Wanted: Research Assistant on the Secure Integration of Cryptographic Software

Featured

Is this for you?

The following code uses the symmetric encryption scheme AES, for instance to store some application data encrypted on disk. The code contains at least four different severe API-usage mistakes that may cause the code to crash or to be insecure:

String secretKey = "x$&78_;:$%$ä0$%=$%4352";
byte[] keyBytes = secretKey.getBytes();
SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES");

Can you spot these mistakes? The more you can find, and the more you enjoy finding them, the more likely the position might be the right one for you. Continue reading

New Course Secure Software Development (SecDev)

Next Semester, the Secure Software Engineering Group will offer a new seminar course “Secure Software Development (SecDev)”. The goal of the course is to provide software developers with the knowledge and first experience they need for developing secure software. Additionally, they will learn how to develop knowledge and share it and how to investigate a research problem on secure software development.The main topics are:

  1. Secure software development life-cycle
  2. Threat modeling
  3. Risk assessment
  4. Security requirements
  5. Security architecture
  6. Secure coding standards
  7. Security code analysis
  8. Security testing
  9. Security code review
  10. Empirical analysis for secure software development

More information can be found on the course website.

 

DroidForce accepted at ARES’14

We are proud that our paper “DROIDFORCE: Enforcing Complex, Data-Centric, System-Wide Policies in Android” has been accepted at this year’s ARES conference. It was a collaborative paper together with Enrico Lovat (TU Munich) from the group of Prof. Dr. Alexander Pretschner. The abstract of the paper:

Smartphones are nowadays used to store and process many kinds of privacy-sensitive data such as contacts, photos, and e-mails. Sensors provide access to the phone’s physical location, and can record audio and video. While this is convenient for many applications, it also makes smartphones a worthwhile target for attackers providing malicious applications. Current approaches to runtime enforcement try to mitigate unauthorized leaks of confidential data. However, they are often capable of enforcing only a very limited set of policies, like preventing data leaks only within single components or monitoring access only to specific sensitive system resources.

In this work, we present DROIDFORCE, an approach for enforcing complex, data-centric, system-wide policies on Android applications. DROIDFORCE allows users to specify fine-grained constraints on how and when which data may be processed on their phones, regardless of whether the malicious behavior is distributed over different colluding components or even applications. Policies can be dynamically exchanged at runtime and no modifications to the operating system nor root access to the phone are required.

DROIDFORCE works purely on the application level. It provides a centralized policy decision point as a dedicated Android application and it instruments a decentralized policy enforcement point into every target application. Analyzing and instrumenting an application takes in total less than a minute and secured applications exhibit no noticeable slowdown in practice. 

The complete paper can be downloaded from here (note: it is only a preprint, the final version will be published at ARES in September).

Easily Extracting (“encrypted”) Messages from Threema, TextSecure, Chadder, WhatsApp, Hangouts and Co.

Max Kolhagen (bachelor student) and Siegfried Rasthofer demonstrate how a malicious application with no permission can be used to read incoming messages from WhatsApps, Hangouts, etc. and even “encrypted” messages sent through Threema, TextSecure or Chadder with ease.

Continue reading

Research Assistants in the Software Lab (Michael Pradel)

We are very happy that in October Michael Pradel will be starting as a new research group leader at EC SPRIDE. Currently he is looking for motivated students interested in joining the Software Lab as research assistants and Ph.D. students.

The Software Lab (SOLA) conducts research at the intersection of software engineering and programming languages, with a focus on tools and techniques for constructing reliable, efficient, and secure software. General areas of research include:

  • Dynamic program analysis
  • Static program analysis
  • Test case generation

More concretely, projects to be worked on may include but are not limited to:

  • Automated analysis of JavaScript-based web applications for security  vulnerabilities
  • Automated analyses that detect malicious behavior in browser extensions
  • Systematic studies of known security problems in web applications

More information is available here.

SOAP 2014: Program is available

The program for the third ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis  (SOAP 2014)  is now available at http://www.sable.mcgill.ca/soap/program.html. The workshop will take place on June 12th, 2014, and is co-located with PLDI in Edinburgh, Scotland.

Besides invited talks by Mayur Naik and Eric Bodden, the workshop features paper presentations on static analyses for software product lines, novel points-to-analyses, slicing approaches, typestate analyses, and taint flow analyses for mobile operating systems. This year’s SOAP workshop is organized by Raul Santelices from the University of Notre Dame and Steven Arzt from the Secure Software Engineering Group.