Talk. For Smarter Authentication, We Might Need to Use the Brain

Abstract. We deserve smarter authentication mechanisms to move on from the current password-dominated scene. With the democratization of neurotechnologies, the usage of brain biometrics in everyday life becomes a tangible possibility. In this talk, we will present research contributions towards practical brainwave-based user authentication, covering both security and usability aspects.

Biography. Patricia Arias-Cabarcos is Professor of IT Security at Paderborn University. Her research interests lie in the area of human-centered security and privacy, with a special focus on usable authentication, behavioral data protection, and data-driven transparency. She publishes in major conferences in the field, such as CCS and USENIX Security, having also served on the technical program committee for this type of venues, including CCS, ESORICS and EuroUSEC.

Twitter: @patriAriasC

Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails All Things IR, Reverse Engineering and Red Teaming

Abstract. IT security incidents occur in many forms and characteristics. The reasons for a successful attack and the resulting incident are also diverse.

Using current examples from the last two years, this presentation explains in a realistic manner how Reverse Engineering, Incident Response/Readiness and various topics from the offensive side interact when dealing with an incident and where are limitations. Furthermore, fundamental obstacles and show-stoppers in the area of analyzing and dealing with IT security incidents are also discussed.

Biography. Jasper Bongertz is a network security expert with a focus on network forensics and incident response. He works as Head of Incident Response at G DATA Advanced Analytics in Bochum.

Talk. DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale

Abstract. Browser extensions have elevated privileges compared to web pages, thus attracting the interest of attackers. While prior work focused on detecting malicious extensions, we consider vulnerable extensions. In fact, a web page under the control of an attacker can send malicious payloads to a vulnerable extension, leading to, e.g., universal XSS.

To uncover such attacks, we built DoubleX, our static analyzer detecting suspicious external data flows between an attacker and security- or privacy-critical APIs in extensions. On the 155k Chrome extensions analyzed, DoubleX has both high precision (89%) and recall (93%). Overall, we could exploit 184 extensions under our threat model (2021), 87% of which were already vulnerable in 2020.

We hope that our work will increase the awareness of well-intentioned developers toward unsafe programming practices leading to security and privacy issues.

Biography. Aurore Fass is a Visiting Assistant Professor of Computer Science at Stanford University (U.S.) and a Research Group Leader at CISPA (Germany). Aurore got her PhD from CISPA & Saarland University in 2021, jointly supervised by Michael Backes and Ben Stock. Her PhD thesis revolves around studying JavaScript security through static analysis.

Aurore's research focuses on Web Security & Privacy, Web Measurements, and Machine Learning. Specifically, she is interested in detecting malware & vulnerabilities on the Web and collecting data to better understand and improve user security and privacy.

Twitter: @AuroreFass

Talk. Secure Cache Designs: The State of the Art and Beyond

Abstract. In recent years, the advent of microarchitectural attacks has brought with it a renewed interest in secure cache designs. The prominent strategies that have emerged in secure cache designs to mitigate side-channel attacks are randomization or partitioning. Following initial designs, other works have shown that even these improved designs are limited in the face of more advanced attacks, starting a theoretical (cache) arms race.

In this talk, we give an overview of traditional and secure caches designs, as well as their respective attacks. We outline the mechanisms of the most prominent designs and discuss their properties. We take a detailed look at which design assumptions were broken by new attacks and where designs may have had flaws to begin with. Finally, we present a new cache design that aims to avoid currently known attacks and sidestep the mechanisms on which they are built.

Biography. Lukas Giner is a PhD Student at Graz University of Technology in the CoreSec group of Daniel Gruss. His research focuses on microarchitectural security, from attacks like Fallout to secure hardware designs like Scattercache.

Twitter: @redrabbyte

Talk. Secure Cache Designs: The State of the Art and Beyond

Abstract. In recent years, the advent of microarchitectural attacks has brought with it a renewed interest in secure cache designs. The prominent strategies that have emerged in secure cache designs to mitigate side-channel attacks are randomization or partitioning. Following initial designs, other works have shown that even these improved designs are limited in the face of more advanced attacks, starting a theoretical (cache) arms race.

In this talk, we give an overview of traditional and secure caches designs, as well as their respective attacks. We outline the mechanisms of the most prominent designs and discuss their properties. We take a detailed look at which design assumptions were broken by new attacks and where designs may have had flaws to begin with. Finally, we present a new cache design that aims to avoid currently known attacks and sidestep the mechanisms on which they are built.

Biography. Daniel Gruss is an Assistant Professor at Graz University of Technology. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.

Twitter: @lavados

Talk. Why TLS is better without STARTTLS

Abstract. TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation added complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.

We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.

Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. Bugs love him and tend to jump at him as soon as he uses software. He/Him.

Twitter: @murgi

Talk. Modern Single Sign-On: On the Security of Single Sign-On Flows in Popups and IFrames

Abstract. Single Sign-On (SSO) protocols like OpenID Connect are cornerstones of user authentication on the web. Until now, HTTP redirects empowered the login flow to transfer authentication tokens from identity providers like Facebook and Google to arbitrary websites. With a rising demand for streamlined login experience, many websites adopted proprietary modern login flows that are executed in popups and iframes. Thereby, in-browser communications gradually replace the redirects, shifting SSO security closely towards the web security's territory. In this talk, we dive into the deployment of modern SSO. We discuss its new attack surface and showcase real-world vulnerabilities on popular sites like AliExpress and NYTimes to demonstrate our research impact. Further, we summarize the lessons learned and security best practices mitigating the issues such that developers can protect their login flows.

Biography. Louis Jannett is a first-year PhD candidate at the Chair for Network and Data Security at Ruhr University Bochum, supervised by Jörg Schwenk. His current research interests are focused on how web security threats enable new attacks on the security and privacy of user authorization and authentication on the web. He especially investigates the prevalence, security, and privacy of popular Single Sign-On protocols like OAuth and OpenID Connect, paying close attention to SDKs and custom implementations in the wild.

Twitter: @iphoneintosh

Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails All Things IR, Reverse Engineering and Red Teaming

Abstract. IT security incidents occur in many forms and characteristics. The reasons for a successful attack and the resulting incident are also diverse.

Using current examples from the last two years, this presentation explains in a realistic manner how Reverse Engineering, Incident Response/Readiness and various topics from the offensive side interact when dealing with an incident and where are limitations. Furthermore, fundamental obstacles and show-stoppers in the area of analyzing and dealing with IT security incidents are also discussed.

Biography. Tatjana Ljucovic is studying for her Master's degree in Internet Security. Over the past 10 years, she has gained profound knowledge in various fields of IT security and has focused in particular on secure network communication.

Talk. Why TLS is better without STARTTLS

Abstract. TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation added complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.

We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.

Biography. Damian Poddebniak is a software engineer and security researcher interested in email security, network protocols, and applied cryptography. He recently defended his dissertation about the limitations of end-to-end encrypted email and now seeks opportunities to sustainably improve the status quo of software security. He believes in free software, open access to knowledge, and a world with net-zero greenhouse gas emissions. Rustacean. He/Him.

Twitter: @dues__

Talk. I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP’s Past, Present and Future?

Abstract. The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. Throughout the last years we have conducted several research projects that deal with topics around the Content Security Policy. In this talk, we want to highlight the lessons learned from those research projects. We show how the seemingly straightforward task of getting your own site CSP-compliant is undermined by third parties. Further, we discuss the insights of our study with 12 developers and the roadblocks that they face, such that you can avoid them when deploying a CSP for your Web applications.

Biography. Sebastian Roth is a third-year PhD student in the Secure Web Applications Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Ben Stock. His research interest is focused on client-side Web Security as well as Usable Security for developers. Thus, he is collaborating with the research group of Katharina Krombholz. Currently, he is specifically looking into the prevalence, the usage, and the usability of security header present in Web applications.

Twitter: @s3br0th

Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails All Things IR, Reverse Engineering and Red Teaming

Abstract. IT security incidents occur in many forms and characteristics. The reasons for a successful attack and the resulting incident are also diverse.

Using current examples from the last two years, this presentation explains in a realistic manner how Reverse Engineering, Incident Response/Readiness and various topics from the offensive side interact when dealing with an incident and where are limitations. Furthermore, fundamental obstacles and show-stoppers in the area of analyzing and dealing with IT security incidents are also discussed.

Biography. Sascha Schimmler works as Head of Offensive Security Services at G DATA Advanced Analytics GmbH, where he is responsible for offensive penetration tests and security audits.

Talk. I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP’s Past, Present and Future?

Abstract. The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. Throughout the last years we have conducted several research projects that deal with topics around the Content Security Policy. In this talk, we want to highlight the lessons learned from those research projects. We show how the seemingly straightforward task of getting your own site CSP-compliant is undermined by third parties. Further, we discuss the insights of our study with 12 developers and the roadblocks that they face, such that you can avoid them when deploying a CSP for your Web applications.

Biography. Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CSS, and NDSS, and Ben also serves on the PC and as track chair of the venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or Ruhrsec.

Twitter: @kcotsneb