Secure Encapsulation of Java Libraries

Status: available

Student: N.N.

Description:

One of the most daunting problems of secure software engineering is that of insecure supply chains: applications tend to include 90% of their code from untrusted third-party libraries, many of which even have known vulnerabilities. Some of these vulnerabilities are due to memory corruption (use-after-free, double-free, buffer overflow), predominantly in native library code compiled from C/C++ (e.g. CVE-2009-1097). It might be possible to block the successful exploitation of such vulnerabilities by sandboxing the library code's execution within a separate memory space. Approaches in this direction include Robusta [1], Arabica [2], RLBox/WebAssembly [3] and others [4,5]. Yet other vulnerabilities, for instance the infamous Log4Shell, would likely still allow remote code execution despite such sandboxing.

For this master's thesis, your main task is to assess the top vulnerability types for the Java programming language and platform, and to determine which of these vulnerability types can be effectively mitigated by purely memory-based library sandboxing. To this end, you should build a prototype that implements such sandboxing, for instance using RLBox/WebAssembly, demonstrate which classes of attacks can and cannot be blocked, and explain in detail why this is the case.
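As an added illustration (not code from this listing, from RLBox, or from any of the cited systems), the following Java sketch models the boundary such a prototype has to enforce: the library runs against a private heap, and every value it hands back is tainted until the host checks it against an invariant. The `Tainted` and `Sandbox` classes, the `upperCase` routine and its off-by-one bug are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Predicate;

// Added toy model (not the thesis's or RLBox's code) of the host/sandbox boundary an
// RLBox-style Java prototype must enforce: the sandbox owns a private heap, the host
// only exchanges copies with it, and every returned value is Tainted until checked.
public class SandboxBoundary {
    /** A value produced by sandboxed code; unusable until the host verifies it. */
    public static final class Tainted<T> {
        private final T raw;
        Tainted(T raw) { this.raw = raw; }
        public T verify(Predicate<T> invariant, String what) {
            if (!invariant.test(raw))
                throw new SecurityException("sandbox returned invalid " + what + ": " + raw);
            return raw;
        }
    }
    /** Stand-in for an isolated native library: it can only touch its own heap. */
    public static final class Sandbox {
        private final byte[] heap = new byte[256];  // never shared with the host
        public Tainted<Integer> load(byte[] input) {
            int n = Math.min(input.length, heap.length);
            System.arraycopy(input, 0, heap, 0, n);
            return new Tainted<>(n);
        }
        /** Constructed buggy routine: reports one byte more than it processed. */
        public Tainted<Integer> upperCase(int len) {
            for (int i = 0; i < len && i < heap.length; i++)
                heap[i] = (byte) Character.toUpperCase((char) heap[i]);
            return new Tainted<>(len + 1);  // off-by-one in the reported length
        }
        public byte[] read(int len) { return Arrays.copyOf(heap, len); }  // copy out, never alias
    }
    public static void main(String[] args) {
        Sandbox sb = new Sandbox();
        byte[] in = "hello".getBytes(StandardCharsets.US_ASCII);  // constructed input
        int len = sb.load(in).verify(n -> n == in.length, "load length");
        try {
            // The host's invariant rejects the corrupt length at the boundary instead of
            // letting it size a copy in host memory; a logic flaw in what the library
            // does with the bytes would pass this check unchanged.
            int outLen = sb.upperCase(len).verify(n -> n >= 0 && n <= len, "result length");
            System.out.println(new String(sb.read(outLen), StandardCharsets.US_ASCII));
        } catch (SecurityException e) {
            System.out.println("blocked at boundary: " + e.getMessage());
        }
    }
}
```

The check on the returned length is the part a memory-isolation prototype can enforce; whether the library's intended behaviour on the input is itself dangerous is exactly the class of question the sandbox leaves open.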

Excellent master's students will go beyond this and suggest additional methods (e.g. based on type systems or static analysis) that may help mitigate even those vulnerability classes that the above sandboxing alone cannot mitigate.

What you bring

• Basic knowledge of IT security, particularly defense in depth

• Some experience with Java and ideally also C/C++

• Willingness to work on both programming-language level and systems-level security


[1] Siefers, Joseph, Gang Tan, and Greg Morrisett. "Robusta: Taming the native beast of the JVM." Proceedings of the 17th ACM conference on Computer and communications security. 2010.

[2] Sun, Mengtao, and Gang Tan. "JVM-portable sandboxing of Java's native libraries." Computer Security – ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings. Springer Berlin Heidelberg, 2012.

[3] Narayan, Shravan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. "Retrofitting fine grain isolation in the Firefox renderer." Proceedings of the 29th USENIX Security Symposium, pp. 699-716. 2020.

[4] Sun, Mengtao, and Gang Tan. "NativeGuard: Protecting Android applications from third-party native libraries." Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks. 2014.

[5] Coker, Z., M. Maass, T. Ding, C. Le Goues, and J. Sunshine. "Evaluating the flexibility of the Java sandbox." Proceedings of the 31st Annual Computer Security Applications Conference, pp. 1-10. December 2015.