Christoph Sendner

Chair of Software Engineering (Informatik II)
Department of Computer Science
University of Würzburg

Am Hubland, 97074 Würzburg

Informatikgebäude, 1.OG, Room A117

E-Mail: christoph.sendner@uni-wuerzburg.de
Phone: +49 (931) 31 86863

Teaching

WS 2021/22

Ethical Hacking Lab Network
Seminar IT-Security

SS 2021

Ethical Hacking Lab Software
Seminar IT-Security

WS 2020/21

Ethical Hacking Lab Network

SS 2020

Ethical Hacking Lab Software
Seminar IT-Security

WS 2019/20

Exercises - Introduction to IT-Security
Seminar IT-Security

SS 2019

Exercises - Security of Software Systems
Seminar IT-Security
Ethical Hacking Lab Software

WS 2018/19

Exercises - Introduction to IT-Security

SS 2018

Exercises - Security of Software Systems

Research interests

Microarchitectural Attacks

Attacks on TEEs and others

Applied cryptography

Security in Software Systems

Publications

2023[ to top ]

Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning Sendner, Christoph; Chen, Huili; Fereidooni, Hossein; Petzi, Lukas; König, Jan; Stang, Jasper; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Koushanfar, Farinaz; in To appear at the Network and Distributed System Security Symposium (NDSS) (2023).
- [ BibTeX ]
- [ BibSonomy-Post ]
@article{sendner2023smarter, author = {Sendner, Christoph and Chen, Huili and Fereidooni, Hossein and Petzi, Lukas and König, Jan and Stang, Jasper and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza and Koushanfar, Farinaz}, journal = {To appear at the Network and Distributed System Security Symposium (NDSS)}, keywords = {myown}, title = {Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning}, year = 2023 }

2022[ to top ]

Ransomware Detection in Databases through Dynamic Analysis of Query Sequences Sendner, Christoph; Iffländer, Lukas; Schindler, Sebastian; Jobst, Michael; Dmitrienko, Alexandra; Kounev, Samuel; in 2022 IEEE Conference on Communications and Network Security (CNS) (2022).
- [ BibTeX ]
- [ BibSonomy-Post ]
@conference{sendner2022ransomware, author = {Sendner, Christoph and Iffländer, Lukas and Schindler, Sebastian and Jobst, Michael and Dmitrienko, Alexandra and Kounev, Samuel}, booktitle = {2022 IEEE Conference on Communications and Network Security (CNS)}, keywords = {security}, title = {Ransomware Detection in Databases through Dynamic Analysis of Query Sequences}, year = 2022 }
Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in ACM Transactions on Privacy and Security (TOPS) (2022).
- [ Abstract ]
- [ BibTeX ]
- [ BibSonomy-Post ]
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR” we can iterate through the entire world-wide mobile phone number space in < 150s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest. Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.

@article{hagen2022contact, abstract = {Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods and propose suitable mitigations. Our study of three popular messengers (WhatsApp, Signal, and Telegram) shows that large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Furthermore, we demonstrate that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal. Most notably, we show that with the password cracking tool “JTR” we can iterate through the entire world-wide mobile phone number space in < 150s on a consumer-grade GPU. We also propose a significantly improved rainbow table construction for non-uniformly distributed input domains that is of independent interest. Regarding mitigations, we most notably propose two novel rate-limiting schemes: our incremental contact discovery for services without server-side contact storage strictly improves over Signal’s current approach while being compatible with private set intersection, whereas our differential scheme allows even stricter rate limits at the overhead for service providers to store a small constant-size state that does not reveal any contact information.}, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, journal = {ACM Transactions on Privacy and Security (TOPS)}, keywords = {sss-group}, title = {Contact Discovery in Mobile Messengers: Low-cost Attacks, Quantitative Analyses, and Efficient Mitigations}, year = 2022 }

2021[ to top ]

ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning Lutz, Oliver; Chen, Huili; Fereidooni, Hossein; Sendner, Christoph; Dmitrienko, Alexandra; Sadeghi, Ahmad Reza; Koushanfar, Farinaz; in ArXiv | arXiv:2103.12607v1 (2021).
- [ Abstract ]
- [ BibTeX ]
- [ BibSonomy-Post ]
Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts can be and have already been exploited to gain enormous financial profits. It is thus an emerging yet crucial issue to detect vulnerabilities of different classes in contracts in an efficient manner. Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable, or train individual classifiers for each specific vulnerability, or demonstrate multi-class vulnerability detection without extensibility consideration. To overcome the scalability and generalization limitations of existing works, we propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for Ethereum smart contracts that support lightweight transfer learning on unseen security vulnerabilities, thus is extensible and generalizable. ESCORT leverages a multi-output NN architecture that consists of two parts: (i) A common feature extractor that learns the semantics of the input contract; (ii) Multiple branch structures where each branch learns a specific vulnerability type based on features obtained from the feature extractor. Experimental results show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract. When extended to new vulnerability types, ESCORT yields an average F1-score of 93%. To the best of our knowledge, ESCORT is the first framework that enables transfer learning on new vulnerability types with minimal modification of the DNN model architecture and re-training overhead.

@article{lutz2021escort, abstract = {Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts can be and have already been exploited to gain enormous financial profits. It is thus an emerging yet crucial issue to detect vulnerabilities of different classes in contracts in an efficient manner. Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable, or train individual classifiers for each specific vulnerability, or demonstrate multi-class vulnerability detection without extensibility consideration. To overcome the scalability and generalization limitations of existing works, we propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for Ethereum smart contracts that support lightweight transfer learning on unseen security vulnerabilities, thus is extensible and generalizable. ESCORT leverages a multi-output NN architecture that consists of two parts: (i) A common feature extractor that learns the semantics of the input contract; (ii) Multiple branch structures where each branch learns a specific vulnerability type based on features obtained from the feature extractor. Experimental results show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract. When extended to new vulnerability types, ESCORT yields an average F1-score of 93%. To the best of our knowledge, ESCORT is the first framework that enables transfer learning on new vulnerability types with minimal modification of the DNN model architecture and re-training overhead.}, author = {Lutz, Oliver and Chen, Huili and Fereidooni, Hossein and Sendner, Christoph and Dmitrienko, Alexandra and Sadeghi, Ahmad Reza and Koushanfar, Farinaz}, journal = {ArXiv | arXiv:2103.12607v1}, keywords = {security}, month = {mar}, title = {ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep Neural Network and Transfer Learning}, year = 2021 }
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers Hagen, Christoph; Weinert, Christian; Sendner, Christoph; Dmitrienko, Alexandra; Schneider, Thomas; in Network and Distributed System Security Symposium (NDSS) (2021).
- [ Abstract ]
- [ BibTeX ]
- [ BibSonomy-Post ]
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.

@inproceedings{DBLP:conf/ndss/2021, abstract = {Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.}, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, booktitle = {Network and Distributed System Security Symposium (NDSS)}, keywords = {myown}, publisher = {The Internet Society}, title = {All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers}, year = 2021 }

2020[ to top ]

Evaluating the Privacy of Contact Discovery Sendner, Christoph; Thesis; University of Würzburg. (2020, July).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.

@mastersthesis{sendner2020contactdiscovery, abstract = {Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.}, author = {Sendner, Christoph}, keywords = {thesis_supervised_by_SSS_member}, month = {July}, school = {University of W{\"u}rzburg}, title = {Evaluating the Privacy of Contact Discovery}, type = {Master Thesis}, year = 2020 }