Bachelor- and Master Seminar

Dear All,

The next seminar(s) take place on 21.7. at 14:00.

This week the submission of information worked poorly! Remember that you should upload your talk information by Wednesday night. The research area you write in should actually include the number 1-5 as provided in our last post - I have made a guess which number applies for you if you didn't provide it this week, but for the other students to find your talk it is essential that you put in your area codes in the future! Ask your advisor in doubt!

I also made a new submission form for proposals, don't be confused, this will come in in the future.

Session A:
Tristan Hermanns - Tristan Hornetz - Leon Trampert

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B:
Anania Tesfaye - Yannik Schwindt - David Butscher

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Tristan Hermanns
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Christian Rossow
Title: Automatic Exploitation of Vulnerable ERC20 Contracts (An Extension of TeEther)
Research Area: RA3

With their recent increase in popularity, cryptocurrencies like Bitcoin and Ethereum are on the rise. In Ethereum, so called smart contracts can be deployed, allowing for programmatic control of funds. These smart contracts can not be patched or updated and therefore software vulnerabilities are directly coupled with financial loss.

With teEther, Rossow et al. created a tool that is capable of automatically finding and exploiting vulnerable smart contracts. For this, the EVM bytecode is scanned for critical paths that cause an extraction of funds to the attacker controlled address.

We plan to extend this tool to not only extract Ether, but also arbitrary ERC20-Tokens. ERC20 Tokens are standardized Cryptocurrencies implemented using Ethereum smart contracts. Because this standard eases tracking and fungibility of Tokens, new Cryptocurrencies are often deployed as ERC20 Tokens. Previous work on automated contract analysis has only focused on Ether-related vulnerabilites, but there is a need for automated ERC20 analysis.

 

14:30-15:00

Speaker: Tristan Hornetz
Type of talk: Bachelor Intro
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Marius Smytzek
Title: Evaluating the Effectiveness of Automated Fault Localization in Python
Research Area: RA4 - Secure Mobile and Autonomous Systems

Abstract: Automated fault localization describes a group of techniques that can aid a programmer in locating the cause of bugs during software development. An abundance of research has been performed on the topic, with Statistical Debugging (SD) and Spectrum Based Fault Localization (SBFL) being two of the most popular approaches. However, there is surprisingly little research about the applicability and general usefulness of automated fault localization in the Python programming language. With its powerful introspection and ever-growing popularity, Python seems like the optimal programming language to apply these techniques. As such, the goal of my Bachelor's Thesis is to research the effectiveness of automated fault localization in Python. For this purpose, I will conduct an empirical study on bugs in real-world software.

 

 

15:00-15:30

Speaker: Leon Trampert
Type of talk: Bachelor Intro
Advisor: Prof. Dr. Christian Rossow, Dr. Michael Schwarz
Title: Browser-based CPU Fingerprinting
Research Area: RA3

Abstract:

As of January 2021, almost 60 percent of the global population is connected to the internet.
In most cases, a web browser is used to access the internet.
Using JavaScript and WebAssembly an attacker can execute sandboxed code on the system of a potential victim visiting his malicious site.
This sandboxed code execution does not give the attacker full control over the instructions executed, as the JavaScript and WebAssembly code will be JIT-compiled by the browser engine to the instruction set architecture (ISA) of the particular CPU.

Research in recent years has revealed multiple critical CPU bugs related to speculative execution and other optimization techniques.
Most of these vulnerabilites are CPU-specific and only found in recent CPU generations, whilst some of the latest generations may already include fixes against some of them.
Some attacks, such as RIDL  and Spectre  have successfully been implemented in the browser, opening new attack vectors.
Identifying potential victims or even choosing the most effective attack for a concrete target may be valuable to an attacker.

We plan to collect a multitude of different CPU-specific properties and behaviors, which may ultimately lead to the identification of the concrete CPU model.
The implications of this are worrisome, as they pose a direct threat to the security of everyone browsing the web.

 

Session B:

14:00-14:30

Speaker: Anania Tesfaye
Advisor: Ben Stock
RA: 5
No info provided yet!

 

14:30-15:00

15:00-15:30

Speaker: David Butscher
Type of talk: Bachelor Final
Advisor: Dr. Ben Stock, Dr. Giancarlo Pellegrino
Title: Measuring the Impact of the Crawling Context on the Results of Web Scanners
Research Area: 5? Web Security

Abstract:
Web scanners are essential tools for security researchers. They are used to measure the
occurrence of security flaws in the known web. Unfortunately, their efficiency suffers from
multiple limitations. One limitation is that in the first phase - the crawling phase - the
crawling module needs to explore as many resources of a domain as possible. The found
URLs are the input for the attack modules in the second phase. Hence the efficiency of
the whole web scanner depends on the efficiency of the crawler module. This work
aims to identify factors that influence the success of web scanners, especially in the
crawling phase. To reach this goal, we have changed the context of the crawling process
and examined the crawling results for differences. We targeted four factors in detail:

1. IP address: the change of the IP addresses could mitigate the countermeasures of
web application firewalls against known attackers. There is also a possibility that
some sites are only accessible from particular locations.
2. Language: the web is accessible from around the globe, so site owners may serve
their websites in different languages. There might be a chance that they deliver
different web applications for different languages.
3. User-Agent: site owners may deliver multiple versions of their site customized for
the end-user device.
4. Authentication: signed up users may access pages that unknown users will never
be able to reach. Since authentication in an automated fashion is not trivial, we
mainly focused on websites that offer SSO.

We have used a limited set of top domains listed by Tranco for our experiments. For
our evaluation, we have built a crawler that loaded a special crawling profile. We ran
one crawler without modifications and one crawler for each of the first 3 modified factors
in parallel. Afterward, we have counted the number of detected security indicators. In
this way, we could measure the direct influence of single changes to the crawling context.
We also extended our crawler to find social login buttons and to automatically log in to
these websites leveraging the found buttons.

Dear All,

I had accidentally deleted the seminar announcement :) Here it is back up. Please check the post about changes!

Session A
Joshua Renckes - Paul Kalbitzer - Paul Szymanski

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker: Joshua Renckens

Type of talk: Bachelor Intro

Advisor: Prof. Andreas Zeller

Title: 0KFuzzer: Applying Systematic Exploration to Binary Templates

Abstract:
Fuzzing is a technique used to test the robustness of programs by automatically generating inputs and feeding them into programs under test. However, using only randomly generated inputs is not a good way to achieve great code coverage. Most will immediately fail at the beginning of the program execution due to not matching the structure that is expected of the input.

Ways to mitigate this are grammar-based fuzzers. They take grammars that specify languages first and then base the input generation on the specified language. This makes sure that a certain input structure is maintained, reaching parts of the test programs random fuzzing wouldn't be able to reach. The k-path algorithm improves on these grammar-based fuzzers by making sure that all of the grammar is systematically covered.

The FormatFuzzer has an idea similar to grammar-based fuzzers but it takes binary templates that specify file formats as inputs instead of grammars. It compiles them into C++ code that then acts as a generator of inputs according to the format specification described in said templates. This thesis aims to improve on the FormatFuzzer by combining it with the k-path algorithm, taking the systematic coverage of grammars and using it on format specifications. This combination of the FormatFuzzer and the k-path algorithm will then be evaluated against the default FormatFuzzer to compare language coverage and program coverage.

 

14:30-15:00

 

Speaker: Paul Kalbitzer

Type of talk: Bachelor Intro
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Dr. Rafael Dutra

Title: Statistics-based testing with the Format Fuzzer

Abstract: Fuzzing is an automated testing method that uses an immense number of
automatically generated inputs to examine the behaviour of the program under
test. These inputs are usually randomly generated to detect crashes or other
errors. When testing programs that receive files as input, the problem arises
that formats are very complex and that input that does not meet the structural
requirements is rejected by the program in an early parsing phase. This in turn
results in a low code coverage, which is tantamount to a fuzzing result without
meaningfulness.

The FormatFuzzer, a structure-aware approach, counters this problem by
using binary templates. In this way, it ensures that structural requirements for
inputs are met in order to be able to test programs with complex input requirements.
However, the FormatFuzzer does not yet allow to declare probabilities
in general, as well as for individual variables. This makes it impossible for example,
to focus on uncommon aspects of a format.

The goal of my thesis is to present a version of FormatFuzzer that supports
the use of statistics and probabilities, but does not depend on their existence.
The focus is on offering the possibility to generate files based on probability
distributions, to be able to direct test generation towards a specic direction.

15:00-15:30

Speaker: Paul Szymanski
Type of talk: Bachelor Intro
Advisor: Cristian-Alexandru Staicu
Title: A Study of State-of-the-Art Call Graph Creation Approaches for JavaScript

Call graph creation is an important stepping stone for building sophisticated static analyses, e.g., taint analysis. However, many state-of-the art tools perform poorly when faced with real-world code. That is, many of the available call graph creation tools for JavaScript are extremely fragile and thus, fail to produce a call graph when certain language constructs are present in the analysed code. For example, many such tools only support ECMAScript 5 features, while practitioners rely on more modern syntax. Some call graph creation tools solve this problem by performing a transpilation step, e.g., using Babel, on the code before processing it further. Although these transformations are assumed to be preserving the functionality of the code, the transformations might result in different call graphs. This might be the case for other kinds of transformations, like obfuscation and minification, as well.
The goal of this bachelor thesis is to study existing call graph creation algorithms and identify their limitations, i.e. which language constructs are the most difficult to analyse. Additionally, we are interested in identifying code transformation techniques with the highest impact on the performance of static call graph algorithms, both beneficial and detrimental.

 

Dear All,

There will be a change to the seminar organisation. From now on, we will track the research area of your topics, as this clusters people of similar research interests and facilitates discussion of your results.

What you need to do now:

1. Find out what your research area is (by going here: https://cispa.de/de/research and or checking in with your advisor)
2. Provide this info in your future calendly registrations
3. For all talks after the 7.7. use the new template for the talk information uploaded before your talk, which is found in the Materials section. State your area as "RA1" or "RA5" for example.

Furthermore this affects attention. During the time of your thesis work, you are expected to attend and participate in discussions of the talks on all days with talks within your research area (1-2 absences for sickness etc. will be accepted naturally , also this obviously only applies to future talks).

In case you are unsure, the areas are

• RA1: Trustworthy Information Processing
• RA2: Reliable Security Guarantees
• RA3: Threat Detection and Defenses
• RA4: Secure Mobile and Autonomous Systems
• RA5: Empirical and Behavioural Security
   

Best regards,
Stella Wohnig

 

Dear All,

The next seminar takes place on 23.6. at 14:00.

Session A
Gunnar Heide - Jonas Büchner - Philipp Zimmermann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session A:

14:00-14:30

Speaker: Gunnar Heide
Type of talk: Bachelor Intro
Advisor: Dr. Lucjan Hanzlik, CISPA
Title: Implementing SFIDO - Improving FIDO2 with pairing-based cryptography
    
Abstract:
FIDO - "Fast IDentity Online" is a set of standard specifications published by the FIDO
Alliance for online authentication using hardware tokens. Based on traditional public
key cryptography it allows for passwordless authentication. In doing so it alleviates the
major issues of password database breaches, which are exacerbated by rampant password
reuse. It further curbs many types of phishing.
However, it is limited by its design since new features like anonymous attestation require
support for entirely new cryptographic operations on the hardware token.
SFIDO is a protocol developed by research group of L. Hanzlik at CISPA, that provides
a less complex solution leveraging pairing-based cryptography. With a fixed single cryp-
tographic primitive executed on the hardware token it provides not only authentication
and attestation, but is also extendable to a full anonymous credential system.
In this thesis a proof-of-concept implementation of the SFIDO client will be developed and benchmarked. Ideally, this will result in execution times which are comparable to FIDO2. Therefore, the goal of this thesis is to show that SFIDO represents a new, effective and efficient tool for secure online authentication using hardware tokens.

14:30-15:00

 

Speaker: Jonas Büchner
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: MONITORing Secrets with Hardware Features
Abstract: There is a plephora of attacks on the microarchitecture of current CPUs. They rely on a side channel for extractring (meta-)information. Prominent examples, like Flush+Reload or Prime+Probe, use the timing differences between cache hits and cache misses, which restricts the scope of those side channels to CPUs, where caches are shared.  
We try to overcome this, by replacing the side channel with the MONITOR/MWAIT instructions, which are contained in the SSE3 extensions of all modern x86 CPUs. This pair of instructions is meant for power managment and thread optimization. Its primary use is to wait for a change on a monitored address range and continue execution, once a write (or other triggering events) occur. While this aims at things like lock acquisation, it seems to be perfectly exploitable as a side channel. Since it does not rely on caches but is meant to wake up on any write to memory, it could potentially even be used as a cross-CPU side-channel. Moreover, it can be used to implement controlled channel attacks, without relying on caches. In current implementations, it is only available in kernel space, which requires a strong attacker. This is no problem in the attack scenario of SGX.  
We evaluate to what extent different attacks on SGX can make use of the MONITOR/MWAIT side channel. If the needed hardware arrives in time, we will also analyze the new UMONITOR/UMWAIT, which allows the monitoring from user space.

15:00-15:30

Speaker: Philipp Zimmermann
Type of Talk: Bachelor Intro
Advisor: Dr. Yang Zhang
Title: Link Stealing Attacks on Inductive Trained Graph Neural Networks
Abstract:
Since nowadays graphs are a common way to store and visualize data, Machine Learning algorithms have been improved to directly operate on them.
In most cases the graph itself can be deemed confidential, since the owner of the data often spends much time and resources collecting and preparing the data.
In our work, we show, that so called inductive trained graph neural networks can reveal sensitive information about their training graph.
We focus on extracting information about the edges of the target graph by observing the predictions of the target model in so called link stealing attacks.
In prior work, He et al. proposed the first link stealing attacks on graph neural networks, focusing on the transductive learning setting.
More precisely, given a black box access to a graph neural network, they were able to predict, whether two nodes of a graph that was used for training the model, are linked or not.
In our work, we now focus on the inductive setting.
Specifically, given a black box access to a graph neural network model that was trained inductively, we aim to predict whether there exists a link between any two nodes of the training graph or not.

 

Dear All,

The next seminar takes place on 26.5. at 14:30.

Session A 14:30-15:30
Banji Olorundare - Lorenz Hetterich

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

 

Session A:

14:30-15:00

 

Speaker: Banji Olorundare.
Type of talk: Master Intro.
Supervisor: Prof. Dr. Andreas Zeller.
Advisor: Dr. Rahul Gopinath.
Title: Inferring Input Grammar from Binary Programs using String Inclusion
Abstract: Knowing the input language of a program is important for fuzzing. While
there are tools that learn an input language from a program with or without
samples, most of these tools rely on dynamic taints. However, obtaining dynamic
taints involves using instrumented binaries. Unfortunately, such instrumentation
may be unavailable in many cases. Hence, tracking information flow using dynamic
taint information can be challenging. This can be especially hard in stripped
binaries where no debug information is present.
In this work, we present a technique that can extract the grammar from a given
program. Our technique takes a binary program and a small set of sample inputs
and identifies the structural decomposition of the input using the string inclusion
technique.
The result of this process is context-free grammar that forms the complete input
specification of the program. In our evaluation, our prototype automatically
produces readable and structurally accurate grammars from different evaluation
subjects. The resulting grammars produced can be used as input in test generators
for comprehensive automated testing.

15:00-15:30

Speaker:
Lorenz Hetterich

Type of talk:
Bachelor Intro

Advisor:
Dr. Michael Schwarz

Title:
Spectre on IOS

Abstract:
Most CPU don't stall execution when they encounter control flow instructions, but use predictors to make educated guesses on the destination (e.g. whether a branch is taken or not).
This allows them to speculatively continue execution resulting in a major time save upon correct predictions.
On incorrect predictions, speculatively executed instructions are not retired, the pipeline is flushed, and execution continues at the correct destination.
Whilst speculatively executed instructions are not visible on an architectural level, they may leave microarchitectural traces that can be observed using a side-channel.
Spectre abuses this by miss-training predictors and observing microarchitectural state changes caused by speculative execution.
Even though research has been done on Spectre on most major platforms, IOS Mobile Devices have hardly received any attention.
We want to evaluate the primitives required for cache side-channels on IOS Devices and explore whether Spectre type attacks are practical.
This talk will give an overview of the building blocks for a simple Spectre attack and what difficulties we expect compared to other platforms.

 

Dear All,
 

Due to limited avaiability of the advisors we will sadly not be able to make a nice block of talks this week, so there will be a break in one of the blocks. If any of the participants still change their mind and want to opt for 14.30 please inform me ASAP at bamaseminar@cispa.saarland - I think this will greatly increase the chance that people will listen to your talks!
The next seminar(s) take place on 26.5. at 14:00/15:00

Session A 14:00-15:30: (break 14:30-15:00)
Dominic Troppman - Xaver Fabian

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B 15:00-15:30:
Abhilash Gupta

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Dominic Troppmann
Type of talk: Bachelor Intro    
Advisor: Dr. Ing. Cristian-Alexandru Staicu
Title: On the Prevalence of Native Extensions in Scripting Languages

Abstract:
Native extensions are modules written in low-level C/C++ code that one can conveniently invoke from higher-level scripting languages like JavaScript, Python, or Ruby. Using native extensions offers several benefits such as superior performance and access to functionality otherwise unavailable in these scripting languages. Unfortunately, they also allow developers to break certain safety guarantees present in the higher-level languages, such as memory- and crash-safety. Thus, if not implemented correctly, native extensions can quickly turn into a security risk, acting as a backdoor for entire categories of -particularly nasty- bugs and vulnerabilities. Examples include but are not limited to buffer overflows, use-after-free vulnerabilities, or even hard crashes, which would not occur under normal circumstances.
The main goal of this thesis is to measure the prevalence of native extensions in JavaScript, Python, and Ruby. Furthermore, we want to understand the role they play in the ecosystems surrounding these three languages. To this end, we aim to conduct a comprehensive study of npm, PyPI, and RubyGems, the three largest software ecosystems backing up the scripting languages mentioned above. To detect usage of native extensions APIs, we perform static analysis on each packages' source code. Finally, we will use this information in combination with package metadata to answer our research questions.
 

 

14:30-15:00

coffee break

 

 

15:00-15:30

Speaker: Xaver Fabian
Type of talk: Master Intro
Advisor: Prof. Jan Reineke und Dr. Marco Patrignani
Title: Detecting (more) Spectre vulnerabilities

Abstract:
Speculative Execution is an optimization technique of processors that gives a significant speed-up by
predicting the outcome of branching (and other) instructions and continues execution based on these predictions.
If a prediction was incorrect, the processor rolls back the effect of the speculated instructions on the CPU
architectural state, which consists of registers and main memory. However, side effects on the microarchitectural state,
e.g., cache content, are not rolled back.
The Spectre attacks demonstrated how an attacker can exploit the side effects of these speculatively-executed instructions
by abusing different prediction mechanisms of the CPU. Several tools were developed to automatically detect Spectre vulnerabilities,
but most tools can only detect up to one or two variants of Spectre.
We want to extend one of these tools, called Spectector, to detect more Spectre vulnerabilities.
In this talk, I give an overview of Spectre and explain how Spectector finds these speculative vulnerabilities.
I then present our approach to extending Spectector to support additional Spectre variants and give an outlook
of what further is possible with this extended version of the tool.

 

Session B:

14:00-14:30

no talk this week.

 

 

14:30-15:00

15:00-15:30

Speaker: Abhilash Gupta
Type of Talk: Master Intro
Advisor: Dr. Rahul Gopinath
Supervisor: Prof. Dr. Andreas Zeller
Title: Grammar Fuzzing Command lineutilities in Linux
Abstract: The execution of command-line (CLI) utilities is determined by both configuration options and arguments passed in its invocation. Configuration options activate specific code segments in the utility while arguments are the utility’s input. It is imperative to utilise both arguments and configuration options to fuzz these utilities.

We describe a method to integrate configuration options and arguments into the fuzzing process via the use of context-free grammars (CFG). We present a general technique that takes any utility and automatically constructs a readable CFG capturing the syntax of its invocation. We use these grammars in our fuzzing tool to fuzz command-line utilities to search for failures. We plan to evaluate the results obtained by our fuzzer and inspect its results with respect to previously observed fuzzing results.  We will also evaluate the coverage attained by our fuzzer compared to other fuzzing attempts on CLI utilities.

Dear All,
 

Please use this new page for your submissions from now on!
Hope you're all having a good semester.
The next seminar(s) take place on 12.5. at 14:00./14:30

Session A 14:00-15:00:
Pit Jost - Joshua Sonnet

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B 14:30-15:30:
Robin Gärtner - Bachir Bendrissou

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Pit Jost
Type of talk: Bachelor Final
Supervisor: Prof. Dr. Andreas Zeller
Advisor: Dr. Rafael Dutra
Title: Automated generation of format-aware Fuzzers using FormatFuzzer

Abstract: Fuzzing is an automated testing technique used to execute computer programs with a high number of automatically generated, often ill-formed inputs in order to trigger unexpected behavior such as hangs, crashes or undesired outputs which can be a sign for the presence of vulnerabilities that can be exploited. As file formats tend to be very complex, programs often validate the structure of their inputs at an early parsing stage. Randomly generated files will likely not match the expected structure, thus are discarded during this early stage. Due to this, purely random fuzzing only reaches low code coverage, making it inefficient.

In this thesis, the novel fuzzing technique FormatFuzzer is used. FormatFuzzer uses a structure-aware approach that works by compiling descriptions of binary file formats, referred to as binary templates, into executables that can be used to parse, generate and mutate binary files compliant to their respective format specifications. These binary templates contain all information required to generate and parse structurally valid files of a given format. The files generated by FormatFuzzer are expected to perform better than conventional fuzzing approaches, as due to their structure-awareness, the files are most likely to pass the parsing stage of a given program, thus reaching higher code coverage.

The main focus in this thesis will be on developing reliable binary templates in order to support formats for which no binary templates optimized for generation with FormatFuzzer exist. As a starting point, existing templates made publicly available by 010 Editor are used. These templates work fine for parsing, but are not intended for file generation, as they are missing important information about specific values that need to be present at specific positions in the generated files in order for them to be valid, such as magic bytes. To tackle this issue, this information is added to the existing templates. Furthermore, the process of developing binary templates will be facilitated for future work by the introduction of new features into the binary template language, by automating parts of the process or by using new procedures. The efficiency of the resulting templates will finally be evaluated, and the results will be compared with related work.

14:30-15:00

Speaker: Joshua Sonnet
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Towards Decentralised Access Control in Thread-based Home IoT

Abstract: With the ever-emerging smart home systems today, convenience is the main aspect for IoT (Internet of Things) devices. But this oftentimes excludes contextual factors for authorisation of the respective device. This includes policies like children should only be allowed to control the TV, when parents are nearby to supervise them on what they are watching or remotely controlled lights should only be allowed to be turned on when someone is present in that room.
The goal of this thesis is to implement an access control layer for IoT devices build on Thread. Due to it being a mesh powered network without a true central hub, the authorisation of each device will also be decentralised, s.t. each one will decide about its own access control policy. As Thread allows for concurrent application layers, this model will run beside Thread and the controlling application of the device.

 

 

15:00-15:30

No talk this week.

 

Session B:

14:00-14:30

no talk this week.

 

 

14:30-15:00

15:00-15:30

Speaker:          Bachir Bendrissou
Advisor: Rahul Gopinath, Andreas Zeller
Type of talk: Master Intro talk

Title: Sample-Free Blackbox Grammar Synthesis

Abstract:
Having a program input specification is crucial in various fields such as vulnerability analysis, reverse engineering, and software testing.  However, in many cases, a formal input specification may be un-available, incomplete, or obsolete. When the program source is available, one may be able to mine the input specification from the source code itself. However, when the source code is unavailable, a blackbox approach becomes necessary.

Unfortunately, blackbox approaches to learning context free grammars are bounded in theory, and was shown to be as hard as reversing RSA. Hence, general context-free grammar recovery is thought to be computationally hard. Glade is a recent blackbox grammar synthesizer, which claims it can recover an accurate context-free input grammar of any given subject using only a small set of seed inputs, and a general oracle able to distinguish between valid and invalid inputs. It also claims to be fast for all programs tested. While an implementation of GLADE is available, the input grammar is produced is in an undocumented format that is hard to reverse engineer. Furthermore, GLADE also uses custom parsers and fuzzers which are hard to verify.

This thesis attempts to first replicate GLADE independently by first implementing the GLADE algorithm in Python and using this implementation to verify the reported GLADE experiments, and further evaluate GLADE using new context-free grammars. This will provide us with precise information and insights about the limits and suitability of GLADE in diverse circumstances.

The second part of our thesis will extend GLADE by pairing it with our bFuzzer tool. Bfuzzer generates and monotonically extends syntactically valid input prefixes until it finds valid inputs. Hence, in this pairing, bFuzzer will provide the syntactically valid sample inputs that GLADE requires to infer the grammar. We will evaluate the combined fuzzer against diverse subjects.

Dear All,
 

Great that you found the new semesters page :)
The next seminar(s) take place on 28.4. at 14:00.

Session A 14:00-15:00:
Muhammad Bilal Latif - John Schmitt

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841
Kenncode: BT!u5=

Session B 14:00-15:00:
Peter Stolz - Marc Katz

https://cispa-de.zoom.us/j/99025989421?pwd=cWJIM29LYktsbStxTXlKUStZRi9MUT09

Meeting-ID: 990 2598 9421
Kenncode: 3mZyE$

Session A:

14:00-14:30 

Speaker: Muhammad Bilal Latif.
Type of talk: Master Intro.
Advisor: Dr. Ing. Cristian-Alexandru Staicu.
Title: Empirical Study of Full-Stack JavaScript Web Applications.
Abstract: Traditionally, most web applications were using Java or PHP on the server-side and JavaScript on the client-side. However, in recent years, we have seen a rise of interest in running JavaScript on the server-side as well, i.e., full-stack JavaScript web applications. The reason for this shift is multifold, e.g., uniform tools usage, easier skills transfer across the stack, etc. Recent work warns about the security practices in server-side JavaScript and in particular in its package manager, npm, supposedly the largest software ecosystem in the world.
However, judging the security of a given dependency in isolation is hard and it often leads to over-reporting security vulnerabilities. For example, let us consider the CVE-2019-1010266 vulnerability, which affects the method camelCase of the popular lodash package. In the associated bug report, it is speculated that an attacker can take advantage of the input to this method, without providing any empirical evidence, e.g., a GitHub project in which this is indeed possible. As a result of the issued CVE, all the clients of lodash were warned that they are at risk and that they should upgrade to the newest library version, independent of whether in their particular case, user input can reach the vulnerable method or even the package. To provide a more realistic view of the security of full-stack JavaScript web applications, one should consider the entire code of the application, i.e., client-side and server-side code together with third-party code.
The goal of this project is to perform an empirical study of open-source, full-stack JavaScript web applications. To this end, a testing infrastructure should be developed that allows both dynamic and static program analysis of realistic web applications. The infrastructure should be used to answer various research questions about (the security of) the analyzed web applications.

14:30-15:00

Speaker: John Schmitt
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Implementing Certificate Transparency Into Android Open Source Project

Abstract: To verify the identity of a web server, a web client has to rely on the validity of the provided certificate. As a result, web clients blindly trust in the integrity of the certificate authority to properly issue certificates. But what happens if a certificate authority is compromised, goes rogue, or issues flawed certificates? In case of such a certificate misissuance, certificate transparency helps by providing a secure append-only log that documents every certificate issuance and thus enforces accountability for certificate authorities. Mobile devices are a major source of network traffic to web servers. Additionally, Android currently holds the biggest market share of mobile operating systems but does not present any solution to a certificate transparency implementation. Our goal is to provide a proof of concept for an implementation of certificate transparency in the Android Open Source Project and make use of its benefits to protect Android users from certificate misissuance and thus man-in-the-middle attacks.

 

 

15:00-15:30

No talk this week.

 

Session B:

14:00-14:30

Speaker: Peter Stolz
Type of talk: Bachelor Intro
Advisor: Ben Stock
Title: To hash or not to hash
Abstract:
Content Security Policy (CSP) is a great way to mitigate Cross-site scripting (XSS) if used correctly. CSP has the experimental directive "unsafe-hashes" to whitelist certain inline event handlers and style attributes.
Before more browsers than chromium add support for it we want to analyse how many event handlers can be abused to trigger XSS if an attacker reuses them on a malicious tag.
This allows us to determine if it is a useful feature or if it should be abandoned because it implies a false sense of security for the most part.
How would the results change if we add a none to each tag, so an attacker can't inject arbitrary tags.

 

 

14:30-15:00

15:00-15:30

No talk this week.