News
Next Seminar on 07.12.2022
Written on 01.12.2022 16:01 by Niklas Medinger
Dear All,
The next seminars take place on 07.12. at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00-15:30)
Divesh Kumar, Antonios Gkiokoutai, Vinay Tilwani
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Passcode: BT!u5=
Session B: (14:00-14:30, 15:00-15:30)
Paul Frerichs, Birk Blechschmidt
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Passcode: 3mZyE$
Session A:
14:00-14:30
Speaker: Divesh Kumar
Type of Talk: Master Intro
Advisor: Dr. Mridula Singh
Title: Study of object detection in automated driving systems
Research Area: RA4 (Secure Mobile and Autonomous Systems)
Abstract:
Autonomous vehicles (AVs) are adopting LiDAR sensors in order to better understand their surroundings. LiDARs provide a 3D view of the objects around them and can also deliver 360-degree data, which makes them a good fit for use in an autonomous vehicle. In this thesis we focus on the perception part of AV driving systems. Cameras have been a major part of the perception system in AV driving systems but are easily spoofed, which severely impacts the safety of such systems. LiDARs use wavelengths that are invisible to the human eye; however, attackers keep inventing new ways to manipulate LiDARs. In this thesis we wish to study spoofing/blinding attacks on AV driving systems that use LiDAR-only perception as well as a combination of LiDAR and camera/other sensor-based perception.
In a LiDAR spoofing attack, the attacker uses a transmitter with a laser of the same wavelength and, using open-source knowledge about the LiDAR, tries to spoof some points, with the goal of creating an artificial object in the space or of making a real object seem closer or farther away. Recent research proves that such attacks are possible and proposes countermeasures such as averaging measurements or using different wavelengths inside the LiDAR. However, such techniques are expensive or reduce the frequency of the data received from the LiDAR.
We wish to design new attacks and correspondingly lightweight defense mechanisms against adversarial attacks on LiDARs, to protect against the state-of-the-art attacks that exist. To prove the effectiveness of the attack/defense system, an end-to-end study on an AV driving system such as Baidu's Apollo will be conducted.
14:30-15:00
Speaker: Antonios Gkiokoutai
Type of talk: Bachelor Final
Advisor: Dr.-Ing. Ben Stock
Title: Temporal Analysis of the Security of Browser Extension Updates
Research Area: 5
Abstract:
Browser extensions have in recent years become very popular, with thousands of downloads across different platforms. To be able to execute their tasks and improve the user experience on the web, they require access to special APIs. Example APIs include accessing the user's browsing history, or sending/intercepting network requests. Because those APIs are very powerful, access to them is restricted through permissions, which need to be explicitly requested in the extension's manifest.
Similarly to the mobile ecosystem, it is recommended that extensions request only the necessary permissions as per the Principle of Least Privilege, meaning only the minimum set of permissions that they absolutely need to carry out their tasks. However, past studies have shown that extensions often request more permissions than they need. At the same time, many permissions are coarse-grained and provide little information about their capabilities to the user.
While all major browser vendors claim to review updates of extensions before releasing them, a recent study confirms that many undetected malicious extensions turned malicious after some update. This means the review process often fails to detect insecure updates. We would like to conduct a large-scale study on the Chrome Web Store across multiple versions of existing extensions. Key questions that we want to answer are the following:
- How often do extensions update and what is the nature of those updates?
- Are permissions over-requested, and if so, to what extent?
- Finally, how can we detect updates that introduce changes with direct and critical security implications in the wild? How prevalent are such updates?
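As an added illustration of the kind of check the last question calls for (this is example code written for this page, not part of the thesis or of any tool it describes): the script below compares the permissions declared in two versions of an extension's manifest and flags updates that add powerful API permissions or broaden host access to every site. The two manifests are constructed samples for a hypothetical extension, and the HIGH_RISK_PERMISSIONS set is an assumed starting point that a reviewer would tune, not a list taken from the page.

```python
import json

# Assumed starting set of API permissions whose addition in an update warrants
# manual review; tune to your own threat model (not a list from the thesis).
HIGH_RISK_PERMISSIONS = {
    "history", "webRequest", "webRequestBlocking", "cookies", "tabs",
    "nativeMessaging", "debugger", "proxy", "management", "scripting",
}
# Host patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests: two versions of a hypothetical extension.
MANIFEST_V1 = json.dumps({
    "manifest_version": 3, "name": "Example Reader", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.invalid/*"],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 3, "name": "Example Reader", "version": "1.1",
    "permissions": ["storage", "history", "webRequest"],
    "host_permissions": ["<all_urls>"],
})


def permission_sets(manifest_text):
    """Return (api_permissions, host_permissions) declared in a manifest.

    Manifest V3 keeps host patterns in "host_permissions"; Manifest V2 mixes
    them into "permissions", so any match pattern found there is moved over.
    """
    manifest = json.loads(manifest_text)
    api = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for entry in list(api):
        if entry == "<all_urls>" or "://" in entry:
            api.discard(entry)
            hosts.add(entry)
    return api, hosts


def diff_permissions(old_text, new_text):
    """Compare two manifest versions and report security-relevant changes."""
    old_api, old_hosts = permission_sets(old_text)
    new_api, new_hosts = permission_sets(new_text)
    added_api = sorted(new_api - old_api)
    added_hosts = sorted(new_hosts - old_hosts)
    # Broadening only counts if the old version did not already cover all sites.
    newly_all_sites = bool(set(added_hosts) & BROAD_HOSTS) and not (old_hosts & BROAD_HOSTS)
    return {
        "added_api": added_api,
        "removed_api": sorted(old_api - new_api),
        "added_hosts": added_hosts,
        "high_risk_added": sorted(set(added_api) & HIGH_RISK_PERMISSIONS),
        "broadened_to_all_sites": newly_all_sites,
    }


def needs_manual_review(report):
    """True when an update should be held for human review before release."""
    return bool(report["high_risk_added"] or report["broadened_to_all_sites"])


if __name__ == "__main__":
    report = diff_permissions(MANIFEST_V1, MANIFEST_V2)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("needs manual review:", needs_manual_review(report))
```

Run over a store crawl, the same diff applied to each consecutive version pair gives a first, cheap triage signal: updates that only bump code keep their permission sets unchanged, while the ones worth a closer look are those whose report says needs_manual_review.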
15:00-15:30
Speaker: Vinay Tilwani
No information provided.
Session B:
14:00-14:30
Speaker: Paul Frerichs
Type of talk: Bachelor Final
Advisor: Dr. Sven Bugiel, Prof. Dr. Andreas Zeller
Title: Local biometric prompt phishing on Android devices
Research Area: 4
Abstract:
Mobile devices are treasure troves of critical data, making them an attractive target for attacks. Even the hardware- and software-based countermeasures implemented by manufacturers to protect users and their data cannot prevent this. Against malware impersonating the user, the device's integrity can only be guaranteed through user authentication. Biometric authentication appears to be an answer to this problem. Since this form of authentication is perceived as easy to use and secure, it seems optimal for mobile devices. On the Android platform, biometric authentication is specially protected, and its integrity is still guaranteed even if the OS is corrupted. This circumstance makes it difficult for potential attackers to access resources secured by biometric authentication. An attacker must therefore find a way to bypass the authentication. Phishing is a possible option. So the question is whether it is possible to carry out successful phishing attacks on biometric authentication.
To answer this question, we decided to test the chances of success of different phishing strategies against users in their typical environment, i.e., on their own device. To avoid confirmation bias, we decided to design a deception study. Participants are led to believe they are taking part in a study that examines their stress and mood levels in relation to physical activity and smartphone use. At the beginning of the study, they have to install an app on their device. This app then simulates phishing attacks during the course of the study.
15:00-15:30
Speaker: Birk Blechschmidt
Type of talk: Master Final
Advisor: Dr.-Ing. Ben Stock
Title: Extended Hell: A Study on the Current Support of Email Confidentiality and Integrity
Research Area: RA5
Abstract:
The core specifications of electronic mail as used today date back as early as the 1970s. At that time, security did not play a major role in the development of communication protocols. These shortcomings still manifest themselves today in the prevalence of phishing and the reliance on opportunistic encryption. Besides STARTTLS, various mechanisms such as SPF, DKIM, DMARC, DANE and MTA-STS have been proposed. However, related work has shown that they are not supported by all providers or that misconfiguration is common.
This thesis aims to provide an overview of the current state of email confidentiality and integrity measures and the effectiveness of their deployment. In particular, we investigate the support of security mechanisms by popular email providers, thereby validating and extending previous work. Since MTA-STS has not yet been widely studied, we contribute an overview of the outbound support of MTA-STS. Furthermore, we find a lower bound on the number of domains supporting DANE bindings for OpenPGP as well as DNSSEC-associated S/MIME certificates and measure their key strength.
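Because the abstract notes that misconfiguration of these mechanisms is common, here is an added example (written for this page, not code from the thesis) of how a defender can parse a DMARC TXT record and an MTA-STS policy file and flag settings that leave mail unprotected, such as a DMARC policy of p=none or an MTA-STS policy in testing mode. The records are constructed samples on the reserved domain example.invalid; the 604800-second max_age threshold is an assumption, since RFC 8461 only says the lifetime is expected to be in the range of weeks or more.

```python
# Constructed sample records on a reserved test domain; not real providers' data.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_STRONG = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.invalid")

MTA_STS_WEAK = "version: STSv1\nmode: testing\nmx: mail.example.invalid\nmax_age: 86400\n"
MTA_STS_STRONG = ("version: STSv1\nmode: enforce\nmx: mail.example.invalid\n"
                  "mx: *.example.invalid\nmax_age: 604800\n")

# Assumed threshold: RFC 8461 only says max_age is expected to be weeks or more.
MIN_MAX_AGE = 604800


def parse_dmarc(record):
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (severity, message) findings for a DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [("high", "not a DMARC1 record")]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(("high", f"p={policy or '<missing>'}: failing mail is still delivered"))
    # sp defaults to p, so a weak p also leaves subdomains unprotected.
    if tags.get("sp", policy) not in ("quarantine", "reject"):
        findings.append(("medium", "subdomain policy (sp) does not quarantine or reject"))
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append(("info", "relaxed alignment: any subdomain of the org domain aligns"))
    if "rua" not in tags:
        findings.append(("medium", "no rua address: authentication failures go unobserved"))
    return findings


def parse_mta_sts(policy_text):
    """Parse an MTA-STS policy file (RFC 8461 "key: value" lines)."""
    policy = {"mx": []}
    for line in policy_text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def assess_mta_sts(policy_text):
    """Return (severity, message) findings for an MTA-STS policy."""
    policy = parse_mta_sts(policy_text)
    if policy.get("version") != "STSv1":
        return [("high", "unknown or missing policy version")]
    findings = []
    mode = policy.get("mode", "")
    if mode != "enforce":
        findings.append(("high", f"mode={mode or '<missing>'}: senders still deliver when validation fails"))
    if not policy["mx"]:
        findings.append(("high", "no mx entries: no MX host can ever match the policy"))
    try:
        max_age = int(policy.get("max_age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_MAX_AGE:
        findings.append(("medium", f"max_age={max_age}: short cache lifetime widens the downgrade window"))
    return findings


if __name__ == "__main__":
    for label, check, data in [("DMARC weak", assess_dmarc, DMARC_WEAK),
                               ("DMARC strong", assess_dmarc, DMARC_STRONG),
                               ("MTA-STS weak", assess_mta_sts, MTA_STS_WEAK),
                               ("MTA-STS strong", assess_mta_sts, MTA_STS_STRONG)]:
        print(label, check(data) or "OK")
```

In a measurement like the one the abstract describes, the two parsers would be fed the _dmarc TXT record and the fetched https://mta-sts.<domain>/.well-known/mta-sts.txt policy of each domain; the checks only look at the policy text and deliberately leave DNS and HTTPS retrieval out so they run offline.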