News

Next On-Site Seminar on 15.04.2026, CISPA D1 Room 0.15

Written on 09.04.2026 07:37 by Xinyi Xu

Dear All,


The next seminar(s) will take place on 15.04.2026, 14:00 - 16:00, at CISPA D1 (Kaiserstraße 21, 66386 St. Ingbert, Germany), D1 Room 0.15. Presenters and their advisors are encouraged to present in person. We especially encourage other students and teachers to attend and present in person as well.

For presenters,
1. We will book the room half an hour in advance, so you are encouraged to arrive a few minutes early to set up your poster.
2. For this session, you need to print the poster on your own. The size of the poster should be 116x86cm or 86x116cm. You can use the poster printing service of Saarland University (https://www.uni-saarland.de/en/page/uds-card/functions/printing.html -> Posterdruck A0).
3. You need to present your poster in a much smaller group, but you are encouraged to roam around and ask questions about other posters.
4. We encourage you to bring your laptop to present your demo; there will be small tables in the room where you can put your laptop.

Presenters: Willy Steinahrt, Akshay Kashyap, Sambit Basu, Muhammad Umair, Kevin George Leo, Eesha Ahsen, Hafsa Zubair, BATUHAN SERCE, Okhunjon Sobirjonov

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Willy Steinahrt

Type of Poster: Bachelor Intro

Advisor: Leon Trampert, Michael Schwarz

Title: A Survey on Browser Fingerprinting in Mobile and Desktop Environments

Research Area: RA4: Threat Detection and Defenses

Abstract: Browser fingerprinting is a widespread technique used by websites to recognize and track users without direct interaction. It utilizes a variety of different methods to extract data points about the user's device and environment, which are all hashed together to create a unique identifier. Extracted data may relate to installed fonts, how graphics are rendered, or information about the network connection. Past fingerprinting surveys have only looked at fingerprints on desktop devices and only provided higher-level overviews of how effective fingerprint components are. In this thesis we present a user study evaluating how effective fingerprinting is on mobile platforms, where sandboxing and standardized hardware are far more widespread. In the study we will also analyze the effectiveness of existing canvas fingerprints and introduce new methods aimed at utilizing higher-entropy data points. We will also give a comprehensive overview of the fingerprinting landscape and analyze current methods and mitigations.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Akshay Kashyap

Type of Poster: Master Intro

Advisor: Giancarlo Pellegrino, Aleksei Stafeev

Title: Evaluating Vulnerability Datasets and Static Analysis Tools for Security Patch Assessment in the JavaScript Ecosystem

Research Area: RA6: Empirical and Behavioural Security

Abstract: Open-source libraries have become very commonly used in software development, making it much easier for software developers to build their own software. However, software developers use third-party libraries for their own purposes. Because of this, software vulnerabilities that occur outside of a developer’s own implementation can be inherited by others in their own applications. Software developers will often use security updates to patch software vulnerabilities; however, limited research has been performed to assess the effectiveness of these patches and whether publicly available datasets can reliably be used for these assessments. Therefore, the purpose of this study is to assess security updates for effectively patching Cross-Site Scripting (XSS) vulnerabilities in npm libraries. Using the CVEFixes dataset as the primary source of data on vulnerability-commit mappings, we created a patch analysis pipeline to build both vulnerable and fixed versions of libraries from the metadata found in CVEFixes, OSV advisory data, and repository history. Using CodeQL, static taint analysis was conducted to determine where data flows from a source to a sink with regard to XSS vulnerabilities, which allowed for comparison between vulnerable and patched versions across library versions. From the initial list of 1,455 CVEs, we identified 232 CVEs that met the criteria for analysis. The results of our analysis indicate that 73% of the patches removed the data flows associated with the vulnerabilities, 17% of the patches still contained the data flows associated with the vulnerabilities, and 9% of the patches created new possible paths for exploitation. The study also revealed limitations in the available vulnerability datasets and the metadata associated with repositories, such as incomplete versioning information regarding a software library as well as commits to source code unrelated to the areas of code that contain XSS vulnerabilities. The findings of this study indicate that assessing patch effectiveness in a reliable manner at scale requires integrating multiple sources of data, as well as applying behavior-based static analysis techniques for accurately assessing the effectiveness of these patching activities.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Sambit Basu

Type of Poster: Master Intro

Advisor: Mario Fritz, Philipp Christmann

Title: Evaluating Capabilities and Limitations of Large Language Models by Structural Reasoning over Textual Evidence

Research Area: RA2: Trustworthy Information Processing

Abstract: Large Language Models (LLMs) are increasingly used for tasks such as natural language generation, code synthesis, reasoning and data analysis. A particularly promising application is enabling natural-language access to large-scale data repositories, such as relational databases or knowledge bases, potentially lowering technical barriers for non-expert users. Retrieval-augmented generation (RAG) is commonly employed to connect LLMs with external data by retrieving relevant information and incorporating it into the model’s context prior to answer generation. However, emerging evidence suggests that correct retrieval alone does not guarantee reliable reasoning. When tasks require aggregating, comparing, or logically combining multiple information pieces, LLMs often produce inconsistent or incorrect results even when the necessary evidence is present in the context. Despite growing interest in LLM-based data access systems, the conditions under which these models fail to reason correctly over retrieved information remain poorly understood. This thesis aims to systematically evaluate the capabilities and limitations of state-of-the-art LLMs in performing structural reasoning across collections of retrieved information. To this end, we propose a novel evaluation framework that enables controlled experiments, and analyse model performance across multiple dimensions, including dataset scale, information organisation, query complexity, filtering conditions, and the composition of retrieval contexts. The goal is to identify the thresholds at which LLM reasoning begins to degrade as the amount and complexity of retrieved information increase. By characterising these failure points, this work aims to clarify the limits of current RAG-based approaches and support the development of more reliable LLM-based data access systems.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Muhammad Umair

Type of Poster: Master Intro

Advisor: Andreas Zeller

Title: Metamorphic Testing of Protocols with Interaction Grammars

Research Area: RA4: Threat Detection and Defenses

Abstract: Testing network protocol implementations is challenging due to their complex and stateful specifications, which make it difficult to create reliable test oracles. Metamorphic testing addresses this oracle problem by testing relationships between the outputs of related inputs rather than checking outputs against expected results. Our approach integrates metamorphic testing with Fandango interaction grammars to test network protocol implementations. Metamorphic relations are derived from protocol specifications and are formalized into interaction grammars that model the message exchanges between clients and servers. These grammars enable the automated generation and execution of both source and follow-up test cases, with built-in constraints to detect violations of the properties. We target our approach at multiple protocols across different categories of metamorphic relations. We evaluate our approach by applying mutation testing, i.e., seeding faults into server implementations and checking whether our approach can find them. Our initial results on SMTP are promising, suggesting a deeper look into the area.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Kevin George Leo

Type of Poster: Master Intro

Advisor: Abdullah Alhamdan, Alexi Turcotte, Andreas Zeller

Title: "Your problem is my problem": A Study of Bug and Vulnerability Transferability Across JavaScript Runtimes

Research Area: RA4: Threat Detection and Defenses

Abstract: JavaScript plays a central role in the modern web, enabling interactive, responsive, and dynamic applications. Multiple JavaScript runtimes exist that provide complete environments for executing JavaScript code. However, these runtimes come with their own set of implementation deficiencies, which manifest in the form of bugs, vulnerabilities or inconsistencies. In this work, we investigate whether issues reported in one JavaScript runtime can be reproduced in other runtimes or in newer versions of the same runtime. To this end, we employ Large Language Models (LLMs) to automatically generate proof-of-concept (PoC) code from GitHub issue reports, translate runtime-specific commands, execute the generated code across multiple runtimes, and detect cross-runtime inconsistencies and regression behaviors. Additionally, we evaluate how different runtimes behave when executing packages affected by known security vulnerabilities in the npm ecosystem. Finally, we analyze fixes implemented by package maintainers by applying Abstract Syntax Tree (AST)-based mutations to determine whether patched vulnerabilities can be reintroduced. In a preliminary study of 50 Node.js issues, we identified and reported 9 cross-runtime bugs across Deno and Bun. Additionally, our mutation-based analysis of fixed npm packages uncovered multiple previously unreported vulnerabilities, resulting in 5 assigned CVEs and 1 GHSA advisory.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Eesha Ahsen

Type of Poster: Master Intro

Advisor: Katharina Krombholz

Title: Mental Models of Generative AI Among Students in Creative Disciplines

Research Area: RA6: Empirical and Behavioural Security

Abstract: Generative Artificial Intelligence (GenAI) is rapidly transforming creative practices, while also generating concerns around authorship, creativity, and labour, notably garnering strong resistance within artistic communities. At the same time, university students are increasingly adopting AI tools in both formal and informal learning contexts. However, students in creative disciplines may have varying opinions on GenAI due to the aforementioned ethical concerns as well as the hands-on nature of their work, making this a valuable avenue to explore. In the university context, creative disciplines can be defined as Bachelor's/Master's of Arts programs. This thesis will explore the mental models that university students in creative disciplines hold about GenAI. Using semi-structured interviews and thematic analysis, this project will examine how students explain AI processes as well as their opinions on the ethical concerns associated with GenAI. The project will also contain a comparison of the students’ mental models with the technical baseline of how GenAI works. This will provide further insight into how (mis)understandings of AI technologies may shape attitudes toward their use in creative practice.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Hafsa Zubair

Type of Poster: Master Intro

Advisor: Alexander Ponticello

Title: Unified Typology of Accessibility Barriers in Digital Authentication for Blind and Low-Vision Users

Research Area: RA6: Empirical and Behavioural Security

Abstract: In today’s technical world, authentication systems are essential for digital security. However, many widely used methods are not accessible to blind and low-vision (BLV) users. These methods, such as passwords, CAPTCHAs, and multi-factor authentication, usually rely on visual cues that introduce barriers and impact usability and security for users with visual impairments. The aim of this study is to examine these challenges using existing literature and an empirical user study. The goal is to develop a unified typology of these limitations by investigating the common accessibility issues faced by BLV users while using these authentication systems. These findings will support the development of more inclusive and accessible designs of these methods. This work will also provide a structured foundation to understand and systematically categorize accessibility barriers in authentication systems, which will help in improving both accessibility and security.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Batuhan Serce

Type of Poster: Master Intro

Advisor: Marius Smytzek, Tural Mammadov

Title: Chatrevise: Iterative Code Repair for LLMs Using Test Feedback and Personas

Research Area: RA7: Others

Abstract: Large language models have shown strong capabilities in code generation, yet their outputs often contain logical errors, incorrect implementations, or runtime failures. This project introduces Chatrevise, an automated framework for iterative code repair that leverages structured test feedback and persona-conditioned prompting to improve code reliability. The system integrates a feedback-driven repair loop in which generated code is executed against a test suite, failures are captured as structured feedback, and the model iteratively refines its output over multiple attempts. A key contribution of this work is the incorporation of persona-based prompting, which influences reasoning style and repair strategies. The framework supports model-specific prompt adaptation and enforces a fully automated testing pipeline that appends failure diagnostics directly to subsequent prompts. Experimental results demonstrate that iterative feedback significantly improves the pass rate, while persona conditioning affects repair performance across models. Despite its strengths, the approach is limited by a fixed iteration budget and dependence on test quality. Future work includes enhancing error classification and scaling cross-model evaluations. In the end, Chatrevise provides a systematic and extensible approach to improving LLM-based code generation through structured feedback and iterative refinement.

15.04.2026, 14:00 - 16:00, CISPA D1 (Kaiserstraße 21 66386 St. Ingbert, Germany)

Presenter: Okhunjon Sobirjonov

Type of Poster: Master Intro

Advisor: Ali Abbasi

Title: Integration and Validation of RACCOON OS-Based Satellite Systems in Extended NASA Operational Simulator for Space Systems

Research Area: RA5: Secure Mobile and Autonomous Systems

Abstract: It is an inevitable fact that small satellites are one of the main enablers of the New Space Era. Due to their constrained resources, small satellites resemble commercial embedded systems. Thus, in addition to space challenges, they are also subject to the risks and attacks faced by industrial embedded devices. RACCOON (Robust And seCure post quantum COmmunication fOr critical iNfrastructure) OS (Operating System) has been developed to mitigate these challenges. Even though there have been several RACCOON OS-based satellite mission launches, solid validation and verification processes for RACCOON OS-based satellite systems are still required. Due to the high risk of testing new or off-nominal services in real space missions, simulation-based space mission development has been an integral part of the space industry. To provide an end-to-end test capability for RACCOON OS-based satellite systems, this work presents the integration of a RACCOON OS-based satellite system into the NASA Operational Simulator for Small Satellites (NOS3) framework. In addition to the default NOS3 sensor simulators, framework-agnostic custom temperature and power simulators are also proposed as state-of-the-art simulators. With its integration into the simulation environment and the custom simulators, we expect to improve the RACCOON OS-based satellite system by enabling end-to-end testing (from Flight Software to Mission Control System) without hardware reliance, training operators and testing procedures for rare scenarios, and reducing mission risks by catching issues early.
