News
Next Seminar on 11.09.2024
Written on 05.09.2024 08:25 by Xinyi Xu
Dear All,
The next seminars will take place on 2024-09-11 at 14:00, in two parallel sessions (Session A and Session B).
Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)
Moritz Jung, Pit Jost, Robin Jacobi
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Password: BT!u5=
Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)
Reza Zamiri, Sepehr Mirzaei, Parth Thakker
https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09
Meeting-ID: 661 3690 1453
Password: sxHhzA004}
Session A
14:00 - 14:30
Speaker: Moritz Jung
Type of Talk: Bachelor Intro
Advisor: Andreas Zeller
Title: Semantic Protocol Fuzzing
Research Area: RA3: Threat Detection and Defenses
Abstract: Discoveries of vulnerabilities such as the Heartbleed bug in the OpenSSL library in 2014, or the more recent discovery of the SMTP smuggling vulnerability, which allows vulnerable server configurations to be exploited for email spoofing, show the importance of testing implementations of network protocols. One approach to testing for such vulnerabilities is fuzz testing, or fuzzing for short, a software testing technique where the system under test (SUT) is provided with automatically generated inputs. We show an approach to protocol fuzzing based on I/O grammars and ISLa constraints, and the ISLa solver and checker. An I/O grammar is a combination of context-free grammars for inputs and outputs, and allows for modeling of system states. The ISLa specification language allows for the specification of semantic constraints over a grammar's elements. Our fuzzer takes an I/O grammar and accompanying ISLa constraints as input, and employs the ISLa solver and checker to produce syntactically and semantically valid inputs, and to check input-output sequences for validity.
14:30 - 15:00
Speaker: Pit Jost
Type of Talk: Master Final
Advisor: Andreas Zeller, Tural Mammadov
Title: Protocol Fuzzing with Grammars and Constraints extracted from RFCs
Research Area: RA3: Threat Detection and Defenses
Abstract: Efficient automated testing of network protocols using conventional methods is a process that usually requires significant amounts of manual labor. To achieve high coverage that finds design and implementation flaws deeply embedded in such protocols, it is not sufficient to rely solely on a black-box fuzzing approach. Inputs generated using a purely random approach tend to cause the protocol implementations to reject the inputs early during validation. More advanced approaches such as semantic fuzzing, which are aware of the protocol's specification and the expected input formats, are much more effective and can reach higher levels of coverage. Generating semantically correct input is not a trivial task. Knowledge about the targeted protocol is necessary in order to achieve this, and it needs to be available in a machine-interpretable format to be usable for automated testing. The Input Specification Language (ISLa), a grammar-aware input specification language and string constraint solver, aims to solve this by allowing for the expression of protocol specifications using context-free grammars and semantic constraints, which can, in turn, be used to produce inputs for grammar-based fuzzing. While ISLa requires formal protocol specifications written in its own specification language, most network protocols are specified in documents known as Requests for Comments (RFCs), which are written in English natural language. In this thesis, a method to automatically mine context-free grammars and semantic constraints from natural language specifications collected from RFC documents is developed. A pre-trained large language model is fine-tuned using a dataset that contains natural language specification fragments from RFCs and their grammar definitions together with semantic constraints.
The model will be evaluated on automatically extracting grammars and related semantic constraints for a range of different network protocols.
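Both of the preceding abstracts rest on the same idea: a context-free grammar for inputs (and outputs), a semantic constraint over the grammar's elements that a purely syntactic derivation cannot guarantee, and a checker for input-output sequences. The following is an added Python illustration of that pipeline on a constructed toy protocol; it is not ISLa, not either thesis' fuzzer, and the grammar, the length constraint and the sample session are all assumptions made for the example. Where ISLa solves constraints in general, this toy satisfies its single constraint by rewriting the `<len>` field after derivation.

```python
"""Toy grammar-based protocol fuzzer with a semantic constraint and an I/O checker.

Added illustration, not the ISLa tool and not the talks' fuzzers. Grammar,
constraint and sample session are constructed for this example.
"""
import random
import re

# Input grammar (constructed): a length-prefixed request line, e.g. "PUT 3 abc".
INPUT_GRAMMAR = {
    "<request>": [["<cmd>", " ", "<len>", " ", "<payload>"]],
    "<cmd>": [["GET"], ["PUT"], ["DEL"]],
    "<len>": [["<digit>"], ["<digit>", "<digit>"]],
    "<payload>": [["<char>"], ["<char>", "<payload>"]],
    "<digit>": [[d] for d in "0123456789"],
    "<char>": [[c] for c in "abcxyz"],
}
# Output grammar (constructed): what the server may answer.
OUTPUT_GRAMMAR = {
    "<response>": [["OK ", "<len>"], ["ERR"]],
    "<len>": INPUT_GRAMMAR["<len>"],
    "<digit>": INPUT_GRAMMAR["<digit>"],
}

# Regular expressions equivalent to the two grammars, used for parsing.
REQUEST_RE = re.compile(r"^(GET|PUT|DEL) (\d{1,2}) ([abcxyz]+)$")
RESPONSE_RE = re.compile(r"^(?:OK (\d{1,2})|ERR)$")


def derive(grammar, symbol, rng, depth=0):
    """Expand `symbol` by random derivation; past a small depth, take the
    shortest alternative so recursive rules terminate."""
    if symbol not in grammar:
        return symbol  # terminal
    alternatives = grammar[symbol]
    alternative = min(alternatives, key=len) if depth > 6 else rng.choice(alternatives)
    return "".join(derive(grammar, s, rng, depth + 1) for s in alternative)


def satisfies_constraint(request):
    """Semantic constraint over the input grammar: int(<len>) == len(<payload>).
    A syntactically valid derivation does not guarantee this."""
    m = REQUEST_RE.match(request)
    return bool(m) and int(m.group(2)) == len(m.group(3))


def solve_request(rng):
    """Syntactic validity comes from the derivation; the constraint is then
    satisfied by substituting the <len> field (a stand-in for a solver)."""
    request = derive(INPUT_GRAMMAR, "<request>", rng)
    cmd, _, payload = REQUEST_RE.match(request).groups()
    return f"{cmd} {len(payload)} {payload}"


def generate_valid_requests(n, seed=0):
    rng = random.Random(seed)
    return [solve_request(rng) for _ in range(n)]


def check_exchange(request, response):
    """I/O constraint (constructed): a valid request must be answered
    "OK <len>" echoing the request's length; an invalid one must get "ERR"."""
    m = RESPONSE_RE.match(response)
    if not m:
        return False  # reply is not even in the output grammar
    if satisfies_constraint(request):
        return m.group(1) is not None and int(m.group(1)) == int(request.split()[1])
    return m.group(1) is None


def first_violation(exchanges):
    """Index of the first (request, response) pair that violates the I/O
    constraint, or None if the whole sequence is valid."""
    for i, (req, resp) in enumerate(exchanges):
        if not check_exchange(req, resp):
            return i
    return None


# Constructed sample session: the third reply echoes the wrong length.
SAMPLE_SESSION = [
    ("PUT 3 abc", "OK 3"),
    ("PUT 4 abc", "ERR"),
    ("GET 2 xy", "OK 3"),
]

if __name__ == "__main__":
    for req in generate_valid_requests(5, seed=2024):
        print(req)
    print("first violation at index:", first_violation(SAMPLE_SESSION))
```

The derivation alone would emit requests like `PUT 7 a`, which a real implementation rejects during validation; repairing the `<len>` field is what gets the input past that early check, and the I/O checker is what turns a recorded session into a test verdict.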
15:00 - 15:30
Speaker: Robin Jacobi
Type of Talk: Master Intro
Advisor: Michael Schwarz, Fabian Thomas
Title: Reproducing Meltdown-type Attacks in gem5
Research Area: RA3: Threat Detection and Defenses
Abstract: Many details of the latest processors are kept under wraps by the manufacturers. Only gradually, through reverse engineering, the detailed design decisions are revealed. Simulators offer a relatively easy-to-use way to create complex simulation environments that can be used in computer-system architecture research. It is possible to adapt deeper changes in CPU operation and analyse them in more detail through log outputs. Possible attack vectors are increasingly focussed on small details rather than larger obvious vulnerabilities. We have set ourselves the goal of enabling further possibilities in the area of simulating transient execution attacks. This master's thesis continues the research on transient execution attacks in a simulated environment, using the gem5 simulator. It allows us to simulate an out-of-order CPU in a full-system environment, without external influences. The main focus will be on the Meltdown vulnerability, which was discovered in 2017 and affected all Intel processors available at the time, with a few exceptions. After an analysis and changes to the code base, the Meltdown vulnerability should be exploitable in gem5.
Session B
14:00 - 14:30
Speaker: Reza Zamiri
Type of Talk: Master Intro
Advisor: Nils Ole Tippenhauer
Title: Enhancing fuzz testing for Tricore-based automotive ECU firmware
Research Area: RA4: Secure Mobile and Autonomous Systems
Abstract: Nowadays, many of the new technologies and features in the automotive industry are driven by software development. In vehicles, software typically runs on ECUs (Electronic Control Units), which are embedded systems responsible for critical functions such as engine management or emissions control. The firmware running on these ECUs plays a crucial role in vehicle performance and safety. Consequently, validating ECU firmware binaries is essential to prevent potential failures that could lead to severe safety issues or cybersecurity vulnerabilities. One of the widely used microcontroller families in the automotive industry is Infineon's TriCore. However, despite the popularity of the TriCore architecture in the automotive industry, there is a lack of fuzz testing solutions specifically designed for TriCore-based ECU firmware. In this research, we will try to fill this gap by designing a fuzz testing methodology and a memory error detection mechanism to validate such firmware binaries.
14:30 - 15:00
Speaker: Sepehr Mirzaei
Type of Talk: Master Intro
Advisor: Giancarlo Pellegrino
Title: An Empirical Study of DOM Selector APIs Vulnerabilities on the Web
Research Area: RA5: Empirical and Behavioural Security
Abstract: As web applications become more feature-rich, their attack surface becomes more complex. Despite the introduction of numerous defense mechanisms in recent years, new variants of code-less injection attacks continue to emerge, circumventing many of these defenses. This thesis introduces and investigates a code-less injection attack that exploits vulnerabilities stemming from DOM Selector APIs and insecure coding practices, where developers mistakenly trust DOM content. This research systematically examines web browser APIs that accept DOM content and perform sensitive actions, conducting a large-scale analysis of the top 1K websites of the Tranco list to identify the prevalence and impact of these vulnerabilities. Additionally, the study assesses the extent to which developers rely on DOM content without proper validation, highlighting the need for improved security practices and more robust defenses against DOM-based attacks.
15:00 - 15:30
Speaker: Parth Thakker
Type of Talk: Master Intro
Advisor: Thorsten Holz
Title: Optimizing Fuzzilli: Improving scheduling for a better fuzzing approach
Research Area: RA3: Threat Detection and Defenses
Abstract: Modern web development relies heavily on JavaScript, which allows for dynamic and interactive elements in a variety of web applications. The JavaScript engine inside the browser, responsible for executing JavaScript code, is a highly crucial component. It is of high interest to adversaries, as such engines provide exploitation primitives that make it possible to compromise the host process with a single vulnerability. Fuzzilli is a state-of-the-art fuzzer designed to produce syntactically and semantically valid code to target JavaScript engines. It is one of the few fuzzers that can target the JIT compiler. However, it is rather basic in some of its approaches, and there is room for enhancing its performance and coverage. In this thesis, we work on Fuzzilli to introduce corpus and mutator scheduling, using the state-of-the-art methods defined in LibAFL. We then evaluate our fork and present a detailed report of the work.
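The abstract names the two scheduling decisions a coverage-guided fuzzer makes on every iteration: which corpus entry to mutate next, and which mutator to apply to it. The following is an added Python illustration of one common shape for each (rarity-weighted seed selection and a success-rate-weighted mutator choice); it is not Fuzzilli's or LibAFL's code, and the "program under test", its coverage feedback, the mutator names and the alphabet are all constructed for this example.

```python
"""Toy corpus and mutator scheduling for a coverage-guided fuzzer.

Added illustration; not Fuzzilli's or LibAFL's scheduling. The program under
test and its edge feedback are constructed stand-ins.
"""
import random
from collections import Counter

MUTATORS = ["insert", "delete", "replace"]  # constructed mutator names
ALPHABET = ["a", "b", "c", "d"]              # constructed token alphabet


def edges_of(program):
    """Constructed stand-in for coverage feedback: the 'edges' hit by a program
    (a token list). A real fuzzer gets this from instrumentation."""
    edges = {("start", program[0] if program else "empty")}
    edges.update(zip(program, program[1:]))
    return edges


class CorpusScheduler:
    """Rarity-weighted seed selection: an entry whose edges few other entries
    cover is picked more often than one that only covers common edges."""

    def __init__(self):
        self.entries = []           # list of (program, edges)
        self.edge_hits = Counter()  # number of corpus entries covering each edge

    def add(self, program):
        edges = edges_of(program)
        self.entries.append((program, edges))
        self.edge_hits.update(edges)

    def weight(self, edges):
        return sum(1.0 / self.edge_hits[e] for e in edges)

    def select(self, rng):
        weights = [self.weight(edges) for _, edges in self.entries]
        return rng.choices(self.entries, weights=weights, k=1)[0][0]


class MutatorScheduler:
    """Mutator choice weighted by Laplace-smoothed success rate
    (finds + 1) / (uses + 1), so untried mutators still get scheduled."""

    def __init__(self, mutators):
        self.uses = Counter({m: 0 for m in mutators})
        self.finds = Counter({m: 0 for m in mutators})

    def weight(self, m):
        return (self.finds[m] + 1) / (self.uses[m] + 1)

    def select(self, rng):
        ms = list(self.uses)
        return rng.choices(ms, weights=[self.weight(m) for m in ms], k=1)[0]

    def report(self, m, found_new):
        self.uses[m] += 1
        if found_new:
            self.finds[m] += 1


def mutate(program, mutator, rng):
    """Apply one constructed mutator; an empty program is always grown."""
    p = list(program)
    if mutator == "insert" or not p:
        p.insert(rng.randrange(len(p) + 1), rng.choice(ALPHABET))
    elif mutator == "delete":
        del p[rng.randrange(len(p))]
    else:  # replace
        p[rng.randrange(len(p))] = rng.choice(ALPHABET)
    return p


def fuzz(rounds, seed=0):
    """Run the loop: schedule seed and mutator, mutate, keep children that
    reach new edges, and feed the outcome back to the mutator scheduler."""
    rng = random.Random(seed)
    corpus, muts = CorpusScheduler(), MutatorScheduler(MUTATORS)
    corpus.add(["a"])
    seen = set(corpus.entries[0][1])
    for _ in range(rounds):
        parent = corpus.select(rng)
        m = muts.select(rng)
        child = mutate(parent, m, rng)
        new_edges = edges_of(child) - seen
        muts.report(m, bool(new_edges))
        if new_edges:
            seen |= new_edges
            corpus.add(child)
    return corpus, muts, seen


if __name__ == "__main__":
    corpus, muts, seen = fuzz(200, seed=1)
    print("corpus size:", len(corpus.entries), "edges seen:", len(seen))
    for m in MUTATORS:
        print(f"{m}: uses={muts.uses[m]} finds={muts.finds[m]} weight={muts.weight(m):.2f}")
```

The two schedulers are deliberately independent so that either can be swapped for a different policy; in a real engine fuzzer the feedback would be edge coverage from the instrumented JavaScript engine rather than the constructed `edges_of`.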