RuhrSec - IT security conference - 2023

Since 2016, RuhrSec has been the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical university feeling, and a highly recommended social event.

Get the latest RuhrSec news on Twitter, LinkedIn, or by subscribing to our newsletter.

Call for Presentations

For RuhrSec 2023, we once again have a call for presentations. Areas of interest include (but are not limited to) Internet/Web Security, Data and Application Security, Network Security, Security in the Internet of Things, and Usable Security.

Please submit your proposal to the RuhrSec program committee by the 8th of January 2023. Your talk must have a length of 40 minutes (+5 minutes Q&A) and it has to be in English. Each speaker gets a free conference ticket, access to the awesome evening event, and a travel reimbursement up to a limit of EUR 1,000 (economy).

How to increase your chances of being accepted?
When submitting your proposal, please include the preliminary structure of your talk and (if possible) a first version of your slides. Also, include videos and/or slides of your previous talks. All additional information will help us to evaluate your proposal. Please contact us if you have any questions.

The call for presentations is closed now.
Thank you to all participants!
The program committee will start to evaluate all submissions now and inform the participants soon.

The program committee consists of: Christian Mainka, Karsten Meyer zu Selhausen, Marcus Niemietz, and Juraj Somorovsky (Hackmanit)


Interested in becoming a RuhrSec sponsor for 2023?
Feel free to contact us to learn more about the RuhrSec sponsorship:
ruhrsec@hackmanit.de

Program

Conference (Ruhr University Bochum): Thursday, 11.05.23

The order of the talks might be adjusted before the conference.

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 09:15 Opening, Marcus Niemietz
09:15 – 10:00 Keynote: TBA, Ross Anderson
10:00 – 10:30 Coffee Break
10:30 – 11:15 SQUIP or Why We Need to Study Processors Like Nature, Stefan Gast and Daniel Gruss
11:15 – 12:00 ShowTime: CPU Timing Attacks With the Human Eye, Antoon Purnal and Marton Bognar
12:00 – 13:30 Lunch
13:30 – 14:15 You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection, Sebastian Roth and Ben Stock
14:15 – 15:00 Server-Side Browsers: Exploring the Web’s Hidden Attack Surface, Marius Musch
15:00 – 15:45 Coffee Break
15:45 – 16:30 TBA, Jörg Schwenk
16:30 – 17:15 TBA, TBA
17:15 – Open End Social Event (incl. Dinner)

Conference (Ruhr University Bochum): Friday, 12.05.23

The order of the talks might be adjusted before the conference.

08:45 – 09:15 Biscuits/Coffee
09:15 – 10:00 Keynote: Towards High-Assurance Cryptographic Software, Karthikeyan Bhargavan
10:00 – 10:30 Coffee Break
10:30 – 11:15 We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers With TLS Session Tickets, Sven Hebrok
11:15 – 12:00 Content-Type: multipart/oracle - Tapping Into Format Oracles in Email End-to-End Encryption, Fabian Ising
12:00 – 13:30 Lunch
13:30 – 14:15 Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask), Soheil Khodayari
14:15 – 15:00 Hand Sanitizers in the Wild: A Large-Scale Study of Custom JavaScript Sanitizer Functions, David Klein
15:00 – 15:30 Coffee Break
15:30 – 16:15 CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks, Daniel Weber and Michael Schwarz
16:15 – 17:00 TBA, Veelasha Moonsamy and Rafa Gálvez
17:00 – 17:15 Closing

Talks

Ross Anderson

(Professor at University of Cambridge) – Keynote

Keynote. TBA

Abstract. TBA

Biography. TBA

@rossjanderson

Karthikeyan Bhargavan

(Inria Paris) – Keynote

Keynote. Towards High-Assurance Cryptographic Software

Abstract. TBA

Biography. Karthikeyan Bhargavan (Karthik) is a directeur de recherche (DR) at Inria in Paris, where he leads a team of researchers working on developing new techniques for programming securely with cryptography. He was born in India and did his undergraduate studies at the Indian Institute of Technology Delhi before pursuing his PhD at the University of Pennsylvania. He then worked at Microsoft Research in Cambridge until 2009 when he moved to France. Karthik’s research lies at the intersection of programming language design, formal verification, and applied cryptography. Most recently, his work has focused on the design and analysis of the TLS 1.3 Internet standard and the design and deployment of the HACL* cryptographic library. Karthik is also a co-founder of Cryspen, a company that specializes in high-assurance cryptographic solutions.

Marton Bognar

(KU Leuven) – Talk

Talk. ShowTime: CPU Timing Attacks With the Human Eye

Abstract. Are precise timers required for successful timing attacks?

While machines are accomplishing feats previously thought to require human-like intellect, this talk exposes how humans can achieve a task previously thought to require machine-like precision: observing phenomena happening at the nanosecond scale.

We propose ShowTime, a general attack framework that exposes arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime converts microarchitectural leakage from one type to another, and amplifies minuscule initial leaks into huge timing differences.

Among other case studies, we explore whether the time difference arising from a single cache hit or miss can be amplified so that even the human eye can see the difference. Overall, our findings imply that CPU timing attacks remain a threat, even in the face of severe timer restrictions.

Biography. Marton is a Ph.D. candidate at the DistriNet research group of KU Leuven under the supervision of Frank Piessens. His interest lies in the intersection of side-channel attacks, hardware design, and formal verification. He is active in both offensive and defensive research.

@martonbognar

Rafa Gálvez

(KU Leuven) – Talk

Talk. TBA

Abstract. TBA

Biography. TBA

Stefan Gast

(Graz University of Technology) – Talk

Talk. SQUIP or Why We Need to Study Processors Like Nature

Abstract. As CPU microarchitectures have been the subject of security research over decades, one might think that we are close to exhaustively understanding them. However, we argue that this is not the case. We overview prior attacks and present a new case study: SQUIP - Scheduler Queue Usage Interference Probing.

We provide background on modern CPU pipelines and out-of-order execution. We discuss scheduler queues and their security implications, showing how scheduler queue contention can leak up to 2.7 MBit/s in a cross-process covert-channel scenario and up to 0.89 MBit/s across virtual machines. Our end-to-end SQUIP attack on AMD CPUs leaks full RSA private keys within 1 hour, across processes and virtual machines. Finally, we outline how to go forward, both on mitigating SQUIP and on microarchitectural security research in general, showing that we need to study microarchitectures like nature.

Biography. Stefan Gast started his PhD in Daniel's research group at Graz University of Technology in August 2021. His research focuses on software-based microarchitectural CPU attacks and defenses. SQUIP was the first publication for his PhD thesis. Stefan is also passionate about teaching and has been doing so for more than 10 years.

@notbobbytables
@notbobbytables@infosec.exchange

Daniel Gruss

(Professor at Graz University of Technology) – Talk

Talk. SQUIP or Why We Need to Study Processors Like Nature

Abstract. As CPU microarchitectures have been the subject of security research over decades, one might think that we are close to exhaustively understanding them. However, we argue that this is not the case. We overview prior attacks and present a new case study: SQUIP - Scheduler Queue Usage Interference Probing.

We provide background on modern CPU pipelines and out-of-order execution. We discuss scheduler queues and their security implications, showing how scheduler queue contention can leak up to 2.7 MBit/s in a cross-process covert-channel scenario and up to 0.89 MBit/s across virtual machines. Our end-to-end SQUIP attack on AMD CPUs leaks full RSA private keys within 1 hour, across processes and virtual machines. Finally, we outline how to go forward, both on mitigating SQUIP and on microarchitectural security research in general, showing that we need to study microarchitectures like nature.

Biography. Daniel Gruss is a Professor at Graz University of Technology. He has a great passion for teaching, which he started doing in 2009. Daniel's research focuses on microarchitectural security, covering both attacks as well as efficient and effective defenses. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues. In 2022, he was awarded an ERC Starting Grant to research how to make security more sustainable.

@lavados
@lavados@infosec.exchange

Sven Hebrok

(Paderborn University) – Talk

Talk. We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers With TLS Session Tickets

Abstract. Session tickets improve the TLS protocol performance and are therefore widely used. For this, the server encrypts secret state and the client stores the ciphertext and state. Anyone able to decrypt this ciphertext can passively decrypt the traffic or actively impersonate the TLS Server on resumption. To estimate the dangers associated with session tickets, we perform the first systematic large-scale analysis of the cryptographic pitfalls of session ticket implementations.

We found significant differences in session ticket implementations and critical security issues in the analyzed servers. Vulnerable servers used weak keys or repeating keystreams in the used tickets. Among others, our analysis revealed a widespread implementation flaw within the Amazon AWS ecosystem that allowed for passive traffic decryption for at least 1.9% of all servers in the Tranco Top 100k servers.

Biography. I am a PhD student at the System Security Chair at Paderborn University, supervised by Juraj Somorovsky. I'm interested in TLS, cryptographic and configuration issues, as well as odd behavior of implementations in edge cases but also network security in general. Along the way, I have gathered some experience in large-scale scanning and working with networks. Occasionally you can also find me in a kayak.

@xoimex

Fabian Ising

(Münster University of Applied Sciences) – Talk

Talk. Content-Type: multipart/oracle - Tapping Into Format Oracles in Email End-to-End Encryption

Abstract. "Email is an offline protocol - oracle attacks against its end-to-end encryption are impractical." - This statement has been made time and time again. However, is it really true? Can we perform “real” oracle attacks, like Vaudenay's CBC Padding Oracle Attack and Bleichenbacher’s infamous Million Message Attack against E2EE email?

We survey how the decryption state of E2EE email can be made visible through the interplay of MIME and IMAP and describe side-channels caused by specific MIME trees. We analyze 19 OpenPGP and S/MIME email clients and exploit side-channels to decrypt S/MIME messages in iOS Mail and Google Workspaces.

Finally, we discuss why exploiting the other clients is impractical and that the unintended countermeasures create dangerous conflicts between usability and security. Finally, we present more rigid countermeasures for developers and the standards.

Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. When not working, he loves hiking and doing jigsaw puzzles.

@murgi
@murgi@infosec.exchange

Soheil Khodayari

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask)

Abstract. XSS has been a major threat to webapps for the past 20 years, often achieved by script injection, and mitigated by disallowing or controlling script execution. But what if the attackers can obtain XSS with script-less markups? DOM Clobbering is a type of namespace collision attack that enables attackers to transform seemingly benign HTML markups to executable code by exploiting the unforeseen interactions between JS code and the runtime environment. Unfortunately, attack techniques, browser behaviours, and code patterns that enable DOM clobbering have not been studied yet, and in this work, we undertake that. Our study shows that DOM clobbering vulnerabilities are ubiquitous, affecting 9.8% of the top 5K sites, and that existing defenses may not completely cut them. This talk covers clobbering techniques, vulnerability detection, prevalence, indicators, and defenses.

Biography. Soheil Khodayari is a PhD candidate at CISPA, Germany, researching in the area of Web security and privacy testing, and Internet measurements. Soheil has presented and published his work at top-tier security venues like IEEE S&P, NDSS, USENIX Security, Stanford SecLunch, and OWASP AppSec. He also serves as the AE PC of security conferences like USENIX and ACSAC. Among his contributions, Soheil proposed the first taxonomy and detection of XS-leaks, one of the first studies about client-side CSRF, the state of the SameSite adoption, and other client-side vulnerabilities.

@Soheil__K

David Klein

(Technische Universität Braunschweig) – Talk

Talk. Hand Sanitizers in the Wild: A Large-Scale Study of Custom JavaScript Sanitizer Functions

Abstract. TBA

Biography. TBA

Veelasha Moonsamy

(Ruhr University Bochum) – Talk

Talk. TBA

Abstract. TBA

Biography. TBA

Marius Musch

(Technische Universität Braunschweig) – Talk

Talk. Server-Side Browsers: Exploring the Web's Hidden Attack Surface

Abstract. As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is getting less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up-to-date.

In this talk, we investigate the phenomenon of what we coin 'server-side browsers' at scale and find that many websites are running severely outdated browsers on the server-side. Remarkably, the majority of them had not been updated for more than 6 months and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.

By attending, you will not only learn about this new and unique attack surface, but also how to discover these vulnerabilities on your own. Moreover, you will learn how defenses against traditional SSRF attacks are insufficient in the context of this attack and what can be done about that.

Biography. Marius Musch is a web security researcher at the Institute for Application Security at Technical University Braunschweig, where he obtained his PhD in November 2022. His research interests focus on the intersection of client-side web attacks and large-scale studies. So far, Marius has given presentations at venues such as Usenix Security, AsiaCCS, OWASP Global AppSec, and the Chaos Communication Congress.

@m4riuz
@m4riuz@infosec.exchange

Antoon Purnal

(KU Leuven) – Talk

Talk. ShowTime: CPU Timing Attacks With the Human Eye

Abstract. Are precise timers required for successful timing attacks?

While machines are accomplishing feats previously thought to require human-like intellect, this talk exposes how humans can achieve a task previously thought to require machine-like precision: observing phenomena happening at the nanosecond scale.

We propose ShowTime, a general attack framework that exposes arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime converts microarchitectural leakage from one type to another, and amplifies minuscule initial leaks into huge timing differences.

Among other case studies, we explore whether the time difference arising from a single cache hit or miss can be amplified so that even the human eye can see the difference. Overall, our findings imply that CPU timing attacks remain a threat, even in the face of severe timer restrictions.

Biography. Antoon (Toon) Purnal is a PhD researcher in the hardware security group at COSIC under the supervision of professor Ingrid Verbauwhede. His research interests include microarchitectural attacks and defences, and efficient and secure cryptographic implementations. Before joining COSIC, he obtained a Master’s degree in Electrical Engineering from KU Leuven.

@purnaltoon
@PurnalToon@infosec.exchange

Sebastian Roth

(CISPA Helmholtz Center for Information Security) – Talk

Talk. You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection

Abstract. Client-side security policies are designed to protect against various types of Web attacks and are communicated to the browser through HTTP response headers. To ensure protection, these headers must be consistently deployed and enforced across all pages within the same origin and for all clients.

In this talk, you will get a refresher on the most important security headers and see examples of seemingly innocuous misconfigurations that can lead to significant threats. Moreover, you’ll learn about how many of the top sites fall victim to such mistakes (based on our scientific measurement studies). Finally, you’ll learn how to avoid them for your own pages, and hear about a new proposal to overcome all these issues.

Biography. I am a last-year PhD Candidate (submitted in January 2023) at Saarland University / CISPA. My research interest is focused on client-side Web security as well as developer-centric usable security and is regularly published at Top Tier academic venues. But I also enjoy giving non-academic talks such that I can stay in contact with folks from the industry. In addition to that I have taught other students as a tutor and teaching assistant in several different lectures. During my leisure time, I regularly organize and participate in CTF (Capture the Flag) competitions together with saarsec.

@s3br0th

Michael Schwarz

(CISPA Helmholtz Center for Information Security) – Talk

Talk. CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Abstract. Over the last two decades, researchers discovered different new attacks on modern CPUs. These attacks include side-channel attacks capable of leaking secret keys or breaking security mitigations. More recently, even more powerful attacks such as Spectre and Meltdown were discovered.

In this talk, we explore approaches that we developed to automatically find such attacks. First, we present Osiris, a tool to automatically find side channels. Second, with Transynther, we find new variants of Meltdown-type attacks. Third, we discuss MSRevelio, a tool searching for undocumented MSRs.

We also present the found attacks ranging from side-channel attacks over KASLR breaks, to Meltdown-type attacks. Along the way, we will elaborate on the challenges and limitations these tools face despite their success and comment on what we believe are the most important lessons we can learn from them.

Biography. Michael Schwarz is Faculty at the CISPA Helmholtz Center for Information Security, Germany, with a focus on microarchitectural attacks and system security. He obtained his PhD in 2019 from TU Graz. He holds two master's degrees in computer science and software engineering. He is a regular speaker at both academic and hacker conferences. He was part of one of the research teams that found Meltdown, Spectre, Fallout, LVI, PLATYPUS, and ZombieLoad. He was part of the team developing the KAISER patch, the basis for the Meltdown countermeasure widely deployed in every modern operating system.

@misc0110

Jörg Schwenk

(Professor at Ruhr University Bochum) – Talk

Talk. TBA

Abstract. TBA

Biography. TBA

@JoergSchwenk

Ben Stock

(Professor at CISPA Helmholtz Center for Information Security) – Talk

Talk. You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection

Abstract. Client-side security policies are designed to protect against various types of Web attacks and are communicated to the browser through HTTP response headers. To ensure protection, these headers must be consistently deployed and enforced across all pages within the same origin and for all clients.

In this talk, you will get a refresher on the most important security headers and see examples of seemingly innocuous misconfigurations that can lead to significant threats. Moreover, you’ll learn about how many of the top sites fall victim to such mistakes (based on our scientific measurement studies). Finally, you’ll learn how to avoid them for your own pages, and hear about a new proposal to overcome all these issues.

Biography. Ben Stock is a tenured faculty member at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CCS, and NDSS, and Ben also serves on the PC and as track chair of the venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or RuhrSec.

@kcotsneb

Daniel Weber

(CISPA Helmholtz Center for Information Security) – Talk

Talk. CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Abstract. Over the last two decades, researchers discovered different new attacks on modern CPUs. These attacks include side-channel attacks capable of leaking secret keys or breaking security mitigations. More recently, even more powerful attacks such as Spectre and Meltdown were discovered.

In this talk, we explore approaches that we developed to automatically find such attacks. First, we present Osiris, a tool to automatically find side channels. Second, with Transynther, we find new variants of Meltdown-type attacks. Third, we discuss MSRevelio, a tool searching for undocumented MSRs.

We also present the found attacks ranging from side-channel attacks over KASLR breaks, to Meltdown-type attacks. Along the way, we will elaborate on the challenges and limitations these tools face despite their success and comment on what we believe are the most important lessons we can learn from them.

Biography. Daniel Weber is a PhD student researching in the field of microarchitectural attacks, such as side-channel and transient-execution attacks. His work focuses on improving the process of finding such attacks via automation. He is part of Michael Schwarz' research group at the CISPA Helmholtz Center for Information Security. Before that, he obtained a Bachelor's degree in Cybersecurity from Saarland University. In his free time, Daniel regularly participates in Capture the Flag competitions as part of the team saarsec.

@weber_daniel

TBA

(TBA) – Talk

Talk. TBA

Abstract. TBA

Biography. TBA

Location

Conference

Address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Google Maps: Link to the conference building

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in the event center ("VZ" or "Veranstaltungszentrum"). You can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building (see More Information tab). Otherwise, you can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking space P9).

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "SkyTrain" from the airport to the train station "Düsseldorf Flughafen Bahnhof". Afterward, you should take a train to "Bochum Hauptbahnhof" (aka. "Bochum Hbf"). From there we recommend taking the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building. Otherwise, you can take a taxi to the conference center (about 10 euros).

Please note:

  • Please pay for the SkyTrain (about 2 euros).
  • To get your train tickets, you can use a ticket machine after the SkyTrain. They allow you to choose English for the UI and you can (often) pay with your credit cards. Please be sure to bring enough cash (euro) with you, because it is possible that the ticket machine does not accept your credit card. The ticket price should be about 2 euros (SkyTrain) and 20 euros (train).
  • Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.

If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en

Accommodation

We do not offer any hotel room reservation service. From our experience, it is cheaper to use a common hotel booking portal instead of booking the rooms directly at the hotel or with a reservation code.

Directly in the heart of Bochum and near the central station, we recommend two hotels:

Ibis renewed its hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is offered by the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous "Bermuda Dreieck", with a lot of good bars and German beer.

Child Care

We want to enable everyone interested in attending RuhrSec to be able to attend it. Therefore, we offer professional child care for our attendees at the conference venue - free of cost! The child care will be provided in cooperation with the ProKids family service of the Ruhr University Bochum. It will take place in a room at the conference venue to ensure you will be close to your child or children. The child care service will provide toys fitting for the age of the registered children.

If you want to register your child or children for the child care service, please submit the registration form (German, English) to Marieke Dohrmann and Karsten Meyer zu Selhausen by the 3rd of April 2023.
If you have any questions, feel free to contact us!

Social Event

Every participant with a valid conference ticket is invited to be our guest at the social event.

Details

Location: TBA

How to get there: TBA. More information is given before the first talk.

Time: After the first conference day (17:00 or later)

Your Contact for RuhrSec

Karsten Meyer zu Selhausen

Responsible for RuhrSec, Senior IT Security Consultant at Hackmanit

In case you have any questions regarding the conference, please contact me:

Email

Hackmanit GmbH

Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Our Phone:

+49 (0)234 / 54459996

Fax:

+49 (0)234 / 54427593

Our Email:

ruhrsec@hackmanit.de

The RuhrSec conference is organized by Hackmanit - Your Specialist for Web Security and Cryptography.

The company Hackmanit was founded by employees of the Ruhr University Bochum, working at the Horst-Görtz Institute for IT Security. Hackmanit has in-depth knowledge about the security of Web applications (e.g., Cross-Site Scripting, UI-Redressing and Clickjacking), Web services, Single Sign-On, SSL/TLS, and applied cryptography. The company mainly focuses on providing services such as practical trainings, high-quality penetration tests, and customized expertise.