CySec Project Winter Term 18/19

Andreas Zeller

Fuzzing: Breaking Software for Fun and Profit

Apply knowledge from https://beta.fuzzingbook.org to a critical domain (blockchain, web fonts, certificates, office input, protocols, ...). Up to 10 students can work on this!

 

Christian Rossow

Sandnet TLS Traffic Inspection

Malware has started to use strong TLS communication to communicate with various end hosts, including C&C servers. This project will modify Windows libraries (DLLs) to make it possible to sniff that communication from within a malware sandbox. The idea is to hook network libraries (e.g., wininet.dll) such that the traffic can be intercepted *before* it gets encrypted and allows to log the otherwise encrypted communication.

 

Remote Timing for Architectural Side Channels in Browsers

This project will explore the possible timing sources in modern browsers that can be used for side-channel attacks. As an aftermath of recent Spectre-like vulnerabilities, browsers intentionally make their timing sources (e.g., performance.now) less precise; thus, making it harder for attackers to measure the timing differences, e.g.,  between cached/uncached memory accesses. This project will use network communication as an alternative source for timing information. The outcome of this project will be (i) showing that the network communication is not stable/reliable timing source, or (ii) showing that network packets can be used to measure subtle timing differences for microarchitectural attacks.

 

DNS QNAME Minimization

In standard DNS, FQDNs are used as QNAME whenever requests are sent to (potential) authoritative nameservers. This way, resolvers leak queried domains to authoritative nameservers (e.g., root NS). To solve this privacy leak, RFC 7816 suggests a privacy-friendly recursion mechanisms that leaks as little information as possible to upstream authoritative nameservers. But does the suggested mechanism really work? As pointed out in the RFC, authoritative NSes may fail to support trimmed queries, or even respond with wrong responses. This project is supposed to measure, given a set of FQDNs, whether or not the various RFC 7816 implementations in common resolvers lead to correct name resolutions.

 

Jilles Vreeken

Malware Detection with Really Random Forests

Detecting whether an app is malicious or totally okay is highly important both to safeguard users, as well as to ensure trust in an appstore. One of the big problems in detecting malware is that it is hard to automate; every malware tries to hide, and hence there are no obvious patterns that we can reliably use to say 'you, you are malware!'. Instead, we often rely on the opposite, namely 'you, you are doing something out of the ordinary!'. That is, we rely on anomaly detection. Because the task is one-sided, anomaly detection is inherently more difficult than classification. In this project, we want to investigate whether the highly promising approach of isolation forests to detect malware, and see if this way we can get close to, or even beat the celebrated CHABADA approach.

Project requirements: good programming skills, interest in data-driven techniques

 

How to get better at FRAUD

Why play fair, go through the trouble of being actually good at something, when we can just be a fraud? Well, one reason is that nobody likes fraud, and if we are found out we'll be hung and humiliated. So, if we go for fraud, we better be real good at it. In this project we are going to attack the current state of the art in detecting fraud in graphs, FRAUDAR. The main claim of FRAUDAR is that it can detect fraudulent nodes (e.g. fake Twitter accounts) even if these use camouflage (e.g. try to mimic normal behaviour) or hijacked accounts. Well, nothing is perfect, and hence neither is FRAUDAR. In this project we'll be trying to tackle FRAUDAR, figure out where it stumbles, and come up with better camouflage, such that afterwards we don't have to worry anymore that FRAUDAR will figure out we're a fraud. (or, maybe, come up with an even better fraud detection mechanism, which we could call FRAUDAWESOMAR)

Project requirements: good Python skills, good understanding of graphs, interest in data-driven techniques

 

Nils Ole Tippenhauer

Experimental PLC using CODESYS

Programmable Logic Controllers are used in Industrial Control Systems to steer physical processes. Most platforms are proprietary (OS, software to program, logic), but recently the CODESYS platform gains more traction on Linux. Your Task: Implement a simple CODESYS-based PLC on a Raspberry Pi and assess its security against various attacks.

 

Security Assessment of Industrial PLC running Linux

Newest generation PLCs such as the WAGO PFC200 and NI’s CompactRIO start to run Linux. Little investigation was done so far on the security of such devices: what is the standard configuration? Which security features are used? Are there vulnerabilities? Your Task: Perform in-depth analysis and security assessment of a Linux-based PLC

 

Extending MiniCPS

Idea: Improve the existing MiniCPS framework with new devices and features Lightweight virtualization and simulation of Industrial Control System network and processes. Based on MiniNet, LXC containers, written in Python. Your task: Review and extend the code, introduce new devices, protocols, or processes. How could users identify that they are in a simulated network? propose countermeasures!

 

VPN Honeynet

Idea: present vulnerable VPN server with industrial network on Internet. If attackers gain access (e.g., guess PW), they get Link-Layer access to virtualized network. Your task: Configure and run such a VPN honeynet in the cloud Design and implement interesting emulated industrial network using MiniCPS or similar. Analyze incoming traffic to learn about attacker’s capabilities

 

Manipulating Radio Firmware on Android

InternalBlue is a framework that allows to manipulate firmware of the BCM4339 Bluetooth controller used in Nexus 5. Your task: Review and extend the current functionality to allow manipulation of encrypted bluetooth traffic (based on recent research results) Investigate similar frameworks for other platforms or radio standards.

 

Stefan Nürnberger

FakeID

Investigate how FaceID works on a jailbroken device and develop an attack technique that can trick FaceID into accepting an artificial face for authentication.

 

Sven Bugiel

Study of third party library hooking in Android app markets

Malware authors commonly trojanize apps by piggybacking their malicious payload onto those apps and adding hooks from legitimate code to malicious payload. To make the hooking efficient, malware authors hook third party library code that is contained in various apps and, hence, avoid the need to scan app code that varies between app developers for suitable places for hooks. Goal of this project is to investigate the extent of this hooking in apps in markets by extending the LibScout project. LibScout can detect third party libraries within Android application packages and your task is to add additional checks for the integrity of included libraries, i.e., detect whether the included library was hooked or not.

 

App for BLE (and high frequency audio) token detection & mapping

Bluetooth Low Energy (BLE) beacons are used to track users' movement (e.g., if they passed by or entered a particular shop). Such devices send out regular BLE beacons that are received by mobile devices and their apps, and are then used by tracking companies to monitor the users' movements. Similar, ultra-sonic audio beacons help tracking users' when the device in proximity of such a sound device records ultra-sonic sounds that encode the current location. To get a picture of how frequent those beacons are and give users some transparency, your task is to develop an app to crowd-source the collection of such beacons together with a server with a (Google) map to register and display those beacons' locations.

 

TPM Integration as System Service in Android

Our group has developed a Trusted Platform Module (TPM) on a SIM card. Currently, this SIM-based module only provides security services to low-level, highly privileged system processes (e.g., for secure boot). To allow app developers and system apps to also leverage the TPM, we need you to implement a new Android system services that communicates with the simTPM and provides apps with a TPM-API as part of the Android SDK.

 

Passwordless authentication for non-compatible services

Recently, a number of popular web services, such as Google, Amazon, or Microsoft, have begun implementing password-less authentication to their web services. Instead of entering a password (or just a password), the user authenticates using her smartphone (e.g., face recognition, fingerprint recognition) or extra devices (e.g., YubiKey). This password less authentication is made possible through new standards like WebAuthN or FIDO2.0. However, passwordless authentication requires support by the service, which is not very widespread yet. In this project, your task is to implement a combination of browser plugin and smartphone app that together provide the same user experience of passwordless authentication while under the hood actually building on top of the standard password-based authentication.

 

Have I’v been almost pwned? (or: Will I be pwned?)

Have I Been Pwned is a service that allows users to check if their/a password was contained in a prior password leak, such that users can avoid such high-risk passwords. HIBP is also being integrated into registration forms, password managers, or as a browser plugin to provide users at various password creation/entry points with feedback. However, HIBP only answers if a password was exactly leaked before, it does not answer if a user's password is only close to a leaked password but close enough to be in the set of password guesses by an attacker. Your task is to implement a browser extension together with a web service that provides users such feedback about their password being too close to leaked passwords to be considered secure or low-risk.

 

Aurore Fass

JavaScript Obfuscation Techniques Detection

JavaScript is a browser scripting language initially created to enhance the interactivity of websites and to improve their user-friendliness. However as it offloads the work to the user’s browser, it can be used to engage in malicious activities. To avoid detection by traditional anti-virus signatures and impose additional hurdles to manual and static analyses, the attackers use different obfuscation techniques to hide the maliciousness of their code, without specific regard to performance. At the same time, obfuscation can be used by benign scripts to protect code privacy and intellectual property, and minification can be used to reduce the scripts size, which results in better performance. In this project, you will first study the different obfuscation and minification techniques that you can find in the wild. Then, you will build an unattended system which can recognize and differentiate the obfuscation and minification techniques used in given input samples.

Project requirements: programming skills (ideally python3).

 

Intelligent Fuzzing System for JavaScript

JavaScript is a browser scripting language resting on the ECMAScript language specifications. Still, several AST-based representations of JavaScript can lead to the same semantic after execution. In this project, you will first study the JavaScript grammar to implement a system that can automatically produce (the) different syntactic representation of one given file, while keeping its behavior after execution. Then, you will select one of the previous outputs so that it matches given syntactic patterns, which you are expected to copy.

Project requirements: programming skills (ideally python3); basic knowledge of JavaScript and the parser Esprima would be helpful.

 

Ahmed Gamal Salem / Yang Zhang

Evaluating Different ML Attacks on Different Testbeds

This project aims to evaluate the different machine learning attacks on different testbeds. There exist different attacks on machine learning models which violates the privacy of the training dataset like membership inference, or the privacy of the model itself like model stealing. We want to explore the practicality of such attacks and more in the wild. In other words, we want to try the different attacks on different machine learning models/classifiers and different datasets to evaluate the actual threat of all of these attacks.

 

Yang Zhang

Security Scholar

This project aims to build a data platform for the security and privacy research community, namely Security Scholar. The platform should have two main functions, i.e., data collection (from DBLP and Google Scholar) and data analysis. With Security Scholar, a user should easily find the newest or seminal papers in a specific research domain, find the leading scientists in the community, and get some hints on the future hot topics. The student needs to have some basic knowledge on web crawling, website design, and data analysis.

 

Marius Steffens

Overcoming the nemesis of Crawlers

In the area of Web Security, we want to frequently verify hypotheses we develop of how the Web functions and validate them on some subset of it (e.g., Top 1 Million websites). To that end, we resort to crawlers which ideally should collect meaningful information about these sites. Some crawlers visit the front page of the top 1 Million sites and then leave, others try to follow links and thus explore the Web application but limit themselves to the top 5 thousand sites. These parameters drastically influence which portion of the Web applications we are investigating, thus potentially changing the outcome of our analysis. Besides the more general parameters presented above, content which is hidden behind logins or interstitial pages(e.g., GDPR sites) is rarely considered by recent research. In this work, we want to investigate which problems crawlers might encounter during their endeavor and how overcoming each of them may impact our analyses.

 

Oliver Schranz

Clustered Android Systemserver Fuzzing

The systemserver is a central component of Android's middleware that exposes and manages access to critical resources, such as hardware or user data. We recently created a framework to dynamically fuzz-test a subset of its APIs to uncover vulnerabilities and other kind of bugs. However, until now we solely focused on testing one exposed API at a time, which misses more interesting flaws that are triggered by combinations of multiple APIs. In this project, we want to explore how we can create clusters of APIs that increase the chance of finding these new kinds of bugs by, e.g., sorting APIs together based on the service that exposes them, the permission that is enforced, a data sink they share or the amount of commonly invoked helper functionality. This project is open-ended and requires empirical research. The idea is to discuss and test (some of) these ideas or maybe others you come up with, and see what kind of flaws we can find on the way.

 

Find Vulns and Differences in Vendor Android ROMs

Vendors like Samsung and Huawei produce their own customized versions of Android and deploy it on their devices, but research has shown that they often break assumptions and introduce vulnerabilities with their modifications. In this project, we want to assess the changes added by certain vendors in comparison to its base, the Android Open Source Project (AOSP). To achieve this, the main task is to improve our existing fuzzing framework for Android's systemserver so that it can not only work with a self-compiled AOSP version but wit arbitrary Android images. There are two main subtasks: 1. We use the ARTist instrumentation framework to modify the systemserver so we receive feedback for executed code basic blocks and can detect crashes. However, currently the instrumentation happens at boot time of the Android emulator that requires ARTist to be used as the system compiler. This can be solved by either finding a way to deploy ARTist as the system compiler on any image or implement systemserver instrumentation from the app layer. 2. Our fuzzing currently requires binder transaction IDs of methods, i.e. their sequential index number that might differ in non-AOSP ROMs. We currently compute them from AOSP, so we need to find a way to do this for any given ROM image instead. The project is open-ended and research-intensive, however might find actual vulnerabilities on currently deployed Android devices.

 

Fuzzing of Systemserver native libs

While researchers found multiple exploitable flaws in Android's app-facing native libraries, no one seems to be testing the libraries that are loaded and used by the systemserver. The idea is to test them for bugs and vulnerabilities and then find a way to trigger those flaws through the systemserver. This requires to 1. identify these libraries, 2. to fuzz-test them and 3. to find a way from a systemserver API down to the library so that the defect is triggered. The project is very research-intensive and therefore we cannot know beforehand if all of this is feasible, hence we can restrict the focus at any time.

 

Android app testing framework

The average quality of an app from the Google Play Store is remarkably low. While there is an increasing amount of publicly-accessible security assessment, pentesting and analysis tools for Android, we currently lack the proper infrastructure to test apps at scale with existing and novel analyses. The scope of this project is to extend our existing open-source analysis management framework to automatically assess the security and robustness of apps by applying various analysis modules. The idea is to have a generic system where we can add modules for popular analysis tools, such as Drozer and Frida, but also for evaluating research prototypes. The scope of this project includes the adaption of the automation framework for this purpose, the creation of a base emulator image that is used for testing apps and a set of analysis modules to get started with. We try to leverage existing open-source implementations wherever possible. Additionally, the ARTist instrumentation framework can be used to patch-out code that avoids analysis, such as root detection or SSL pinning. The project allows for a lot of own ideas and creativity, and is not sharply defined, meaning we will discuss what kind of analyses we want to support and implement.

 

Android holistic app taint tracking

Taint tracking is a technique to follow the path of inputs throughout applications to determine where it ends up and which other data is influenced. There are two existing approaches on Android that tried to implement this for apps. 1. The famous TaintDroid paper that modified the Dalvik Virtual Machine to do the taint tracking. However, it is not applicable anymore on modern devices because since Android 5 apps are compiled and natively executed. 2. TaintART & TaintARTist used a compiler-based approach to modify the app code to track its own data flows. However, the restriction to app code leads to information loss whenever the app interacts with the Android framework code (e.g., Java standard library) or data leaves the app (Binder IPC, Intents, Broadcasts, ...). In this projects, we want to get the best out of both worlds by applying the compiler-based approach not only to apps but to the systemserver and Android framework code as well. While we have TaintARTist available as a reference, in this project we will discuss and develop an improved design and implement it on the system level. For this project, you can easily add own ideas and be part of the research process. The final goal is not completely fixed as we will see how difficult the subtasks turn out as we go.

 

Patrick Speicher / Robert Künnemann

Mitigation-analysis: evaluation in the cloud

We have delopped an openVAS extension that scans networks for their topology and shared credentials and creates a simulated pentesting model for it. We would like to evaluate the tool, and need to set up a virtual network to test it on a diverse set of virtual machines.

 

Cause detection for program failures (computing causation) - let's get fast

Sufficient causes are all those events in a given situation, that by themselves ensure a certain outcome, but if only one event is removed, the outcome is not sure anymore. Determining causation is in coNP, but planning might be use to be fast in practice. We have an idea how, and are looking for a student to implement this idea in terms of an embedding into planning and a slight modification to the FF-downward planner.

 

Cause detection for program failures (operating on PDGs) - let's get real

Causation is defined in a very abstract model and usually applied to pholosophical problems. We proposed a notion of causation that takes into account control-flow, and want to try how well it works on program dependency graphs. There is support for computing PDGs for almost any language, so pick one of your choice and generate a causation problem for it.

 

Sybil-freeness game

A sybil is a pair of identities in a system that belongs to the same person. In this project, you prepare a playing ground for a sybil-detection protocol based on the assumption that (a) machines cannot win the Turing test, and (b) a single person cannot have to video conversations at the same time without anyone noticing. We might be wrong though, so your task is to set-up a system where this protocol is run in the browser (e.g., using WebRTC), as a game. This game can be attacked to prove our assumptions wrong.

 

Accountable distributed learning

Classification in machine learning relies on training data. Often its provenance is given, however, bad training data might lead to wrong classification. In case such classification leads to damage, we would like to quickly determine the training set or sets of training sets which lead to this misclassification. Borrowing from literature on causality, we want to provide a method of determining causes. For many machine learning algorithms, e.g., Gaussian processes, these can be determined efficiently by pre-computing training-set specific classifiers and combining them, allowing for causal reasoning at runtime. We want to demonstrate applications that go beyond forensic analysis. e.g., a risk-averse classifier can detect whether classifications rely on a single training-set, or a training-set with low trust and chose safe default in this case.

 

Symbolic execution for BIL

BIL is an abstraction for low-level machine code, e.g., ARM or x86. We want to perform cryptographic verification on the machine-code level. One step we need is a symbolic execution engine for BIL, i.e., a program that executes a BIL program (a virtual machine or a hypervisor) on variable input, i.e., the program that adds two and then removes three from a memory adress results in a memory state with input variables, where the final memory contains the term "v + 2 - 3" at the aformentioned memory address.

 

Hamed Nemati / Swen Jacobs

Extracting low-level information from CPUs

Checking security properties at the level of hardware, e.g., at the processor level, requires a framework that allows extraction of detailed information about the state of the hardware that are usually not accessible through standard hardware inspection mechanisms. Existing solutions like OpenOCD are not able to extract all required information that are needed to analyze security threats like cache side channel attacks. The student will develop an interface to extract this information, allowing us to use it in testing security properties of the hardware.

 

Extension of MIPS processor model

Existing formal processor models are in most cases rather high-level, abstracting from implementation details such as speculative execution or the caching mechanism. Excluding such components simplifies the verification process, but it makes unsound the analysis of the system when deployed on platforms where these features are enabled. The student will extend an existing processor model of a MIPS processor with advanced features that are important for security of the hardware.

 

STH: A Security Hypervisor for IOT Devices

Virtualization is the act of abstracting the underlying hardware to multiplex resources among multiple guests and security-check accesses to system resources before executing them. The SICS Thin Hypervisor (STH) [1] software is a fully verified small portable hypervisor designed for the ARM architecture, with the main purpose to improve the security of embedded systems through the isolation properties that virtualization can provide. Current version of the STH only supports one guest. The goal of the project would be extending the hypervisor to support several guests.

[1] https://bitbucket.org/sicssec/sth/src/master/

 

Hojoon Lee / Swen Jacobs

Compiler-level for Fine-grained Program Partitioning

The current system privilege distinction, that coarsely divides the system into kernel and user space, leaves in-application secrets just as unprotected as a "Hello World" string. The advent of Trusted Execution Environments (TEE) and runtime boundary checks provide developers with an architectural foundation on which they can isolate sensitive parts of their program. However, existing software is not developed with isolation in mind, and it is a non-trivial task to structure a program in a way that the sensitive program code and data can be readily migrated to TEEs. In this project, we aim to design and implement a TEE-aware compiler that automatically isolates program "slices" that interact with sensitive program data (e.g., server private key). Previous works have limited isolation granularity and security guarantees; isolation was performed at a function-level and the isolated functions are assumed to be safe without any verification. Our goal is to achieve instruction-level isolation through our compiler-based approach and also automatically verify that the isolated code meets our security guarantees. The student would be working on static analysis (program slicing) and automatic program partitioning using the LLVM compiler infrastructure.

 

Alfusainey Jallow

Token-Based Authentication of Devices for Eclipse Hono

Eclipse Hono [1] is an open source project of the Eclipse Foundation that allows IoT applications to consume data from any IoT device regardless of the communication protocol supported by the device. IoT applications connects to Hono using only the AMQP 1.0 protocol and can consume data from devices supporting arbitrary protocols. Hono achieves this by introducing an abstraction layer, called a Protocol Adapter, that abstracts away a devices' communication protocol. Devices wishing to publish data to downstream consumer applications authenticates to a specific protocol adapter and, upon success, publishes their data through the protocol adapter.

Hono provides out-of-the-box protocol adapter implementations for the HTTP, MQTT, CoAP and AMQP 1.0 protocols. These protocol adapters currently only supports the username-password and X.509 certificate based authentication mechanisms. The goal of this student project is to add token-based authentication to the list of the already supported authentication mechanisms. Adding support for token-base authentication will allow devices to authenticate to a protocol adapter using a single token (ideally a JWT) that is issued by an external Identity Provider (IdP).

In the case of a JSON Web Token (JWT), the protocol adapters will authenticate a device only when the token contains a valid signature. Validating the token requires that the protocol adapter have access to the public key of the (trusted) IdP that issued the token. You are free to decide which of the protocol adapters you intend to provide token-based authentication for. Our recommendation is to add this support for the HTTP protocol adapter since the usage of Bearer Tokens, in the context of OAuth, has already been specified in RFC 6750[2]. The entire Hono codebase is available on Github[3].

[1] www.eclipse.org/hono

[2] https://tools.ietf.org/html/rfc6750

[3] github.com/eclipse/hono

Requirements: Strong Java programming skills

 

Gordon Meiser

Same Origin Policy in the era of Spectre & Meltdown

Meltdown and Spectre exploit critical vulnerabilities in modern processors by reading the process memory of programs. Modern browsers are also affected due to possible side-channel/timing attacks, f.i. by measuring the precise execution time of cryptographic algorithms. The Spectre flaw, in particular, represents a severe threat to all people browsing websites because individual pages often serve JavaScript from multiple domains that run in the same process. Utilizing this flaw, a malicious ad might steal sensitive user data belonging to a site hosting the ad, a hack that would violate the Web security cornerstone known as the Same Origin Policy. Browser vendors already reacted and applied some patches/restrictions to minimize the attack surface of the browsers.

Within this project, the mitigation efforts and already implemented features of the browser vendors (f.i. "site isolation" in Chrome) should be depicted. Additionally, the current protection status of the five main browsers (Chrome, Firefox, Safari, Edge, and Opera) shall be illustrated.

Furthermore, the following tools/attacks need to be developed:

• Develop a Javascript-based Web-Tool which can check whether the browser used to visit the checker's website is vulnerable to the Spectre attack.
• Create a proof-of-concept exploit which can attack a vulnerable browser (version).
• Extract and analyze the (semantic of the) data gathered by the memory leak and test if browser protection mechanisms can be circumvented this way. Based on these insights: develop new exploits attacking all affected browsers.