Theses/Practicum

Bachelor Thesis / Master Thesis / Master Practicum

The following topics are available at SS 25

Security of Systems and Protocols

(Master Thesis) Three times the charm - Implementation of FPGA-based Fuzzing against CPU Simulation Software [Contact Person: Melanie]

(Practicum / Bachelor/ Master Thesis) Guide the Blind: RL/LLM-Guided Fuzzing of eBPF Runtimes [Contact Person: Melanie]

(Practicum / Bachelor/ Master Thesis) LLMs for Intelligent Network Protocol Implementation Fuzzing [Contact Person: Melanie]

Application of AI for Improving Security

(Master Thesis) Securing Software Systems with Graph Clustering: Towards Automated Compartmentalization [Contact Person: Melanie]

(Practicum) LLM-Based Agentic RAG for Automated Program Repair and Security Vulnerability Fixes [Contact Person: Varun]

(Practicum) RESTing LLAMA: LLM-based REST API Fuzzing [Contact Person: Varun]

Improving the Security of Machine Learning

(Master Thesis) Countering LLM Jailbreaks - Improving LLM Safety Allignment via Parameter Entanglement [Contact Person: Torsten]

(Master Thesis) Forget About This! - Removing Tasks from Large Language Models [Contact Person: Torsten]

(Practicum) Evaluation of Siamese Networks for Quality Insurance in the Image Domain [Contact Person: Torsten]

(Practicum/ Bachelor Thesis) MatreshkaNN: Hide Multiple AI Models within Each Other [Contact Person: Torsten]

(Bachelor/ Master Thesis) Similarity-Preserving Hash Functions for Prediction Trust Scoring of AI Models [Contact Person: Torsten]

(Master Thesis) The Space of Language: Fuzzing LLMs for Defects [Contact Person: Varun]

(Bachelor/ Master Thesis) Semantically-Aligned Poisoning attack on LLM-RAG Systems [Contact Person: Varun]

(Master Thesis) Inception: Email Phishing for LLM RAG Injection [Contact Person: Melanie]

Contact

If you are interested in the topics above, please contact the respective group member mentioned above via E-mail..

Please note that some topics advertised as a master thesis may also be suitable for a bachelor thesis with some modifications. You may also propose topics of your own choosing.

Past Theses written by our Students

2024[ to top ]

SPOQchain: Platform for Secure, Scalable, and Privacy-preserving Supply Chain Tracing and Counterfeit Protection. Finke, Moritz; Thesis; Master Thesis. (2024, June).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Product counterfeiting continues to cause damage for the global economy and poses consid- erable safety risks for consumers. The need for automated product verification systems is emphasized exemplarily by Customer-to-Customer (C2C) platforms that deal with prod- ucts of unknown origin and currently require significant additional work to verify the authenticity of incoming goods. To address the lack of trustworthy central instances and limited traceability within supply chains, several systems for product tracing have been proposed in recent years that employ blockchain technology. In some approaches, product identification is additionally secured through Physical Unclonable Functions (PUFs) that cannot be copied by counterfeiters. While the use of blockchain offers increased trust, it is also associated with considerable performance losses and increased transparency, limiting global deployments and risking the privacy of its users users. This work presents SPOQchain, a novel platform for the management of product lifecycles and counterfeit detection. With SPOQchain, a scalable, more efficient use of blockchains is achieved through the intelligent batching of individual products. By covering the entire lifecycle, SPOQchain can not only be used for tracing within supply chains but also for securing C2C relations. Users retain their privacy and decide autonomously over passing on product data. SPOQchain allows the physical verification by means of any desired PUF and incorporates current advancements that enable more efficient verification using Zero Knowledge (ZK) proofs. With this work, the architecture of SPOQchain is specified and compared with existing approaches. Furthermore, different operational modes of SPOQchain are discussed and its implementation as a software library, decentralized client, and backend system is de- scribed. Finally, the system’s security aspects are discussed in regard to potential attacks. Furthermore, the impact on user privacy and the performance of the utilized blockchain are evaluated. It is shown that SPOQchain is a beneficial solution for supply chain par- ticipants, end customers, etc., and that it enables insights into product lifecycles with minimal effort.

@mastersthesis{finke2024spoqchain, abstract = {Product counterfeiting continues to cause damage for the global economy and poses consid- erable safety risks for consumers. The need for automated product verification systems is emphasized exemplarily by Customer-to-Customer (C2C) platforms that deal with prod- ucts of unknown origin and currently require significant additional work to verify the authenticity of incoming goods. To address the lack of trustworthy central instances and limited traceability within supply chains, several systems for product tracing have been proposed in recent years that employ blockchain technology. In some approaches, product identification is additionally secured through Physical Unclonable Functions (PUFs) that cannot be copied by counterfeiters. While the use of blockchain offers increased trust, it is also associated with considerable performance losses and increased transparency, limiting global deployments and risking the privacy of its users users. This work presents SPOQchain, a novel platform for the management of product lifecycles and counterfeit detection. With SPOQchain, a scalable, more efficient use of blockchains is achieved through the intelligent batching of individual products. By covering the entire lifecycle, SPOQchain can not only be used for tracing within supply chains but also for securing C2C relations. Users retain their privacy and decide autonomously over passing on product data. SPOQchain allows the physical verification by means of any desired PUF and incorporates current advancements that enable more efficient verification using Zero Knowledge (ZK) proofs. With this work, the architecture of SPOQchain is specified and compared with existing approaches. Furthermore, different operational modes of SPOQchain are discussed and its implementation as a software library, decentralized client, and backend system is de- scribed. Finally, the system’s security aspects are discussed in regard to potential attacks. Furthermore, the impact on user privacy and the performance of the utilized blockchain are evaluated. It is shown that SPOQchain is a beneficial solution for supply chain par- ticipants, end customers, etc., and that it enables insights into product lifecycles with minimal effort.}, author = {Finke, Moritz;}, keywords = {sssgroup}, month = {06}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {SPOQchain: Platform for Secure, Scalable, and Privacy-preserving Supply Chain Tracing and Counterfeit Protection}, year = 2024 }
Kako: Mirai’s Vaccine Using Worm-Like Propagation Methods To Immunize Devices. Hack, Felix; Thesis; Bachelor Thesis. (2024, January).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
In 2016, multiple large Distributed Denial of Service (DDoS) attacks were observed and attributed to a new botnet called Mirai [1]. Instead of personal computers and mobile devices, Mirai targets Internet of Things (IoT) devices like routers and surveillence cam- eras. As these devices are often equipped with insecure credentials by default [2], Mirai features a scanner component to identify devices and target them with a dictionary attack of common logins to gain access to those devices. This poses a threat, as many traditional methods of securing devices are not applicable to IoT, due to their limitations in com- puting power and memory [3]. White-hat approaches were proposed, based on the idea of infecting devices with a benign Mirai, which protects these devices against malicious variants [4]. However, there is a potential danger that users will not be able to access their devices after being protected with a white-hat. In this thesis, we present Kako, our proposed solution for a white-hat Mirai, which aims to address the issue of locking users out of their devices, while ensuring device security. Kako introduces a web-based dashboard that will list all vulnerable devices connected. When Kako is loaded onto a device with insecure credentials, they are automatically changed to secure it. The new login information can then be retrieved from the dashboard, among other data collected, such as the Medium Access Control (MAC) address and the Linux kernel version. The device manufacturer is automatically determined to make recognizing devices easier. Our approach was evaluated in a virtual environment and confirmed to be effective, as machines can no longer be infected with Mirai after being secured with Kako. It is also shown how Mirai’s scanning component can still be used with Kako to automatically secure vulnerable devices. We believe that Kako can be used and extended in further research, to also protect devices from newer incarnations of Mirai and similar botnets.

@mastersthesis{hack2024mirais, abstract = {In 2016, multiple large Distributed Denial of Service (DDoS) attacks were observed and attributed to a new botnet called Mirai [1]. Instead of personal computers and mobile devices, Mirai targets Internet of Things (IoT) devices like routers and surveillence cam- eras. As these devices are often equipped with insecure credentials by default [2], Mirai features a scanner component to identify devices and target them with a dictionary attack of common logins to gain access to those devices. This poses a threat, as many traditional methods of securing devices are not applicable to IoT, due to their limitations in com- puting power and memory [3]. White-hat approaches were proposed, based on the idea of infecting devices with a benign Mirai, which protects these devices against malicious variants [4]. However, there is a potential danger that users will not be able to access their devices after being protected with a white-hat. In this thesis, we present Kako, our proposed solution for a white-hat Mirai, which aims to address the issue of locking users out of their devices, while ensuring device security. Kako introduces a web-based dashboard that will list all vulnerable devices connected. When Kako is loaded onto a device with insecure credentials, they are automatically changed to secure it. The new login information can then be retrieved from the dashboard, among other data collected, such as the Medium Access Control (MAC) address and the Linux kernel version. The device manufacturer is automatically determined to make recognizing devices easier. Our approach was evaluated in a virtual environment and confirmed to be effective, as machines can no longer be infected with Mirai after being secured with Kako. It is also shown how Mirai’s scanning component can still be used with Kako to automatically secure vulnerable devices. We believe that Kako can be used and extended in further research, to also protect devices from newer incarnations of Mirai and similar botnets.}, author = {Hack, Felix}, keywords = {sssgroup}, month = {01}, publisher = {Bachelor Thesis}, title = {Kako: Mirai’s Vaccine Using Worm-Like Propagation Methods To Immunize Devices}, year = 2024 }
PUF-Based Device-to-Device Authentication in IoT without Trusted Intermediaries. Petzi, Lukas; Thesis; Master Thesis. (2024, February).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
The Internet of Things (IoT) signifies a revolutionary shift wherein everyday objects are embedded with sensors, software, and connectivity capabilities, allowing them to communicate and exchange data with other devices and systems across the Internet. As these devices continuously collect and exchange data, and act upon the information received, the authentication of devices within our networks becomes crucial to prevent malicious actors from breaching the network. While sophisticated hardware security architectures like Intel SGX or Trusted Platform Modules are available for more powerful devices like laptops or smartphones, their cost often makes them impractical for the typically budgetsensitive IoT device manufacturers. As a result, IoT devices frequently rely on storing confidential information in non-volatile memory, which, as studies have shown, can be vulnerable to physical attacks thereby compromising device security. Physical Unclonable Functions (PUFs) present a cost-effective solution by generating a unique response, or ”hardware fingerprint,” to a given stimulus (challenge) based on the natural variations in electronic hardware components during manufacturing. This fingerprint, generated on demand and not stored on the device, remains secure against adversaries attempting to access non-volatile memory. Although previous research has demonstrated the utility of PUFs for device authentication, these methods often depend on a trusted verifier storing significant amounts of confidential data, a requirement that limits the ability of low-end IoT devices to act as verifiers and raises the risk of impersonation attacks if the verifier is compromised. In this thesis, we introduce and examine three distinct PUF-based authentication schemes. Each scheme is designed to facilitate secure authentication between two parties that do not trust each other. A key feature of these approaches is their reliance solely on public information, eliminating the need for verifiers to store any sensitive data. This crucial aspect not only removes the storage burden from the verifier but also prevents a potentially malicious verifier from impersonating the provers. The methods developed are (1) ZK-PUF, a system that enables PUF-based authentication using zero-knowledge proofs, (2) PAVOC, which guarantees secure authentication using one-way hash chains, and (3) PAWOS, which uses the concept of cryptographic one-time signatures for authentication. Each strategy is based on different design principles that meet different security and operational requirements. They have been tested on IoT development boards with limited resources and have proven their efficiency even with limited computing power while protecting against non-volatile memory attacks and network-level adversaries.

@mastersthesis{petzi2024pufbased, abstract = {The Internet of Things (IoT) signifies a revolutionary shift wherein everyday objects are embedded with sensors, software, and connectivity capabilities, allowing them to communicate and exchange data with other devices and systems across the Internet. As these devices continuously collect and exchange data, and act upon the information received, the authentication of devices within our networks becomes crucial to prevent malicious actors from breaching the network. While sophisticated hardware security architectures like Intel SGX or Trusted Platform Modules are available for more powerful devices like laptops or smartphones, their cost often makes them impractical for the typically budgetsensitive IoT device manufacturers. As a result, IoT devices frequently rely on storing confidential information in non-volatile memory, which, as studies have shown, can be vulnerable to physical attacks thereby compromising device security. Physical Unclonable Functions (PUFs) present a cost-effective solution by generating a unique response, or ”hardware fingerprint,” to a given stimulus (challenge) based on the natural variations in electronic hardware components during manufacturing. This fingerprint, generated on demand and not stored on the device, remains secure against adversaries attempting to access non-volatile memory. Although previous research has demonstrated the utility of PUFs for device authentication, these methods often depend on a trusted verifier storing significant amounts of confidential data, a requirement that limits the ability of low-end IoT devices to act as verifiers and raises the risk of impersonation attacks if the verifier is compromised. In this thesis, we introduce and examine three distinct PUF-based authentication schemes. Each scheme is designed to facilitate secure authentication between two parties that do not trust each other. A key feature of these approaches is their reliance solely on public information, eliminating the need for verifiers to store any sensitive data. This crucial aspect not only removes the storage burden from the verifier but also prevents a potentially malicious verifier from impersonating the provers. The methods developed are (1) ZK-PUF, a system that enables PUF-based authentication using zero-knowledge proofs, (2) PAVOC, which guarantees secure authentication using one-way hash chains, and (3) PAWOS, which uses the concept of cryptographic one-time signatures for authentication. Each strategy is based on different design principles that meet different security and operational requirements. They have been tested on IoT development boards with limited resources and have proven their efficiency even with limited computing power while protecting against non-volatile memory attacks and network-level adversaries.}, author = {Petzi, Lukas}, keywords = {lukaspetzi}, month = {02}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {PUF-Based Device-to-Device Authentication in IoT without Trusted Intermediaries}, year = 2024 }

2023[ to top ]

Email Discovery in Modern Applications. Pastukh, Andrii; Thesis; Bachelor Thesis. (2023, July).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Email Discovery and Contact Discovery are processes that allow a user to find out which contacts from his phone book are using the same service. In the first case, the email address is used as an identifier, and in the second, the phone number. However, these processes come with privacy vulnerabilities that need to be addressed. One significant vulnerability is the potential for uploading all contacts and data of individuals who have not explicitly given permission for their information to be shared. When a user grants access to their phone book or contact list to a service, the people listed in their contacts have not necessarily consented to their data being uploaded to the server. This problem opens up the possibility of unauthorized access to sensitive data by third parties or even employees of the service provider. Data leaks and server attacks are also potential risks. Additionally, enumeration and crawling attacks pose threats by exploiting the ability to access data from a user’s phone book during the Email or Contact Discovery process. The danger of crawling attacks lies in the fact that they can be carried out without requiring special equipment or in-depth knowledge of the process for each specific service. As shown in the previous work, almost all modern instant messengers that use Contact Discovery are vulnerable to such crawling attacks. The purpose of our work is to study the possibility of carrying out crawling attacks on services that use an email address as an identifier, i.e., applications using Email Discovery. We consider instant messengers, job search applications, as well as gaming platforms and other applications. Our work shows that there are three applications using Email Discovery that turned out to be vulnerable to such crawling attacks: Xing, LinkedIn, and Google Contacts. To do this, we generate millions of email addresses that are then uploaded to the services to get information about whether the user is registered and to discover what data we can get with this information. The attacks carried out manually on the LinkedIn and Xing services proved to be ineffective primarily due to the implementation of Rate Limits. These limits restrict the number of requests allowed within a specific time frame, thereby hindering the success of our attacks. Additionally, the inclusion of user IP Address verification further contributed to the inability to extract user data successfully. As a result, the outcome of our attacks yielded insufficient results in terms of accessing and retrieving user data. The attack on the Google Contacts application shows the most devastating results. We develop a crawler, which allowed us to carry out a major crawling attack on this application. As a result, we are able to check 3046656 generated contacts. We also find that there are no Rate Limits enforced by Google to prevent such attacks. Thus, we show that, using a regular user PC, it is possible to carry out a crawling attack and find out such personal data of users as first name, last name, photo, links to other social networks, as well as online status. Furthermore, we analyze existing methods for protecting the Email Discovery process and propose privacy enhancements for the Google Contacts service.

@mastersthesis{pastukh2023email, abstract = {Email Discovery and Contact Discovery are processes that allow a user to find out which contacts from his phone book are using the same service. In the first case, the email address is used as an identifier, and in the second, the phone number. However, these processes come with privacy vulnerabilities that need to be addressed. One significant vulnerability is the potential for uploading all contacts and data of individuals who have not explicitly given permission for their information to be shared. When a user grants access to their phone book or contact list to a service, the people listed in their contacts have not necessarily consented to their data being uploaded to the server. This problem opens up the possibility of unauthorized access to sensitive data by third parties or even employees of the service provider. Data leaks and server attacks are also potential risks. Additionally, enumeration and crawling attacks pose threats by exploiting the ability to access data from a user’s phone book during the Email or Contact Discovery process. The danger of crawling attacks lies in the fact that they can be carried out without requiring special equipment or in-depth knowledge of the process for each specific service. As shown in the previous work, almost all modern instant messengers that use Contact Discovery are vulnerable to such crawling attacks. The purpose of our work is to study the possibility of carrying out crawling attacks on services that use an email address as an identifier, i.e., applications using Email Discovery. We consider instant messengers, job search applications, as well as gaming platforms and other applications. Our work shows that there are three applications using Email Discovery that turned out to be vulnerable to such crawling attacks: Xing, LinkedIn, and Google Contacts. To do this, we generate millions of email addresses that are then uploaded to the services to get information about whether the user is registered and to discover what data we can get with this information. The attacks carried out manually on the LinkedIn and Xing services proved to be ineffective primarily due to the implementation of Rate Limits. These limits restrict the number of requests allowed within a specific time frame, thereby hindering the success of our attacks. Additionally, the inclusion of user IP Address verification further contributed to the inability to extract user data successfully. As a result, the outcome of our attacks yielded insufficient results in terms of accessing and retrieving user data. The attack on the Google Contacts application shows the most devastating results. We develop a crawler, which allowed us to carry out a major crawling attack on this application. As a result, we are able to check 3046656 generated contacts. We also find that there are no Rate Limits enforced by Google to prevent such attacks. Thus, we show that, using a regular user PC, it is possible to carry out a crawling attack and find out such personal data of users as first name, last name, photo, links to other social networks, as well as online status. Furthermore, we analyze existing methods for protecting the Email Discovery process and propose privacy enhancements for the Google Contacts service.}, author = {Pastukh, Andrii}, keywords = {sssgroup}, month = {07}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Email Discovery in Modern Applications}, type = {Bachelor Thesis}, year = 2023 }
Ensuring Integrity of NVMe Offloaded Data in Large-Scale Machine Learning. Götz, Raphael; Thesis; Master Thesis. (2023, January).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Machine learning is increasingly used in security-critical domains and therefore has become an attractive target for attackers. In a targeted poisoning attack, the machine learning model is trained to behave normally on benign input, however, when a certain trigger is present in the input, an attacker-chosen misbehavior is triggered. At the same time, neural networks are constantly increasing in size, especially in the natural language processing domain, because more parameters can achieve higher accuracy. In recent years, there have been impressive innovations that have led to networks such as the Megatron-Turing NLG 530B with 530 billion parameters. DeepSpeed is an open-source deep learning optimization library that enables the training of such large networks. One of many innovations it implements is a Non-Volatile Memory Express (NVMe) offload that increases memory efficiency by moving data from expensive GPU and CPU memory to cheap NVMe memory. However, this mechanism opens a potential attack surface that could be exploited to perform poisoning attacks. Therefore, this thesis investigates the security of the NVMe offload mechanism and improves it. To achieve this, first, untargeted poisoning attack scenarios are tested to show that the NVMe offload is actually vulnerable. Then a security extension, able to guarantee the integrity and freshness of the data offloaded to the NVMe is designed and extensively evaluated. During this process, various trade-offs between security and performance impact are carefully considered through the implementation and benchmarking of several different versions of the extension. Based on the experimental results, the security extension is then further improved. Furthermore, this thesis also investigates if multithreading and the use of previously generated hash tables can reduce the performance impact.

@mastersthesis{gotz2023ensuring, abstract = {Machine learning is increasingly used in security-critical domains and therefore has become an attractive target for attackers. In a targeted poisoning attack, the machine learning model is trained to behave normally on benign input, however, when a certain trigger is present in the input, an attacker-chosen misbehavior is triggered. At the same time, neural networks are constantly increasing in size, especially in the natural language processing domain, because more parameters can achieve higher accuracy. In recent years, there have been impressive innovations that have led to networks such as the Megatron-Turing NLG 530B with 530 billion parameters. DeepSpeed is an open-source deep learning optimization library that enables the training of such large networks. One of many innovations it implements is a Non-Volatile Memory Express (NVMe) offload that increases memory efficiency by moving data from expensive GPU and CPU memory to cheap NVMe memory. However, this mechanism opens a potential attack surface that could be exploited to perform poisoning attacks. Therefore, this thesis investigates the security of the NVMe offload mechanism and improves it. To achieve this, first, untargeted poisoning attack scenarios are tested to show that the NVMe offload is actually vulnerable. Then a security extension, able to guarantee the integrity and freshness of the data offloaded to the NVMe is designed and extensively evaluated. During this process, various trade-offs between security and performance impact are carefully considered through the implementation and benchmarking of several different versions of the extension. Based on the experimental results, the security extension is then further improved. Furthermore, this thesis also investigates if multithreading and the use of previously generated hash tables can reduce the performance impact.}, author = {Götz, Raphael}, keywords = {sssgroup}, month = {01}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Ensuring Integrity of NVMe Offloaded Data in Large-Scale Machine Learning}, type = {Master Thesis}, year = 2023 }
Gamification of Ethical Hacking Lab. Schraud, Johannes; Thesis; Bachelor Thesis. (2023, February).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Education is an important topic. Increasing the effectiveness and efficiency of conveying knowledge is interesting for schools of all kinds, in the professional world, but also in the private sector. In this paper, we deal with this highly important topic. Thus, we implement a promising approach for improving education called gamification, for the module Ethical Hacking Lab (EHL) of the Secure Software Systems Group of the Julius-Maximilians- University of Wuerzburg. Summarized into one sentence, in this paper we improve the EHL through gamification in the form of a so-called Capture The Flag (CTF) project. Specifically, on the one hand, we develop a CTF framework to provide and administer exercises. The framework also allows the integration of virtual laboratory environments. Furthermore, it contains statistics and various game elements to promote the game char- acteristics and to motivate the participants. On the other hand, we develop virtual laboratory environments for the binary exploitation exercises of the EHL. Hereby, we aim to further motivate and engage the participants by enabling an actual execution of their developed exploits against a virtual target. In addition, our laboratory environments relieve the participants from tedious setup tasks, as well as the tutors of the EHL from the manual correction of the submitted solutions. Furthermore, we integrate all other exercises of the EHL into our CTF framework. We implement this by extracting and integrating various questions about the exercises. By developing and executing detailed test plans, we ultimately ensure proper functionality of the CTF project.

@mastersthesis{schraud2023gamification, abstract = {Education is an important topic. Increasing the effectiveness and efficiency of conveying knowledge is interesting for schools of all kinds, in the professional world, but also in the private sector. In this paper, we deal with this highly important topic. Thus, we implement a promising approach for improving education called gamification, for the module Ethical Hacking Lab (EHL) of the Secure Software Systems Group of the Julius-Maximilians- University of Wuerzburg. Summarized into one sentence, in this paper we improve the EHL through gamification in the form of a so-called Capture The Flag (CTF) project. Specifically, on the one hand, we develop a CTF framework to provide and administer exercises. The framework also allows the integration of virtual laboratory environments. Furthermore, it contains statistics and various game elements to promote the game char- acteristics and to motivate the participants. On the other hand, we develop virtual laboratory environments for the binary exploitation exercises of the EHL. Hereby, we aim to further motivate and engage the participants by enabling an actual execution of their developed exploits against a virtual target. In addition, our laboratory environments relieve the participants from tedious setup tasks, as well as the tutors of the EHL from the manual correction of the submitted solutions. Furthermore, we integrate all other exercises of the EHL into our CTF framework. We implement this by extracting and integrating various questions about the exercises. By developing and executing detailed test plans, we ultimately ensure proper functionality of the CTF project.}, author = {Schraud, Johannes}, keywords = {sssgroup}, month = {02}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Gamification of Ethical Hacking Lab}, type = {Bachelor Thesis}, year = 2023 }
Penetration Testing of the eSano Platform. Schumacher, Moritz; Thesis; Bachelor Thesis. (2023, March).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
We performed a penetration test on the eSano eHealth platform. The platform provides internet- and mobile-based interventions for mental health and chronic disease treatment. The primary objective of the pentesting was to enhance the security of the eSano platform, which in turn ensures the protection of sensitive patient data used and stored within it. The scope of the pentesting was one of three sub-platforms of eSano, as well as the API which connects all sub-platforms with the backend database. We employed a combination of OWASP resources and various tools to identify potential attack vectors, and subsequently prioritized them based on their impact, enabling us to concentrate our e↵orts on addressing the most critical vulnerabilities first. During the penetration testing of the eSano platform, we identified several vulnerabilities. These included multiple vulnerabilities with low and medium impact, such as unused endpoints, functionalities, and missing rate limits at certain points. In addition to these lower impact vulnerabilities, we also identified several critical issues. One critical issue involved a clickjacking attack that could trick users into performing unintended actions. We could also query whether an email address was associated with a platform user, which could lead to further attacks. A misconfiguration in the CORS protocol allowed third- party websites to make privileged requests about authenticated users. Finally, we were able to bypass the file extension restrictions and perform successful XSS, SSRF, and DoS attacks on the file upload functionality. This could potentially lead to compromised user data, unauthorized access to sensitive information, and potential denial of service. The findings of the pentesting have been shared with the developers of the eSano project, enabling them to address the identified vulnerabilities. This will make the platform more secure for data belonging to future users.

@mastersthesis{schumacher2023penetration, abstract = {We performed a penetration test on the eSano eHealth platform. The platform provides internet- and mobile-based interventions for mental health and chronic disease treatment. The primary objective of the pentesting was to enhance the security of the eSano platform, which in turn ensures the protection of sensitive patient data used and stored within it. The scope of the pentesting was one of three sub-platforms of eSano, as well as the API which connects all sub-platforms with the backend database. We employed a combination of OWASP resources and various tools to identify potential attack vectors, and subsequently prioritized them based on their impact, enabling us to concentrate our e↵orts on addressing the most critical vulnerabilities first. During the penetration testing of the eSano platform, we identified several vulnerabilities. These included multiple vulnerabilities with low and medium impact, such as unused endpoints, functionalities, and missing rate limits at certain points. In addition to these lower impact vulnerabilities, we also identified several critical issues. One critical issue involved a clickjacking attack that could trick users into performing unintended actions. We could also query whether an email address was associated with a platform user, which could lead to further attacks. A misconfiguration in the CORS protocol allowed third- party websites to make privileged requests about authenticated users. Finally, we were able to bypass the file extension restrictions and perform successful XSS, SSRF, and DoS attacks on the file upload functionality. This could potentially lead to compromised user data, unauthorized access to sensitive information, and potential denial of service. The findings of the pentesting have been shared with the developers of the eSano project, enabling them to address the identified vulnerabilities. This will make the platform more secure for data belonging to future users.}, author = {Schumacher, Moritz}, keywords = {sssgroup}, month = {03}, publisher = {Bachelor Thesis}, title = {Penetration Testing of the eSano Platform}, type = {Bachelor Thesis}, year = 2023 }
Adversarial Training in Federated Learning using Constrained Optimization Methods. König, Jan; Thesis; Master Thesis. (2023, May).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Federated Learning (FL) is an approach to machine learning that facilitates the collaborative training of models and allows participants to keep their local and potentially sensitive data private. Due to its decentralized nature, FL is especially vulnerable to certain types of attacks. In a so-called backdoor attack, adversaries submit manipulated updates to the model aggregation process. For adversary-determined inputs, the newly aggregated model will then generate targeted false predictions. A common defense so far has been to measure the deviation between a global model and the model trained by a participant and reject models with a deviation above a certain threshold. Adversaries can counteract by adjusting their training objective in a way that penalizes large deviations. However, this merely encourages and not guarantees that the deviation threshold is not exceeded. As the main contribution, this thesis reformulates the adversarial training objective as a constrained optimization problem, a class of problems well-researched in mathematics that often can be solved by the Augmented Lagrangian Method. This eliminates the dilemma that adversaries face when having to decide between the effectiveness of their backdoor and remaining undetected, as is the case with current methods. A secondary, independent contribution is a scheme to detect FL participants training a hidden objective, such as a backdoor, for linear approximations of non-linear models (Neural Tangent Kernels). Finally, to evaluate the effectiveness of the proposed attack- and defense mechanisms, this thesis evaluates them against several existing state-of-the-art backdoor types (e.g., Semantic backdoor).

@mastersthesis{jan2023adversarial, abstract = {Federated Learning (FL) is an approach to machine learning that facilitates the collaborative training of models and allows participants to keep their local and potentially sensitive data private. Due to its decentralized nature, FL is especially vulnerable to certain types of attacks. In a so-called backdoor attack, adversaries submit manipulated updates to the model aggregation process. For adversary-determined inputs, the newly aggregated model will then generate targeted false predictions. A common defense so far has been to measure the deviation between a global model and the model trained by a participant and reject models with a deviation above a certain threshold. Adversaries can counteract by adjusting their training objective in a way that penalizes large deviations. However, this merely encourages and not guarantees that the deviation threshold is not exceeded. As the main contribution, this thesis reformulates the adversarial training objective as a constrained optimization problem, a class of problems well-researched in mathematics that often can be solved by the Augmented Lagrangian Method. This eliminates the dilemma that adversaries face when having to decide between the effectiveness of their backdoor and remaining undetected, as is the case with current methods. A secondary, independent contribution is a scheme to detect FL participants training a hidden objective, such as a backdoor, for linear approximations of non-linear models (Neural Tangent Kernels). Finally, to evaluate the effectiveness of the proposed attack- and defense mechanisms, this thesis evaluates them against several existing state-of-the-art backdoor types (e.g., Semantic backdoor).}, author = {König, Jan}, keywords = {sss-group}, month = {05}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Adversarial Training in Federated Learning using Constrained Optimization Methods}, type = {Master Thesis}, year = 2023 }
Penetration Testing of the eSano Platform with the focus on Patient and eCoach components. Nolte, Alexander; Thesis; Bachelor Thesis. (2023, July).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
With the increasing digitization of healthcare and the growing demand for remote medical services, electronic health (electronic Health (eHealth)) platforms play a crucial role in facilitating doctor-patient communication and providing therapeutic support. However, ensuring the security and privacy of patient data on these platforms is of utmost importance. This thesis focuses on the penetration testing of the eSano platform, specifically targeting its Patient and eCoach components. The objective of the penetration testing is to assess the security posture of the eSano platform and identify potential vulnerabilities that could compromise the confidentiality, integrity, and availability of patient data. The testing follows a structured approach, incorporating the guidelines provided by the Open Web Application Security Project (OWASP). The identified vulnerabilities were mapped to the corresponding Common Weakness Enumeration (CWE) identifiers, providing a standardized framework for reporting and analysis. Throughout the penetration testing process, several critical vulnerabilities were discovered, including vulnerable file upload functionality, unprotected Application programming interface (API) endpoints, refreshment of expired authentication tokens, clickjacking vulnerabilities, user enumeration issues, email security vulnerabilities, and Comma Seperated Values (CSV) injection vulnerabilities. These vulnerabilities pose a substantial risk to the security and privacy of patient data, as they could allow unauthorized access, data manipulation, and the spread of malicious software. The results of the penetration testing underscore the critical need for robust security measures in eHealth platforms. By addressing the identified vulnerabilities and implementing the recommended security controls, based on the guidelines provided by OWASP and the corresponding CWE mappings, the eSano platform can enhance its security posture and protect sensitive patient information. The penetration testing report provided in this thesis serves as a valuable resource for the eSano developers, offering detailed insights into the vulnerabilities and recommendations for their remediation.

@mastersthesis{nolte2023penetration, abstract = {With the increasing digitization of healthcare and the growing demand for remote medical services, electronic health (electronic Health (eHealth)) platforms play a crucial role in facilitating doctor-patient communication and providing therapeutic support. However, ensuring the security and privacy of patient data on these platforms is of utmost importance. This thesis focuses on the penetration testing of the eSano platform, specifically targeting its Patient and eCoach components. The objective of the penetration testing is to assess the security posture of the eSano platform and identify potential vulnerabilities that could compromise the confidentiality, integrity, and availability of patient data. The testing follows a structured approach, incorporating the guidelines provided by the Open Web Application Security Project (OWASP). The identified vulnerabilities were mapped to the corresponding Common Weakness Enumeration (CWE) identifiers, providing a standardized framework for reporting and analysis. Throughout the penetration testing process, several critical vulnerabilities were discovered, including vulnerable file upload functionality, unprotected Application programming interface (API) endpoints, refreshment of expired authentication tokens, clickjacking vulnerabilities, user enumeration issues, email security vulnerabilities, and Comma Seperated Values (CSV) injection vulnerabilities. These vulnerabilities pose a substantial risk to the security and privacy of patient data, as they could allow unauthorized access, data manipulation, and the spread of malicious software. The results of the penetration testing underscore the critical need for robust security measures in eHealth platforms. By addressing the identified vulnerabilities and implementing the recommended security controls, based on the guidelines provided by OWASP and the corresponding CWE mappings, the eSano platform can enhance its security posture and protect sensitive patient information. The penetration testing report provided in this thesis serves as a valuable resource for the eSano developers, offering detailed insights into the vulnerabilities and recommendations for their remediation.}, author = {Nolte, Alexander}, keywords = {sssgroup}, month = {07}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Penetration Testing of the eSano Platform with the focus on Patient and eCoach components}, type = {Bachelor Thesis}, year = 2023 }
Vulnerability Assessment of Smart Contracts using Explainable AI Methods. Hefter, Alexander; Thesis; Master Thesis. (2023, January).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Smart contracts are small computer programs stored on a blockchain and play an im- portant role in many cryptocurrencies, such as Ethereum. The code of a smart contract represents a sort of digital agreement between its users. However, like all computer pro- grams, smart contracts possibly contain security vulnerabilities an attacker can exploit to achieve goals beyond the original intent of the contract. Therefore, tools have been developed to identify smart contracts with vulnerabilities at source code or bytecode level. Some of these detection methods make use of deep neural networks, a machine learning technique. However, these methods only indicate whether a smart contract contains a certain vulnerability or not, but a programmer is also interested in its location in the code. The main problem is here that it is not obvious which parts of the source code are responsible for the prediction result of a neural network. This work describes two methods that determine whether a smart contract is vulnerable and find the locations of the vulnerabilities in the source code. Both methods are built on graph neural networks and, therefore, convert source code files into contract graphs. The first method identifies vulnerable contract graphs by graph classification. The vulnerability positions are figured out with an explainer, a program that determines the parts of the input graph that are responsible for the graph classification result. The second method is based on node classification. This method requires a dataset of source codes where the exact vulnerability positions are given by line numbers. Therefore, a dataset regarding the reentrancy vulnerability has been labeled by hand for this thesis. Both methods are tested and evaluated on this dataset. Although the first method reliably detects vulnerable contracts with a f1-score of up to 97.12%, the f1-score for locating the vulnerabilities does not exceed 9.0%. However, the second method determines vulnerable contracts with a f1-score of up to 93.02% and figures out the positions of the vulnerabilities with a f1-score of up to 93.69%. Moreover, the second method analyzes source codes in less than three seconds. Both methods can handle contract source codes of any lengths. The output of the analysis is in both cases given by the line numbers that contain the vulnerabilities.

@mastersthesis{hefter2023vulnerability, abstract = {Smart contracts are small computer programs stored on a blockchain and play an im- portant role in many cryptocurrencies, such as Ethereum. The code of a smart contract represents a sort of digital agreement between its users. However, like all computer pro- grams, smart contracts possibly contain security vulnerabilities an attacker can exploit to achieve goals beyond the original intent of the contract. Therefore, tools have been developed to identify smart contracts with vulnerabilities at source code or bytecode level. Some of these detection methods make use of deep neural networks, a machine learning technique. However, these methods only indicate whether a smart contract contains a certain vulnerability or not, but a programmer is also interested in its location in the code. The main problem is here that it is not obvious which parts of the source code are responsible for the prediction result of a neural network. This work describes two methods that determine whether a smart contract is vulnerable and find the locations of the vulnerabilities in the source code. Both methods are built on graph neural networks and, therefore, convert source code files into contract graphs. The first method identifies vulnerable contract graphs by graph classification. The vulnerability positions are figured out with an explainer, a program that determines the parts of the input graph that are responsible for the graph classification result. The second method is based on node classification. This method requires a dataset of source codes where the exact vulnerability positions are given by line numbers. Therefore, a dataset regarding the reentrancy vulnerability has been labeled by hand for this thesis. Both methods are tested and evaluated on this dataset. Although the first method reliably detects vulnerable contracts with a f1-score of up to 97.12%, the f1-score for locating the vulnerabilities does not exceed 9.0%. However, the second method determines vulnerable contracts with a f1-score of up to 93.02% and figures out the positions of the vulnerabilities with a f1-score of up to 93.69%. Moreover, the second method analyzes source codes in less than three seconds. Both methods can handle contract source codes of any lengths. The output of the analysis is in both cases given by the line numbers that contain the vulnerabilities.}, author = {Hefter, Alexander}, keywords = {sss-group}, month = {01}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Vulnerability Assessment of Smart Contracts using Explainable AI Methods}, type = {Master Thesis}, year = 2023 }
Sybil Attack in Tor - Shedding Light to the Diversity Problem in Tor. Schreider, Dominik; Thesis; Bachelor Thesis. (2023, August).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Tor is the most widely used anonymity communication network, which relies on voluntarily operated servers called relays to direct user traffic through its network. With an estimated daily user base of around 2 million, Tor stands as a widely adopted platform. However, the Tor network faces a significant challenge known as the ”Diversity Problem”, arising from a concentration of power, manifested through the trust and dependence placed upon a few dominant operators controlling a substantial portion of the network. For the analysis of this matter, we developed an Analysis Tool to aggregate and analyze Tor data. The Sybil attack within the Tor network includes two scenarios. (I) The attacker in- troduces additional relays into the network to increase their control and influence. The adversary’s objective in this scenario is to monitor a significant portion of the network traffic within Tor. (II) The attacker intentionally avoids associating the relays they man- age under a single entity, which is the typical practice expected from relay operators. As a result of this, they could potentially acquire advantageous visibility to observe connec- tions established via Tor by strategically placing their relays in critical positions of the circuit. Particularly concerning is the attacker’s capability to easily add relays to the Tor network and refrain from declaring relay ownership. The potential privacy risks for users emerge from both attack scenarios, with the combined effect being particularly concern- ing. Within this thesis, we extensively explore the Sybil attack to gain a comprehensive understanding of the factors that impact its effectiveness and how this attack affects the ”Diversity Problem”. By conducting a thorough analysis of the Sybil attack, we pinpoint the primary factors that shape its effectiveness. Moreover, we carry out simulations of the Sybil attack. An attacker who controls 100 Gbit/s of bandwidth could achieve up to a 40% likelihood of monitoring the exiting traffic or a 20% likelihood of observing incoming traffic within the Tor network. This capacity enables the attacker to potentially de-anonymize user connec- tions. We provide a proof of concept for the Sybil attack, critically analyzing the impact the attack can have on the Tor network. The rationale behind emphasizing this analysis is rooted in the absence of prior investigations into the Sybil attack’s effectiveness within the Tor ecosystem. Understanding the intricacies of the attack is essential to fortify Tor’s se- curity and preserve its mission of providing privacy and anonymity to its diverse user base. Furthermore, our aim extends to cultivating awareness among researchers and Tor users regarding the far-reaching implications of the ”Diversity Problem”, which subsequently affects the reliance and trust on a limited number of dominant entities.

@mastersthesis{schreider2023sybil, abstract = {Tor is the most widely used anonymity communication network, which relies on voluntarily operated servers called relays to direct user traffic through its network. With an estimated daily user base of around 2 million, Tor stands as a widely adopted platform. However, the Tor network faces a significant challenge known as the ”Diversity Problem”, arising from a concentration of power, manifested through the trust and dependence placed upon a few dominant operators controlling a substantial portion of the network. For the analysis of this matter, we developed an Analysis Tool to aggregate and analyze Tor data. The Sybil attack within the Tor network includes two scenarios. (I) The attacker in- troduces additional relays into the network to increase their control and influence. The adversary’s objective in this scenario is to monitor a significant portion of the network traffic within Tor. (II) The attacker intentionally avoids associating the relays they man- age under a single entity, which is the typical practice expected from relay operators. As a result of this, they could potentially acquire advantageous visibility to observe connec- tions established via Tor by strategically placing their relays in critical positions of the circuit. Particularly concerning is the attacker’s capability to easily add relays to the Tor network and refrain from declaring relay ownership. The potential privacy risks for users emerge from both attack scenarios, with the combined effect being particularly concern- ing. Within this thesis, we extensively explore the Sybil attack to gain a comprehensive understanding of the factors that impact its effectiveness and how this attack affects the ”Diversity Problem”. By conducting a thorough analysis of the Sybil attack, we pinpoint the primary factors that shape its effectiveness. Moreover, we carry out simulations of the Sybil attack. An attacker who controls 100 Gbit/s of bandwidth could achieve up to a 40% likelihood of monitoring the exiting traffic or a 20% likelihood of observing incoming traffic within the Tor network. This capacity enables the attacker to potentially de-anonymize user connec- tions. We provide a proof of concept for the Sybil attack, critically analyzing the impact the attack can have on the Tor network. The rationale behind emphasizing this analysis is rooted in the absence of prior investigations into the Sybil attack’s effectiveness within the Tor ecosystem. Understanding the intricacies of the attack is essential to fortify Tor’s se- curity and preserve its mission of providing privacy and anonymity to its diverse user base. Furthermore, our aim extends to cultivating awareness among researchers and Tor users regarding the far-reaching implications of the ”Diversity Problem”, which subsequently affects the reliance and trust on a limited number of dominant entities.}, author = {Schreider, Dominik}, keywords = {sssgroup}, month = {08}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Sybil Attack in Tor - Shedding Light to the Diversity Problem in Tor}, type = {Bachelor Thesis}, year = 2023 }
Constrained Learning for Improved Attack Resilience in Federated Learning. Fella, Tobias; Thesis; Master Thesis. (2023, September).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Federated Learning is an approach to machine learning where several participants train models locally, followed by aggregating these models into a combined model. This ap- proach has several advantages over classic, centralized machine learning, e.g., that the training data does not have to leave the client’s devices. Defenses against poisoning at- tacks on Federated Learning are an area of active research. Most existing approaches detect malicious models by focusing only on the adversarial side. This thesis goes a differ- ent way, by proposing changes to benign training on the client side, which lead to improved detection capabilities of existing defense mechanisms. We do this by constraining certain model characteristics, so-called metrics, in benign learning. This causes the benign models to be more similar to each other within a certain metric that is leveraged by the defense mechanism. The central parts of our research are an evaluation of how to best constrain malicious learning, evaluating, among others, techniques from Multi-Task Learning. We then evaluate the system’s capability of detecting malicious models and other effects it has on the behavior of the Federated Learning environment.

@mastersthesis{fella2023constrained, abstract = {Federated Learning is an approach to machine learning where several participants train models locally, followed by aggregating these models into a combined model. This ap- proach has several advantages over classic, centralized machine learning, e.g., that the training data does not have to leave the client’s devices. Defenses against poisoning at- tacks on Federated Learning are an area of active research. Most existing approaches detect malicious models by focusing only on the adversarial side. This thesis goes a differ- ent way, by proposing changes to benign training on the client side, which lead to improved detection capabilities of existing defense mechanisms. We do this by constraining certain model characteristics, so-called metrics, in benign learning. This causes the benign models to be more similar to each other within a certain metric that is leveraged by the defense mechanism. The central parts of our research are an evaluation of how to best constrain malicious learning, evaluating, among others, techniques from Multi-Task Learning. We then evaluate the system’s capability of detecting malicious models and other effects it has on the behavior of the Federated Learning environment.}, author = {Fella, Tobias}, institution = {Master Thesis}, keywords = {sssgroup}, month = {09}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Constrained Learning for Improved Attack Resilience in Federated Learning}, type = {Master Thesis}, year = 2023 }

2021[ to top ]

Security Analysis of UniNow App. Zimmermann, Keven; Thesis; Bachelor Thesis. (2021, June).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
We performed a security analysis of the UniNow application, focusing on private user data. The application was chosen for its high popularity and amount of sensitive information handled through its new contact tracing functionality. This functionality is used by many universities for mandatory contact tracing against COVID-19. Our analysis concerned the Android mobile application and all web services. After mapping the attack surface using many tools to automate the process, we tested the potential issues in order of impact. We reveal multiple security issues with low to critical severity. Most of these vulnera�bilities threatened private user data directly. In particular, we found multiple disclosed secret keys that were used to encrypt user data on the client side, among others. Fur�thermore, we show how an in-app browser as well as an open redirect vulnerability were easing phishing attacks, and how university access tokens were shared with UniNow. Our more severe findings include how sensitive data was sent automatically to Google servers through backup files, how strict SSL certificate checking was disabled deliberately for many university endpoints, how JavaScript could be injected into the email viewer, and how ap�pointment invitations could be brute forced to get sensitive information about past and future appointments. The two critical security issues concern how user accounts could be taken over by using an account identifier, and how an internal service was accessible by anyone, allowing to change university configurations and potentially make user devices sent their user’s university credentials to the attacker. We performed a responsible disclosure, which serves as a reference to UniNow, enabling them to fix the discovered issues. Our work tangibly improves the security of student data handled by the company.

@mastersthesis{noauthororeditor, abstract = {We performed a security analysis of the UniNow application, focusing on private user data. The application was chosen for its high popularity and amount of sensitive information handled through its new contact tracing functionality. This functionality is used by many universities for mandatory contact tracing against COVID-19. Our analysis concerned the Android mobile application and all web services. After mapping the attack surface using many tools to automate the process, we tested the potential issues in order of impact. We reveal multiple security issues with low to critical severity. Most of these vulnera�bilities threatened private user data directly. In particular, we found multiple disclosed secret keys that were used to encrypt user data on the client side, among others. Fur�thermore, we show how an in-app browser as well as an open redirect vulnerability were easing phishing attacks, and how university access tokens were shared with UniNow. Our more severe findings include how sensitive data was sent automatically to Google servers through backup files, how strict SSL certificate checking was disabled deliberately for many university endpoints, how JavaScript could be injected into the email viewer, and how ap�pointment invitations could be brute forced to get sensitive information about past and future appointments. The two critical security issues concern how user accounts could be taken over by using an account identifier, and how an internal service was accessible by anyone, allowing to change university configurations and potentially make user devices sent their user’s university credentials to the attacker. We performed a responsible disclosure, which serves as a reference to UniNow, enabling them to fix the discovered issues. Our work tangibly improves the security of student data handled by the company.}, author = {Zimmermann, Keven}, keywords = {security}, month = {06}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Security Analysis of UniNow App}, type = {Bachelor Thesis}, year = 2021 }
Intrusion Detection Using Machine Learning in Databases. Schindler, Sebastian; Thesis; Master Thesis. (2021, April).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Ransomware is a known threat that had a severe impact on computer security in the past five years. This type of malware has caused financial losses of about $13 Billion in 2017 and 2018 combined. Ransomware makes a user’s data unavailable to them, only granting access again when they pay a ransom. Traditionally, ransomware targeted the computer’s filesystem. Database ransomware is a new variant of the same principle. Instead of targeting individual files, it logs into DBMSs remotely and destroys the data, leaving only a ransom message behind. In most cases, attackers do not create a backup copy of the data. In this case, the data cannot be restored by the attackers, even if the ransom is paid. In 2018, Jobst et al. presented DIMAQS, a MySQL plugin to mitigate these attacks by detecting malicious activity through a Petri net classifier. Our work recognizes the main drawback of this approach: The Petri net cannot be easily adapted to new attack scenarios and has to be re-engineered manually. To solve this problem, we design a machine learning classifier to replace the original one. This approach yields a model that detects all attacks in our tests. Unfortunately, the model also produces a high number of false positives when trying to detect attacks before any harmful queries are issued. Overall, our approach achieves a 85.23% f1-score. The performance impact of the revised plugin is nonexistent for OLAP workloads and stays under 15% for OLTP tasks.

@mastersthesis{noauthororeditor, abstract = {Ransomware is a known threat that had a severe impact on computer security in the past five years. This type of malware has caused financial losses of about $13 Billion in 2017 and 2018 combined. Ransomware makes a user’s data unavailable to them, only granting access again when they pay a ransom. Traditionally, ransomware targeted the computer’s filesystem. Database ransomware is a new variant of the same principle. Instead of targeting individual files, it logs into DBMSs remotely and destroys the data, leaving only a ransom message behind. In most cases, attackers do not create a backup copy of the data. In this case, the data cannot be restored by the attackers, even if the ransom is paid. In 2018, Jobst et al. presented DIMAQS, a MySQL plugin to mitigate these attacks by detecting malicious activity through a Petri net classifier. Our work recognizes the main drawback of this approach: The Petri net cannot be easily adapted to new attack scenarios and has to be re-engineered manually. To solve this problem, we design a machine learning classifier to replace the original one. This approach yields a model that detects all attacks in our tests. Unfortunately, the model also produces a high number of false positives when trying to detect attacks before any harmful queries are issued. Overall, our approach achieves a 85.23% f1-score. The performance impact of the revised plugin is nonexistent for OLAP workloads and stays under 15% for OLTP tasks.}, author = {Schindler, Sebastian}, keywords = {ransomware}, month = {04}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Intrusion Detection Using Machine Learning in Databases}, type = {Master Thesis}, year = 2021 }
Security and Privacy Aspects of Digital Contact Tracing. Roos, Filipp; Thesis; Master Thesis. (2021, October).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
I am truly thankful to my advisor, Prof. Dr.-Ing. Alexandra Dmitrienko, for her guidance, support and patience throughout the research project and thesis writing process. Special thanks to Thien Nguyen for the discussions and feedback about the security analysis, as well as the rest of the TraceCORONA research and prototyping team at TU Darmstadt, which I am very grateful to have been a part of: Prof. Dr.-Ing. Ahmad-Reza Sadeghi, Dr.-Ing. Markus Miettinen, Joshua Kühlberg, Anel Muhamedagic and Richard Mitev. Without these people this work would not have been possible. Additionally, I would like to express gratitude to my parents, who have encouraged me to never give up, as well as the friends and family members who have helped with proofreading the thesis.

@mastersthesis{roos2021security, abstract = {I am truly thankful to my advisor, Prof. Dr.-Ing. Alexandra Dmitrienko, for her guidance, support and patience throughout the research project and thesis writing process. Special thanks to Thien Nguyen for the discussions and feedback about the security analysis, as well as the rest of the TraceCORONA research and prototyping team at TU Darmstadt, which I am very grateful to have been a part of: Prof. Dr.-Ing. Ahmad-Reza Sadeghi, Dr.-Ing. Markus Miettinen, Joshua Kühlberg, Anel Muhamedagic and Richard Mitev. Without these people this work would not have been possible. Additionally, I would like to express gratitude to my parents, who have encouraged me to never give up, as well as the friends and family members who have helped with proofreading the thesis.}, author = {Roos, Filipp}, keywords = {security}, month = 10, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Security and Privacy Aspects of Digital Contact Tracing}, year = 2021 }
Remote Attestation for IoT with Smart Verifier. Petzi, Lukas; Thesis; Bachelor Thesis. (2021, January).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
The Internet is evolving. The Internet of Things (IoT) is a disruptive technology, billions of small and smart devices are encompassing every aspect of our lives, which leads us to a new era of the Internet. IoT connects billions of heterogeneous embedded devices in large networks. Restricted capabilities of the devices in combination with various mutually mistrusting parties throughout the network pose new challenges to security. As IoT devices become increasingly important, so does trust in their secure and reliable operation. But before we can trust them, we need to establish the trust. In the past, remote attestation has emerged into a very powerful tool in order to establish trust between devices. Traditional remote attestation establishes a static trust between two devices. This approach suffers badly heterogeneity of IoT network and purely scales to a large number of devices. Furthermore, it is very vulnerable to Denial of Service attacks. Within this thesis, we present a new approach to Remote Attestation in IoT networks. Our design combines the core strength of Remote Attestation with the advantages blockchain technology in order to enable attestation and validation of attestation evidences in a scalable manner. At rst, we develop a remote attestation scheme on a low end device serving as an exemplary IoT device. Second, we design our smart verifier, a flexible system capable of validating and storing attestation evidence. The system is build on top of blockchain technology and solves several issues accompanied by Traditional Remote Attestation in IoT such as scalability and device heterogeneity. In the end, we build and evaluate a proof of concept implementation based on ARM TrustZone and Sawtooth Hyperledger. The proposed system architecture enables trust establishment in a scalable manner even in heterogeneous networks while preventing denial of service attacks

@mastersthesis{chan2019remote, abstract = {The Internet is evolving. The Internet of Things (IoT) is a disruptive technology, billions of small and smart devices are encompassing every aspect of our lives, which leads us to a new era of the Internet. IoT connects billions of heterogeneous embedded devices in large networks. Restricted capabilities of the devices in combination with various mutually mistrusting parties throughout the network pose new challenges to security. As IoT devices become increasingly important, so does trust in their secure and reliable operation. But before we can trust them, we need to establish the trust. In the past, remote attestation has emerged into a very powerful tool in order to establish trust between devices. Traditional remote attestation establishes a static trust between two devices. This approach suffers badly heterogeneity of IoT network and purely scales to a large number of devices. Furthermore, it is very vulnerable to Denial of Service attacks. Within this thesis, we present a new approach to Remote Attestation in IoT networks. Our design combines the core strength of Remote Attestation with the advantages blockchain technology in order to enable attestation and validation of attestation evidences in a scalable manner. At rst, we develop a remote attestation scheme on a low end device serving as an exemplary IoT device. Second, we design our smart verifier, a flexible system capable of validating and storing attestation evidence. The system is build on top of blockchain technology and solves several issues accompanied by Traditional Remote Attestation in IoT such as scalability and device heterogeneity. In the end, we build and evaluate a proof of concept implementation based on ARM TrustZone and Sawtooth Hyperledger. The proposed system architecture enables trust establishment in a scalable manner even in heterogeneous networks while preventing denial of service attacks}, author = {Petzi, Lukas}, booktitle = {CVPR Workshops}, keywords = {security}, month = {01}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Remote Attestation for IoT with Smart Verifier}, type = {Bachelor Thesis}, year = 2021 }

2020[ to top ]

Evaluating the Privacy of Contact Discovery. Sendner, Christoph; Thesis; Master Thesis. (2020, July).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.

@mastersthesis{sendner2020contactdiscovery, abstract = {Currently deployed contact discovery of mobile messengers is based on the transmission of phone numbers to the service provider. This information is private and anonymized by hashing them. In this work, we show, that this anonymization is pseudo-anonymous and can easily be broken by an attacker. For that, we develop two hash reversal techniques: one using brute-force approach and another one using look-up databases. We provide generic architectures for each of the ap- proaches. Additionally, we provide and compare two instantiations for each. Furthermore, we evaluate and compare them to the third approach based on rainbow tables. The evaluation shows near instant lookup-times of under 0.1 ms using in-memory lookup databases, this approach is however costly in terms of memory – it would require over 10 TB RAM, which would be difficult to obtain. Our brute-force approach shows an astonishing performance, being able to reverse any mobile number in under 100 seconds using consumer-level hardware. The rainbow tables produce lookup-times of 4.5 minutes with a success rate of over 99.99%. The results of our evaluation demonstrate, that hash reversals of mobile phone numbers are practical and near instant. Thus, an attacker can easily reverse hash digests of mobile phone numbers and de-anonymize personally identifiable information – like phone numbers transmitted to the service provider of mobile messenger apps.}, author = {Sendner, Christoph}, keywords = {sss-group}, month = {07}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Evaluating the Privacy of Contact Discovery}, type = {Master Thesis}, year = 2020 }
Aggregatable Remote Attestation for IoT. Alistarov, Vasil; Thesis; Bachelor Thesis. (2020, December).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
With the recent spike of Internet of Things (IoT) and "smart" devices, there has also been an increase in the amount of attacks on IoT networks. Wide-reaching attacks such as the one from the Mirai botnet in 2016 show how crucial it is to know that a device can be trusted before initiating communication. Remote Attestation (RA) is a proven method for asserting that a device is in a benign state. It is a challenge-response process between two parties, where the first checks the trustworthiness of the second. However, it is characterizable with low scalability a critical issue in the IoT sector. In our work, we model a new RA protocol, called Aggregatable Remote Attestation, which would allow a device to process multiple RA challenges simultaneously. We base it on the already existing SIMPLE architecture and implement it as a Proof-of-Concept (PoC) by modifying the code of the Security MicroVisor the core component of SIMPLE. We evaluate our work in terms of security and performance and show that it greatly outperforms the underlying SIMPLE. We discuss the relevance of our design in relation to the IoT sphere and denote a small set of potential topics for future work and research.

@mastersthesis{alistarov2020aggregatable, abstract = {With the recent spike of Internet of Things (IoT) and "smart" devices, there has also been an increase in the amount of attacks on IoT networks. Wide-reaching attacks such as the one from the Mirai botnet in 2016 show how crucial it is to know that a device can be trusted before initiating communication. Remote Attestation (RA) is a proven method for asserting that a device is in a benign state. It is a challenge-response process between two parties, where the first checks the trustworthiness of the second. However, it is characterizable with low scalability a critical issue in the IoT sector. In our work, we model a new RA protocol, called Aggregatable Remote Attestation, which would allow a device to process multiple RA challenges simultaneously. We base it on the already existing SIMPLE architecture and implement it as a Proof-of-Concept (PoC) by modifying the code of the Security MicroVisor the core component of SIMPLE. We evaluate our work in terms of security and performance and show that it greatly outperforms the underlying SIMPLE. We discuss the relevance of our design in relation to the IoT sphere and denote a small set of potential topics for future work and research.}, author = {Alistarov, Vasil}, keywords = {security}, month = 12, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Aggregatable Remote Attestation for IoT}, type = {Bachelor Thesis}, year = 2020 }
Strategies for the Security Assessment of IoT Devices by Certification Authorities. Finke, Moritz Anton; Thesis; Bachelor Thesis. (2020, May).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
The Internet of Things (IoT) is a global infrastructure that interconnects physical and virtual things based on evolving information and communication technologies. Along with the rise of the IoT, multiple unprecedented forms of security issues and attacks have emerged. While their limited resources disallow the utilization of computing-intensive security measures, the services of IoT devices represent an attractive target for vulnerability exploitation. Certification Authorities (CAs) have responded to the trend and offer security assessments and certification for IoT devices. To ensure qualitative and fair certification, security testing requires well-defined strategies. This bachelor thesis analyzes the existing IoT security assessment models and proposes a novel, CA oriented Testing Guide Model (TGM) for standardized and reproducible assessments. The TGM describes a complete security assessment approach for application in IoT device security certification procedures of CAs. As part of the bachelor thesis, the TGM is specified, implemented, and its applicability evaluated with the help of existing IoT devices. CAs account for the security of certified products. The certification of devices that (subsequently) prove to be insecure can lead to a consumer's loss of trust in the CA. Therefore, the decision for issuing certificates must be comprehensible and made carefully. For the risk estimation of security issues and vulnerabilities, it is common to make use of numerical scoring systems. Well-defined scoring systems allow precise and reproducible estimations. In addition to the introduction of the TGM, this bachelor thesis analyzes the scoring systems established in the field of IT security in regard to their applicability for the scoring of IoT related vulnerabilities, complete IoT devices, and for the specific requirements of CAs. This thesis uncovers incompatibilities and insufficiencies in the existing systems that disallow application for the scoring of IoT devices and for application by CAs. To counter these issues, the thesis introduces a novel Security Scoring System (SSS) for rating IoT devices based on the risks of their vulnerabilities, services, and operational contexts. The SSS is integrated into the TGM, implemented in software, and evaluated with a comparison to the existing scoring systems. To summarize, the contributions of this bachelor thesis are two novel models for the security assessment of devices of the IoT: the TGM and the SSS. The models are intended to find application for CAs and both standardize and improve the security testing and assessment procedures.

@mastersthesis{finke2020strategies, abstract = {The Internet of Things (IoT) is a global infrastructure that interconnects physical and virtual things based on evolving information and communication technologies. Along with the rise of the IoT, multiple unprecedented forms of security issues and attacks have emerged. While their limited resources disallow the utilization of computing-intensive security measures, the services of IoT devices represent an attractive target for vulnerability exploitation. Certification Authorities (CAs) have responded to the trend and offer security assessments and certification for IoT devices. To ensure qualitative and fair certification, security testing requires well-defined strategies. This bachelor thesis analyzes the existing IoT security assessment models and proposes a novel, CA oriented Testing Guide Model (TGM) for standardized and reproducible assessments. The TGM describes a complete security assessment approach for application in IoT device security certification procedures of CAs. As part of the bachelor thesis, the TGM is specified, implemented, and its applicability evaluated with the help of existing IoT devices. CAs account for the security of certified products. The certification of devices that (subsequently) prove to be insecure can lead to a consumer's loss of trust in the CA. Therefore, the decision for issuing certificates must be comprehensible and made carefully. For the risk estimation of security issues and vulnerabilities, it is common to make use of numerical scoring systems. Well-defined scoring systems allow precise and reproducible estimations. In addition to the introduction of the TGM, this bachelor thesis analyzes the scoring systems established in the field of IT security in regard to their applicability for the scoring of IoT related vulnerabilities, complete IoT devices, and for the specific requirements of CAs. This thesis uncovers incompatibilities and insufficiencies in the existing systems that disallow application for the scoring of IoT devices and for application by CAs. To counter these issues, the thesis introduces a novel Security Scoring System (SSS) for rating IoT devices based on the risks of their vulnerabilities, services, and operational contexts. The SSS is integrated into the TGM, implemented in software, and evaluated with a comparison to the existing scoring systems. To summarize, the contributions of this bachelor thesis are two novel models for the security assessment of devices of the IoT: the TGM and the SSS. The models are intended to find application for CAs and both standardize and improve the security testing and assessment procedures.}, author = {Finke, Moritz Anton}, keywords = {IoT}, month = {05}, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Strategies for the Security Assessment of IoT Devices by Certification Authorities}, type = {Bachelor Thesis}, year = 2020 }
Detection of Software Vulnerabilities in Smart Contracts using Deep Learning. Lutz, Oliver; Thesis; Master Thesis. (2020, October).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Der Missbrauch von Programmierfehlern in Kryptowährungsplattformen kann zu großen wirtschaftlichen Schäden fuhren. Deshalb wird in dieser Arbeit analysiert, wie Deep-Learning genutzt werden kann, um Schwachstellen in Ethereum Smart Contracts aufzudecken. Als Ergebnis ist ein Framework entwickelt worden, das sich um die Datengewinnung, Vorklassifizierung und Modellbildung kummert. Mit diesem Framework können Deep-Learning-Modelle entwickelt, trainiert und evaluiert werden, um einen KI-Scanner zu erstellen. Selbst bei einfachen neuronalen Netz-Architekturen erreicht der KI-Scanner, der acht verschiedene Arten von Schwachstellen erkennen kann, eine Genauigkeit von 98%. Dieser KI-Scanner kann zur weiteren Verwendung eingesetzt werden. Er kann jedoch auch um Schwachstellentypen erweitert werden, um ein noch mächtigeres Tool zu bilden.

@mastersthesis{lutz2020detection, abstract = {Der Missbrauch von Programmierfehlern in Kryptowährungsplattformen kann zu großen wirtschaftlichen Schäden fuhren. Deshalb wird in dieser Arbeit analysiert, wie Deep-Learning genutzt werden kann, um Schwachstellen in Ethereum Smart Contracts aufzudecken. Als Ergebnis ist ein Framework entwickelt worden, das sich um die Datengewinnung, Vorklassifizierung und Modellbildung kummert. Mit diesem Framework können Deep-Learning-Modelle entwickelt, trainiert und evaluiert werden, um einen KI-Scanner zu erstellen. Selbst bei einfachen neuronalen Netz-Architekturen erreicht der KI-Scanner, der acht verschiedene Arten von Schwachstellen erkennen kann, eine Genauigkeit von 98%. Dieser KI-Scanner kann zur weiteren Verwendung eingesetzt werden. Er kann jedoch auch um Schwachstellentypen erweitert werden, um ein noch mächtigeres Tool zu bilden.}, author = {Lutz, Oliver}, keywords = {Private_AI}, month = 10, publisher = {Master Thesis}, school = {University of Würzburg}, title = {Detection of Software Vulnerabilities in Smart Contracts using Deep Learning}, type = {Master Thesis}, year = 2020 }
Testbed for Security Testing of Smart Contracts. Denk, Lukas; Thesis; Bachelor Thesis. (2020, November).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Ethereum, one of the most popular decentralized blockchain-based platforms [1], manages cryptocurrency worth more than 40 billion US Dollars [2]. A lot of the money is controlled by autonomous programs, so called smart contracts. They are executed on the platform and everyone can call their functions; vulnerabilities are therefore easily exploited. The immutable nature of the blockchain sharpens the problem even further by prohibiting belated bug fixes. In fact, there were several cases where attackers were able to steal cryptocurrency worth several millions of US Dollar [3]. This emphasises the need of soundly testing a smart contract before deployment. Unfortunately, existing security analysing tools each cover a different subsets of vulnerabilities [4]. Moreover, even when they test for the same security issues, they often find different results. A solid test run should therefore contain several tools, which makes the whole procedure very laborious. For these reasons, we provide a testbed which runs on a virtual machine (VM) with several smart contract security analysing tools integrated. It does not only offer a command line- but also an intuitive web interface. Both interfaces allow the user to analyse his contract with all the underlying tools in a single step. Additionally, our testbed provides a detailed report for each of the tools’ test runs as well as an overview of the overall security issues the different tools found. Our evaluation shows that our testbed identifies significantly more potential security issues than each of the compared smart contract analysing tools individually does. Indeed, we found 92% of our analysed contracts as potentially being vulnerable, while even the most sensitive tool only flagged 76% of its successfully analysed contracts. Furthermore, we observed that occasionally, two tools testing for the same vulnerability, contradict themselves in more than 81% of the contracts successfully analysed by both tools

@mastersthesis{denk2020testbed, abstract = {Ethereum, one of the most popular decentralized blockchain-based platforms [1], manages cryptocurrency worth more than 40 billion US Dollars [2]. A lot of the money is controlled by autonomous programs, so called smart contracts. They are executed on the platform and everyone can call their functions; vulnerabilities are therefore easily exploited. The immutable nature of the blockchain sharpens the problem even further by prohibiting belated bug fixes. In fact, there were several cases where attackers were able to steal cryptocurrency worth several millions of US Dollar [3]. This emphasises the need of soundly testing a smart contract before deployment. Unfortunately, existing security analysing tools each cover a different subsets of vulnerabilities [4]. Moreover, even when they test for the same security issues, they often find different results. A solid test run should therefore contain several tools, which makes the whole procedure very laborious. For these reasons, we provide a testbed which runs on a virtual machine (VM) with several smart contract security analysing tools integrated. It does not only offer a command line- but also an intuitive web interface. Both interfaces allow the user to analyse his contract with all the underlying tools in a single step. Additionally, our testbed provides a detailed report for each of the tools’ test runs as well as an overview of the overall security issues the different tools found. Our evaluation shows that our testbed identifies significantly more potential security issues than each of the compared smart contract analysing tools individually does. Indeed, we found 92% of our analysed contracts as potentially being vulnerable, while even the most sensitive tool only flagged 76% of its successfully analysed contracts. Furthermore, we observed that occasionally, two tools testing for the same vulnerability, contradict themselves in more than 81% of the contracts successfully analysed by both tools}, author = {Denk, Lukas}, keywords = {secure}, month = 11, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Testbed for Security Testing of Smart Contracts}, type = {Bachelor Thesis}, year = 2020 }
Understanding UI attacks on Android. Jasper, Stang; Thesis; Bachelor Thesis. (2020, December).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
In this thesis, we closely examine an important type of attack against Android smart- phones that exploit weaknesses in the user interface. In particular, we study, analyze and implement the “Keystroke Inference #3” attack from the “Cloak and Dagger” paper by Fratantonio et al. [1, 2], which enables an attacker to steal sensitive input such as pass- words. The attack takes advantage of a vulnerability that was subsequently patched on all newer Android versions. Yet, it still affects a significant user base that utilizes older devices. In this paper, we present the end-to-end attack implementation of the “Keystroke Inference #3” concept and elaborate on in-depth details. In order to make the attack fea- sible certain technical challenges needed to be solved, therefore our developed approaches are presented as well. After the evaluation of the results, we show that the implementa- tion is applicable to a wide range of Android versions. We then present our novel defense technique OverlayShifter, which fully prevents the attack while being independent of operating system modifications. Moreover, characteristics that facilitate the detection of the attack are discussed.

@mastersthesis{jasper2020understanding, abstract = {In this thesis, we closely examine an important type of attack against Android smart- phones that exploit weaknesses in the user interface. In particular, we study, analyze and implement the “Keystroke Inference #3” attack from the “Cloak and Dagger” paper by Fratantonio et al. [1, 2], which enables an attacker to steal sensitive input such as pass- words. The attack takes advantage of a vulnerability that was subsequently patched on all newer Android versions. Yet, it still affects a significant user base that utilizes older devices. In this paper, we present the end-to-end attack implementation of the “Keystroke Inference #3” concept and elaborate on in-depth details. In order to make the attack fea- sible certain technical challenges needed to be solved, therefore our developed approaches are presented as well. After the evaluation of the results, we show that the implementa- tion is applicable to a wide range of Android versions. We then present our novel defense technique OverlayShifter, which fully prevents the attack while being independent of operating system modifications. Moreover, characteristics that facilitate the detection of the attack are discussed.}, author = {Jasper, Stang}, keywords = {sssgroup}, month = 12, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Understanding UI attacks on Android}, type = {Bachelor Thesis}, year = 2020 }

2019[ to top ]

Implementation and Evaluation of a Group Encryption Scheme. Ten, Peter; Thesis; Bachelor Thesis. (2019, December).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@mastersthesis{2019-BA-Peter-Ten, author = {Ten, Peter}, keywords = {group}, month = 12, publisher = {Bachelor Thesis}, school = {University of Würzburg}, title = {Implementation and Evaluation of a Group Encryption Scheme}, type = {Bachelor Thesis}, year = 2019 }

2018[ to top ]

Hardening Bitcoin Against Off-Topic Data Inclusion Attacks. Seeg, Andreas; Thesis; University of Würzburg. (2018, August).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Bitcoin is a novel peer to peer payment network that was started in 2009 and that has since flourished, gaining acceptance all over the world. By contributing their resourcefulness as network connectivity and computing power, all participants are creating the the Bitcoin network together. Designed as an open source software system, the participation rules for this network are not upheld by humans, but implemented in code, and generally allow anyone to join or leave the network at will.Since the time of Bitcoin’s inception, software errors had to be fixed and network attacks that tried to make parts of the network unavailable have been endured. This thesis provides a solution to the problem of illegal data inclusions within the blockchain, a data structure that cannot easily be changed and that has to be transmitted to participants of Bitcoin.The flaw, i.e. the possibility for any user of Bitcoin to potentially include illegal data and therefore illegalizes the whole blockchain, is not just a software flaw, but can be seen as a structural one if free participation and uncensorable payments are to be provided.The proposal to solve the problem is layered in two tiers. The first tier prevents effective data inclusion for some standard payment functions within Bitcoin. This allows participants to be certain that these transactions do not contain bad data, allowing them to be included into Bitcoin blocks. It also solves the problem of illegal data permanently occupying valuable resources on Bitcoin nodes, as parts of the provably clean transactions are generally held in RAM until they have been spent. The prevention mechanism is essentially a system that provides proof that bitcoins were sent to actual Bitcoin addresses,stopping data inclusion by address fields abusal.The second tier consists of rule changes for Bitcoin. First of all, all non-standard payment transactions are removed from Bitcoin, with the exception of the more computationally flexible and popular P2SH transactions. This limits the avenues for data inclusion in Bitcoin without destroying its flexibility or its smart contract capabilities. Then, P2SHtransactions are redesigned to allow for a more fine grained deletion of their data, so only offending parts could be removed without destroying the integrity of the rest. Finally, a special type of transaction is introduced that allows censorship of just the signature data of a P2SH transaction. This transaction has to include a payment equal to the Bitcoin provided by the previous P2SH transaction, however. By adding this requirement, the system is protected from becoming open to money creation attacks that might inflate the currency without the agreement of all participants.With these changes, illegal data inclusion becomes either impossible, or they can be re-moved without destroying the integrity of the payment system as a whole or for payments that have already happened.Implementing all proposed changes would go beyond the scope of a master thesis. Tier1 of the presented solution has been implemented as a proof-of-concept, though. As a basis, the most popular Bitcoin node software, Bitcoin Core, has been used. Additionally,the ideas behind tier 2 are explained in full, and the potential impact on the system is discussed.v This thesis also covers previous attempts to allow for data removal in similar systems. Their discussion is meant to encourage the adoption of the presented proposal, as it should causeless disruption than some more extreme measurements that might introduce centralization into a system that was meant to run decentralized.

@mastersthesis{seeg2018hardening, abstract = {Bitcoin is a novel peer to peer payment network that was started in 2009 and that has since flourished, gaining acceptance all over the world. By contributing their resourcefulness as network connectivity and computing power, all participants are creating the the Bitcoin network together. Designed as an open source software system, the participation rules for this network are not upheld by humans, but implemented in code, and generally allow anyone to join or leave the network at will.Since the time of Bitcoin’s inception, software errors had to be fixed and network attacks that tried to make parts of the network unavailable have been endured. This thesis provides a solution to the problem of illegal data inclusions within the blockchain, a data structure that cannot easily be changed and that has to be transmitted to participants of Bitcoin.The flaw, i.e. the possibility for any user of Bitcoin to potentially include illegal data and therefore illegalizes the whole blockchain, is not just a software flaw, but can be seen as a structural one if free participation and uncensorable payments are to be provided.The proposal to solve the problem is layered in two tiers. The first tier prevents effective data inclusion for some standard payment functions within Bitcoin. This allows participants to be certain that these transactions do not contain bad data, allowing them to be included into Bitcoin blocks. It also solves the problem of illegal data permanently occupying valuable resources on Bitcoin nodes, as parts of the provably clean transactions are generally held in RAM until they have been spent. The prevention mechanism is essentially a system that provides proof that bitcoins were sent to actual Bitcoin addresses,stopping data inclusion by address fields abusal.The second tier consists of rule changes for Bitcoin. First of all, all non-standard payment transactions are removed from Bitcoin, with the exception of the more computationally flexible and popular P2SH transactions. This limits the avenues for data inclusion in Bitcoin without destroying its flexibility or its smart contract capabilities. Then, P2SHtransactions are redesigned to allow for a more fine grained deletion of their data, so only offending parts could be removed without destroying the integrity of the rest. Finally, a special type of transaction is introduced that allows censorship of just the signature data of a P2SH transaction. This transaction has to include a payment equal to the Bitcoin provided by the previous P2SH transaction, however. By adding this requirement, the system is protected from becoming open to money creation attacks that might inflate the currency without the agreement of all participants.With these changes, illegal data inclusion becomes either impossible, or they can be re-moved without destroying the integrity of the payment system as a whole or for payments that have already happened.Implementing all proposed changes would go beyond the scope of a master thesis. Tier1 of the presented solution has been implemented as a proof-of-concept, though. As a basis, the most popular Bitcoin node software, Bitcoin Core, has been used. Additionally,the ideas behind tier 2 are explained in full, and the potential impact on the system is discussed.v This thesis also covers previous attempts to allow for data removal in similar systems. Their discussion is meant to encourage the adoption of the presented proposal, as it should causeless disruption than some more extreme measurements that might introduce centralization into a system that was meant to run decentralized.}, author = {Seeg, Andreas}, keywords = {journal-and-magazine-articles}, month = {08}, school = {University of Würzburg}, title = {Hardening Bitcoin Against Off-Topic Data Inclusion Attacks}, type = {Master Thesis}, year = 2018 }
DIMAQS - Dynamic Identiﬁcation of Malicious Query Sequences. Jobst, Michael; Thesis; Master Thesis. (2018, June).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Ransomware is an emerging threat which imposed 5 billion USD loss in 2017 and is predicted to hit 11.5 billion in 2019. While initially targeting PC (client) platforms,recently it made a leap to server-side databases – in January 2017 we faced MongoDB Apocalypse attack, followed by other attack waves targeting a wide range of DB technologies such as MongoDB, MySQL, ElasticSearch, Cassandra, Hadoop, and CouchDB. While previous research has developed countermeasures against client-side ransomware (e.g., CryptoDrop and ShieldFS), no attention was given to the problem of server-side ransomware yet.This thesis aims to bridge this gap and presents design and implementation of the tool DIMAQS (Dynamic Identification of Malicious Query Sequences) for MySQL servers that can efficiently and effectively detect server-side ransomware. DIMAQS performs run-time monitoring of incoming queries and pattern matching using a Colored Petri Net (CPN) for attack detection. The system design of DIMAQS exhibits several novel techniques to enable efficient detection of malicious query sequences globally (i.e., without limiting detection to distinct user connections). Evaluation results show high efficiency with no false positives and no false negatives,and a very moderate performance overhead (for a run-time monitoring tool) of under5% in worst case scenarios.

@mastersthesis{jobst2018dimaqs, abstract = {Ransomware is an emerging threat which imposed 5 billion USD loss in 2017 and is predicted to hit 11.5 billion in 2019. While initially targeting PC (client) platforms,recently it made a leap to server-side databases – in January 2017 we faced MongoDB Apocalypse attack, followed by other attack waves targeting a wide range of DB technologies such as MongoDB, MySQL, ElasticSearch, Cassandra, Hadoop, and CouchDB. While previous research has developed countermeasures against client-side ransomware (e.g., CryptoDrop and ShieldFS), no attention was given to the problem of server-side ransomware yet.This thesis aims to bridge this gap and presents design and implementation of the tool DIMAQS (Dynamic Identification of Malicious Query Sequences) for MySQL servers that can efficiently and effectively detect server-side ransomware. DIMAQS performs run-time monitoring of incoming queries and pattern matching using a Colored Petri Net (CPN) for attack detection. The system design of DIMAQS exhibits several novel techniques to enable efficient detection of malicious query sequences globally (i.e., without limiting detection to distinct user connections). Evaluation results show high efficiency with no false positives and no false negatives,and a very moderate performance overhead (for a run-time monitoring tool) of under5% in worst case scenarios.}, author = {Jobst, Michael}, keywords = {ransomware}, month = {06}, publisher = {Master Thesis}, school = {University of Würzburg}, title = {DIMAQS - Dynamic Identiﬁcation of Malicious Query Sequences}, type = {Master Thesis}, year = 2018 }
Design of a Shared Parking System with Special Attention to Security Aspects. Englert, Simon; Thesis; Bachelor Thesis. (2018, August).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
As major cities are growing more and more, the parking situation in those cities is becoming more precarious than ever. Parking demand already exceeds the limited amount of parking spaces available, and thus people searching for a place to park generate a significant part of those cities traffic. This leads to frustration with drivers, more traffic jams, unnecessary use of petrol and further air pollution. The creation of new parking spaces is often either difficult or very expansive, which means existing parking spots have to be used more efficiently. Solutions realizing that idea to try and solve those problems are for the most part called intelligent parking systems. This thesis is focused on Shared Parking, a special kind of intelligent parking system, which opens the possibility of sharing a parking place between different people. This work features the design and implementation of such a system with special attention given to security aspects.

@mastersthesis{2018-BA-Simon-Engelert, abstract = {As major cities are growing more and more, the parking situation in those cities is becoming more precarious than ever. Parking demand already exceeds the limited amount of parking spaces available, and thus people searching for a place to park generate a significant part of those cities traffic. This leads to frustration with drivers, more traffic jams, unnecessary use of petrol and further air pollution. The creation of new parking spaces is often either difficult or very expansive, which means existing parking spots have to be used more efficiently. Solutions realizing that idea to try and solve those problems are for the most part called intelligent parking systems. This thesis is focused on Shared Parking, a special kind of intelligent parking system, which opens the possibility of sharing a parking place between different people. This work features the design and implementation of such a system with special attention given to security aspects.}, author = {Englert, Simon}, keywords = {sss-group}, month = {08}, publisher = {Bachelor Thesis}, title = {Design of a Shared Parking System with Special Attention to Security Aspects}, type = {Bachelor Thesis}, year = 2018 }