas. I looked at different solutions, investigated systematically and analyzed what they would accomplish for the respective device.
Furthermore, I address the question, "How could someone contact affected people of wrongly configured outdated or infected devices?". A security researcher would usually only have the IP address of the affected device. What are the steps one has to go through to contact the owner? Is it even possible to reach them knowing only their IP, and how have other researchers dealt with the problem of reaching people with compromised devices in the past?
14:30-15:00
Speaker: Fabian Thomas
No information provided.
Session B:
14:00-14:30
Speaker: Paul Krappen
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: A deterministic and fast approach to reverse engineer the DRAM addressing function
Research Area: RA3
Abstract:
When processors access DRAM, memory cells that neighbor the accessed DRAM Row leak charge.
If enough charge is leaked, this can lead to bit flips in those memory cells.
When this was discovered, DRAM manufacturers implemented a mechanism that refreshes (reads and writes back immediately) the content of DRAM rows periodically.
This is sufficient for a normal operating computer system but researchers discovered, that specific memory access patterns circumvent this mechanism and thus can still be used to cause bit flips in meášory.
This vulnerability is called Rowhammer and for it to be exploited, knowledge of how the processor maps physical addresses to DRAM locations is required.
To determine which location in DRAM a physical address maps to, CPUs have hardcoded functions depending on the Memory configuration of the system, which is for most systems undocumented.
Knowing this function can significantly improve Rowhammer attacks.
Thus researchers have worked on reverse-engineering it.
However, most approaches are non-deterministic, require physical access to the Hardware, or work only on Intel CPUs.
We aim to develop a framework for reverse-engineering the DRAM addressing function, that is deterministic, implemented fully in software, and also works on AMD and ARMv8 Processors.
14:30-15:00
Speaker: Ryan Aurelio
Type of talk: Bachelor Intro
Advisor: Dr. Giancarlo Pellegrino, Andrea Mengascini
Title: Exploring the Metaverse's Privacy and Security
Research Area: RA5
Abstract: Metaverse is a virtual world that allows users to interact with each other using Virtual Reality (VR) technology. VR enables users to experience the virtual world using devices that track their body movement. Metaverse and VR have become more popular over the years, increasing the privacy and security risks in this area. One example of those risks is a malicious user who tries to listen to some private conversations of other users.
This thesis will explore possible attacks that could be applied to the metaverse platforms and see which could threaten users. First, we collect the data to determine the market of VR and find which metaverse platforms are more popular. Then, we provide possible attack ideas on these platforms and categorize them. We will try to implement these potential attack ideas and simulate each of them on the metaverse platforms. We will then see which of these attacks can be a threat to the users.
15:00-15:30
Speaker: Metodi Mitkov
Type of talk: Bachelor Final
Advisor: Dr. -Ing Ben Stock
Title: Pre-and Post-Login Security Inconsistencies on the Web
Research Area: 5
The Web offers immense capabilities and interactivity but constantly grows in complexity. Developers struggle to employ security policies and often take shortcuts, weakening thesite’s security in the long run. Researchers frequently find inconsistencies in the employedsecurity headers, even on popular sites.
Sites offer different security policies based on factors such as the user’s location or browser. Researchers have found that not all policies are secure, causing some users to be protected while others are not. A factor that remains to be investigated is the authenticated context. Logged-in users have access to different resources, which requires different security considerations.
We investigate the differences in security headers between pre-and post-login pages. Using our automated crawling framework, we highlight inconsistencies in the employment of security mechanisms. We study popular sites and show several issues between pre-and post-login security headers. While these inconsistencies do not translate to a vulnerability directly, they weaken the sites’ ability to protect users against attacks on the Web.