Registration for this course is open until Wednesday, 31.12.2025 00:00.

News

Next Seminar on 20.11.2024

Written on 13.11.24 (last change on 20.11.24) by Xinyi Xu

Dear All,


The next seminar(s) will take place on 2024-11-20 at 14:30 (Session A) and 14:00 (Session B).


Session A: (14:30 - 15:00, 15:00 - 15:30)

Chun Ngai Li, Abdullah Alfurjani

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841

Password: BT!u5=

 

Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

 

Julian Rederlechner, Yannick Schording, Robin Wiesen

https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09

Meeting-ID: 661 3690 1453

Password: sxHhzA004}

 

Session A

14:30 - 15:00

Speaker: Chun Ngai Li

Type of Talk: Master Intro

Advisor: Thorsten Holz, Bhupendra Acharya

Title: Exploring the Cybersecurity Threats in LLM-Powered Apps: Malicious Code Generation and Regulatory Challenges

Research Area: RA5: Empirical and Behavioural Security

Abstract: This thesis explores the cybersecurity threats posed by abusing Large Language Model (LLM)-powered apps, focusing on their malicious code generation capabilities and on the challenges and concerns in regulating these misuses. With the expansion of LLM apps across sectors, their potential misuse for generating harmful outputs, such as phishing emails and websites, has become a critical concern. This study investigates the vulnerabilities in current LLM-powered apps, particularly those lacking sufficient safeguards, which can be exploited for malicious code generation. By analyzing various LLM apps using jailbreaking techniques and assessing their output quality, this research aims to assess the resilience of these applications against misuse. This study also examines the regulatory and developer policies needed to mitigate these threats and highlights the societal implications if these issues are not addressed. The results of the study will provide insights for strengthening cybersecurity defenses for LLM-driven technologies and advocate for stronger oversight mechanisms.

 

15:00 - 15:30

 

Speaker: Abdullah Alfurjani

Type of Talk: Master Intro

Advisor: Thorsten Holz

Title: Fingerprinting Attributes Independence Measurement

Research Area: RA5: Empirical and Behavioural Security

Abstract: The objective of this research is to systematically evaluate the independence and uniqueness of various web fingerprinting attributes by conducting a comprehensive measurement study. This study will focus on fingerprinting APIs available on the web, including those related to Audio, Canvas, and JavaScript Floating Point operations, to assess their ability to uniquely identify users across diverse environments. We aim to explore how these attributes perform under different combinations of browsers, devices, and operating systems and to determine which attributes are most effective in generating distinct, reliable user fingerprints. To achieve this, we will conduct an extensive data collection and measurement campaign, gathering real-world fingerprints from users operating in various contexts. This includes different browser versions, operating systems, and hardware setups, allowing us to study how fingerprinting attributes perform across a wide range of scenarios. We will measure the relative uniqueness of each attribute and quantify the extent to which they contribute to creating distinct user profiles. This study addresses a critical gap in existing research by shifting the focus from isolated assessments of fingerprinting attributes, as seen in prior studies [6], [7], [11], [18], to a comprehensive analysis of how these attributes interact with one another. While previous research has primarily evaluated individual fingerprinting techniques, our approach considers the complex interplay between multiple attributes across various contexts. This allows for a more nuanced understanding of which combinations yield the most robust user identification. Furthermore, this research introduces a novel framework that ranks fingerprinting attributes not only by their individual effectiveness but also by their independence and ability to uniquely identify users when combined with other attributes. This dual focus on interaction and ranking sets our framework apart from earlier studies, providing a more holistic tool for understanding and improving fingerprinting techniques.
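As an added illustration of the measurements the abstract describes (example code written for this page, not the thesis's framework or data): Shannon entropy of each attribute on its own, mutual information between attribute pairs as the independence measure, anonymity-set sizes, and a greedy ranking by marginal information gain. The fingerprint records, attribute names and values are constructed placeholders, not real API outputs; "audio" and "float" are made perfectly correlated on purpose, and "ua" constant, so the ranking shows a redundant attribute adding nothing once its partner is known.

```python
"""Added example: ranking fingerprinting attributes by uniqueness and
independence on a constructed sample (not the thesis's code or data)."""
from collections import Counter
from itertools import combinations
import math

# Constructed sample: 8 browsers, four attributes. Values are placeholders,
# not real Canvas/Audio/float outputs. "audio" and "float" always agree, and
# "ua" never varies, to make the effect of redundancy visible.
CANVAS = ["c1", "c1", "c2", "c2", "c3", "c3", "c4", "c4"]
AUDIO = ["a1", "a2"] * 4
FLOAT = ["f1", "f2"] * 4
FINGERPRINTS = [
    {"canvas": CANVAS[i], "audio": AUDIO[i], "float": FLOAT[i], "ua": "Firefox 130"}
    for i in range(8)
]
ATTRIBUTES = ["canvas", "audio", "float", "ua"]


def entropy(attrs, records=FINGERPRINTS) -> float:
    """Shannon entropy (bits) of the joint distribution of `attrs`.
    log2(len(records)) bits means every record is distinguishable."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mutual_information(a, b, records=FINGERPRINTS) -> float:
    """I(A;B) = H(A) + H(B) - H(A,B): 0 means independent in the sample,
    H(A) means B reveals nothing that A did not already reveal."""
    return entropy([a], records) + entropy([b], records) - entropy([a, b], records)


def pairwise_dependence(attributes=ATTRIBUTES, records=FINGERPRINTS) -> dict:
    """Mutual information for every attribute pair, to spot redundant ones."""
    return {(a, b): mutual_information(a, b, records) for a, b in combinations(attributes, 2)}


def anonymity_sets(attrs, records=FINGERPRINTS) -> list:
    """Sizes of the groups records fall into when only `attrs` are observed;
    a group of size 1 is a uniquely identified browser."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    return sorted(counts.values(), reverse=True)


def rank_by_marginal_gain(attributes=ATTRIBUTES, records=FINGERPRINTS) -> list:
    """Greedy ranking: repeatedly add the attribute that raises the joint
    entropy the most. Each step's gain is the information that attribute
    carries independently of those already chosen (ties: earlier attribute)."""
    chosen, ranking = [], []
    remaining = list(attributes)
    while remaining:
        best = max(remaining, key=lambda a: (entropy(chosen + [a], records), -remaining.index(a)))
        gain = entropy(chosen + [best], records) - entropy(chosen, records)
        chosen.append(best)
        remaining.remove(best)
        ranking.append((best, round(gain, 6)))
    return ranking


if __name__ == "__main__":
    for attr in ATTRIBUTES:
        print(f"H({attr}) = {entropy([attr]):.2f} bits, anonymity sets {anonymity_sets([attr])}")
    print("pairwise MI:", pairwise_dependence())
    print("ranking by marginal gain:", rank_by_marginal_gain())
```

On this sample "canvas" carries 2 bits alone, "audio" adds a further bit that makes every record unique, and "float" then adds nothing because its mutual information with "audio" equals its own entropy; a ranking by individual entropy alone would have listed "audio" and "float" as equally valuable.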

 

Session B

 

14:00 - 14:30

Speaker: Julian Rederlechner

Type of Talk: Bachelor Intro

Advisor: Ali Abbasi

Title: Spot the Diff-erence: Investigation of bsdiff

Research Area: RA3: Threat Detection and Defenses

Abstract: In an age where efficient software updates are crucial, especially for IoT devices, smartphones with limited connectivity and even vehicles, small and reliable over-the-air (OTA) updates have become an important topic. In this talk, we will focus on the aspect of "minimizing data transmission". We will present bsdiff, an efficient binary diffing algorithm originally developed to create compact software patches. Its early version, bsdiff4, set a standard for generating minimal patches that optimize update distribution. Its successor, bsdiff6, promises smaller patch sizes, but is still largely unexplored and unpublished. Our research aims to explore the structure and benefits of bsdiff6, and ultimately provide a modern Rust implementation. This project will not only shed light on the capabilities of bsdiff6, but also provide a baseline implementation and comprehensive documentation that will contribute to OTA solutions for networked devices in various industries.

 

14:30 - 15:00

 

Speaker: Yannick Schording

Type of Talk: Master Final

Advisor: Dominic Steinhoefel

Title: Specification-Based Testing with JSON Schemas

Research Area: RA3: Threat Detection and Defenses

Abstract: In recent years, the JSON data format has become one of the most popular formats for data interchange via the internet, especially for communication between API endpoints. Since the services that provide these endpoints often handle sensitive data, it is crucial that they work as intended and do not contain any bugs that could be abused for malicious purposes. Fuzzing is one of the techniques that can be used to make sure that this is the case. By generating numerous diverse inputs and feeding them to these systems, it is possible to discover the inputs that trigger such bugs. While generating completely random inputs might already discover some bugs, most of them will not adhere to the syntax or semantics expected by the tested software. They are rejected early by the software and thus cannot reach deeper parts of its code. A popular approach to prevent this is fuzzing based on the specification of the input language expected by the software. The most prominent specification format for JSON is JSON schema. Schemas are written as JSON objects themselves and define the structure other JSON objects should follow. In this thesis, we develop a fuzzing tool that automatically generates JSON data which adheres to the syntactic and semantic rules defined by the schema. It first translates the schema to a grammar and a set of ISLa constraints, and then uses the ISLa solver to produce valid inputs for it. To prove the capabilities of our tool, we compare the quality of its inputs to ones produced by the popular JSON Schema Faker library and test some popular software applications with it.
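The thesis compiles the schema to a grammar plus ISLa constraints and lets the ISLa solver produce inputs. As a simpler added illustration of specification-based generation (example code for this page, not the thesis's tool and not the JSON Schema Faker library), the block below walks a JSON Schema subset directly with a seeded random generator and checks every instance against an independent validator for the same subset, which serves as the oracle for "adheres to the schema". The transfer-endpoint schema is constructed for the example; the supported keywords are type, enum, required, properties, items, minimum/maximum, minLength/maxLength and minItems/maxItems.

```python
"""Added example: schema-directed JSON generation with a validating oracle.
Written for this page; the schema below is constructed, not from any API."""
import json
import random
import string

# Constructed schema for an illustrative "transfer" endpoint.
TRANSFER_SCHEMA = {
    "type": "object",
    "required": ["account", "amount"],
    "properties": {
        "account": {"type": "string", "minLength": 8, "maxLength": 8},
        "amount": {"type": "integer", "minimum": 1, "maximum": 10_000},
        "currency": {"enum": ["EUR", "USD"]},
        "tags": {"type": "array", "maxItems": 3, "items": {"type": "string", "maxLength": 5}},
        "urgent": {"type": "boolean"},
    },
}

ALPHABET = string.ascii_letters + string.digits


def generate(schema, rng):
    """Produce one instance satisfying `schema` (supported subset only)."""
    if "enum" in schema:
        return rng.choice(schema["enum"])
    kind = schema["type"]
    if kind == "object":
        required = set(schema.get("required", []))
        # Optional properties are included at random so the shapes vary.
        return {
            name: generate(sub, rng)
            for name, sub in schema.get("properties", {}).items()
            if name in required or rng.random() < 0.5
        }
    if kind == "array":
        n = rng.randint(schema.get("minItems", 0), schema.get("maxItems", 4))
        return [generate(schema["items"], rng) for _ in range(n)]
    if kind == "integer":
        return rng.randint(schema.get("minimum", -(2**31)), schema.get("maximum", 2**31 - 1))
    if kind == "string":
        n = rng.randint(schema.get("minLength", 0), schema.get("maxLength", 16))
        return "".join(rng.choice(ALPHABET) for _ in range(n))
    if kind == "boolean":
        return rng.random() < 0.5
    raise ValueError(f"unsupported schema: {schema}")


def validate(instance, schema) -> bool:
    """Independent validator for the same subset, used as the oracle.
    Properties not listed in the schema are permitted, as in JSON Schema."""
    if "enum" in schema:
        return instance in schema["enum"]
    kind = schema["type"]
    if kind == "object":
        if not isinstance(instance, dict):
            return False
        if any(k not in instance for k in schema.get("required", [])):
            return False
        props = schema.get("properties", {})
        return all(validate(v, props[k]) for k, v in instance.items() if k in props)
    if kind == "array":
        if not isinstance(instance, list):
            return False
        if not schema.get("minItems", 0) <= len(instance) <= schema.get("maxItems", float("inf")):
            return False
        return all(validate(item, schema["items"]) for item in instance)
    if kind == "integer":
        # bool is a subclass of int in Python; JSON Schema treats it as a separate type.
        return (isinstance(instance, int) and not isinstance(instance, bool)
                and schema.get("minimum", float("-inf")) <= instance <= schema.get("maximum", float("inf")))
    if kind == "string":
        return (isinstance(instance, str)
                and schema.get("minLength", 0) <= len(instance) <= schema.get("maxLength", float("inf")))
    if kind == "boolean":
        return isinstance(instance, bool)
    return False


def generate_corpus(schema, count, seed=1) -> list:
    """Deterministic corpus of `count` instances; the seed makes runs reproducible."""
    rng = random.Random(seed)
    return [generate(schema, rng) for _ in range(count)]


if __name__ == "__main__":
    for instance in generate_corpus(TRANSFER_SCHEMA, 3):
        print(json.dumps(instance), "valid:", validate(instance, TRANSFER_SCHEMA))
```

Because the generator and the validator are written independently, a disagreement between them on any generated instance points at a bug in one of the two; that same differential check is how a schema-to-grammar translation would be tested before its outputs are trusted to reach deep code paths.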

 

15:00 - 15:30

 

Speaker: Robin Wiesen

Type of Talk: Bachelor Final

Advisor: Sven Bugiel

Title: Selective Permissions for Android's SDK Runtime

Research Area: RA4: Secure Mobile and Autonomous Systems

Abstract: A frequently criticized aspect of Android’s security concept is that third-party libraries are executed within the host app’s sandbox and thus inherit all of its privileges. This gives them access to substantially more sensitive resources than necessary, which jeopardizes the security and privacy of users. In response, Android 13 introduced the SDK Runtime as an option to confine untrusted code in its own sandbox with separate privileges. However, the current design is primarily geared towards advertising SDKs and imposes rigid restrictions on the isolated libraries, such as a fixed set of permissions. As this significantly limits the applicability of the SDK Runtime, it is questionable how much the offered potential is actually used. The aim of this bachelor thesis is to develop a solution that enables code in the SDK Runtime to selectively request additional permissions. To this end, we build an application-layer extension where the host app takes on the role of a proxy and requests permissions and data on behalf of the SDK. The library enforces a security policy for requests from the SDK Runtime, effectively enabling flexible permissions without OS modifications. In our prototype, we demonstrate the functionality of this approach exemplarily for location and contact data. Although subsequent performance measurements reveal relatively high overhead in some cases, it demonstrates the feasibility of using the SDK Runtime as the basis for flexible privilege separation. Extending its scope beyond advertising libraries facilitates the implementation of a modular, least-privilege app architecture. At the same time, supporting a more fine-grained access control policy without impairing user experience raises usability challenges that represent an interesting area for future research.

 

Next Seminar on 06.11.2024

Written on 30.10.24 (last change on 01.11.24) by Xinyi Xu

Dear All,


The next seminar(s) will take place on 2024-11-06 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

Syed Haider Ali Shah, Nirav Shenoy, Leonard Zitzmann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841

Password: BT!u5=

 

Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

 

Majdi Maalej, Mitul Bipin, Pranav Shetty

https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09

Meeting-ID: 661 3690 1453

Password: sxHhzA004}

 

Session A

14:00 - 14:30

Speaker: Syed Haider Ali Shah

Advisor: Matthias Fassl, Katharina Krombholz

Research Area: RA6: Others

 

14:30 - 15:00

 

Speaker: Nirav Shenoy

Type of Talk: Master Intro

Advisor: Rebekka Burkholz

Title: Efficient Sparse Training: Combining Continuous Sparsification with Learning Rate Rewinding

Research Area: RA1: Trustworthy Information Processing

Abstract: Iterative pruning methods have been effective at creating state-of-the-art sparse networks that match the performance of dense models. These methods however require multiple training cycles and incur substantial computational costs due to their dense-to-sparse approach. We propose an efficient training framework that aims to reduce training iterations and computational cost per training iteration by beginning with random sparse models and employing continuous sparsification during training to achieve high accuracy at extremely high sparsities. Continuous sparsification can prune to high sparsities over far fewer epochs compared to more computationally expensive post-training pruning methods. Our approach utilizes Soft Threshold Reparameterization (STR) for its ability to induce non-uniform sparsity without relying on heuristics or predetermined sparsity budgets. We combine this with Learning Rate Rewinding (LRR), where each training iteration rewinds the learning rate schedule while maintaining the final weight values from the previous cycle. While STR effectively identifies masks in sparse-to-sparse scenarios, its sensitivity prevents weight revival once pruned. To address this limitation, we introduce a modified version of GraNet, a zero-cost neuroregeneration technique, to revive potentially useful weights at high sparsities.

 

15:00 - 15:30

 

Speaker: Leonard Zitzmann

Type of Talk: Bachelor Intro

Advisor: Lea Gröber

Title: Know Thyself: A Comparative Security Analysis of Self-Hosted and Cloud-Hosted WordPress Websites

Research Area: RA5: Empirical and Behavioural Security

Abstract: Cloud-hosted services continue to rise in popularity, while already being the predominant form of hosting environment on the internet. Although cloud-hosting is considered to be more “secure” by the public, there is little to no data available to support this belief. We aim to provide a comparative analysis of self-hosted and cloud-hosted web services on the example of WordPress, regarding commonly used security awareness indicators like HTTP headers.

 

Session B

 

14:00 - 14:30

Speaker: Majdi Maalej

Type of Talk: Master Intro

Advisor: Sebastian Stich

Title: Challenges and Benefits of Homomorphic Encryption on different Federated Learning Schemes

Research Area: RA1: Trustworthy Information Processing

Abstract: Over recent years, federated learning (FL) has become popular in the area of machine learning as a method for collaborative model deployment without sharing the data, since the data stays at the client devices. Nonetheless, models built using FL are subject to model inversion attacks, where malicious servers attempt to retrieve sensitive client information. This paper addresses the issue of incorporating homomorphic encryption (HE), in particular the CKKS scheme, with both synchronous and asynchronous FL models to protect data at all times. HE enables encrypted parameter aggregation, thereby alleviating the possibility of data exposure, and provides safeguards against inference attacks. The study looks at major issues including computation overheads, effects of the encryption on model accuracy, and performance differences between the FL schemes.

 

14:30 - 15:00

 

Speaker: Mitul Bipin

Type of Talk: Master Final

Advisor: Masudul Hasan Masud Bhuyian

Title: Comparative Analysis of Defenses Against ReDoS-based Attacks

Research Area: RA3: Threat Detection and Defenses

Abstract: In the current development landscape, developers rely on regular expressions for several operations, e.g., validation and filtering. Sometimes, these regular expressions might contain ambiguity, i.e., cases where the regular expression allows the possibility of taking multiple paths to perform the same match. When an attacker sends a specially crafted input string that exploits the ambiguity, it can exhaust server resources and cause a Denial of Service (DoS) attack. We call these Regular Expression Denial of Service (ReDoS) attacks. ReDoS attacks could be avoided by ensuring the regular expression does not contain ambiguities. However, in some cases, a complex regular expression might cause the developer to overlook an ambiguity, or an imported library might contain a regular expression that contains an ambiguity. There exist several research efforts to identify and prevent such vulnerable regular expressions, but we do not have any conclusive evidence to determine the most effective technique. Several cloud providers offer mitigation techniques, such as deploying a web application firewall, to prevent traditional DoS attacks. However, we do not have any conclusive evidence whether they can prevent Denial of Service caused by regular expressions. To address the aforementioned gaps, the thesis delivers a comparative analysis to determine the most effective method to mitigate ReDoS attacks in a web application configured with various ReDoS mitigation techniques. In addition to that, we deploy the same web application in the cloud and set up traditional DoS mitigation techniques to evaluate whether they could also prevent ReDoS attacks. We import known ReDoS vulnerabilities identified by a CVE number into web applications and fix the vulnerability using different mitigation techniques. We simulate a naive DoS attack scenario where we generate benign HTTP requests for a pre-defined duration and intermittently inject malicious HTTP requests throughout the period. We repeat the experiment for every mitigation technique and document the latency and throughput of the benign HTTP requests obtained during the experiment. The results indicate that a given vulnerable regular expression fixed using a non-backtracking regex engine and an alternate logic (a custom parser which replicates the regular expression) processes a higher throughput rate and yields a lower latency. Other mitigation techniques, such as a timeout mechanism and repairing a regular expression using an automatic repair algorithm, failed to consistently process high throughput rates. Some of the cloud-based mitigation techniques, such as web application firewalls and issuing JavaScript challenges to HTTP requests, can partially prevent a ReDoS attack. The rate-limiting mechanism failed to prevent a ReDoS attack.
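The ambiguity the abstract describes, as an added example that is not part of the thesis: a validation regex of the form ^(\w+\s?)*$ (chosen here for illustration, not one of the CVE cases the thesis imports) can split a run of word characters between iterations of the outer group in exponentially many ways, so an input that can never match forces a backtracking engine to try every split before failing. Beside it is the "alternate logic" mitigation from the abstract, a hand-written parser that accepts exactly the same language in one pass, with a differential check against the regex on short inputs to confirm the two agree. The attack string and the alphabet used for the check are constructed.

```python
"""Added example: a ReDoS-prone validation regex beside a linear-time parser
accepting the same language, plus a differential check between the two.
Illustrative code written for this page, not from the thesis."""
import random
import re
import time

# Ambiguous pattern: a run of word characters can be divided between the
# iterations of (\w+\s?)* in 2^(n-1) ways. When the trailing character makes
# the overall match impossible, the backtracking engine tries all of them.
# re.ASCII pins \w and \s to the ASCII classes mirrored in the parser below.
VULNERABLE = re.compile(r"^(\w+\s?)*$", re.ASCII)

WORD = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")
SPACE = set(" \t\n\r\f\v")


def regex_accepts(s: str) -> bool:
    """Reference behaviour: the vulnerable regex. Only call it on short input."""
    return VULNERABLE.fullmatch(s) is not None


def linear_accepts(s: str) -> bool:
    """Parser for exactly the language of ^(\\w+\\s?)*$: the empty string, or a
    string that starts with a word character, contains only word and whitespace
    characters, and never has two whitespace characters in a row. One pass,
    O(n) time, nothing to backtrack over."""
    if s == "":
        return True
    if s[0] not in WORD:
        return False
    prev_space = False
    for ch in s:
        if ch in WORD:
            prev_space = False
        elif ch in SPACE:
            if prev_space:
                return False
            prev_space = True
        else:
            return False
    return True


def attack_string(n: int) -> str:
    """Crafted input: a long word followed by a character that is neither \\w nor \\s."""
    return "a" * n + "!"


def equivalent_on_random_inputs(trials: int = 2000, seed: int = 7) -> bool:
    """Differential check: the parser must agree with the regex on every input.
    Inputs are kept short so the regex itself finishes quickly."""
    rng = random.Random(seed)
    alphabet = "ab _\t!-"  # constructed: word chars, two whitespace kinds, two rejects
    for _ in range(trials):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 10)))
        if regex_accepts(s) != linear_accepts(s):
            return False
    return True


def time_regex(n: int) -> float:
    """Seconds the backtracking engine needs to reject attack_string(n)."""
    start = time.perf_counter()
    regex_accepts(attack_string(n))
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each additional character roughly doubles the regex's rejection time;
    # the parser's cost grows by one loop iteration.
    for n in (12, 14, 16, 18):
        print(f"n={n}: regex {time_regex(n):.4f}s, parser rejects: {not linear_accepts(attack_string(n))}")
    print("parser == regex on random inputs:", equivalent_on_random_inputs())
```

The differential check is the part that matters when replacing a regex in production: a replacement parser that is merely "close" silently changes what the application accepts, so it should be fuzzed against the original on inputs short enough for the original to finish.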

 

15:00 - 15:30

 

Speaker: Pranav Shetty

Type of Talk: Master Intro

Advisor: Nils Ole Tippenhauer, Ankush Meshram

Title: Adversarial Attacks and Defenses on Network-based Intrusion Detection Systems in Industrial Networks

Research Area: RA3: Threat Detection and Defenses

Abstract: Industrial Control Systems (ICS) and other components of Industrial Networks that are critical for the functioning of essential services and manufacturing processes, are increasingly becoming the targets for cyber-attacks. These components are responsible for controlling and managing everything from power grids and water treatment facilities to factory automation systems. Any disruption or compromise of these systems can have severe consequences, including economic loss, safety hazards, and threats to public health. Network Intrusion Detection Systems (NIDS) are crucial for identifying and mitigating cyber threats in these environments. However, with the rise of Adversarial Machine Learning, attackers can develop techniques to evade the detection by NIDS. Hence, there is a need to inspect the vulnerability of NIDS models against such Adversarial Attacks. This research aims to address the challenge of developing effective Adversarial Attacks capable of bypassing the NIDS in Industrial Networks and designing Robust Defense Mechanisms to counter these attacks.

 

Next Seminar on 23.10.2024

Written on 16.10.24 (last change on 22.10.24) by Xinyi Xu

Dear All,


The next seminar(s) will take place on 2024-10-23 at 14:00 (Session A) and 14:00 (Session B).


Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

Madhurima Ghosh, Louai Alkhatib, Paul Kalbitzer

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841

Password: BT!u5=

 

Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

 

Luis Felger, Riddhi Suryavanshi, Lenny Händler

https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09

Meeting-ID: 661 3690 1453

Password: sxHhzA004}

 

Session A

14:00 - 14:30

Speaker: Madhurima Ghosh

Type of Talk: Master Intro

Advisor: Mridula Singh, Xiao Zhang

Title: Benchmarking Machine Learning-based Industrial Control Systems (ICS) Network Intrusion Detection System (NIDS) for Robustness

Research Area: RA3: Threat Detection and Defenses

Abstract: Industrial Control Systems (ICS) are an essential part of critical infrastructure, responsible for the automated control and monitoring of industrial processes. They are integral to sectors such as energy, water, manufacturing, transportation, and chemical production. The security of these systems is paramount due to the potential catastrophic consequences of successful cyber-attacks. Hence, Network Intrusion Detection System (NIDS) is required to analyse industrial network traffic in real time for adversarial behaviour. Anomaly detection mechanism using Machine Learning (ML) techniques is gaining popularity for NIDS. However, the robustness of these ML models, particularly against adversarial attacks, is not fully understood. This research proposes to develop a rigorous framework to test and benchmark the robustness of ML-based NIDS in ICS environments through adversarial attacks, ultimately contributing to more secure and resilient ICS networks.

 

14:30 - 15:00

 

Speaker: Louai Alkhatib

Type of Talk: Bachelor Intro

Advisor: Thorsten Holz, Bhupendra Acharya

Title: Hall of Fame: Measuring Vulnerability Disclosures by Bug Bounty Hunters

Research Area: RA5: Empirical and Behavioural Security

Abstract: Bug bounty programs have significantly enhanced software security by establishing structured environments for identifying vulnerabilities. These programs have been widely adopted by major corporations such as Google and Apple, and others are facilitated through crowdsourced platforms like HackerOne and Bugcrowd. A detailed analysis of reports from these programs would help us understand the technical details that hunters use during their vulnerability assessments. Therefore, this thesis explores the dual aspects of bug bounty programs: the analytical and the empirical. The analytical component tries to assess the disclosed vulnerabilities, focusing on the types of vulnerabilities reported and the methodologies employed in their discovery. The empirical section delves into the experiences of top bug bounty hunters, exploring the strategies and tools they employ through a detailed survey. Notably, this research addresses the lack of focus on technical practices in the existing literature by integrating a comprehensive technical survey that uncovers the methods used by hunters to find bugs.

 

15:00 - 15:30

 

Speaker: Paul Kalbitzer

Type of Talk: Master Intro

Advisor: Andreas Zeller, José Antonio Zamudio Amaya

Title: Generating tests for the detection of XMLi vulnerabilities based on WSDL specifications

Research Area: RA3: Threat Detection and Defenses

Abstract: In this thesis we propose a framework to combat XMLi. By leveraging the WSDL specification (Web Services Description Language) of a web service, our framework provides customized test inputs specifically designed to check for XMLi vulnerabilities. By creating XML messages that reflect the service’s functionality and strategically modifying them using grammar-based techniques, the framework effectively simulates XML injection attacks, enabling a thorough examination of web services for XMLi vulnerabilities.

 

Session B

 

14:00 - 14:30

Speaker: Luis Felger

Type of Talk: Bachelor Intro

Advisor: Michael Schwarz, Lukas Gerlach

Title: Analyzing the Data-Obliviousness Preservation of Runtimes by the Example of WebAssembly

Research Area: RA3: Threat Detection and Defenses

Abstract: Executing processor instructions on hardware often leads to micro-architectural effects, such as cache-induced timing differences when accessing memory. Adversaries can exploit these to observe the execution behavior of programs. If secret parameters affect this, adversaries can learn about their values, too. Hence, data-oblivious algorithms have been developed, which do not expose parameter values with their execution behavior. However, previous work showed that translating source code to machine code can affect data-obliviousness, e.g., due to applied optimizations. Meanwhile, widespread software development approaches include translating programs multiple times. For example, source code is often compiled to intermediate representations before being translated by runtimes to operations of the target hardware. Thus, data-obliviousness can break at multiple stages. Previous analysis approaches, such as DATA, that depend on tracing and comparing executed instructions focus on native binaries. However, it seems to be difficult to utilize these to analyze programs that depend on runtimes to dynamically translate intermediate representations to operations of the target platform at execution. We assume that the complexity of such runtimes, strategies like garbage collection, and dividing work among multiple worker threads lead to huge and varying traces. Initial investigations back these considerations. Thus, our goal is to develop an alternative approach that improves analysing the data-obliviousness of programs that require runtimes to translate their intermediate representation at execution. While we assume that our general approach will be transferable to other environments as well, we want to focus our implementation and demonstration on programs that have been written in C, translated to WebAssembly, and are executed with different runtimes on x86.

 

14:30 - 15:00

 

Speaker: Riddhi Suryavanshi

Type of Talk: Master Intro

Advisor: Nils Ole Tippenhauer

Title: Driving Off the Privacy Hill - Examining Privacy Concerns in Connected Cars

Research Area: RA4: Secure Mobile and Autonomous Systems

Abstract: In today’s automotive landscape, the integration of cloud connectivity into modern vehicles presents a variety of benefits. However, this car-to-cloud connectivity also expands the attack surface for potential hackers, raising concerns about the security and privacy of data transmission. Despite these concerns, a noticeable gap exists in research regarding the privacy practices associated with connected cars, including data collection and transmission methods. This thesis addresses this gap by identifying the current technologies employed in automotive car-to-cloud connectivity and evaluating their privacy posture.

 

15:00 - 15:30

 

Speaker: Lenny Händler

Type of Talk: Bachelor Final

Advisor: Robert Künnemann

Title: Analysing Tox using Equivalence Properties

Research Area:

Abstract: Tox is a protocol for instant messaging and audio/video communication. In contrast to other proposals like Skype, Signal or Matrix, it uses a p2p architecture. It was designed to provide privacy, however, neither the protocol, nor these guarantees have been clearly defined. Even worse, some attacks are already known. The goal of this thesis is to formalise the protocol and some of the confidentiality guarantees it means to provide. To this end, we are planning to use deepsec, a decidability procedure for trace equivalence.

 

Next Seminar on 09.10.2024

Written on 02.10.24 (last change on 09.10.24) by Xinyi Xu

Dear All,


The next seminar(s) will take place on 2024-10-09 at 14:00 (Session A) and 14:30 (Session B).


Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

Mohd Kashif, Divya Nidadavolu, Mohamad Altamer

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841

Password: BT!u5=

 

Session B: (14:30 - 15:00)

 

Faiq Iftikhar Awan

https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09

Meeting-ID: 661 3690 1453

Password: sxHhzA004}

 

Session A

14:00 - 14:30

Speaker: Mohd Kashif

Type of Talk: Master Intro

Advisor: Nico Döttling

Title: Haskell to FHE Transpiler

Research Area: RA0: Algorithmic Foundations and Cryptography

Abstract: We propose a fully homomorphic encryption transpiler that allows developers to convert high-level code (Haskell) that works on unencrypted data into high-level code that operates on encrypted data.

 

14:30 - 15:00

 

Speaker: Divya Nidadavolu

Type of Talk: Master Intro

Advisor: Xiao Zhang, Mario Fritz

Title: Double Trouble: Enhancing Robustness of Traffic Sign Classifiers Against Dual Adversarial Challenges

Research Area: RA3: Threat Detection and Defenses

Abstract: The advancement of deep learning has greatly improved intelligent transportation systems, especially in traffic sign recognition, which is vital for autonomous driving. While models trained on datasets like the German Traffic Sign Recognition Benchmark (GTSRB) have shown promise, their susceptibility to adversarial attacks is a growing concern. Data poisoning attacks can target specific subsets of traffic signs, leading to dangerous misclassifications, such as confusing stop signs with other signs. Additionally, out-of-distribution (OOD) attacks exploit the model's unfamiliarity with unusual conditions, causing further vulnerabilities. This thesis aims to enhance the robustness of traffic sign recognition models against these threats, ensuring their reliability and safety in real-world autonomous driving scenarios.

 

15:00 - 15:30

 

Speaker: Mohamad Altamer

Type of Talk: Bachelor Intro

Advisor: Cristian-Alexandru Staicu, Dolière Francis Somé

Title: Content Delivery Networks and CSP: Addressing Web Security Risks

Research Area: RA5: Empirical and Behavioural Security

Abstract: The global companies of today are putting in very serious efforts to ensure that content is presented to the user fast and at any part of the world. Content Delivery Networks (CDNs) now are an essential piece in enabling fast access to web resources globally. However, security concerns arise, particularly when public CDNs are used to deliver content like scripts on web pages, which poses risks to user data. This thesis investigates the relationship between the use of CDNs and Content Security Policy (CSP), an important feature in web security intended to reduce risks associated with the delivery of content from third-party sources. While the CSP feature is useful for restricting content, it becomes insufficient when defining a public CDN as a trusted source. By studying the drawbacks of CSP in conjunction with the inherent vulnerabilities in CDNs, this research investigates the security vulnerabilities of public CDNs, examining multiple services including Cloudflare, Amazon, and Google CDN. The obtained results will contribute important insights for development, research, and usage, highlighting that more proper strategies need to be adopted to enhance the security of web applications. Ultimately, this work is going to contribute towards a more secure and trustworthy internet environment by eliminating the risks associated with the wide use of CDNs.
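As an added example of the point about host-based trust in CSP (example code written for this page, not part of the thesis; the two policies and the host names in them are constructed): a small checker that parses a Content-Security-Policy header and flags script-src sources that trust a CDN by host name or wildcard, next to a nonce-based policy with 'strict-dynamic' that it passes. Allowing a CDN host admits every script that is or ever was published on that host, including outdated library versions and libraries containing script gadgets, which is why CSP3 ignores host sources once 'strict-dynamic' is present. Subresource Integrity pins the bytes of a CDN script in the HTML and is outside what a header check can see.

```python
"""Added example: flag script-src policies that trust a CDN by host name.
Written for this page; policies and host names below are constructed."""
import re

# A nonce or hash source expression, e.g. 'nonce-...' or 'sha256-...'.
NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/_=-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$")

# Weak: any script on cdn.example.net, or on any subdomain of
# cdn-provider.example, may run, and 'unsafe-inline' disables the XSS
# protection entirely.
WEAK_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.net https://*.cdn-provider.example 'unsafe-inline'"
)

# Hardened: only scripts carrying the per-response nonce run, and scripts
# they load dynamically inherit trust through 'strict-dynamic'. The https:
# and 'unsafe-inline' entries are fallbacks for browsers without CSP3
# support; browsers that understand 'strict-dynamic' ignore them.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'nonce-r4nd0mPerResponse' 'strict-dynamic' https: 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'"
)


def parse_csp(header: str) -> dict:
    """{directive: [source expressions]}. Browsers honour the first occurrence
    of a directive and ignore repeats; setdefault does the same here."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_src(directives: dict) -> list:
    """script-src falls back to default-src when it is absent."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def audit_script_src(header: str) -> list:
    """Return human-readable findings; an empty list means no host-based trust
    and no inline/eval loophole in the effective script-src."""
    sources = effective_script_src(parse_csp(header))
    lowered = [s.lower() for s in sources]
    strict_dynamic = "'strict-dynamic'" in lowered
    nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    findings = []
    if strict_dynamic and not nonce_or_hash:
        findings.append("'strict-dynamic' without any nonce or hash source: no script can run")
    for src in sources:
        low = src.lower()
        if low.startswith("'"):
            # Keyword sources. 'unsafe-inline' is ignored once a nonce or hash
            # is present (CSP2) or 'strict-dynamic' is present (CSP3).
            if low == "'unsafe-inline'" and not (nonce_or_hash or strict_dynamic):
                findings.append("'unsafe-inline': any injected inline script runs")
            elif low == "'unsafe-eval'":
                findings.append("'unsafe-eval': string-to-code APIs are allowed")
            continue
        if strict_dynamic:
            continue  # host and scheme sources are ignored under 'strict-dynamic'
        if low in ("*", "http:", "https:", "data:", "blob:"):
            findings.append(f"{src}: scheme or wildcard source allows scripts from any origin")
        elif "*" in low:
            findings.append(f"{src}: wildcard host trusts every subdomain of the CDN")
        else:
            findings.append(
                f"{src}: host allowlist trusts every script on this origin; "
                "prefer a nonce or hash with 'strict-dynamic', and pin CDN files with SRI"
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, audit_script_src(policy) or ["no findings"])
```

Run against a crawl, the checker separates sites that merely mention a CDN in their policy from sites whose policy would actually stop an injected script; the abstract's measurement of CSP deployments alongside CDN usage is the kind of study such a classification feeds.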

 

Session B

 

14:30 - 15:00

Speaker: Faiq Iftikhar Awan

Type of Talk: Master Final

Advisor: Andreas Zeller, Marius Smytzek

Title: More Tests, Better Repair?

Research Area: RA3: Threat Detection and Defenses

Abstract: An automated program repair is a tool that can automatically look for bugs in a program and fix them using techniques like fault localization, maximum branch coverage, etc. Furthermore, test generation uses fuzzers to randomly generate test cases that increase the branch coverage of a test subject. Fuzzers are software tools that can generate a large volume of random or semi-random data that can be directly fed into a test subject or program. With this definition in mind, we ask a question: do more tests translate to better repair? We present a comprehensive analysis based on statistical data and results that tries to answer this question. Our approach utilizes recently published tools such as Avicenna, ISLa and Tests4Py to answer this simple question analytically. These tools serve as building blocks for a solution that can use a minimal amount of tests to create a specification about a program, then generate new test cases according to that specification and repair a program using the test cases that provide the most coverage. Such repairs are then compared against a baseline. What level of enhancement, if any, does an increase in test cases contribute to the effectiveness of a program repair solution?

 

Winter is Coming

Written on 01.10.24 by Xinyi Xu

Dear all,

Welcome to the new course for the Bachelor and Master seminar in the winter term.
Please switch to this course.

Best wishes,

BAMA Seminar Team

Bachelor- and Master-Seminar

The bachelor/master seminar is a stage for all talks related to bachelor or master theses at CISPA.

The seminar is currently held bi-weekly on Wednesdays in odd-numbered calendar weeks. It takes place throughout the year, regardless of the lecture periods. You can join at any time. There are two parallel Zoom sessions from 14:00 to 15:30 with up to three talks each. The upcoming talks will be announced in the News section above.

Requirements for the course certificate

To pass the seminar, you have to

  • give an introductory talk where you present your thesis proposal

Furthermore, it is expected that you attend all talks of your own research area and participate in discussion during the time of your thesis work. You get a certificate and a grade for this course from your advisor. The advisor can contact us (bamaseminar@cispa.saarland) to check whether you meet all the passing conditions and to get a template for the certificate.

Further, you are required to hold a final talk about the results as a part of your thesis. While this talk is technically not part of the seminar but of the thesis work, you can still present it in the context of the seminar.

Attending a seminar session

Simply join one of the two parallel Zoom sessions. Choose the session with the talks you are most interested in. We welcome active participation and encourage you to ask questions and give helpful comments in the discussion after each talk.

During the seminar, we will share a link to an attendance sheet. Make sure to add your name to this document. We use these documents to track who attended which sessions.

Giving a talk in the seminar

Each talking slot is 30 minutes long. Your presentation should last about 20 minutes, so we have about 10 minutes left for discussion.

If you want to give a talk, you can book a time slot in one of the sessions. Use one of the following links for booking:

Please coordinate time and date with your advisor so that no two students of the same advisor present at the same time.

If you don't need a specific time slot, please try to book 14:30, as some students need either the 14:00 or the 15:00 slot. In rare cases we will have to move talks to another time on the same day, so please indicate which times you would be available. The final schedule will be announced in the News section a few days before the sessions take place.

To list your talk in the announcement, you will have to hand in some information about it, namely:

  • Speaker: Your name.
  • Type of talk: Bachelor Intro, Bachelor Final, Master Intro, or Master Final.
  • Advisor: Please provide the name of your advisor. If multiple advisors wish to attend the session, please list them all and separate their names by comma so we can prevent collisions.
  • Title: Title of your talk.
  • Research Area: the number of your area. (If in doubt, check https://cispa.de/en/research or ask your advisor.) The areas are the following:
    • RA0: Algorithmic Foundations and Cryptography
    • RA1: Trustworthy Information Processing
    • RA2: Reliable Security Guarantees
    • RA3: Threat Detection and Defenses
    • RA4: Secure Mobile and Autonomous Systems
    • RA5: Empirical and Behavioural Security
    • RA6: Others
  • Abstract: Abstract of your talk.

Refer to previous announcements for examples. Please ensure that each value is on a single line (not spread over several lines), except for the abstract, because the submission is parsed automatically.

Please submit this information at least one week in advance (until 23:59 on the Wednesday before your talk). Upload your information as a submission to CMS (see Personal Status), preferably as a plain text file (.txt). You can find a template in the materials section.

Contact the organizers

If there are any questions left, please use the email address bamaseminar@cispa.saarland to contact the organizers.
