Fuzzing: Breaking Software for Fun and Profit
Apply knowledge from https://beta.fuzzingbook.org to a critical domain (blockchain, web fonts, certificates, office input, protocols, ...). Up to 3 students can work on this!
Project requirements: programming skills (ideally python3).
We want to build a transparency mechanism for website code delivery that works in a way that it is easy for the public to see what changes are made by the website before downloading.
Our goal is to develop a distributed ledger for the project. We want to implement a Log that allows to append new versions and to monitor and audit existing versions. A nice property would be to preserve the browsing privacy of end-users when they append new contents to the Log.
The student would ideally implement the Log by using existing reusable software libraries and integrate them by making necessary changes for our purposes. A Go programming language knowledge is preferred and Java programming could also work.
Example of the libraries vary, but CONIKS is one of the best examples.
Causation on for program failures, operating on PDGs
If a program fails and you wonder: "Why does a variable have a certain value?",
"Why is it not having the following value?", then you are asking questions
about causation. We proposed a notion of causation that takes into account
control-flow, and want to try how well it works on program dependency graphs.
The goals are to answer the aforementioned query at any point in the program run,
e.g., after breaking in the debugger. There is support for computing PDGs for
many languages, so pick one of your choices.
Visualization of protocol traces
Tamarin is a tool for protocol verification with a convenient web-interface.
It provides a visualization of protocol traces for attacks but also steps in
the proof. These contain the state of protocol participants, but also the
messages eavesdropped and transformed by the adversary. Currently, this is done
using the tool `dot` which plots graphs as PNGs. We would prefer a more modern
and extensible interface similar to Google maps, operating via JS. The first
steps are done: we have a react framework and a way to plot nodes.
Attacking web sites using comments & console.log
Experimental PLC using CODESYS
Programmable Logic Controllers are used in Industrial Control Systems to
steer physical processes. Most platforms are proprietary (OS, software
to program, logic), but recently the CODESYS platform gains more
traction on Linux. Your Task: Implement a simple CODESYS-based PLC on a
Raspberry Pi and assess its security against various attacks.
Idea: Improve the existing MiniCPS framework with new devices and
features Lightweight virtualization and simulation of Industrial
Control System network and processes. Based on MiniNet, LXC
containers, written in Python. Your task: Review and extend our
implementation of a chemical process plant (Tennessee-Eastman process
resulting from the previous project), introduce new devices, protocols, or
processes. How could users identify that they are in a simulated
network? Which attacks can be emulated?
Manipulating Radio Firmware on Android
InternalBlue is a framework that allows manipulating firmware of the
BCM4339 Bluetooth controller used in Nexus 5. Your task:
Review and extend the current functionality to allow manipulation of
encrypted Bluetooth traffic (based on recent research results)
Investigate similar frameworks for other platforms or radio standards.
Virtualization of embedded firmware
For IoT and industrial devices, it is often difficult to instrument
systems to perform analysis such as fuzzing (or vulnerability
discovery as part of a honeypot). In this project, the student will
explore options to run simple firmware on QEMU (or similar), together
with basic IO (e.g., emulation of network interfaces), which would
lead the way to e.g., fuzzing later.
Inconsistencies between CDNs
Oliver Schranz with Michael Backes Cybersecurity (MBC)
Gamification Platform for Security Education & Training
Who said security education is no fun? We want to build a platform that allows registered users to compete against each other in short Quizduell-inspired quizzed. There will be scoreboards for different categories of questions or target audience and an admin area for managing questions & answers. The whole web app should be usable from desktop and mobile clients.
ARTist: Continuous Integration & Delivery
Continuous Integration & Delivery are common terms for fully-automated pipelines that build code, test it and in the best case deploy the result. While CI/CD, when properly implemented, take a lot of work from developers, it is not trivial to create and maintain such a pipeline for non-standard targets. For example, our compiler-based Android instrumentation framework called ARTist can only be built in the context of a fully-built Android Open Source Project (AOSP) tree, and the other repositories in the ARTist ecosystem come with heavy inter-dependencies as well. The goal of this project is to design and implement a full CI/CD pipeline that automatically builds and tests new code (master branch, PRs?), integrates with GitHub/itLab, and, if feasible, publishes the results as snapshots.
Extending our Android App Testing Framework
We have a basic prototype of an automated app testing framework that parallelizes the security-assessment of Android applications by applying existing security scanners and collecting their results. While we currently have running integrations for MobSF, QUARKS, and Drozer, we are interested in further improving the framework by adding new scanner and analyses. For example, we could integrate in-house projects such as LibScout that automatically detects (potentially vulnerable) libraries in app packages, or use an automated app test driver such as DroidMate in conjunction with traffic recording and filesystem watching to detect interesting app behavior.
Fuzzing of Systemserver native libs
While researchers found multiple exploitable flaws in Android's app-facing native libraries, no one seems to be testing the libraries that are loaded and used by the systemserver. The idea is to test them for bugs and vulnerabilities and then find a way to trigger those flaws through the systemserver. This requires to 1. identify these libraries, 2. to fuzz-test them, 3. reproduce the found bugs, and 4. find a way from a systemserver API down to the library so that the defect is triggered. The project is very research-intensive and therefore we cannot know beforehand if all of this is feasible, hence it is possible that we only cover some of these points in the project depending on how easy or hard the first tasks are.
Most companies are overwhelmed with Cyber Security and the daily support of their cyber security operations, because their environment is very fragmented and complex. To help businesses it is necessary to simplify as much as possible by automating as much as possible. Therefore the goal is to virtualize the operations by automatically orchestrating countermeasures for the toolset the customer has available. For this purpose, data from various sources must be collected and then evaluated in order to decide whether, where and which countermeasure makes the most sense. If the customer does not have a tool to deal with a threat/vulnerability, then one can be recommended. Measures can be technical or just recommendations. In some cases it makes sense to use different measures for a threat/vulnerability.
Project requirements: good Python skills, knowledge of machine learning would be helpful
ExtendingHashcatwith Support for Contextual Mangling Rules
A basic attack against passwords is a dictionary attack, where an attacker tests if words from a dictionary are the users' passwords. To easily extend the range of guessed and to mimic human-behavior for password generation, all major password cracking tools support word mangling rules. For instance, a dictionary word like "password" can create another password guess "P@ssword123" by applying the rule "c sa@ $1 $ 2 $3" in hashcat.
We recently found that the set of rules and their order in which they should be applied to a dictionary word depend on the category of the dictionary word. For instance, for names it is more likely that a year is appended (i.e., the rule "$1 $9 $8 $4" for 1984 is more likely than "$! $! $!").
Your task is to extend the open-source hashcat with support for such contextual rules. Hashcat should accept dictionaries as input where each word is labeled with a category, and it should use the set of rules for that particular category to create new password guesses from that dictionary word.
Requirements: Hashcat is written in C, thus skills for C coding are required. To extend hashcat, you first have to understand its internal logic, hence, you should be able to reverse engineer hashcat's logic from its mostly undocumented C code base.
Author de-anonymization based on Bibtex
Remote Timing for Side Channel Attacks
Basic idea: Current CPU-based side channels require local measurements with a couple of rdstc instructions to meaure the precise time it takes to access a given memory address. This allows to distinguish between cached and non-cached accesses. Is such a distinction also possible purely from remote?
Detecting µ-Architectural Attacks in Malware
Some malware families are known to launch u-arch attacks like Spectre and Meltdown. Why do they do this? And can you find an automated way of detecting such attacks, e.g., using dynamic analysis?
HnS is a popular IoT- and thus Linux-based botnet. We record P2P graph data from this network since a few months. Can you analyze the P2P population (size, development, churn) and commands exchanged in the network?
If you type search keywords in your browser (CTRL + F), it will automatically highlight and thus scroll to an occurance of your search term. Can a curious website find out what the user was searching for? Can a website be designed in such a way that to optimize the accuracy of this privacy attack?