RuhrSec 2023

RuhrSec - IT security conference - 2023

Since 2016, RuhrSec is the annual English speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical University feeling, and a highly recommended social event.

Get the latest RuhrSec news on X, Linkedin, or by subscribing to our newsletter.

Curious how the talks given at RuhrSec are selected? Have a look here.

Interested in becoming a RuhrSec sponsor ?
Feel free and contact us to learn more about the RuhrSec sponsorship:
ruhrsec@hackmanit.de

Program

Conference (Ruhr University Bochum): Thursday, 11.05.23

The order of the talks might be adjusted before the conference.

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 09:15 Opening, Marcus Niemietz
09:15 – 10:00 Keynote: Crypto War 3: From the DMA to Chatcontrol, Ross Anderson
10:00 – 10:30 Coffee Break
10:30 – 11:15 SQUIP or Why We Need to Study Processors Like Nature, Stefan Gast and Daniel Gruss
11:15 – 12:00 ShowTime: CPU Timing Attacks With the Human Eye, Antoon Purnal and Marton Bognar
12:00 – 13:30 Lunch
13:30 – 14:15 You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection, Sebastian Roth and Ben Stock
14:15 – 15:00 Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask), Soheil Khodayari
15:00 – 15:45 Coffee Break
15:45 – 16:30 Security of Push Messaging, Jörg Schwenk
16:30 – 17:15 Your Wi-Fi Is the Eavesdropper’s Radar: How to Counter Privacy Threats of Wireless Sensing, Paul Staat
17:15 – Open End Social Event (incl. Dinner)

Conference (Ruhr University Bochum): Friday, 12.05.23

The order of the talks might be adjusted before the conference.

08:45 – 09:15 Biscuits/Coffee
09:15 – 10:00 Keynote: Towards High-Assurance Cryptographic Software, Karthikeyan Bhargavan
10:00 – 10:30 Coffee Break
10:30 – 11:15 We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers With TLS Session Tickets, Sven Hebrok
11:15 – 12:00 Content-Type: multipart/oracle - Tapping Into Format Oracles in Email End-to-End Encryption, Fabian Ising
12:00 – 13:30 Lunch
13:30 – 14:15 Server-Side Browsers: Exploring the Web’s Hidden Attack Surface, Marius Musch
14:15 – 15:00 Hand Sanitizers in the Wild: A Large-Scale Study of Custom JavaScript Sanitizer Functions, David Klein
15:00 – 15:30 Coffee Break
15:30 – 16:15 CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks, Daniel Weber and Michael Schwarz
16:15 – 17:00 Federated Learning and Its Application for a Privacy-Respecting Android Malware Classifier, Veelasha Moonsamy and Rafa Gálvez
17:00 – 17:15 Closing

Talks

Ross Anderson

(Professor at University of Cambridge) – Keynote

Keynote. Crypto War 3: From the DMA to Chatcontrol

Abstract. During the 1980s, the intelligence agencies sought to maintain information dominance via export controls on crypto hardware. During the 1990s, once crypto could be done in software, they tried to mandate government access to keys. During the 2000s, as communications came to rely on the server farms of Hotmail, Gmail and Facebook, they harvested most of their material from there. After Ed Snowden told us this in 2013, people started using end-to-end crypto, so the agencies turned their attention to our phones and other devices. We now face a twin attack. Laws proposed in the EU, the UK and elsewhere will mandate client-side scanning, with the usual rhetoric about terrorists and kids. The second front is the EU's Digital Markets Act which will mandate interoperability. If government access to keys was undesirable because of the complexity it introduced, even if escrow keys were kept perfectly secure, then mandated interoperability is complexity on steroids. A coherent response from academia and civil society must engage many issues, from cryptographic protocol design through antitrust economics to strategies to combat violence against women and girls.

Biography. Ross Anderson is Professor of Security Engineering at the Universities of Cambridge and Edinburgh. He made early contributions to the study of cryptographic protocols, hardware tamper-resistance, security usability and the economics of information security, and has worked with a range of applications from payment networks and electronic health records to vehicle tachographs and prepayment utility meters. He is a Fellow of the Royal Society and the Royal Academy of Engineering, and won the Lovelace Medal, Britain's top award in computing. He is the author of the standard textbook "Security Engineering – A Guide to Building Dependable Distributed Systems".

@rossjanderson

Karthikeyan Bhargavan

(Inria Paris) – Keynote

Keynote. Towards High-Assurance Cryptographic Software

Abstract. The threat of quantum computing, the promise of blockchains, and the need for privacy against pervasive surveillance has ushered in a golden era for the design and deployment of new cryptography, with multiple cryptographic algorithms and protocols being standardised every year. Despite all these exciting developments, however, correctly designing and securely implementing cryptographic systems remains a challenging and error-prone task, even for experts. In this talk, we will see how formal verification and security-oriented programming languages can be used to help build high-assurance cryptographic software. We will discuss their use in the design of recent cryptographic standards like HPKE and MLS, and in the implementation of cryptographic libraries like HACL*. We will conclude by looking at how these methods can be made more widely usable by cryptographic engineers in the future.

Biography. Karthikeyan Bhargavan (Karthik) is a directeur de recherche (DR) at Inria in Paris, where he leads a team of researchers working on developing new techniques for programming securely with cryptography. He was born in India and did his undergraduate studies at the Indian Institute of Technology Delhi before pursuing his PhD at the University of Pennsylvania. He then worked at Microsoft Research in Cambridge until 2009 when he moved to France. Karthik’s research lies at the intersection of programming language design, formal verification, and applied cryptography. Most recently, his work has focused on the design and analysis of the TLS 1.3 Internet standard and the design and deployment of the HACL* cryptographic library. Karthik is also a co-founder of Cryspen, a company that specializes in high-assurance cryptographic solutions.

Marton Bognar

(KU Leuven) – Talk

Talk. ShowTime: CPU Timing Attacks With the Human Eye

Abstract. Are precise timers required for successful timing attacks?

While machines are accomplishing feats previously thought to require human-like intellect, this talk exposes how humans can achieve a task previously thought to require machine-like precision: observing phenomena happening at the nanosecond scale.

We propose ShowTime, a general attack framework that exposes arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime converts microarchitectural leakage from one type to another, and amplifies minuscule initial leaks into huge timing differences.

Among other case studies, we explore whether the time difference arising from a single cache hit or miss can be amplified so that even the human eye can see the difference. Overall, our findings imply that CPU timing attacks remain a threat, even in the face of severe timer restrictions.

Biography. Marton is a Ph.D. candidate at the DistriNet research group of KU Leuven under the supervision of Frank Piessens. His interest lies in the intersection of side-channel attacks, hardware design, and formal verification. He is active in both offensive and defensive research.

@martonbognar

Rafa Gálvez

(KU Leuven) – Talk

Talk. Federated Learning and Its Application for a Privacy-Respecting Android Malware Classifier

Abstract. Federated Learning (FL) has gained popularity as a mechanism to address privacy threats in the training process of a machine learning model. Instead of sharing raw data, users can share locally trained models to stop service providers from getting access to their personal information. FL has been deployed in a popular Android application, the Gboard mobile keyboard, and researchers are investigating new ways to make it more accurate and more secure.

In this talk, we introduce the basics for understanding FL and discuss three important shortcomings of vanilla FL. First, users are required to provide the system with ground truth to enable local training in their own devices. Second, the introduction of malicious users to the federation may break the integrity of the model in order to lower performance. And third, an honest-but-curious service provider may break user privacy by attacking their individual models. Our solution is based on semi-supervised machine learning techniques that, on the one hand, allow users to learn from their unlabeled data, and on the other hand, reduce the attack surface of the federated model.

We demonstrate the feasibility of our design by implementing LiM, an Android malware classifier that is resistant against poisoning and inference attacks while providing state-of-the-art results without user supervision. We end by giving an overview of potential applications of LiM beyond malware detection.

Biography. Rafa Gálvez is a recent PhD graduate from the COSIC research group at KU Leuven working on privacy engineering for AI. He is interested in delivering high-quality, state-of-the-art AI products that respect user privacy and solve real-world needs of as many (vulnerable) people as possible.

@artificialphilosopher@scholar.social

Stefan Gast

(Graz University of Technology) – Talk

Talk. SQUIP or Why We Need to Study Processors Like Nature

Abstract. As CPU microarchitectures have been the subject of security research over decades, one might think that we are close to exhaustively understanding them. However, we argue that this is not the case. We overview prior attacks and present a new case study: SQUIP - Scheduler Queue Usage Interference Probing.

We provide background on modern CPU pipelines and out-of-order execution. We discuss scheduler queues and their security implications, showing how scheduler queue contention can leak up to 2.7 MBit/s in a cross-process covert-channel scenario and up to 0.89 MBit/s across virtual machines. Our end-to-end SQUIP attack on AMD CPUs leaks full RSA private keys within 1 hour, across processes and virtual machines. Finally, we outline how to go forward, both on mitigating SQUIP and on microarchitectural security research in general, showing that we need to study microarchitectures like nature.

Biography. Stefan Gast started his PhD in Daniel's research group at Graz University of Technology in August 2021. His research focuses on software-based microarchitectural CPU attacks and defenses. SQUIP was the first publication for his PhD thesis. Stefan is also passionate about teaching and has been doing so for more than 10 years.

@notbobbytables
@notbobbytables@infosec.exchange

Daniel Gruss

(Professor at Graz University of Technology) – Talk

Talk. SQUIP or Why We Need to Study Processors Like Nature

Abstract. As CPU microarchitectures have been the subject of security research over decades, one might think that we are close to exhaustively understanding them. However, we argue that this is not the case. We overview prior attacks and present a new case study: SQUIP - Scheduler Queue Usage Interference Probing.

We provide background on modern CPU pipelines and out-of-order execution. We discuss scheduler queues and their security implications, showing how scheduler queue contention can leak up to 2.7 MBit/s in a cross-process covert-channel scenario and up to 0.89 MBit/s across virtual machines. Our end-to-end SQUIP attack on AMD CPUs leaks full RSA private keys within 1 hour, across processes and virtual machines. Finally, we outline how to go forward, both on mitigating SQUIP and on microarchitectural security research in general, showing that we need to study microarchitectures like nature.

Biography. Daniel Gruss is a Professor at Graz University of Technology. He has a great passion for teaching, which he started doing in 2009. Daniel's research focuses on microarchitectural security, covering both attacks as well as efficient and effective defenses. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues. In 2022, he was awarded an ERC Starting Grant to research how to make security more sustainable.

@lavados
@lavados@infosec.exchange

Sven Hebrok

(Paderborn University) – Talk

Talk. We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers With TLS Session Tickets

Abstract. Session tickets improve the TLS protocol performance and are therefore widely used. For this, the server encrypts secret state and the client stores the ciphertext and state. Anyone able to decrypt this ciphertext can passively decrypt the traffic or actively impersonate the TLS Server on resumption. To estimate the dangers associated with session tickets, we perform the first systematic large-scale analysis of the cryptographic pitfalls of session ticket implementations.

We found significant differences in session ticket implementations and critical security issues in the analyzed servers. Vulnerable servers used weak keys or repeating keystreams in the used tickets. Among others, our analysis revealed a widespread implementation flaw within the Amazon AWS ecosystem that allowed for passive traffic decryption for at least 1.9% of all servers in the Tranco Top 100k servers.

Biography. I am a PhD student at the System Security Chair at Paderborn University, supervised by Juraj Somorovsky. I'm Interested in TLS, cryptographic and configuration issues, as well as odd behavior of implementations in edge cases but also network security in general. Along the way, I have gathered some experience in large scale scanning and working with networks. Occasionally you can also find me in a Kayak.

@xoimex

Fabian Ising

(Münster University of Applied Sciences) – Talk

Talk. Content-Type: multipart/oracle - Tapping Into Format Oracles in Email End-to-End Encryption

Abstract. "Email is an offline protocol - oracle attacks against its end-to-end encryption are impractical." - This statement has been made time and time again. However, is it really true? Can we perform “real” oracle attacks, like Vaudenay's CBC Padding Oracle Attack and Bleichenbacher’s infamous Million Message Attack against E2EE email?

We survey how the decryption state of E2EE email can be made visible through the interplay of MIME and IMAP and describe side-channels caused by specific MIME trees. We analyze 19 OpenPGP and S/MIME email clients and exploit side-channels to decrypt S/MIME messages in iOS Mail and Google Workspaces.

Finally, we discuss why exploiting the other clients is impractical and that the unintended countermeasures create dangerous conflicts between usability and security. Finally, we present more rigid countermeasures for developers and the standards.

Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. When not working, he loves hiking and doing jigsaw puzzles.

@murgi
@murgi@infosec.exchange

Soheil Khodayari

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask)

Abstract. XSS has been a major threat to webapps for the past 20 years, often achieved by script injection, and mitigated by disallowing or controlling script execution. But what if the attackers can obtain XSS with script-less markups? DOM Clobbering is a type of namespace collision attack that enables attackers to transform seemingly benign HTML markups to executable code by exploiting the unforeseen interactions between JS code and the runtime environment. Unfortunately, attack techniques, browser behaviours, and code patterns that enable DOM clobbering has not been studied yet, and in this work, we undertake that. Our study shows that DOM clobbering vulnerabilities are ubiquitous, affecting 9.8% of the top 5K sites, and that existing defenses may not completely cut them. This talk covers clobbering techniques, vulnerability detection, prevalence, indicators, and defenses.

Biography. Soheil Khodayari is a PhD candidate at CISPA, Germany, researching in the area of Web security and privacy testing, and Internet measurements. Soheil has presented and published his works on top tier security venues like IEEE S&P, NDSS, USENIX Security, Stanford SecLunch, and OWASP AppSec. He also serves as the AE PC of security conferences like USENIX and ACSAC. Among his contributions, Soheil proposed the first taxonomy and detection of XS-leaks, one of the first studies about client-side CSRF, the state of the SameSite adoption, and other client-side vulnerabilities.

@Soheil__K

David Klein

(Technische Universität Braunschweig) – Talk

Talk. Hand Sanitizers in the Wild: A Large-Scale Study of Custom JavaScript Sanitizer Functions

Abstract. Input Sanitization is the main defense strategy against the ever present class of injection vulnerabilities. Needing to process complex input data, such as HTML fragments, makes writing correct sanitizers very demanding. Are developers up to the task?

This is the question we will answer during this talk with a focus on Client-Side Cross-Site Scripting. We will cover how to detect sanitization logic on websites, automatically assess their security and bypass them if they are insecure. With this toolkit we present the results of our study on the state of HTML sanitization on the Web at large. This includes various examples how developers try and fail at writing such routines.

Finally, we will discuss ways to actually protect yourself as a developer as well as a glimpse towards upcoming mitigations built into the browser. Maybe these will finally aid to ridden the web of this vulnerability class.

Biography. David is a PhD candidate at the Institute for Application Security at Technische Universität Braunschweig. His research interests include Web Security with a focus on (breaking) protection mechanisms, as well as approaches on making existing software more privacy preserving. David has presented both at academic venues as well as industrial conferences such as SAP DKOM, IT-DEFENSE and OWASP Global AppSec.

@ncd_leen
@leeN@chaos.social

Veelasha Moonsamy

(Ruhr University Bochum) – Talk

Talk. Federated Learning and Its Application for a Privacy-Respecting Android Malware Classifier

Abstract. Federated Learning (FL) has gained popularity as a mechanism to address privacy threats in the training process of a machine learning model. Instead of sharing raw data, users can share locally trained models to stop service providers from getting access to their personal information. FL has been deployed in a popular Android application, the Gboard mobile keyboard, and researchers are investigating new ways to make it more accurate and more secure.

In this talk, we introduce the basics for understanding FL and discuss three important shortcomings of vanilla FL. First, users are required to provide the system with ground truth to enable local training in their own devices. Second, the introduction of malicious users to the federation may break the integrity of the model in order to lower performance. And third, an honest-but-curious service provider may break user privacy by attacking their individual models. Our solution is based on semi-supervised machine learning techniques that, on the one hand, allow users to learn from their unlabeled data, and on the other hand, reduce the attack surface of the federated model.

We demonstrate the feasibility of our design by implementing LiM, an Android malware classifier that is resistant against poisoning and inference attacks while providing state-of-the-art results without user supervision. We end by giving an overview of potential applications of LiM beyond malware detection.

Biography. Veelasha Moonsamy is a tenured research faculty at the Chair for System Security at Ruhr University Bochum in Germany. She was previously an Assistant Professor in the Digital Security group at Radboud University (The Netherlands) and was briefly affiliated with the Software Systems group at Utrecht University (The Netherlands) in 2018. She received her PhD degree in 2015 from Deakin University (Australia). Her research interests revolves around security and privacy for embedded devices, in particular side- and covert-channel attacks, malware detection, and mitigation of information leaks at application and hardware level.

@veelasha_m
@veelasha@infosec.exchange

Marius Musch

(Technische Universität Braunschweig) – Talk

Talk. Server-Side Browsers: Exploring the Web's Hidden Attack Surface

Abstract. As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is getting less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up-to-date.

In this talk, we investigate the phenomenon of what we coin 'server-side browsers' at scale and find that many websites are running severely outdated browsers on the server-side. Remarkably, the majority of them had not been updated for more than 6 months and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.

By attending, you will not only learn about this new and unique attack surface, but also how to discover these vulnerabilities on your own. Moreover, you will learn how defenses against traditional SSRF attacks are insufficient in the context of this attack and what can be done about that.

Biography. Marius Musch is a web security researcher at the Institute for Application Security at Technical University Braunschweig, where he obtained his PhD in November 2022. His research interests focus on the intersection of client-side web attacks and large-scale studies. So far, Marius has given presentations at venues such as Usenix Security, AsiaCCS, OWASP Global AppSec, and the Chaos Communication Congress.

@m4riuz
@m4riuz@infosec.exchange

Antoon Purnal

(KU Leuven) – Talk

Talk. ShowTime: CPU Timing Attacks With the Human Eye

Abstract. Are precise timers required for successful timing attacks?

While machines are accomplishing feats previously thought to require human-like intellect, this talk exposes how humans can achieve a task previously thought to require machine-like precision: observing phenomena happening at the nanosecond scale.

We propose ShowTime, a general attack framework that exposes arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime converts microarchitectural leakage from one type to another, and amplifies minuscule initial leaks into huge timing differences.

Among other case studies, we explore whether the time difference arising from a single cache hit or miss can be amplified so that even the human eye can see the difference. Overall, our findings imply that CPU timing attacks remain a threat, even in the face of severe timer restrictions.

Biography. Antoon (Toon) Purnal is a PhD researcher in the hardware security group at COSIC under the supervision of professor Ingrid Verbauwhede. His research interests include microarchitectural attacks and defences, and efficient and secure cryptographic implementations. Before joining COSIC, he obtained a Master’s degree in Electrical Engineering from KU Leuven.

@purnaltoon
@PurnalToon@infosec.exchange

Sebastian Roth

(CISPA Helmholtz Center for Information Security) – Talk

Talk. You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection

Abstract. Client-side security policies are designed to protect against various types of Web attacks and are communicated to the browser through HTTP response headers. To ensure protection, these headers must be consistently deployed and enforced across all pages within the same origin and for all clients.

In this talk, you will get a refresher on the most important security headers and see examples of seemingly innocuous misconfigurations that can lead to significant threats. Moreover, you’ll learn about how many of the top sites fall victim to such mistakes (based on our scientific measurement studies). Finally, you’ll learn how to avoid them for your own pages, and hear about a new proposal to overcome all these issues.

Biography. I am a last-year PhD Candidate (submitted in January 2023) at Saarland University / CISPA. My research interest is focused on client-side Web security as well as developer-centric usable security and is regularly published at Top Tier academic venues. But I also enjoy giving non-academic talks such that I can stay in contact with folks from the industry. In addition to that I have taught other students as a tutor and teaching assistant in several different lectures. During my leisure time, I regularly organize and participate in CTF (Capture the Flag) competitions together with saarsec.

@s3br0th

Michael Schwarz

(CISPA Helmholtz Center for Information Security) – Talk

Talk. CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Abstract. Over the last two decades, researchers discovered different new attacks on modern CPUs. These attacks include side-channel attacks capable of leaking secret keys or breaking security mitigations. More recently, even more powerful attacks such as Spectre and Meltdown were discovered.

In this talk, we explore approaches that we developed to automatically find such attacks. First, we present Osiris, a tool to automatically find side channels. Second, with Transynther, we find new variants of Meltdown-type attacks. Third, we discuss MSRevelio, a tool searching for undocumented MSRs.

We also present the found attacks ranging from side-channel attacks over KASLR breaks, to Meltdown-type attacks. Along the way, we will elaborate on the challenges and limitations these tools face despite their success and comment on what we believe are the most important lessons we can learn from them.

Biography. Michael Schwarz is Faculty at the CISPA Helmholtz Center for Information Security, Germany, with a focus on microarchitectural attacks and system security. He obtained his PhD in 2019 from TU Graz. He holds two master's degrees in computer science and software engineering. He is a regular speaker at both academic and hacker conferences. He was part of one of the research teams that found the Meltdown, Spectre, Fallout, LVI, PLATYPUS, and ZombieLoad. He was part of the team developing the KAISER patch, the basis for the widely Meltdown countermeasure deployed in every modern operating system.

@misc0110

Jörg Schwenk

(Professor at Ruhr University Bochum) – Talk

Talk. Security of Push Messaging

Abstract. Push services like SMS, e-mail and instant messaging are one of the foundations of digital communications. However, their security differs significantly. Researchers are enthusiastic about new security paradigms implemented in instant messaging applications like SIGNAL and WhatsApp, and despair about the security of OpenPGP and S/MIME. But is either enthusiasm or despair justified? This talk gives an overview on recent research and novel solutions to these problems.

Biography. Since September 2003, Prof. Dr. Jörg Schwenk heads the Chair for Network and Data Security at the Ruhr University Bochum. The chair belongs to the renowned Horst Görtz Institute for IT Security. Professor Schwenk is an internationally recognized expert in the areas of cryptography and IT security. After completing his doctorate in the Department of Mathematics at the University of Gießen he moved in 1993 to Darmstadt, where he worked at the Telekom Technology center for applied research in the field of IT security. Professor Schwenk is an author of numerous international publications in renowned conferences (for example USENIX Security, ACM CCS), author of textbooks on cryptography and Internet security, and about 60 patents in the field of IT security.

@JoergSchwenk

Paul Staat

(Ruhr University Bochum) – Talk

Talk. Your Wi-Fi Is the Eavesdropper's Radar: How to Counter Privacy Threats of Wireless Sensing

Abstract. Today's ubiquitous wireless devices are attractive targets for passive eavesdroppers to launch reconnaissance attacks. Regardless of cryptographic measures, adversaries can overhear standard communication signals on the physical layer to obtain estimations of wireless propagation channels. These are known to contain information about the surrounding environment, which can be extracted using wireless sensing methods. In this way, adversaries may gain sensitive information which poses a major privacy threat. For instance, it is easily possible to infer human motion, allowing to remotely monitor premises of victims.

In this talk, we first review wireless sensing and its privacy implications. We then introduce IRShield - a countermeasure against adversarial wireless sensing based on recent advances on intelligent reflecting surfaces. IRShield is designed as a plug-and-play privacy-preserving extension to existing wireless networks. We demonstrate that IRShield defeats a state-of-the-art human motion detection attack proposed in the literature.

Biography. Paul Staat received his B.Sc. degree in electrical engineering and the M.Sc. degree in communication systems and networks from the University of Applied Sciences Cologne, Germany, in 2016 and 2018, respectively. He is currently working towards the Ph.D. degree at the Max Planck Institute for Security and Privacy in Bochum. His research interests include physical-layer and wireless security and tamper-resistant hardware.

Ben Stock

(CISPA Helmholtz Center for Information Security) – Talk

Talk. You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection

Abstract. Client-side security policies are designed to protect against various types of Web attacks and are communicated to the browser through HTTP response headers. To ensure protection, these headers must be consistently deployed and enforced across all pages within the same origin and for all clients.

In this talk, you will get a refresher on the most important security headers and see examples of seemingly innocuous misconfigurations that can lead to significant threats. Moreover, you’ll learn about how many of the top sites fall victim to such mistakes (based on our scientific measurement studies). Finally, you’ll learn how to avoid them for your own pages, and hear about a new proposal to overcome all these issues.

Biography. Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CSS, and NDSS, and Ben also serves on the PC and as track chair of the venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or Ruhrsec.

@kcotsneb

Daniel Weber

(CISPA Helmholtz Center for Information Security) – Talk

Talk. CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Abstract. Over the last two decades, researchers discovered different new attacks on modern CPUs. These attacks include side-channel attacks capable of leaking secret keys or breaking security mitigations. More recently, even more powerful attacks such as Spectre and Meltdown were discovered.

In this talk, we explore approaches that we developed to automatically find such attacks. First, we present Osiris, a tool to automatically find side channels. Second, with Transynther, we find new variants of Meltdown-type attacks. Third, we discuss MSRevelio, a tool searching for undocumented MSRs.

We also present the found attacks ranging from side-channel attacks over KASLR breaks, to Meltdown-type attacks. Along the way, we will elaborate on the challenges and limitations these tools face despite their success and comment on what we believe are the most important lessons we can learn from them.

Biography. Daniel Weber is a PhD student researching in the field of microarchitectural attacks, such as side-channel and transient-execution attacks. His work focuses on improving the process of finding such attacks via automation. He is part of Michael Schwarz' research group at the CISPA Helmholtz Center for Information Security. Before that, he obtained a Bachelor's degree in Cybersecurity from Saarland University. In his free time, Daniel regularly participates in Capture the Flag competitions as part of the team saarsec.

@weber_daniel

Location

Conference

Address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Google Maps: Link to the conference building

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in the event center ("VZ" or "Veranstaltungszentrum"). You can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building (see More Information tab). Otherwise, you can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking space P9).

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "SkyTrain" from the airport to the train station "Düsseldorf Flughafen Bahnhof". Afterward, you should take a train to "Bochum Hauptbahnhof" (aka. "Bochum Hbf"). From there we recommend taking the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building. Otherwise, you can take a taxi to the conference center (about 10 euros).

Please notice:

  • Please pay for the SkyTrain (about 2 euros).
  • To get your train tickets, you can use a ticket machine after the SkyTrain. They allow you to choose English for the UI and you can (often) pay with your credit cards. Please be sure to bring enough cash (euro) with you, because it is possible that the ticket machine does not accept your credit card. The ticket price should be about 2 euros (SkyTrain) and 20 euros (train).
  • Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.

If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en

Accommodation

We do not offer any hotel room reservation service. From our experience, it is cheaper to use a common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.

Directly in the heart of Bochum and near the central station, we recommend two hotels:

Ibis has renewed their hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is given in the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous "Bermuda Dreieck" - with a lot of good bars and German beer.

Child Care

We want to enable everyone interested in attending RuhrSec to be able to attend it. Therefore, we offer professional child care for our attendees at the conference venue - free of cost! The child care will be provided in cooperation with the ProKids family service of the Ruhr University Bochum. It will take place in a room at the conference venue to ensure you will be close to your child or children. The child care service will provide toys fitting for the age of the registered children.

If you want to register your child or children for the child care service please submit the registration form (German, English) to Marieke Dohrmann and Karsten Meyer zu Selhausen until the 3rd of April 2023.
If you have any questions feel free to contact us!

Social Event

Every participant with a valid conference ticket is invited to be our guest at the social event.

Details

Location: Q-West Bochum

How to get there: < 5 minutes' walk from the conference building. More information is given before the first talk.

Time: After the first conference day (>=17:00 o'clock)

Your Contact for RuhrSec

Karsten Meyer zu Selhausen

Responsible for RuhrSec, Senior IT Security Consultant at Hackmanit

In case you have any questions regarding the conference, please contact me:

Email

Hackmanit GmbH

Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Our Phone:

+49 (0)234 / 54459996

Fax:

+49 (0)234 / 54427593

Our Email:

ruhrsec@hackmanit.de

The RuhrSec conference is organized by Hackmanit - Your Specialist for Web Security and Cryptography.

The company Hackmanit was founded by employees of the Ruhr University Bochum, working at the Horst-Görtz Institute for IT Security. Hackmanit has in-depth knowledge about the security of Web applications (e.g., Cross-Site Scripting, UI-Redressing and Clickjacking), Web services, Single Sign-On, SSL/TLS, and applied cryptography. The company mainly focuses on providing services such as practical trainings, high-quality penetration tests, and customized expertise.