Universität Hamburg
SVS - Security in Distributed Systems

Fortgeschrittene IT-Sicherheit - WS 2007-08

18.484   Oberseminar: Fortgeschrittene IT-Sicherheit
Organisers:
Dieter Gollmann (TU), Joachim Posegga
Time:
Tuesday 18:15-20 (2 SWS)
Location:
Room 221, ESA 1 W - Main Campus
Edmund-Siemers-Allee 1, 20146 Hamburg

Driving Directions & Room description

Address of lecture hall ESA 1 W, room 221:
Edmund-Siemers-Allee 1
20146 Hamburg
Nearest train station: S - Dammtor
More information on this lecture hall

For driving directions please consult the map on the right or use the more detailed map of Hamburg.

Schedule

Date | Speaker | Location | Title
23.10.2007 | Dieter Gollmann, Joachim Posegga | ESA 1 W, room 221 | Introduction
30.10.2007 | Christian Beyerlein, Markus Czerwik, Martin Johns | ESA 1 W, room 221 | t.b.a.
30.10.2007 | Christian Beyerlein, Markus Czerwik, Martin Johns | ESA 1 W, room 221 | t.b.a.
06.11.2007 | Björn Engelman | ESA 1 W, room 221 | Dynamic Web Application Analysis for Cross Site Scripting Detection
06.11.2007 | --- | ESA 1 W, room 221 | ---
13.11.2007 | cancelled | ESA 1 W, room 221 | no session
20.11.2007 | Siddharth Somasundaram | ESA 1 W, room 221 | Security in Web 2.0 Framework
20.11.2007 | --- | ESA 1 W, room 221 | ---
27.11.2007 | Frank Ruwolt | ESA 1 W, room 221 | Implementing a Prototype for Secure Session Establishment in P2P-based VoIP Systems
27.11.2007 | Muzliansyah Muzakkir | ESA 1 W, room 221 | Security analysis of Web Services Protocols
04.12.2007 | cancelled | ESA 1 W, room 221 | no session
11.12.2007 | Henrik Niklaus | ESA 1 W, room 221 | Implementing content revocation using microformats and certificate revocation as building blocks
11.12.2007 | --- | ESA 1 W, room 221 | ---
18.12.2007 | Rakesh Prithiviraj | ESA 1 W, room 221 | Analysis of VPN Security
18.12.2007 | --- | ESA 1 W, room 221 | ---
Thursday, 20.12.2007 | Christian Muus | Informatic Campus, D-125 | Simulation of Secure Routing Strategies for Structured Overlay Networks
Thursday, 20.12.2007 | --- | Informatic Campus, D-125 | ---
28.12.2007 and 04.01.2008 | Christmas vacation | | 
08.01.2008 | Konrad Rieck (Fraunhofer Institute FIRST) | ESA 1 W, room 221 | Self-Learning Systems for Detection of Unknown Attacks
15.01.2008 | Antonio Liu | ESA 1 W, room 221 | Grid (In-) Security and its Impact on CERTs
15.01.2008 | --- | ESA 1 W, room 221 | ---
22.01.2008 | Heiko Lüdemann | ESA 1 W, room 221 | Modeling Authorization Policy for Inter-Domain Collaborations
22.01.2008 | --- | ESA 1 W, room 221 | ---
29.01.2008 | Mieke Hildebrand | ESA 1 W, room 221 | t.b.a.
29.01.2008 | Cetin Tongaloglu | ESA 1 W, room 221 | Verification of XACML Authorization Policies Using Formal Methods
05.02.2008 | Steve Kremer (LSV, INRIA) | ESA 1 W, room 221 | t.b.a.
 
Contact

Please contact Henrich C. Pöhls for further questions and for scheduling your talk (--- indicates a free slot).

Abstracts

06.11.2007 - Björn Engelmann - Dynamic Web Application Analysis for Cross Site Scripting Detection

One of the main reasons for the recently observed rapid increase of disclosed XSS vulnerabilities is the classical "misplaced incentives" situation: while the problem is caused by defective web applications, the ones jeopardised are their users. This fact, along with coverage considerations, clearly demands a client-side defense mechanism, be it only as a last line of defense. This talk presents a detector for reflected and stored XSS attacks in dynamic web applications. Besides its application as a server-side anomaly-based intrusion detection sensor, it may form the basis for a pure client-side XSS protection tool.

20.11.2007 - Siddharth Somasundaram - Security in Web 2.0 Framework

Web 2.0 is an abstract term to describe the second generation of Web-based services that use the web as a platform for running Rich Internet Applications (RIA) and other Web 2.0 technologies. The reasons for the shift towards Web 2.0 applications lie in the power of XML. XML is replacing HTML at the presentation layer, while SOAP and XMLHttpRequest are becoming the de facto transport mechanisms in Web 2.0 applications.

The biggest problem facing Web 2.0 applications is security, because the technologies are in their infancy, which is when applications are most vulnerable to all kinds of attacks. This project mainly deals with the security aspect of the most important Web 2.0 technologies by providing a Proof of Concept for the technologies.

27.11.2007 - Frank Ruwolt - Implementing a Prototype for Secure Session Establishment in P2P-based VoIP Systems

Distributed Hash Tables (DHTs) based on P2P systems like Chord provide reliable distributed storage of location data (IP address, port) to facilitate registration and location services of SIP-based VoIP systems. But in the absence of a central authority these DHTs are vulnerable to attacks on integrity and availability. The aim of this diploma thesis is the implementation and evaluation of different approaches to protect a Chord-based DHT against adversaries, with a focus on the protection of availability and integrity. This talk especially presents the basic ideas the diploma thesis is based on.

27.11.2007 - Muzliansyah Muzakkir - Security analysis of Web Services Protocols

Web Services present a substantial change, one that introduces many benefits in terms of productivity and efficiency. But, while they offer appealing advantages, Web Services also present big challenges relating to security, which thus becomes a major concern for Web Services implementation. Thus, the field of Web Services security has evolved rapidly, producing an impressive number of Web Services-based security standards and protocols. The problem arises when some of these protocols present security vulnerabilities such as XML rewriting, replay attacks, etc. Therefore, in order to improve the security design of Web Services protocols, ongoing protocol verification is needed. Some tools have already been developed for this purpose, such as ProVerif and TulaFale. The research on these tools shows that they can be used to verify security properties of security protocols. While ProVerif was developed to verify general security protocols and thus is not intended specifically for analyzing Web Services protocols, TulaFale was developed as an attempt 'to bridge the gap' between Web Services and ProVerif, so that it can be used to analyze security protocols specific to Web Services scenarios. The main objective of this master thesis is to gain experience as well as to investigate the usability and effectiveness of these tools for those purposes. The experience from using these tools shows that the user has to understand the theories behind these tools, such as process calculus, authenticity specification, etc., in order to use them, and this may become a problem for a practical user. In addition to that, it is very important for the user to model the protocol correctly in order to obtain reliable results. However, the results from secrecy and authenticity verification of the targeted protocols show that these tools give positive results and thus they are quite reliable as verification tools.

04.12.2007 - Ayman Negm - JavaScript security model

The aim of this assignment is to describe the status quo of the JavaScript security model. Therefore the JavaScript language structure will be defined. The security model will be analysed. At the same time potential risks, to which the user is exposed during his internet activities, will be described. The abuse of the browser functionality or weaknesses in the security model will be exemplified.
Furthermore, disadvantages of web applications that use JavaScript as a data transfer mechanism will be listed.

18.12.2007 - Rakesh Prithiviraj - Analysis of VPN Security

As companies expand their presence globally, there arises a need for secure electronic communications between geographically dispersed locations. Virtual private networks provide an economically viable option to address this need. Virtual private networks, commonly referred to as VPNs, are not an entirely new concept in networking. As the name suggests, a VPN can be defined as a private network service delivered over a public network infrastructure.
This Studienarbeit aims at understanding the security aspects of different types of VPNs, concentrating more on IPSec VPN. Flaws in the implementation of IPSec VPNs will be analyzed using some available network security tools. Also, a detailed comparison of IPSec VPN with SSL VPN will be done.

20.12.2007 @ Informatic Campus D-125 - Christian Muus - Availability in DHT-based Structured Overlay Networks Considering Chord as an Example

DHT-based Structured Overlay Networks provide a formally defined structure for distributed applications to store and retrieve content. DHTs can offer guarantees on lookup and resilience to nodes failing or leaving the network. However, handling malicious nodes which intentionally disrupt the network is still a research challenge. One particular problem is providing availability of the lookup service in the presence of attackers.
The focus of this thesis is to investigate and develop novel techniques to assure high availability to DHT-based Structured Overlay Networks. A deep analysis of security threats to DHTs results in concrete algorithms that assure a high degree of availability. Since large peer-to-peer networks are very complex systems, simulations are necessary to verify the new algorithms. For this reason an existing simulator has been extended to simulate availability in DHTs. To demonstrate the effectiveness of these techniques Chord is used as example network. The algorithms that have been developed are based on universal techniques that can be applied to other DHTs as well.

08.01.2008 - Konrad Rieck - Self-Learning Systems for Detection of Unknown Attacks

In this talk we present a self-learning method for network intrusion detection capable of detecting unknown attacks. The method proceeds by embedding network payloads into a vector space and applying unsupervised anomaly detection, without a prior learning phase or labeled network data.
The essential idea underlying the approach is the analysis of embedded network payloads using high-dimensional yet simple geometric structures, such as hyperplanes and hyperspheres. Experiments with real-world network traffic for HTTP, FTP and SMTP yield 80% detection of unknown attacks with no false positives.
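The following is an added illustration of the embedding-plus-hypersphere idea described in this abstract; it is not code from the talk or from the speaker's system. It assumes a minimal scheme: each payload is embedded as a normalised byte 3-gram frequency vector, the centroid of all embedded payloads is taken as the centre of a hypersphere, the Euclidean distance from that centre is the anomaly score, and the radius is set from the distribution of the scores themselves (mean plus k standard deviations), so that no labelled data or separate training phase is needed. The HTTP requests are constructed sample input; the anomalous one is an oversized, repetitive parameter unlike any of the normal requests.

```python
"""Toy unsupervised payload anomaly detector (added example, not the talk's code).

Assumed scheme: byte n-gram frequency embedding, hypersphere centred on the
centroid of all payloads, radius derived from the score distribution.
"""
from collections import Counter
from math import sqrt
from typing import Dict, List, Tuple

Vector = Dict[bytes, float]


def embed(payload: bytes, n: int = 3) -> Vector:
    """Map a payload to its normalised n-gram frequency vector (sparse dict)."""
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(counts.values()) or 1  # guard against payloads shorter than n
    return {gram: c / total for gram, c in counts.items()}


def centroid(vectors: List[Vector]) -> Vector:
    """Mean of all vectors: the centre of the hypersphere."""
    acc: Dict[bytes, float] = {}
    for vec in vectors:
        for gram, x in vec.items():
            acc[gram] = acc.get(gram, 0.0) + x
    return {gram: x / len(vectors) for gram, x in acc.items()}


def distance(a: Vector, b: Vector) -> float:
    """Euclidean distance in the sparse n-gram space (missing grams count as 0)."""
    grams = set(a) | set(b)
    return sqrt(sum((a.get(g, 0.0) - b.get(g, 0.0)) ** 2 for g in grams))


def anomaly_scores(payloads: List[bytes], n: int = 3) -> List[float]:
    """Distance of every payload from the centroid of the whole batch."""
    vectors = [embed(p, n) for p in payloads]
    centre = centroid(vectors)
    return [distance(v, centre) for v in vectors]


def detect_anomalies(payloads: List[bytes], n: int = 3, k: float = 2.0) -> Tuple[List[int], float]:
    """Flag payloads lying outside the hypersphere of radius mean + k*std.

    The radius is derived from the unlabelled batch itself, so there is no
    separate learning phase.  Returns (flagged indices, radius).
    """
    scores = anomaly_scores(payloads, n)
    mean = sum(scores) / len(scores)
    std = sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    radius = mean + k * std
    flagged = [i for i, s in enumerate(scores) if s > radius]
    return flagged, radius


# Constructed sample traffic: eight ordinary requests to one site and one
# request carrying an oversized, repetitive parameter (index 8).
_TAIL = b" HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
SAMPLE_PAYLOADS: List[bytes] = [
    b"GET /index.html" + _TAIL,
    b"GET /images/logo.png" + _TAIL,
    b"GET /about.html" + _TAIL,
    b"GET /news/2007/11.html" + _TAIL,
    b"GET /contact.html" + _TAIL,
    b"GET /style/main.css" + _TAIL,
    b"GET /search?q=seminar" + _TAIL,
    b"GET /team.html" + _TAIL,
    b"GET /index.html?id=" + b"A" * 80 + _TAIL,  # constructed anomaly
]
ANOMALY_INDEX = 8


if __name__ == "__main__":
    flagged, radius = detect_anomalies(SAMPLE_PAYLOADS)
    for i, score in enumerate(anomaly_scores(SAMPLE_PAYLOADS)):
        mark = "ANOMALY" if i in flagged else "normal"
        print(f"{i}: distance={score:.3f} {mark}")
    print(f"radius={radius:.3f}, flagged={flagged}")
```

The score of the repetitive request is dominated by a single 3-gram that no normal request contains, which places it far from the centroid, while the ordinary requests differ from each other only in a handful of path grams and stay well inside the radius. The abstract's hyperplane variant would replace the centroid-distance score with a linear separation; the embedding step is the same.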

22.01.2008 - Heiko Lüdemann - Modeling Authorization Policy for Inter-Domain Collaborations

Existing large and autonomous organizations, which already use authorization policies within their local domains, shall be put into the position to establish inter-domain collaborations based on authorization policies. The challenge is on the one hand to provide the necessary access for legitimate users in one domain to selected resources in another domain, and on the other hand not to expose the organizations' internal structure to other domains, because the privacy of each domain should be preserved.
The authorization policies will be expressed in the eXtensible Access Control Markup Language (XACML) combined with Role Based Access Control (RBAC). A custom extension to XACML called "distributed role policy" will be presented. The focus will be on the support for the necessary negotiation between administrators of different, collaborating domains at the Policy Administration Point (PAP). Therefore, a PAP tool was implemented and will be presented using an example from the case study "EuroPol/EuroJust".

29.01.2008 - Cetin Tongaloglu - Verification of XACML Authorization Policies Using Formal Methods

In this Diploma Thesis different approaches for the verification of XACML policies are compared. In particular, the use of Margrave, which is a tool for verification and change-impact analysis, is explained. Margrave uses Multi-terminal Binary Decision Diagrams (MTBDDs) as the main data structure for the representation of policies.

______________________________
Excerpt from the course catalogue (KVV):

Security-relevant topics of computer systems are presented and discussed in depth on the basis of current project, bachelor's and diploma theses and doctoral projects. The seminar is offered jointly by the SVA group of the Technische Universität Hamburg-Harburg and the SVS group of the Department of Informatics of the Universität Hamburg, and is also intended to serve the exchange of current research results between the two groups and to deepen their collaboration.

The Oberseminar is intended to offer students and doctoral candidates specialising in the field of IT security a platform to present and discuss current problems and research work in the area of IT security. Guest lectures are also planned as part of the programme.

Last modified: 30/01/2008 - 19:09:02 by hcp