Seminar: Anwendungssicherheit


Kick-Off Meeting: 29.10.2019 15:00 im IZ252


Das Seminar Anwendungssicherheit richtet sich an Bachelor oder Masterstudierende, die Interesse am Bereich der IT-Sicherheit haben.
Für das Seminar wählen sich die Studierenden nach Möglichkeit selbst jeweils eins der vorgegebenen Themen aus.

Gegeben sind aktuelle Themen in der IT-Sicherheit. Die Studierenden setzen sich mit der Veröffentlichung und dem zugehörigen Themenkomplex eigenverantwortlich auseinander. Als Prüfungsleistung muss in Kürze der Inhalt der gelesenen Papiere, sowie seine Position im aktuellen Stand der Forschung präsentiert werden.

Für die Prüfungsleistung müssen die Studierenden zusätzlich eine schriftliche Ausarbeitung erstellen, die einen kleinen eigenen Beitrag zu diesem Thema enthält. Dies könnte zum Beispiel das Isolieren einer offenen Problemstellung sein, das Definieren neuer Anwendungsmöglichkeiten oder eine kleine Vergleichs- oder Replikationsstudie. Somit sind die Studierenden nicht nur gefordert sich mit dem Paper, selber sondern auch mit den thematisch verwandten Arbeiten und somit dem aktuellen Stand der Wissenschaft auseinander zu setzen. Der eigene Beitrag soll dabei in einem dem Seminar zeitlich angemessenen Rahmen sein. Es ist gewünscht, dass dieser eigene Beitrag gemeinsam mit den Betreuern des Seminars abgeklärt und/oder identifiziert wird. Wir freuen uns darauf euch in eurem Lernprozess im wissenschaftlichen Arbeiten zu betreuen.

Zu den Formalitäten:
Das zu verwendende Template für die schriftliche Ausarbeitung ist basiert auf dem Association for Computing Machinery (ACM) LaTeX Template.
Der erwartete Umfang sind 10 Seiten ohne Literaturverzeichnis sowie eine ca. 20 minütige Präsentation mit anschließenden 10 minuten Q&A.

Da sowohl die Veröffentlichungen als auch die meisten Quellen in den gegebenen Themengebiet in englischer Sprache sind, wird empfohlen sowohl Ausarbeitung, als auch Präsentation in Englisch zu halten.

Das Seminar wird betreut von:


Dozen Prof. Johns
T.A. David Klein


Side-channel attacks on the Web

Over the recent years, mircoarchitectural side-channel attacks such as Meltdown and Spectre gained huge attention. Not as widely known are side-channel attacks in the browser like Cross-Site Search (XS-Search). This paper will describe how these attacks work and which existing and future countermeasures could be used to prevent them.

Secure processing of user-uploaded files

Allowing users to upload files to a web service is an often needed but dangerous use case. Processing of the files on the server-side can lead to full compromise of the server due to attacks like ImageTragick, while serving the files to other users can lead to client-side attacks, for example if the content is interpreted as a JavaScript or PDF file. This paper will summarize all applicable attacks in this scenario and give security recommendations for developers.

Programming Language Security

Modern programming language platforms, like the Java Virtual Machine, have started to be designed with security in mind. They incorporate techniques like sandboxing, access controls to provide a secure execution environment.
The goal of this topic is to research the used security techniques as well as the vulnerabilities in said platforms. Finally the efficacy of the used protection mechanisms shall be evaluated.

Unsafe Deserialization

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or send as part of communications. Many programming languages offer a native capability for serializing objects. These native formats usually offer a lot of features, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution (RCE) attacks.

NODESENTRY, Architecture for Secure Integration of Third-Party Libraries

The popularity of the JavaScript programming language for server-side programming has increased tremendously over the past decade. The Node.js framework is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. One of its strengths is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise an entire server.


Information security is a fast-changing domain. Traditional security mechanisms such as firewalls and access control are circumvented regularly. The amount of significant security incidents grows each year. Deception systems are a perfect match to support perimeter-based technologies in intrusion detection, data breach identification and data leakage prevention. In this work, a framework is proposed generating, deploying, monitoring and maintaining honeytokens on a host system.

Attribute-Based Encryption

Simple public-key encryption is quiet limited when it comes to access control over data. Either a party is in possession of the one and only decryption key and able to recover the plaintext from the ciphertext, or not.
In contrast, Attribute-Based-Encryption (ABE) schemes allow the encryption of content for any key that matches a particular attribute. Especially in times of mobile and IoT devices, it holds great potential for improving the security of shared content.
There are various reasons why this technology has been used very little so far.
The aim of this seminar is to give an abstract overview of ABE and to investigate the limitations of current Android implementations (based on two papers).

Self Sovereign Identity

Self Sovereign Identity (SSI) is a new technology layer that enables individuals and organizations to assert their own identity on the internet.
Using SSI users can transact with ease and efficiency while preserving the privacy of the specific elements of their identity.
The goal is to provide an overview of the SSI concept and to introduce three current approaches.

Certificate Revocation

The Public Key Infrastructure provides secure among parties, who never met before - it allows to sign and validate certificates and distributes public keys. Every now and then, certificates must be revoked for various reasons which means it can no longer be trusted. Ideally, clients should be able to detect that a certificate has been revoked.As in so many things on the Internet, there is no agreement on what is the best solution to do so (or whether to do anything at all).The goal is to write a survey about state of the art solution for certificate revocation (CRL, OSCP). Optionally, it can be extended by an investigation on novel solutions.

Understanding eWhoring

The digital economy is broad and rich with fraudulent offers. The Nigerian Prince Email fraud scheme has by now become a meme and somehow every time one visits certain sites one is the one millionth user, repeatedly. Recently a new fraud emerged targeting humanities baser needs. The paper 'Understanding eWhoring' studies this new fraud and gives inside on what the underlying mechanics and economics are.

Information-Flow Control for Database-backed Applications

Tracking information flow is an important security technique to prevent data leakages be it direct or indirect. However, database backed applications provide quite a challenge here as only securing one part of the setup, program or database, is clearly insufficient. Securing both parts individually might still leave the application vulnerable. The research up until now combining the both parts of the application
into one information flow scheme relies on simplistic models of the database and is thus still left open security relevant leaks.
The paper 'Information-Flow Control for Database-backed Applications' addresses this issue and extends previous work to account for such leaks.

Houdini's Escape: Breaking the Resource Rein of Linux Control Groups

Linux Control Groups have been the driving factor behind the development of container solutions like lxc or docker. While containerization promises security benefits and has been widely adopted, questions about the actual security benefits remain.
The goal of this topic is to provide an overview over the control group mechanism, assess their impact on secure application deployment and to compare it to similar solutions like e.g., Solaris jails.

Eigene Themenvorschläge

Es können gerne auch eigene Themenvorschläge eingebracht werden. Diese müssen allerdings im Vorfeld mit den Betreuern abgestimmt werden.

Diese Liste wird bis zum Beginn des Seminars ergänzt!