Topic list
Andreas Zeller
Fuzzing: Breaking Software for Fun and Profit
Apply knowledge from https://beta.fuzzingbook.org to a critical domain (blockchain, web fonts, certificates, office input, protocols, ...). Up to 3 students can work on this!
Aurore Fass
JavaScript Obfuscation Techniques Detection
JavaScript is a browser scripting language initially created to enhance the interactivity of websites and to improve their user-friendliness. However as it offloads the work to the user’s browser, it can be used to engage in malicious activities. To avoid detection by traditional anti-virus signatures and impose additional hurdles to manual and static analyses, the attackers use different obfuscation techniques to hide the maliciousness of their JavaScript code, without specific regard to performance. At the same time, obfuscation can be used by benign scripts to protect code privacy and intellectual property, and minification can be used to reduce the scripts size, which results in better performance.
In this project, you will first study the different JavaScript obfuscation and minification techniques that you can find in the wild. Then, you will build an unattended system which directly works at the code level, can recognize and differentiate the obfuscation and minification techniques used on given JavaScript samples.
Project requirements: programming skills (ideally python3).
Intelligent Fuzzing System for JavaScript
JavaScript is a browser scripting language resting on the ECMAScript language specifications. Still, there are numerous ways to write a JavaScript program to perform a given task, which means that the same semantics can be represented by different ASTs (Abstract Syntax Trees).
In this project, you will first study the JavaScript grammar to implement a system that can automatically produce (the) different syntactic versions of one given JavaScript file, while keeping its behavior after execution. Then, you will select one of the previous syntactic versions so that it matches given syntactic patterns, which you are expected to copy.
Project requirements: programming skills (ideally python3); basic knowledge of JavaScript and the parser Esprima would be helpful.
IlkanEsiyok, Robert Künnemann
Accountable delivery of javascript code
We want to build a transparency mechanism for website code delivery that works in a way that it is easy for the public to see what changes are made by the website before downloading.
Our goal is to develop a distributed ledger for the project. We want to implement a Log that allows to append new versions and to monitor and audit existing versions. A nice property would be to preserve the browsing privacy of end-users when they append new contents to the Log.
The student would ideally implement the Log by using existing reusable software libraries and integrate them by making necessary changes for our purposes. A Go programming language knowledge is preferred and Java programming could also work.
Example of the libraries vary, but CONIKS is one of the best examples.
(*) https://github.com/coniks-sys/coniks-go
(*) https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-melara.pdf
Robert Künnemann
Causation on for program failures, operating on PDGs
If a program fails and you wonder: "Why does a variable have a certain value?",
"Why is it not having the following value?", then you are asking questions
about causation. We proposed a notion of causation that takes into account
control-flow, and want to try how well it works on program dependency graphs.
The goals are to answer the aforementioned query at any point in the program run,
e.g., after breaking in the debugger. There is support for computing PDGs for
many languages, so pick one of your choices.
Visualization of protocol traces
Tamarin is a tool for protocol verification with a convenient web-interface.
It provides a visualization of protocol traces for attacks but also steps in
the proof. These contain the state of protocol participants, but also the
messages eavesdropped and transformed by the adversary. Currently, this is done
using the tool `dot` which plots graphs as PNGs. We would prefer a more modern
and extensible interface similar to Google maps, operating via JS. The first
steps are done: we have a react framework and a way to plot nodes.
Gordon Meiser
Attacking web sites using comments & console.log
Web developers are using comments as a possibility to log and temporarily save values and variables. They also (ab)use it to test code and afterward comment it out. As javascript is used more and more on web sites, the code must also be debugged. Mostly, the browser console is used for that reason. These approaches may lead to possible attack vectors using information gathered by these data sources. Your task is the development of a crawler which visits web sites and collects the mentioned data. Afterward, you should evaluate whether the information can lead to possible attack vectors and vulnerabilities which can be exploited.
Nils Ole Tippenhauer
Experimental PLC using CODESYS
Programmable Logic Controllers are used in Industrial Control Systems to
steer physical processes. Most platforms are proprietary (OS, software
to program, logic), but recently the CODESYS platform gains more
traction on Linux. Your Task: Implement a simple CODESYS-based PLC on a
Raspberry Pi and assess its security against various attacks.
Extending MiniCPS
Idea: Improve the existing MiniCPS framework with new devices and
features Lightweight virtualization and simulation of Industrial
Control System network and processes. Based on MiniNet, LXC
containers, written in Python. Your task: Review and extend our
implementation of a chemical process plant (Tennessee-Eastman process
resulting from the previous project), introduce new devices, protocols, or
processes. How could users identify that they are in a simulated
network? Which attacks can be emulated?
Manipulating Radio Firmware on Android
InternalBlue is a framework that allows manipulating firmware of the
BCM4339 Bluetooth controller used in Nexus 5. Your task:
Review and extend the current functionality to allow manipulation of
encrypted Bluetooth traffic (based on recent research results)
Investigate similar frameworks for other platforms or radio standards.
Virtualization of embedded firmware
For IoT and industrial devices, it is often difficult to instrument
systems to perform analysis such as fuzzing (or vulnerability
discovery as part of a honeypot). In this project, the student will
explore options to run simple firmware on QEMU (or similar), together
with basic IO (e.g., emulation of network interfaces), which would
lead the way to e.g., fuzzing later.
Sebastian Roth
Inconsistencies between CDNs
In the Web, the usage of CDN for load balancing and the performance increase is very prevalent. Every CDN provides access to a plethora of libraries in several different versions. Despite the claim to all host a particular library in a specific version nobody actually investigated whether they really deliver the same library as its original manufacturer deployed it. In this work, we want to investigate the inconsistencies of JS libraries hosted by several CDNs and analyze the changes of the JavaScript.
Oliver Schranz with Michael Backes Cybersecurity (MBC)
Gamification Platform for Security Education & Training
Who said security education is no fun? We want to build a platform that allows registered users to compete against each other in short Quizduell-inspired quizzed. There will be scoreboards for different categories of questions or target audience and an admin area for managing questions & answers. The whole web app should be usable from desktop and mobile clients.
Oliver Schranz
ARTist: Continuous Integration & Delivery
Continuous Integration & Delivery are common terms for fully-automated pipelines that build code, test it and in the best case deploy the result. While CI/CD, when properly implemented, take a lot of work from developers, it is not trivial to create and maintain such a pipeline for non-standard targets. For example, our compiler-based Android instrumentation framework called ARTist can only be built in the context of a fully-built Android Open Source Project (AOSP) tree, and the other repositories in the ARTist ecosystem come with heavy inter-dependencies as well. The goal of this project is to design and implement a full CI/CD pipeline that automatically builds and tests new code (master branch, PRs?), integrates with GitHub/itLab, and, if feasible, publishes the results as snapshots.
Extending our Android App Testing Framework
We have a basic prototype of an automated app testing framework that parallelizes the security-assessment of Android applications by applying existing security scanners and collecting their results. While we currently have running integrations for MobSF, QUARKS, and Drozer, we are interested in further improving the framework by adding new scanner and analyses. For example, we could integrate in-house projects such as LibScout that automatically detects (potentially vulnerable) libraries in app packages, or use an automated app test driver such as DroidMate in conjunction with traffic recording and filesystem watching to detect interesting app behavior.
Fuzzing of Systemserver native libs
While researchers found multiple exploitable flaws in Android's app-facing native libraries, no one seems to be testing the libraries that are loaded and used by the systemserver. The idea is to test them for bugs and vulnerabilities and then find a way to trigger those flaws through the systemserver. This requires to 1. identify these libraries, 2. to fuzz-test them, 3. reproduce the found bugs, and 4. find a way from a systemserver API down to the library so that the defect is triggered. The project is very research-intensive and therefore we cannot know beforehand if all of this is feasible, hence it is possible that we only cover some of these points in the project depending on how easy or hard the first tasks are.
Sven Weizenegger
Security Orchestration
Most companies are overwhelmed with Cyber Security and the daily support of their cyber security operations, because their environment is very fragmented and complex. To help businesses it is necessary to simplify as much as possible by automating as much as possible. Therefore the goal is to virtualize the operations by automatically orchestrating countermeasures for the toolset the customer has available. For this purpose, data from various sources must be collected and then evaluated in order to decide whether, where and which countermeasure makes the most sense. If the customer does not have a tool to deal with a threat/vulnerability, then one can be recommended. Measures can be technical or just recommendations. In some cases it makes sense to use different measures for a threat/vulnerability.
Project requirements: good Python skills, knowledge of machine learning would be helpful
Sven Bugiel
ExtendingHashcatwith Support for Contextual Mangling Rules
A basic attack against passwords is a dictionary attack, where an attacker tests if words from a dictionary are the users' passwords. To easily extend the range of guessed and to mimic human-behavior for password generation, all major password cracking tools support word mangling rules. For instance, a dictionary word like "password" can create another password guess "P@ssword123" by applying the rule "c sa@ $1 $ 2 $3" in hashcat.
We recently found that the set of rules and their order in which they should be applied to a dictionary word depend on the category of the dictionary word. For instance, for names it is more likely that a year is appended (i.e., the rule "$1 $9 $8 $4" for 1984 is more likely than "$! $! $!").
Your task is to extend the open-source hashcat with support for such contextual rules. Hashcat should accept dictionaries as input where each word is labeled with a category, and it should use the set of rules for that particular category to create new password guesses from that dictionary word.
Requirements: Hashcat is written in C, thus skills for C coding are required. To extend hashcat, you first have to understand its internal logic, hence, you should be able to reverse engineer hashcat's logic from its mostly undocumented C code base.
Mario Fritz
Author de-anonymization based on Bibtex
Christian Rossow
Remote Timing for Side Channel Attacks
Basic idea: Current CPU-based side channels require local measurements with a couple of rdstc instructions to meaure the precise time it takes to access a given memory address. This allows to distinguish between cached and non-cached accesses. Is such a distinction also possible purely from remote?
Detecting µ-Architectural Attacks in Malware
Some malware families are known to launch u-arch attacks like Spectre and Meltdown. Why do they do this? And can you find an automated way of detecting such attacks, e.g., using dynamic analysis?
Hide-n-Seek
HnS is a popular IoT- and thus Linux-based botnet. We record P2P graph data from this network since a few months. Can you analyze the P2P population (size, development, churn) and commands exchanged in the network?
JavaScript-based On-site Search Leaks
If you type search keywords in your browser (CTRL + F), it will automatically highlight and thus scroll to an occurance of your search term. Can a curious website find out what the user was searching for? Can a website be designed in such a way that to optimize the accuracy of this privacy attack?