Christoph Sendner

Chair of Software Engineering (Informatik II)
Department of Computer Science
University of Würzburg

Am Hubland, 97074, Würzburg, Germany
Informatikgebäude, 2.OG, Room B 203

E-Mail: christoph.sendner@uni-wuerzburg.de
Phone: +49 (931) 31 86863

Teaching

WS 2021/22

Ethical Hacking Lab Network
Seminar IT-Security

SS 2021

Ethical Hacking Lab Software
Seminar IT-Security

WS 2020/21

Ethical Hacking Lab Network

SS 2020

Ethical Hacking Lab Software
Seminar IT-Security

WS 2019/20

Exercises - Introduction to IT-Security
Seminar IT-Security

SS 2019

Exercises - Security of Software Systems
Seminar IT-Security
Ethical Hacking Lab Software

WS 2018/19

Exercises - Introduction to IT-Security

SS 2018

Exercises - Security of Software Systems

Research interests

Microarchitectural Attacks
Attacks on TEEs and others
Applied cryptography
Security in Software Systems

Projects

CROSSON

Publications

2024[ to top ]

Large-Scale Study of Vulnerability Scanners for Ethereum Smart Contracts. Sendner, Christoph; Petzi, Lukas; Stang, Jasper; Dmitrienko, Alexandra; in To appear in the IEEE Symposium on Security & Privacy (2024).
- [ BibTeX ]
- [ BibSonomy-Post ]
@article{sendner2024largescale, author = {Sendner, Christoph and Petzi, Lukas and Stang, Jasper and Dmitrienko, Alexandra}, journal = {To appear in the IEEE Symposium on Security & Privacy}, keywords = {lukaspetzi}, month = {05}, title = {Large-Scale Study of Vulnerability Scanners for Ethereum Smart Contracts}, year = 2024 }
MirageFlow: A New Bandwidth Inflation Attack on Tor. Sendner, Christoph; Stang, Jasper; Dmitrienko, Alexandra; Wijewickrama, Raveen; Jadliwala, Murtuza; in the Network and Distributed System Security Symposium (NDSS) (2024).
- [ BibTeX ]
- [ BibSonomy-Post ]
@article{sendner2024mirageflow, author = {Sendner, Christoph and Stang, Jasper and Dmitrienko, Alexandra and Wijewickrama, Raveen and Jadliwala, Murtuza}, journal = {the Network and Distributed System Security Symposium (NDSS)}, keywords = {sss-group}, title = {MirageFlow: A New Bandwidth Inflation Attack on Tor}, year = 2024 }

2023[ to top ]

Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study. Sendner, Christoph; Petzi, Lukas; Stang, Jasper; Dmitrienko, Alexandra; in ArXiv | arXiv:2312.16533 (2023).
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
@article{sendner2023vulnerability, author = {Sendner, Christoph and Petzi, Lukas and Stang, Jasper and Dmitrienko, Alexandra}, journal = {ArXiv | arXiv:2312.16533}, keywords = {lukaspetzi}, month = 12, title = {Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study}, year = 2023 }
TorMult: Introducing a Novel Tor Bandwidth Inflation Attack. Sendner, Christoph; Stang, Jasper; Dmitrienko, Alexandra; Wijewickrama, Raveen; Jadliwala, Murtuza; in ArXiv | arXiv.2307.08550 (2023).
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{sendner2023tormult, author = {Sendner, Christoph and Stang, Jasper and Dmitrienko, Alexandra and Wijewickrama, Raveen and Jadliwala, Murtuza}, journal = {ArXiv | arXiv.2307.08550}, keywords = {sss-group}, title = {TorMult: Introducing a Novel Tor Bandwidth Inflation Attack}, year = 2023 }
Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning. Sendner, Christoph; Chen, Huili; Fereidooni, Hossein; Petzi, Lukas; König, Jan; Stang, Jasper; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Koushanfar, Farinaz; in Network and Distributed System Security Symposium (NDSS) (2023).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@article{sendner2023smarter, author = {Sendner, Christoph and Chen, Huili and Fereidooni, Hossein and Petzi, Lukas and König, Jan and Stang, Jasper and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza and Koushanfar, Farinaz}, journal = {Network and Distributed System Security Symposium (NDSS)}, keywords = {lukaspetzi}, title = {Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning}, year = 2023 }
G-Scan: Graph Neural Networks for Line-Level Vulnerability Identification in Smart Contracts. Sendner, Christoph; Zhang, Ruisi; Hefter, Alexander; Dmitrienko, Alexandra; Koushanfar, Farinaz; in arXiv:2307.08549 (2023).
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{sendner2023gscan, author = {Sendner, Christoph and Zhang, Ruisi and Hefter, Alexander and Dmitrienko, Alexandra and Koushanfar, Farinaz}, journal = {arXiv:2307.08549}, keywords = {sss-group}, title = {G-Scan: Graph Neural Networks for Line-Level Vulnerability Identification in Smart Contracts}, year = 2023 }
Metadata-based Malware Detection on Android using Machine Learning. Hefter, Alexander; Sendner, Christoph; Dmitrienko, Alexandra; in ArXiv | arXiv.2307.08547 (2023).
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{noauthororeditormetadatabased, author = {Hefter, Alexander and Sendner, Christoph and Dmitrienko, Alexandra}, journal = {ArXiv | arXiv.2307.08547}, keywords = {sss-group}, title = {Metadata-based Malware Detection on Android using Machine Learning}, year = 2023 }

2022[ to top ]

Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations. Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in Cryptology ePrint Archive, Report 2022/875 (2022). (2022/875)
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{hagen2022contact, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, journal = {Cryptology ePrint Archive, Report 2022/875}, keywords = {security}, number = {2022/875}, publisher = {Cryptology ePrint}, title = {Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations}, year = 2022 }
Ransomware Detection in Databases through Dynamic Analysis of Query Sequences. Sendner, Christoph; Iffländer, Lukas; Schindler, Sebastian; Jobst, Michael; Dmitrienko, Alexandra; Kounev, Samuel; in IEEE Conference on Communications and Network Security (CNS) (2022).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@conference{sendner2022ransomware, author = {Sendner, Christoph and Iffländer, Lukas and Schindler, Sebastian and Jobst, Michael and Dmitrienko, Alexandra and Kounev, Samuel}, booktitle = {IEEE Conference on Communications and Network Security (CNS)}, keywords = {ransomware}, title = {Ransomware Detection in Databases through Dynamic Analysis of Query Sequences}, year = 2022 }
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations. Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in ACM Transactions on Privacy and Security (TOPS) (2022).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR” we can iterate through the entire world-wide mobile phone number space in < 150s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest. Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.

@article{hagen2022contact, abstract = {Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR” we can iterate through the entire world-wide mobile phone number space in < 150s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest. Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.}, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, journal = {ACM Transactions on Privacy and Security (TOPS)}, keywords = {security}, title = {Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations}, year = 2022 }

2021[ to top ]

ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning. Lutz, Oliver; Chen, Huili; Fereidooni, Hossein; Sendner, Christoph; Dmitrienko, Alexandra; Sadeghi, Ahmad Reza; Koushanfar, Farinaz; in ArXiv | arXiv:2103.12607v1 (2021).
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts can be and have already been exploited to gain enormous financial profits. It is thus an emerging yet crucial issue to detect vulnerabilities of different classes in contracts in an efficient manner. Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable, or train individual classifiers for each specific vulnerability, or demonstrate multi-class vulnerability detection without extensibility consideration. To overcome the scalability and generalization limitations of existing works, we propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for Ethereum smart contracts that support lightweight transfer learning on unseen security vulnerabilities, thus is extensible and generalizable. ESCORT leverages a multi-output NN architecture that consists of two parts: (i) A common feature extractor that learns the semantics of the input contract; (ii) Multiple branch structures where each branch learns a specific vulnerability type based on features obtained from the feature extractor. Experimental results show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract. When extended to new vulnerability types, ESCORT yields an average F1-score of 93%. To the best of our knowledge, ESCORT is the first framework that enables transfer learning on new vulnerability types with minimal modification of the DNN model architecture and re-training overhead.

@article{lutz2021escort, abstract = {Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts can be and have already been exploited to gain enormous financial profits. It is thus an emerging yet crucial issue to detect vulnerabilities of different classes in contracts in an efficient manner. Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable, or train individual classifiers for each specific vulnerability, or demonstrate multi-class vulnerability detection without extensibility consideration. To overcome the scalability and generalization limitations of existing works, we propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for Ethereum smart contracts that support lightweight transfer learning on unseen security vulnerabilities, thus is extensible and generalizable. ESCORT leverages a multi-output NN architecture that consists of two parts: (i) A common feature extractor that learns the semantics of the input contract; (ii) Multiple branch structures where each branch learns a specific vulnerability type based on features obtained from the feature extractor. Experimental results show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract. When extended to new vulnerability types, ESCORT yields an average F1-score of 93%. To the best of our knowledge, ESCORT is the first framework that enables transfer learning on new vulnerability types with minimal modification of the DNN model architecture and re-training overhead.}, author = {Lutz, Oliver and Chen, Huili and Fereidooni, Hossein and Sendner, Christoph and Dmitrienko, Alexandra and Sadeghi, Ahmad Reza and Koushanfar, Farinaz}, journal = {ArXiv | arXiv:2103.12607v1}, keywords = {cryptography}, month = {03}, title = {ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning}, year = 2021 }
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers. Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in Network and Distributed System Security Symposium (NDSS) (2021).
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.

@inproceedings{DBLP:conf/ndss/2021, abstract = {Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.}, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, booktitle = {Network and Distributed System Security Symposium (NDSS)}, keywords = {dblp}, month = {02}, publisher = {The Internet Society}, title = {All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers}, year = 2021 }
Sound Smart Contract Security Testing with Just One Tool. Dmitrienko, Alexandra; Chen, Huili; Fereidooni, Hossein; Sendner, Christoph; Sadeghi, Ahmad-Reza; Koushanfar, Farinaz; in CyberSec&AI 2021 (2021).
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
@conference{dmitrienko2021sound, author = {Dmitrienko, Alexandra and Chen, Huili and Fereidooni, Hossein and Sendner, Christoph and Sadeghi, Ahmad-Reza and Koushanfar, Farinaz}, booktitle = {CyberSec&AI 2021}, keywords = {sss-group}, title = {Sound Smart Contract Security Testing with Just One Tool}, year = 2021 }

2020[ to top ]

All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers. Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in Cryptology ePrint Archive, Report 2020/1119 (2020).
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{cryptoeprint:2020:1119, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, journal = {Cryptology ePrint Archive, Report 2020/1119}, keywords = {security}, month = {09}, title = {All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers}, year = 2020 }
Evaluating the Privacy of Contact Discovery. Sendner, Christoph; Thesis; Master Thesis. (2020, July).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.

@mastersthesis{sendner2020contactdiscovery, abstract = {Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.}, author = {Sendner, Christoph}, keywords = {sss-group}, month = {07}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Evaluating the Privacy of Contact Discovery}, type = {Master Thesis}, year = 2020 }