Next Seminar on 18.01.2023
Written on 13.01.2023 16:58 by Niklas Medinger
The next seminar(s) take place on 18.01.2023 at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00-15:00)
Ali Alhasani, Hong-Thai Luu
Meeting-ID: 967 8620 5841
Session B: (14:00-15:00)
Philip Decker, Franziska Granzow
Meeting-ID: 990 2598 9421
14:00 - 14:30
Speaker: Ali Alhasani
Type of talk: Master final
Advisor: Marius Smytzek
Title: Alhazen combined with statistical debugging
Research Area: RA1
Debugging programs has proven to be a challenging task. It requires a precise understanding of the failure’s circumstances, such as when the failure occurs and when it does not. Knowing these circumstances is necessary to solve the root causes of the failure. Alhazen is a promising fault diagnosis approach to address this issue automatically.
Alhazen performs two main tasks. First, it predicts whether an input will fail or not based on a decision tree model. Second, it generates more failure-causing inputs to identify the circumstances under which the bug occurs. For these two tasks, Alhazen's learner uses features related to the input to predict the bug or no-bug outcome.
However, Alhazen does not consider features related to the program execution, thus limiting the power of its fault-prediction capability and making Alhazen unable to identify runtime circumstances associated with program behavior. In this thesis, we propose a new solution to enhance Alhazen's prediction by learning additional features over statistical debugging predicates derived from program runtime events. Besides, we evaluate how learning event features enriches Alhazen.
In this work, we used SElogger to extract program runtime events. These events report a software's progress and its essential data during execution. In addition, we applied statistical debugging to extract predicates from these program runtime events.
As a result, we see that our approach can identify possible fault locations in the code, the inputs associated with the fault, and hint at possible fixes. We believe that Alhazen’s hypotheses on the circumstances under which the program behavior occurs can be extended even beyond input features and program execution events to give additional hints on the root causes of failures.
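The following is an added illustration, not code from the thesis or from Alhazen, of the pipeline the abstract describes: runtime events become statistical-debugging predicates, the predicates are scored against pass/fail verdicts, and the result feeds a learner as 0/1 features. The traces are constructed inline (they only mimic the shape of logger output, not SElogger's real format), the scoring follows Liblit-style cooperative bug isolation (Failure, Context, Increase), and the one-level decision stump is a stand-in for a learner such as Alhazen's decision tree.

```javascript
// Added example: statistical-debugging predicates over constructed runtime events.
// Each constructed run has its input, a pass/fail verdict, and logged events that
// are either a branch outcome or an observed variable value.
function run(input, fail, events) { return { input, fail, events }; }
function br(id, outcome) { return { kind: "branch", id, outcome }; }
function val(name, value) { return { kind: "value", name, value }; }

const RUNS = [
  run("3+4",  false, [br("digits", true),  val("n", 3)]),
  run("10-2", false, [br("digits", true),  val("n", 10)]),
  run("0*5",  false, [br("digits", true),  val("n", 0)]),
  run("a+1",  false, [br("digits", false)]),
  run("-3+1", true,  [br("digits", false), br("sign", true), val("n", -3)]),
  run("-7/2", true,  [br("digits", false), br("sign", true), val("n", -7)]),
  run("-0+9", false, [br("digits", false), br("sign", true), val("n", 0)]),
];

// Turn one event into the predicates it instantiates: [name, truthValue].
// Branch events yield "taken"/"not taken"; value events yield sign predicates.
function predicatesOf(ev) {
  if (ev.kind === "branch") {
    return [[`${ev.id} taken`, ev.outcome], [`${ev.id} not taken`, !ev.outcome]];
  }
  return [
    [`${ev.name} < 0`, ev.value < 0],
    [`${ev.name} == 0`, ev.value === 0],
    [`${ev.name} > 0`, ev.value > 0],
  ];
}

// Per run: which predicates were observed (their event fired) and which held.
function evaluateRun(r) {
  const observed = new Set(), holds = new Set();
  for (const ev of r.events) {
    for (const [name, truth] of predicatesOf(ev)) {
      observed.add(name);
      if (truth) holds.add(name);
    }
  }
  return { observed, holds, fail: r.fail };
}

// Liblit-style scores. Failure(P) = F/(S+F) over runs where P held,
// Context(P) = the same ratio over runs where P was merely observed,
// Increase(P) = Failure(P) - Context(P): how much P's truth raises failure odds.
function scorePredicates(runs) {
  const evald = runs.map(evaluateRun);
  const names = new Set();
  evald.forEach(e => e.observed.forEach(n => names.add(n)));
  const count = (sel) => {
    let f = 0, s = 0;
    for (const e of evald) if (sel(e)) e.fail ? f++ : s++;
    return { f, s };
  };
  const scores = [];
  for (const name of names) {
    const held = count(e => e.holds.has(name));
    const obs = count(e => e.observed.has(name));
    const failure = held.f + held.s ? held.f / (held.f + held.s) : 0;
    const context = obs.f + obs.s ? obs.f / (obs.f + obs.s) : 0;
    scores.push({ name, failure, context, increase: failure - context, fTrue: held.f });
  }
  return scores.sort((a, b) => b.increase - a.increase || b.fTrue - a.fTrue);
}

// Feature vector for a learner: one 0/1 column per predicate, in a fixed order.
function featureVector(r, names) {
  const e = evaluateRun(r);
  return names.map(n => (e.holds.has(n) ? 1 : 0));
}

// One-level decision stump (stand-in for a decision-tree learner): split on the
// predicate with the highest Increase and predict "fail" when it holds.
function stumpAccuracy(runs) {
  const best = scorePredicates(runs)[0];
  const correct = runs.filter(r => evaluateRun(r).holds.has(best.name) === r.fail).length;
  return { predicate: best.name, accuracy: correct / runs.length };
}

// Stand-alone demo: print the ranking and the stump's accuracy.
for (const s of scorePredicates(RUNS)) {
  console.log(s.name.padEnd(18), "increase =", s.increase.toFixed(3));
}
console.log(stumpAccuracy(RUNS));
```

On the constructed traces the predicate "n < 0" ranks first (it holds only in failing runs, so Failure is 1 while Context is 1/3), and a stump on that single predicate separates all seven runs. The branch predicate "digits not taken" scores lower because it also holds in passing runs; that gap between a branch feature and a value feature is exactly what an input-only learner cannot see.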
14:30 - 15:00
Speaker: Hong-Thai Luu
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Research Area: RA5: Empirical and Behavioural Security
14:00 - 14:30
Speaker: Philip Decker
No information provided.
14:30 - 15:00
Speaker: Franziska Granzow
Type of Talk: Bachelor Intro
Advisor: Dr.-Ing. Ben Stock
Title: Messaging private data: Leakage of sensitive data via postMessage handlers after login
Research Area: RA5
Modern websites usually contain content from multiple origins, so often cross-origin communication is needed to make the different parts work together. However, by default, this is prevented by the Same-Origin Policy, which disallows two documents with different origins from accessing each other. So the postMessage API was introduced to allow a controlled way for cross-origin communication. The API provides the means to check for integrity and confidentiality, but these checks are not mandatory. In case they are missing or incorrect, vulnerabilities can occur, e.g., cross-site scripting, storage alteration, privacy leakage and more, which various works have studied.
However, none of the prior works performed their analyses in an authenticated context. As user data is often only present after login, we want to study how many postMessage handlers leak sensitive data after login. Therefore, we aim to collect postMessage handlers specified on websites in the wild in an authenticated context and check whether they can leak data to unauthorized parties. In case of a leakage, we also analyze what kind of data is leaked and whether it is sensitive concerning a user's privacy.
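As an added example (not code from the talk or from any studied website), the three handler shapes the abstract contrasts: a handler with no origin check that replies with targetOrigin "*", a handler whose check is incorrect (substring matching instead of an exact origin comparison), and a hardened handler that enforces an exact allowlist on event.origin (integrity) and an explicit targetOrigin on the reply (confidentiality). The session data, allowlist, origins and the MessageEvent-like objects are all constructed so the code runs under Node without a browser.

```javascript
// Added example: postMessage handlers with missing, incorrect and correct checks.
// Constructed stand-in for data the page holds after login (assumption).
const SESSION = { user: "alice", email: "alice@example.test", token: "sess-42" };

// Constructed allowlist of origins that may legitimately talk to this page.
const ALLOWED_ORIGINS = new Set(["https://app.example.test", "https://widget.example.test"]);

// Minimal stand-in for event.source: records each reply and its targetOrigin.
function makeSource() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// Missing checks: no integrity check on event.origin, and the reply goes to "*",
// so any window that can obtain a reference to this page can read the session.
function vulnerableHandler(event) {
  if (event.data && event.data.type === "getProfile") {
    event.source.postMessage({ type: "profile", profile: SESSION }, "*");
    return true;
  }
  return false;
}

// Incorrect check: substring matching accepts any origin that merely contains
// the trusted host name, so the check gives no real integrity guarantee.
function substringCheckHandler(event) {
  if (!event.origin.includes("app.example.test")) return false;
  if (event.data && event.data.type === "getProfile") {
    event.source.postMessage({ type: "profile", profile: SESSION }, event.origin);
    return true;
  }
  return false;
}

// Hardened: exact allowlist match (integrity), explicit targetOrigin on the
// reply (confidentiality), strict message shape, and only the minimum field.
function hardenedHandler(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  if (!event.data || typeof event.data !== "object" || event.data.type !== "getProfile") return false;
  event.source.postMessage({ type: "profile", profile: { user: SESSION.user } }, event.origin);
  return true;
}

// Drive a handler with a constructed MessageEvent-like object from `origin` and
// report whether the session token left the page and to which targetOrigin.
function probe(handler, origin) {
  const source = makeSource();
  const handled = handler({ origin, source, data: { type: "getProfile" } });
  const leaked = source.sent.some(m => JSON.stringify(m.data).includes(SESSION.token));
  return { handled, leaked, targets: source.sent.map(m => m.targetOrigin) };
}

// Stand-alone demo over constructed origins (one trusted, two untrusted).
const ORIGINS = ["https://app.example.test", "https://other.test", "https://app.example.test.other.test"];
for (const [label, h] of [["vulnerable", vulnerableHandler], ["substring", substringCheckHandler], ["hardened", hardenedHandler]]) {
  for (const o of ORIGINS) console.log(label.padEnd(10), o.padEnd(36), JSON.stringify(probe(h, o)));
}
```

The probe mirrors the analysis question in the abstract: for a handler collected in an authenticated context, does a message from an unauthorized origin cause session data to be posted back, and to what targetOrigin. Only the hardened handler answers "no" for both untrusted origins, and even for the trusted origin it returns the user name rather than the whole session object.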