SCG News

An Investigation into Vulnerability Databases

Brian Schweigler. An Investigation into Vulnerability Databases. Bachelor’s thesis, University of Bern, May 2020. Details.


The vulnerability databases’ affiliations and contributions are non-trivial and have not yet been studied in depth. This raises a major concern regarding the correctness of the data used in numerous existing studies. To investigate this problem, we first collected publicly available data from the websites of five major database providers, and then we normalized and correlated the individual entries to track them within different vulnerability databases. 370,298 security reports were extracted, 89% of which were accessible at more than one provider. Surprisingly, many reports were inconsistent with respect to scores and detail descriptions. In the scoring system CVSS version 3.0, for example, we found on average a difference of 0.8 on NVD and Snyk, whereas CVSS version 2.0 remains largely consistent with a difference of only 0.1 between NVD and RAPID7. Furthermore, we discovered that the security-related popularity differs for widely used software, and we show that shared code bases but not library usages can be predicted by aggregating security reports over periods of time. Finally, in visualizations, software release cycles become visible.

Posted by scg at 25 May 2020, 1:47 pm

Investigating Phishing on Demand

Pascal Gerig. Investigating Phishing on Demand. Bachelor’s thesis, University of Bern, May 2020. Details.


Gathering protected information by disguising an attacker as a trustworthy contact in electronic communication, also known as “phishing”, is the primary technique attackers use to steal sensitive data. Phishing websites are mainly static and barely synchronize with the original website. We investigate “Phishing on Demand”, a technique to dynamically replicate any website for phishing purposes. The replicas are available with a few clicks and are always in sync with the original web pages. Our studies with a proof of concept show that this phishing technique is highly effective. For instance, we could successfully run phishing campaigns against major Swiss e-banking websites with two-factor authentication. With this thesis, we show that there is a demand for more robust visual similarity algorithms for websites that are able to track changes applied to original sites such as insertions of banners, rewritings of text, or alterations to graphics.

Posted by scg at 22 May 2020, 9:15 am

Debugging Spark Applications — A Study on Debugging Techniques of Spark Developers

Melike Geçer. Debugging Spark Applications — A Study on Debugging Techniques of Spark Developers. Master’s thesis, University of Bern, May 2020. Details.


Debugging is the main activity to investigate software failures, identify their root causes, and eventually fix them. Debugging distributed systems in particular is burdensome, due to the challenges of managing numerous devices and concurrent operations, detecting the problematic node, lengthy log files, and real-world data being inconsistent. Apache Spark is a distributed framework which is used to run analyses on large-scale data. Debugging Apache Spark applications is difficult as no tool, apart from log files, is available on the market. However, an application may produce a lengthy log file, which is challenging to examine. In this thesis, we aim to investigate various techniques used by developers on a distributed system. In order to achieve that, we interviewed Spark application developers, presented them with buggy applications, and observed their debugging behaviors. We found that most of the time, they formulate hypotheses to allay their suspicions and check the log files as the first thing to do after obtaining an exception message. Afterwards, we use these findings to compose a debugging flow that can help us to understand the way developers debug a project.

Posted by scg at 20 May 2020, 10:15 am

Assessing and Improving the Software Quality of an iOS App Framework

Alain Stulz. Assessing and Improving the Software Quality of an iOS App Framework. Bachelor’s thesis, University of Bern, February 2020. Details.


Creating and maintaining high-quality software is an essential topic in Software Engineering. While mobile application development is a relatively young discipline, it has evolved particularly rapidly. The quick pace requires complex mobile projects to be highly flexible and easily maintainable to stay relevant over time. In this thesis, we examine a framework designed to build iOS applications, which was created in the early 2010s and seems to have fallen behind in some areas. We answer "How can we assess the quality of our system?" by defining our understanding of software quality and subsequently collecting and analyzing data from several sources. In a second step, we address "How to improve the existing system’s quality?" through setting conventions for developers, performing maintenance, and refactoring specific areas in the code. In this context, we also explore different techniques to increase unit test coverage. Furthermore, we analyze the question "What would constitute a better software design?" by selectively rewriting parts of the system’s functionality. Finally, we take a look at the project’s future and recommend that the company should consider a rewrite over refactoring to better cope with changed software requirements and technology.

Posted by scg at 10 February 2020, 6:15 pm

Automatically Retrofitting Cordova Applications for Stricter Content Security Policies

Basil Schöni. Automatically Retrofitting Cordova Applications for Stricter Content Security Policies. Bachelor’s thesis, University of Bern, February 2020. Details.


Content Security Policy (CSP), a feature present in Android’s WebView for many years, has the potential to protect against most types of code injection attacks. However, adoption rates are low and existing policies often apply weak restrictions. We investigate attack methods against WebView and how CSP can prevent them. We found that there is a wide variety of injection vectors, ranging from external sources like NFC communications to internal ones like Android’s inter-app communication. The impacts include breaches of privacy, credential stealing and further spreading of malicious code. CSP mitigates such attacks by blocking various classes of code execution, loading external data, exfiltration of data, UI manipulation and insecure connections. We propose a tool that generates such CSP definitions for pre-existing, real-world Cordova apps. To improve the strictness of these CSP definitions, our tool attempts to rewrite all JavaScript APIs that are restricted by CSP. We evaluated the tool using a large data set and found that we can avoid the "script-src unsafe-inline" definition in 84.28% and the "style-src unsafe-inline" definition in 25.88% of cases. Conversely, for the "script-src unsafe-eval" definition, no application could benefit from our rewriting and for "style-src unsafe-eval", loosening strictness could only be avoided for 2.89% of applications. From this we conclude that while our approach provides significant benefits with respect to the "unsafe-inline" keywords, it is mostly ineffective in rewriting to avoid the "unsafe-eval" keywords. We identified six patterns which limit either the strictness or the non-breaking behavior of our generated policies and two use cases which make the static generation of non-breaking policies completely impossible. We conclude that any static rewriting of JavaScript APIs should apply in-depth flow analysis and be able to deal with special syntaxes introduced by the most common UI frameworks. Approaches like ours that do not apply these measures may work well for smaller applications, but will cause breaking for more complex ones.

Posted by scg at 7 February 2020, 6:15 pm
Last changed by admin on 21 April 2009