News
Next Seminar on 18.01.2023
Written on 13.01.2023 16:58 by Niklas Medinger
Dear All,
The next seminar(s) take place on 18.01.2023 at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00-15:00)
Ali Alhasani, Hong-Thai Luu
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Kenncode: BT!u5=
Session B: (14:00-15:00)
Philip Decker, Franziska Granzow
https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09
Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$
Session A:
14:00 - 14:30
Speaker: Ali Alhasani
Type of talk: Master final
Advisor: Marius Smytzek
Title: Alhazen combined with statistical debugging
Research Area: RA1
Abstract:
Debugging programs has proven to be a challenging task. It requires a precise understanding of the failure’s circumstances, such as when the failure occurs and when it does not. Knowing these circumstances is necessary to solve the root causes of the failure. Alhazen is a promising fault diagnosis approach to address this issue automatically.
Alhazen performs two main tasks. First, it predicts whether an input will fail or not based on a decision tree model. Second, it generates more failure-causing inputs, to identify the circumstances under which the bug occurs. For these two tasks, Alhazen’s learner uses features related to the input to predict the bug or no-bug outcome.
However, Alhazen does not consider features related to the program execution, thus limiting the power of its fault-prediction capability and making Alhazen unable to identify runtime circumstances associated with program behavior. In this thesis, we propose a new solution to enhance Alhazen prediction by learning additional features over statistical debugging predicates derived from program runtime events. Besides we evaluate how learning event features enrich Alhazen.
In this work, we used SElogger to extract program runtime events. These events report a software’s progress and its essential data during the execution time. In addition, we applied statistical debugging to extract predicates from these program runtime events.
As a result, we see that our approach can identify possible fault locations in the code, the inputs associated with the fault, and hint at possible fixes. We believe that Alhazen’s hypotheses on the circumstances under which the program behavior occurs can be extended even beyond input features and program execution events to give additional hints on the root causes of failures.
14:30 - 15:00
Speaker: Hong-Thai Luu
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Title: Usages and Misuses of Crypto APIs in JavaScript
Research Area: RA5: Empirical and Behavioural Security
Abstract: Cryptographic APIs are used in a wide range of software project. In JavaScript applications, they are used on both client-side, and server-side. Keeping track of usages of cryptographic APIs become more and more difficult, due to the increasing amount of project and the number of different crypto libraries. Also, using these libraries is not a trivial task, due to the complexity of certain functions, as well as the lack of documentation and code examples. Developers tend to misuse them in a way that introduces vulnerabilities in the application by using broken hash function for storing passwords, hard-coding keys in the source code and so on. Besides the crypto module of NodeJs and the Web Cryptography API that is mainly used for client-side applications, there are many third party implementations of crypto APIs. In this work, we analyze about 50000 GitHub repositories as well as 160000 websites in order to investigate their crypto API usages (i.e. which APIs and what functionalities are used). But also hunt for misuses in these projects. For the analysis, we extend GitHub's static analysis tool CodeQL by additional queries in order to find usages of certain crypto APIs and also to find misuses of the NodeJs crypto module and of the Web Cryptography API.
Session B:
14:00 - 14:30
Speaker: Philip Decker
No information provided.
14:30 - 15:00
Speaker: Franziska Granzow
Type of Talk: Bachelor Intro
Advisor: Dr.-Ing. Ben Stock
Title: Messaging private data: Leakage of sensitive data via postMessage handlers after login
Research Area: RA5
Abstract:
Modern websites usually contain content from multiple origins, so often cross-origin communication is needed to make the different parts work together. However, by default, this is prevented by the Same-Origin-Policy, which disallows two documents with different origins to access each other. So the postMessage API was introduced to allow a controlled way for cross-origin communication. The API provides the means to check for integrity & confidentiality, but these checks are not mandatory. In case they are missing or incorrect, vulnerabilities can occur, e.g., cross-site-scripting, storage alteration, privacy leakage and more, which various works have studied.
However, none of the prior works did their analyses in an authenticated context. As user data is often only present after login, we want to study how many postMessage handlers leak sensitive data after login. Therefore we aim to collect postMessage handlers specified on websites in the wild in an authenticated context and check whether they can leak data to unauthorized parties. In case of a leakage, we also analyze what kind of data is leaked and whether it is sensitive concerning a user's privacy.