Next Seminar on 15.01.2025
Written on 08.01.2025 19:49 by Xinyi Xu
Dear All,
The next seminar(s) will take place on 2025-01-15 at 14:00 (Session A) and 14:00 (Session B).
Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)
Sophie Carolin Kohler, Mohamad Hammoud, Demian Fink
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting-ID: 967 8620 5841
Password: BT!u5=
Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)
David Dewes, Lisa Roehl, Robin Jacobi
https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09
Meeting-ID: 661 3690 1453
Password: sxHhzA004}
Session A
14:00 - 14:30
Speaker: Sophie Carolin Kohler
Type of Talk: Bachelor Intro
Advisor: Katharina Krombholz, Carolyn Guthoff
Title: User Acceptance of Client-Side Nudity Filters
Research Area: RA5: Empirical and Behavioural Security
Abstract: Client-Side Scanning (CSS) is a controversial method proposed to detect child sexual abuse material (CSAM). For example, the 2022 EU Commission proposal to prevent and combat child sexual abuse faced substantial criticism from data protectionists due to its invasive approaches. However, not every algorithm is the same; CSS has many nuances and differences in its implementation and objectives. Nudity Filters protect users from unwanted exposure to nudity and are an existing application of CSS that people can understand and relate to. The goal of this thesis is to develop a questionnaire on the factors that influence users' acceptance of Nudity Filters.
14:30 - 15:00
Speaker: Mohamad Hammoud
Type of Talk: Master Intro
Advisor: Katharina Krombholz, Lea Gröber
Title: Designing a Comprehensive HTTP Header Security Analysis Extension: A Participatory Approach
Research Area: RA5: Empirical and Behavioural Security
Abstract: HTTP headers are critical for web security, managing content policies, access restrictions, and secure data transmission. Already existing HTTP header analysis tools such as MDN HTTP Observatory and Probely Security Headers often lack comprehensive header analysis, actionable insights, advanced analysis, and integration into developer workflows. This thesis develops a browser-based HTTP header analysis tool using a user-centered design approach in an attempt to address these gaps. Co-design workshops shaped the tool’s features, ensuring alignment with user workflows, while a remote user study demonstrated its effectiveness, showing whether the tool addressed the main concerns and requests of participating users. This work highlights the potential of user-centered design for developing impactful security tools.
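As an added illustration of the kind of checks such a header analysis tool performs (this is example code written for this page, not the extension developed in the thesis nor code from MDN HTTP Observatory or Probely), the following Python script parses a raw HTTP response, evaluates a handful of security headers, and reports findings with a severity. The two sample responses, the 180-day HSTS threshold and the severity labels are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample responses for the demonstration (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# HSTS max-age below this is reported as short; 180 days is an assumed threshold.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class Finding:
    header: str
    severity: str  # "high", "medium" or "low"
    message: str


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw HTTP response into {lower-cased header name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Turn "default-src 'self'; script-src ..." into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def analyze(raw: str) -> list[Finding]:
    """Return the findings for one response; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: list[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("Strict-Transport-Security", "high",
                                "missing; browsers are not forced onto HTTPS"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(Finding("Strict-Transport-Security", "medium",
                                    f"max-age={max_age} is short; use at least {MIN_HSTS_MAX_AGE}"))

    csp = h.get("content-security-policy")
    framing_restricted = False
    if csp is None:
        findings.append(Finding("Content-Security-Policy", "high", "missing"))
    else:
        directives = parse_csp(csp[0])
        # Simplification: a nonce or hash in script-src makes 'unsafe-inline' ignored
        # by modern browsers; this toy check does not model that.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(Finding("Content-Security-Policy", "high",
                                    "'unsafe-inline' in script-src allows injected inline scripts"))
        framing_restricted = "frame-ancestors" in directives

    xfo = h.get("x-frame-options", [""])[0].upper()
    if not framing_restricted and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding("X-Frame-Options", "medium",
                                "no framing restriction (neither frame-ancestors nor DENY/SAMEORIGIN)"))

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "low",
                                "missing 'nosniff'; browsers may MIME-sniff responses"))

    if "referrer-policy" not in h:
        findings.append(Finding("Referrer-Policy", "low", "missing; full URLs may leak in Referer"))

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, [f"[{f.severity}] {f.header}: {f.message}" for f in analyze(raw)])
```

Run as a script, the weak response yields five findings and the hardened one none. Each check deliberately looks at the interaction between headers (a CSP `frame-ancestors` directive satisfies the clickjacking check without `X-Frame-Options`), which is the kind of context a simple presence/absence checker misses.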
15:00 - 15:30
Speaker: Demian Fink
Type of Talk: Bachelor Final
Advisor: Matthias Fassl, Katharina Krombholz
Title: Comparing Security and Privacy Advice on Social Media with established Expert Advice
Research Area: RA5: Empirical and Behavioural Security
Abstract: The landscape of security and privacy advice on social media is large. Individual sites like Twitter (now known as X) were previously analysed, but no full-scale analysis over most or all major platforms has been conducted. Understanding the whos, the whats and even the whys of security advice can help shape the future of security advice of tomorrow. The goal of this thesis is to understand these questions of who, what and why by collecting security and privacy advice from a multitude of social media platforms such as Twitter (X), Instagram, TikTok, Reddit, and YouTube. Other than just collecting the substance of the post, authors were collected to classify them into groups such as "News Agency", "Popular Influencer" etc. and measures such as likes, retweets or views. The data was then compared to an established expert advice.
Session B
14:00 - 14:30
Speaker: David Dewes
Type of Talk: Bachelor Intro
Advisor: Thorsten Holz, Matteo Leonelli
Title: Context-Aware Web Application Fuzzing via Instrumenting Source Code
Research Area: RA3: Threat Detection and Defenses
Abstract: Due to the growing need for individuals and businesses to be present online, we have observed an ever-increasing trend in recent years towards website builders. WordPress is the most popular content-management system (CMS), empowering users with different skill levels to host, build, and manage their own websites. Due to its complex extensible nature and diverse user-driven plugin ecosystem, it becomes a particularly challenging task to automatically assess its security. Atropos, an innovative snapshot-based web fuzzer based on the Nyx framework, already utilized an instrumented PHP interpreter to gain useful insights about the target in a generalized way; however, it lacks sensitivity for hard-to-spot indicators for vulnerabilities introduced by third-party extensions. We propose combining this state-of-the-art snapshot-based, feedback-driven fuzzing method with advanced crash detection via source code instrumentation of the core application's API. Our study aims to explore methods to efficiently instrument the target as a feedback mechanism for web extension fuzzing, improving the results of Atropos and minimizing the difference to competing specialized fuzzers.
14:30 - 15:00
Speaker: Lisa Roehl
Type of Talk: Bachelor Intro
Advisor: Lukas Gerlach
Title: Evaluation of constant-timeness verification tools
Research Area: RA6: Others
Abstract: Constant-time algorithms are crucial for the security of cryptographic implementations, as they mitigate the risk of timing side-channel attacks. This thesis aims to evaluate the effectiveness of constant-time verification tools in detecting and preventing such vulnerabilities. By applying these tools to a diverse set of cryptographic implementations, including open-source libraries and vulnerable code examples, this thesis assesses their accuracy, efficiency, and ability to identify potential timing leaks.
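As an added illustration of what "constant-timeness" means and what a verification tool looks for (example code written for this page; it is not one of the tools evaluated in the thesis, and real verifiers reason about control flow and memory accesses at the binary or IR level rather than counting Python statements), the following script places a leaky early-exit comparison next to a constant-time one and runs a toy dynamic check over both. The check executes each function under `sys.settrace`, counts the statements it executes, and reports a leak if that count changes with the attacker-controlled input. The 16-byte secret and the three candidate inputs are constructed for the example.

```python
import sys
from collections.abc import Callable


def leaky_compare(a: bytes, b: bytes) -> bool:
    """Early-exit comparison: returns at the first mismatching byte, so the work
    done (and hence the running time) depends on how much of `a` the other
    input matches."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def ct_compare(a: bytes, b: bytes) -> bool:
    """Constant-time comparison: ORs together the XOR of every byte pair, so the
    loop always runs to the end and has no data-dependent branch. The standard
    library's hmac.compare_digest implements the same idea."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def count_line_events(fn: Callable[..., object], *args: object) -> int:
    """Run fn(*args) under sys.settrace and count the 'line' events raised in
    fn's own frame. The count is a deterministic proxy for the number of
    statements executed: a loop that runs longer produces more events."""
    events = 0

    def local_tracer(frame, event, arg):
        nonlocal events
        if event == "line":
            events += 1
        return local_tracer

    def global_tracer(frame, event, arg):
        # Trace only fn itself, not any helper frames it calls.
        return local_tracer if frame.f_code is fn.__code__ else None

    previous = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        fn(*args)
    finally:
        sys.settrace(previous)
    return events


def operation_counts(fn, secret: bytes, candidates: list[bytes]) -> list[int]:
    """Statement counts of fn(secret, c) for each candidate input c."""
    return [count_line_events(fn, secret, c) for c in candidates]


def is_input_independent(fn, secret: bytes, candidates: list[bytes]) -> bool:
    """True if the work done does not change with the candidate input, i.e. the
    toy check finds no timing leak for these inputs."""
    return len(set(operation_counts(fn, secret, candidates))) == 1


# Constructed inputs: a 16-byte "secret" tag and three guesses that match 0, 8
# and 16 of its bytes.
SECRET = bytes([0x41] * 16)
CANDIDATES = [bytes(16), SECRET[:8] + bytes(8), SECRET]

if __name__ == "__main__":
    for fn in (leaky_compare, ct_compare):
        counts = operation_counts(fn, SECRET, CANDIDATES)
        verdict = "independent" if is_input_independent(fn, SECRET, CANDIDATES) else "LEAKS"
        print(f"{fn.__name__}: statement counts {counts} -> {verdict}")
```

Run as a script, `leaky_compare` reports three different statement counts for the three guesses (the more of the secret a guess matches, the more loop iterations run), while `ct_compare` reports the same count every time. Both functions return the same boolean results; only the amount of work differs, which is exactly the property a timing side channel exploits and a constant-time verifier has to detect.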
15:00 - 15:30
Speaker: Robin Jacobi
Type of Talk: Master Final
Advisor: Michael Schwarz, Fabian Thomas
Title: Reproducing Meltdown-type Attacks in gem5
Research Area: RA3: Threat Detection and Defenses
Abstract: This master’s thesis extends the research in the area of transient execution attacks. With increasing complexity in every new generation of processors, ensuring robust security has become a critical challenge in security research. Simulators always offered a possibility to increase quantity and quality of the research without investing huge resources in ever-changing hardware setups. The gem5 simulator was already used in multiple experiments and provided a way to analyze the behavior of different attack types. Our goal is to simulate Meltdown-type attacks in gem5. Therefore, we analyze the out-of-order CPU model of the simulator and modify the code to enable an exploitation and replicate the behavior of vulnerable CPUs. We evaluate our implementation using an open-source Meltdown PoC and show that the secret can be leaked after introducing our changes. Furthermore, an open-source benchmark shows that the overhead is around 1.5% in comparison to the original gem5. After that, we also implement a Meltdown hotfix by altering the load instruction and returning a dummy value instead of the original. This work provides the baseline for further research in the area of transient execution attacks, especially Meltdown-type attacks and the corresponding defenses.