Talks at the First International Workshop on Agile Secure Software Development (ASSD’15)

Eric | August 31, 2015

The workshop was an opportunity to share experiences and ideas about developing secure software using agile processes. Achim Brucker opened the sessions with an overview of SAP's experience in developing secure software. This was followed by a talk by Jesus Choliz about applying the Microsoft Secure Software Development process to build secure systems for election management. Lotfi ben Othmane continued the discussion by showing how to use the B method to detect inconsistencies in access policies in the context of incremental software development. Next, Prof. Juha Röning gave an overview of his experience in developing security fuzzing software and its use in agile processes. The spin-off that his group created out of the project was recently sold to Synopsys.

In the afternoon session, Hela Oueslati discussed the challenges of developing secure software that she had found in the literature, and evaluated the validity of these challenges with respect to agile values and principles and to security practices. She asked the participants to help her with her future empirical studies on the topic. The presentation was followed by a talk by Clemens Teichmann, who shared his team's experience in evaluating threat modeling methods for their fitness to the agile development processes used by their clients.

Afterwards, the attendees discussed the common point raised in the talks: the fast feedback and adaptation that agile processes offer help development teams reduce the cost of developing secure software. Early identification of vulnerabilities allows them to be fixed quickly (it is easier to fix new code). In addition, development teams can develop, early in a project, secure programming APIs or techniques that avoid, in future development, the vulnerabilities they have encountered.

Cross-posted from SEEBlog

Categories
Research

Karsten Nohl at ESSOS

Eric | August 25, 2015

I was just able to confirm Karsten Nohl as an invited speaker for ESSOS 2016. Thanks a lot for accepting! We hope to see you all there. The submission deadline is just about a month away.

Cross-posted from SEEBlog

Categories
Research

SSE Group is presenting at Black Hat Europe 2015

Eric | August 20, 2015

At this year's Black Hat Europe conference, we will talk about our Backend-as-a-Service investigation, which we published a couple of months ago.

The talk will contain a full disclosure about our investigation including details about our automatic “exploit generator”.

Title of the talk: “(IN-)SECURITY OF BACKEND-AS-A-SERVICE PROVIDERS”

If you are around, feel free to join our talk and also to meet at the conference.

Cross-posted from SEEBlog

Categories
Research

Ministers Wanka and De Maiziere visit Darmstadt’s “Security Valley”

Eric | August 13, 2015

Yesterday our center was visited by the two federal ministers Wanka (minister of education and research) and De Maiziere (minister of the interior). They spent a few hours discussing IT-security research in Darmstadt's "security valley", as they coined it, and toured a range of exhibits we had prepared on the security of the Internet of Things, mobile security, encryption, and more. More information is available in German here.

Cross-posted from SEEBlog

Categories
Research

Paper accepted at OOPSLA Onward!

Eric | August 13, 2015

Our paper on "Secure Integration of Cryptographic Software" has been accepted at OOPSLA Onward!. In this paper we propose a new approach for implementing software that uses cryptographic algorithms in a way that is secure by design. With our approach, developers can avoid the pitfalls of complex crypto APIs without having to study crypto theory and implementations first. Instead, they select their high-level goals (e.g., "encrypt a file on disk" or "transmit data over a secure channel") and let the OpenCCE expert system create implementation blueprints for them. After they have integrated the blueprints into their applications, automatically derived static analyses make sure that no new issues have accidentally been introduced. This research is performed within the CROSSING CRC.

Cross-posted from SEEBlog

Categories
Research

Responsible Disclosure: JFrog fixes vulnerability in Artifactory

Eric | August 12, 2015

We have recently discovered and reported a security vulnerability in JFrog's Artifactory Pro software. Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could gain not only credentials for accessing the repository but, under some circumstances, credentials for the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.

Artifacts are usually not deployed to Artifactory manually but by automated build processes. With JFrog's official plugin for Atlassian's Bamboo continuous integration server, the developer can configure the deployment as an after-build task to be performed once a build has succeeded. For this to work, one needs to specify the credentials of an account with "deploy" privileges on Artifactory. This combination of user name and password was, however, stored in plain text in the configuration of the build job. Every user with the privilege to configure the build job could obtain it by simply inspecting the HTML source of the build job's configuration web page. Since a build job is usually not managed by one person alone but, e.g., by a build maintenance / system integration team, this vulnerability allowed everyone in the team to view the Artifactory credentials that had been entered. If the person who created the job put in their personal credentials, their colleagues could then impersonate them against Artifactory.

Even worse, these hijacked accounts might not have been restricted to Artifactory at all. Artifactory can be configured to use a central directory such as a Jira user directory or an LDAP server for authentication. Organizations use this feature to integrate Artifactory into the organization-wide single-sign-on (SSO) system. This, however, means that the credentials at risk were SSO credentials. Attackers could then impersonate the user not only against Artifactory but against any other system or service in the organization. They could, for instance, log into machines, the internal wiki, or other resources.

JFrog has fixed the issue in Version 1.8.1 of the plugin.
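One way to audit a build-job configuration page for the defect described above, as an added example that is not code from this post, JFrog or Atlassian: the scanner flags form fields that carry a secret and whose value is echoed back into the HTML, and the sample pages it runs on are constructed to resemble the weak and the hardened form rather than the real plugin's markup.

```python
# Added example (not code from the post, JFrog or Atlassian): scan the HTML of a
# build-job configuration page for secret form fields whose value is echoed back.
from html.parser import HTMLParser

# Hypothetical name fragments that usually mark a secret-bearing field.
SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")

class SecretFieldScanner(HTMLParser):
    """Collects <input> elements that expose a secret through their value attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name") or a.get("id") or ""
        value = a.get("value") or ""
        looks_secret = (a.get("type") or "").lower() == "password" or any(
            h in name.lower() for h in SECRET_HINTS
        )
        # Only a real value is a finding; an empty field or an all-asterisk
        # placeholder is what a hardened page should send to the browser.
        if looks_secret and value and set(value) != {"*"}:
            self.findings.append((name, value))

def find_exposed_secrets(html):
    """Return (field name, value) pairs for every secret rendered into the page."""
    scanner = SecretFieldScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed samples: the weak page echoes the deploy password in plain text,
# the hardened page leaves the field empty and masks a stored token.
WEAK_PAGE = """<form id="artifactory-deploy">
  <input type="text" name="artifactory.username" value="build-deployer">
  <input type="password" name="artifactory.password" value="constructed-Hunter2">
</form>"""

HARDENED_PAGE = """<form id="artifactory-deploy">
  <input type="text" name="artifactory.username" value="build-deployer">
  <input type="password" name="artifactory.password" value="">
  <input type="text" name="artifactory.token" value="********">
</form>"""

if __name__ == "__main__":
    for label, page in (("weak", WEAK_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, find_exposed_secrets(page))
```

Run against a saved copy of a job's configuration page, the only hit on the weak sample is the echoed deploy password; the hardened sample produces none.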

Cross-posted from SEEBlog

Categories
Research

[Bachelor-Thesis] Evaluating the Effectiveness of Android Malware Detection Approaches

Eric | August 6, 2015

We are looking for an interested student who wants to write a bachelor's thesis at the Secure Software Engineering Group on Android security.

Title: Evaluating the Effectiveness of Android Malware Detection Approaches

Android is the world's most popular mobile platform, hosting applications for almost every need in various app stores. This makes Android applications a valuable target for attackers. Indeed, there are many different Android malware families that try to harm the victim financially, using techniques such as sending premium SMS messages or stealing banking credentials. Since malware authors wish to remain undiscovered as long as possible, they apply different obfuscation techniques that make it very hard to automatically detect malicious applications.

At the same time, many thousands of applications are uploaded to app stores or sent to anti-virus companies every day, all of which need to be analyzed for malicious behavior. A manual analysis process is infeasible, fostering the need for precise and efficient automatic malware detection approaches. Researchers have developed many different techniques, such as machine-learning approaches or behavior analysis, to automatically reason about the maliciousness of an application, but an important question is how to evaluate those approaches. A representative evaluation requires experiments on realistic malware samples.

The task of the student is to (1) create a benchmark suite with state-of-the-art malware samples, including obfuscated or packed malware, (2) evaluate different existing detection approaches on that benchmark suite, and (3) develop proposals for possible improvements to the detection approaches.

Requirements:

Knowledge of Android is required (having implemented your own Android apps would be beneficial), as is an interest in Android security. Reverse engineering skills, especially in the context of Android applications, are beneficial.

The thesis can be written in German or English.

Are you interested? Please contact Siegfried Rasthofer at siegfried.rasthofer@cased.de / +49 6151 16-75425

Cross-posted from SEEBlog

Categories
Research

Toward a Just-in-Time Static Analysis

Eric | August 3, 2015

To facilitate early dissemination, we are today making available the following technical report. It outlines our vision of how static security code-analysis tools can be made more interactive by allowing for just-in-time interactions. This is a collaboration with Ben Livshits from MSR.

Toward a Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Eric Bodden, Benjamin Livshits), Technical report TUD-CS-2015-1167, EC SPRIDE, 2015.

Cross-posted from SEEBlog

Categories
Research

Asking for 10 minutes of your time on Java/crypto research

Eric | August 3, 2015

We are a group of researchers from TU Darmstadt, Germany, who work on creating tools to help developers use cryptography in their Java applications. 

We are looking for developers who use Java cryptography APIs to answer a short 10-minute survey. 

Our goal is to understand what cryptography tasks are usually performed, any difficulties developers face, and what would help Java developers use cryptography more correctly/efficiently.

Your participation is voluntary and completely anonymous. To participate, please fill in the survey at the following link: http://tiny.cc/java_crypto_survey
Thanks!

Please feel free to forward this invitation to any Java developers you might know.

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden

Cross-posted from SEEBlog

Categories
Research