Topic list
Daniel Weber and Michael Schwarz
ARM Instruction Fuzzing
Finding new side channels is often done manually - resulting in a time-consuming and labor-intensive process. Osiris is a fuzzer that automates this by automatically searching for side channels based on a machine-readable list of assembly instructions. The current Osiris implementation supports the x86 instruction set, and we want to extend that to the ARM instruction set. For this, we need certain building blocks. In this project, the task is to implement these building blocks as standalone functions (we do not require you to interact with the Osiris codebase). These building blocks consist mainly of different small subroutines, e.g., a high-precision timing routine, and a machine-readable specification of the ARM instruction set.
Requirements: Familiarity with programming in assembly (knowledge about ARM is beneficial but not required)
Michael Schwarz
Rowhammer on the gem5 CPU Simulator
Rowhammer is the best-known software-based fault attack. Although Rowhammer faults are typically not difficult to produce, it still takes several seconds to minutes to get a fault. Moreover, faults might occur in unexpected memory locations from time to time, leading to system crashes or data corruption. Hence, to develop reliable attacks and defenses, it is helpful to have a highly-accurate system simulator that models such faults. In this project, the task is to extend the well-known open-source CPU simulator gem5 to model the Rowhammer vulnerability. Existing defenses and exploits should be experimentally verified based on the modified simulator.
Requirements: Familiarity with programming C/C++ and with Linux
Low-Level VM Toolkit
Microarchitectural attacks often require low-level information, such as physical addresses. While tools such as PTEditor are extremely helpful, they can't be used inside virtual machines due to the additional abstraction layer introduced by extended page tables. Hence, there is currently no simple way of getting physical addresses or sharing memory pages in VMs. Your task is to implement a small C library to communicate with the hypervisor to retrieve such low-level information. One part of your toolkit runs inside the VM and allows applications to query low-level information, while the second part runs outside the VM to get and provide this information. Your toolkit should then be used to port an existing attack such as Foreshadow, demonstrating the functionality.
Requirements: Familiarity with programming C and with Linux
Lukas Gerlach and Michael Schwarz
Fuzzing + Differential Trace Analysis
Differential trace analysis (DATA) is a technique that allows automated detection of code and data accesses that can potentially be abused in side-channel attacks. DATA works well on cryptographic libraries where inputs are easy to generate and cover most of the program branches but reaches its limitations when inputs get harder to generate, or the program contains more branches. Fuzzing, however, has shown to be a great way to explore even deeply nested programs. Your task is to combine both approaches and improve DATA by driving its input with a fuzzer such that more complex programs can be tested.
Requirements: Familiarity with fuzzing (AFL)
Till Schlüter
Reverse Engineering (parts of) the ARM Cortex-A72 RAMINDEX Interface
The RAMINDEX interface of the ARM Cortex-A72 CPU allows to read internal CPU buffers. However, the communication protocol is only partly documented (especially w.r.t. the returned values). The goal of this project is to reverse engineer and document (parts of) this interface, for instance by priming the relevant buffers to a known state and finding correlations between the state and the received output.
Requirements: Ideally: Programming in C, Linux, some knowledge about the inner workings of a CPU
Alessandro Erba
Fuzzing industrial network protocols implementations
Industrial protocols are deployed in industrial facilities to allow the correct functioning and safety of industrial machinery. Implementations of such protocols are often proprietary (or even proprietary protocols). For this reason, network level fuzzing is useful in this setting.
Requirements: Familiarity with fuzzing concepts, Familiarity with rust and qemu
The project is suitable for a team of 2 students.
Rafael Dutra
FormatFuzzer Project 1: New File Formats
In order to fuzz a program that parses a binary file (such as a PNG image), we need to generate many random inputs with the correct file format structure.
We developed a framework called FormatFuzzer (https://github.com/uds-se/FormatFuzzer) that can generate random valid files for several different formats. It works by processing an existing specification of the format structure (010Editor binary template https://www.sweetscape.com/010editor/templates.html) in Python and creating C++ code that can both generate and parse those binary files.
There are hundreds of different file formats that could be supported, including
PNG, OGG, GIF, JPEG, TIFF, ZIP, PCAP, MP4, SWF, MIDI, WAV, AVI, BMP, MP3, ELF, PDF
We have different possible projects available in improving FormatFuzzer.
Fuzzing new file formats
We need your help to be able to generate high-quality inputs for new file formats. Your task in this project will be to pick one or a few of those formats (such as RAR, GZIP, RPM, SWF, TIFF, ELF, DEX, VDI, EXT2, LUKS), and improve the specification by making sure it generates the correct file structure for the selected formats.
Project requirements: The project uses binary template specifications which are written in a language similar to C/C++. Familiarity with C/C++ is recommended.
The project is suitable for a team of 2 students.
Format Fuzzer Project 2: Kaitai Struct
In order to fuzz a program that parses a binary file (such as a PNG image), we need to generate many random inputs with the correct file format structure.
We developed a framework called FormatFuzzer (https://github.com/uds-se/FormatFuzzer) that can generate random valid files for several different formats. It works by processing an existing specification of the format structure (010Editor binary template https://www.sweetscape.com/010editor/templates.html) in Python and creating C++ code that can both generate and parse those binary files.
There are hundreds of different file formats that could be supported, including
PNG, OGG, GIF, JPEG, TIFF, ZIP, PCAP, MP4, SWF, MIDI, WAV, AVI, BMP, MP3, ELF, PDF
We have different possible projects available in improving FormatFuzzer.
Converting Kaitai Structs into FormatFuzzer
Kaitai Struct is another format specification language that has been used to describe hundreds of binary file formats (https://formats.kaitai.io/). The goal of this project is to be able to use those kaitai struct specifications in FormatFuzzer. One possible approach is to use a python converter to convert kaitai structs into binary templates. Another possibility is to extend the kaitai compiler (written in scala) which produces C++ code for parsing the binary file so that this C++ code calls the FormatFuzzer APIs for accessing files directly.
Project requirements: Familiarity with C/C++ or Scala is recommended.
The project is suitable for a team of 2 students.
Kevin Morio
Instrumentation of NSS
The project's goal is to instrument the code of NSS to log TLS function calls for analyzing TLS sessions of Firefox. NSS, the Network Security Services, are a set of widely employe libraries used for developing security-enabled applications and is used, for example, in Firefox, Thunderbird, and Pidgin.
Requirements:
- Experience in C / C++
- An interest to dive into a large well-maintained codebase
Xaver Fabian
Detecting Speculative Leaks
Speculative Execution is a feature of modern processors to speed up execution through various predictors. The Spectre family abuses speculative execution to leak confidential data during program execution.
Spectector is a research tool that can detect speculative leaks in programs through the use aóf a semantics htat captures the behaviour of a specific Spectre variant.
We want to create new semantics for two other Spectre versions -- V2 and V5 -- and extend the tool with those.
Requirements: An Interest in Formal Reasoning.
A plus but not required in courses would be : Introduction to Computational Logic or Semantics.
The project is suitable for a team of 2 students.
John H. Castellanos
Evaluating Attack Consequences on UAVs
Students will perform different types of data-oriented attacks (false-data injection and stale attacks) on multiple components of an unmanned aerial vehicle. Students might explore several attack strategies that disrupt the system's operational goals. Students will run all the experiments in a simulated environment.
Requirements: Intermediate C++ programming skills. Basic Linux knowledge.
Robert Künnemann
If chairs could speak
Try to attack FIDO2 tokens, in particular, privacy of credentials via NFC.
Requirements: Reading APIs, creativity, a little JavaScript
The project is suitable for a team of 2 students.
Improving the Usability of Protocol Verification
Improve Tamarin, one of the most popular protocol verification tools.
Requirements: Experience in Haskell or experience in functional programming and readiness to learn Haskell
The project is suitable for a team of 2 students.
Rayna Dimitrova
Finding Violations to Pufferfish Privacy
Differential privacy is a framework for designing and analyzing privacy measures, in which data publishing mechanisms are formalized as randomized algorithms. These mechanisms provide access to a database via queries to which they return randomized answers, in order to preserve privacy. To be differentially private a mechanism has to yield similar output distributions on similar input data sets. As an intuitive example, consider two databases, D1 that contains your information, and D2 that does not contain your information. A mechanism M is differentially private if when applied to D1 and D2 the outputs “roughly” the same. This means that for an adversarial user of the database it is hard to judge only from the outputs of the algorithm if your data is in the database or not. For the formal definition of differential privacy, please refer to the seminal paper https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/dwork.pdf
Since its introduction, differential privacy has gained a lot of attention both in academia and in industry. Constructing differentially private algorithms is a difficult and error prone task, which has motivated the development of many methods and tools for automatically verifying or detect violations in differential privacy mechanisms.
One limitation of differential privacy is that it does not account for prior knowledge about data sets. Therefore, if a database contains correlated data entries, a mechanism that satisfies differential privacy may reveal too much information about individuals. For a typical example, consider a database that contains information about individuals from the same household and whether they have tested positive for a highly infectious disease. Then, in order to find out with sufficient confidence whether one specific member of the household has tested positive for the disease it suffices to determine if at least one member has tested positive.
Pufferfish privacy, introduced in https://users.cs.duke.edu/~ashwin/pubs/pufferfish_TODS.pdf is a framework that addresses this issue by allowing to take into account prior knowledge about data sets, for instance whether data entries are correlated or independent. This is achieved by specifying a set of probability distributions over datasets, where the dataset is drawn from a distribution belonging to this set. Then, pufferfish privacy ensures that limited information is revealed from prior knowledge.
Recently, an algorithm for verifying pufferfish privacy for mechanisms modelled as Hidden Markov Models (HMM) has been proposed in https://arxiv.org/pdf/2008.01704.pdf. This algorithm encodes the verification question as a logical formula whose satisfiability is checked by SMT solver. This approach, however has severe scalability issues for larger databases.
The goal of this project is to investigate and and implement methods for detecting violations to pufferfish privacy. Methods for detecting violations typically scale better than exhaustive verification. One option would be to employ an encoding similar to the one mentioned above, and, an alternative would be to explore statistical methods. You can use a programming language of your choice for the implementation, C++ or Python could be appropriate choices depending on the libraries or tools used.
Requirements: good programming skills; knowledge/interest in modelling and analysis of probabilistic systems is a plus
The project is suitable for a team of 2 students.