Open Theses Topics

Thesis LaTeX template

You can download the Master Thesis LaTeX template from here.

Thesis Topics

19 Entries found


20.04.2015

AveDroid: Modeling the Side Effects of the Android SDK

Master Thesis

open


The majority of static analysis tools focus on generating the call graph of the whole program (i.e., both the application and the libraries that the application depends on). A popular compromise to the excessive cost of building a call graph for the whole program is to build an application-only call graph. To achieve this, all the effects of the library code are usually ignored. This results in potential unsoundness in the generated call graph and therefore in analyses that use it.

Ali and Lhoták present and evaluate Averroes, a tool that generates a placeholder library that over-approximates the possible behaviour of an original library. The placeholder library can be constructed quickly without analyzing the whole program. Any existing whole-program call graph construction framework can use the placeholder library as a replacement for the actual libraries to efficiently construct a sound and precise application call graph. A natural extension to Averroes would be applying it to large Java frameworks (e.g., Android, J2EE, Eclipse Plug-ins). In particular, applying Averroes to the Android framework will lead to an easier means of analyzing client apps without the need to analyze the Android SDK. Like a library, the Android SDK satisfies the separate compilation assumption because it is developed without knowledge of the client apps that will be developed for it.

In this thesis, you will extend Averroes to support generating analyzable placeholder libraries for the Android SDK. One major challenge is that in Android, the main entry point to the program resides in the framework rather than in the client app. Additionally, there are lots of callbacks that the Android SDK makes into the client app. Therefore, improving the precision of Averroes for handling library callbacks would be necessary to achieve better results. Finally, Averroes has to somehow reason about the lifecycle of an Android app, similar to what FlowDroid does. Otherwise, unrealizable paths would be present in the analyses used by Averroes, which will render the genereated the placeholder library highly imprecise.

Ideal candidates have experience with static analysis, in particular for Java. Prior knowledge of developing static analyses in Soot and Android app development is helpful but not necessary.

 

Thesis opening as PDF

 

Interested? Please contact Karim Ali at karim.ali@remove-this.cased.de

25.09.2014

Hybrid Data Flow Analysis for Java and Native Code

Bachelor Thesis

open


Many modern Android applications make heavy use of native code written in C or C++ to speed up computation-intensive operations such as scene rendering for games or photo/video processing. While such unmanaged code is helpful or even required for application development, it however also poses new security challenges. State-of-the-art static data flow trackers for Android such as FlowDroid do not support analyzing native code and instead apply heuristics on the effect of calls into such code. Pure native code analysis tools on the other hand usually have no notion of the interaction of the code with an Android app and its environment. This gap in analysis techniques allows malware to hide behavior from automated vetting processes by mixing Android and native code in the same application. Manually linking the data flows from both worlds is a cumbersome undertaking quickly becomes infeasible for larger applications.
In this thesis, you will evaluate existing tools for native code analysis and how they can be integrated into the FlowDroid data flow tracker for Android apps. You will implement a hybrid data flow analysis which can track flows between Android code and native libraries and evaluate it on real-world benign and malware apps.


Requirements: Ideal candidates have a profound understanding of the Java and C/C++ programming languages and experience with good software design and efficient programming. Prior knowledge of static analysis is helpful, but not absolutely necessary. 

 

Ausschreibung als PDF

 

Interested? Please contact Steven Arzt at Steven.Arzt@remove-this.ec-spride.de

16.09.2014

Semantic Data Flow Aggregation for Security

Bachelor Thesis

open


Scanning large Android apps or Java programs for data leaks or other security weaknesses usually results in hundreds, if not thousands, of findings. Existing tools display these findings in isolation even though many of them have a common cause such as a missing validation or a common vulnerable component. Much time can be saved if these findings could be aggregated, pointing the human analyst directly to the common parts of similar findings and proposing possible places for fixes or further inspection.

The problem is aggravated by the presence of false positives. One false positive in heavily re-used code can lead to hundreds of false data flows being reported. In existing tools, all these findings must be checked and marked as false positives in isolation. An ideal tool would however allow the analyst to mark the common mistake as a false positive and then automatically apply this knowledge to filter all consequences of this mistake.

In this thesis, you will explore possibilities to aggregate data flows using exact (common subgraphs) and inexact (machine learning) techniques and raise the level of abstraction in the interaction with static analysis tools. You will apply your techniques to the FlowDroid open-source taint tracking tool and its existing Eclipse plugin for visualization.

Requirements: Ideal candidates have a profound understanding of the Java language and experience with good software design and efficient programming. Prior knowledge of static analysis is helpful, but not absolutely necessary.

Thesis opening as PDF

Interested? Please contact Steven Arzt at Steven.Arzt@remove-this.ec-spride.de

28.02.2014

Security Assurance Cases for Incremental Software Development

Master Thesis

open


Security assurance enables developing coherent objective argumentation that supports claiming that a software product mitigates its security risks. A security assurance case, a semi-formal approach for security assurance, is a collection of security-related claims, arguments, and evidences. Security assurance cases are currently developed separated from the software.

The goal of the proposed thesis is to investigate associating security assurance cases to software code. Questions to investigate may include: How to model evidence collection activities? And what are the impacts of code changes on the security assurance cases of software? The work includes the development of an Eclipse plugin to model security assurance cases and to associate the artifacts of the assurance cases with software code.


Candidates should have good experience with Java and Eclipse and be interested in engineering secure software.


Are you interested? Please contact Lotfi ben Othmane at lotfiben.othmane[at]cased.de


Announcement as PDF

08.10.2013

A code-analysis tool for crypto libraries

Master Thesis

open



Announcement as PDF

06.08.2015

Evaluating the Effectiveness of Android Malware Detection Approaches

Bachelor Thesis

ongoing


Android is the world’s most popular mobile platform hosting various applications for almost every need in different app stores. This makes Android applications a valuable target for attackers. Indeed, there are many different Android malware families that try to financially harm the victim. This is applied by different techniques, such as sending premium-messages or stealing banking credentials. Since the wish of malware authors is to remain undiscovered as long as possible, different obfuscation techniques are applied that makes it very hard to automatically detect malicious applications. At the same time, many thousand applications get uploaded to app stores or sent to Anti-Virus companies every day, all of which need to be analyzed for malicious behavior. A manual analysis process is infeasible, fostering the need for precise and efficient automatic malware detection approaches. Researchers have developed many different techniques, such as machine-learning approaches or behavior analysis, to try to automatically argue about the maliciousness of an application, but an important question is how to evaluate those approaches. A representative evaluation requires experiments on realistic malware samples.

 

The task of the student is to (1) create a benchmark-suite with state-of-the-art malware samples including obfuscated or packed malware (2) evaluate different existing detection approaches on that benchmark-suite (3) develop proposals for possible improvements in the detection approaches.

 

Requirements:

Knowledge about Android is required (implementation of own Android apps would be beneficial), as is the interest in Android security. Reverse engineering skills, especially in the context of Android applications are beneficial.

Thesis can be written in german or english.


Announcement as PDF

16.09.2014

Program Analysis for the MS .net Framework

Bachelor Thesis

ongoing


The Soot framework has become a widely-used platform for static program analysis and dynamic instrumentation over the last decade. Researchers have used Soot for program optimization, compiler construction, and security. The FlowDroid data flow tracker for Android is, among other analysis and enforcement techniques, based on Soot.
At the moment, Soot supports Java class files, Java sources files, and Android dex/apk files. It can read these formats, transfer them to a common intermediate language, allow for changes, and write them back out. The goal of this thesis is to extend Soot with support for Microsoft .net assemblies. As an exemplary use-case, the existing FlowDroid data flow tracker will be applied to a .net application for Windows Phones.
In this thesis, you will explore possibilities to read .net assemblies and represent them in the Jimple intermediate language. You will evaluate which ones of the existing Java / Android analyses can be re-used for Microsoft .net and where substantial differences between the platforms prevent such re-use.
Requirements: Ideal candidates have a profound understanding of the Microsoft .net platform and are interested in programming languages and program analysis. Prior knowledge on static analysis is helpful, but not required.

Thesis opening as PDF

Interested? Please contact Steven Arzt at Steven.Arzt@remove-this.ec-spride.de

08.10.2013

Test-case generation for static code analyses for Android and Java

Bachelor Thesis, Master Thesis

ongoing



Announcement as PDF

16.09.2014

A Callgraph Algorithm for Large Java Libraries

Bachelor Thesis, Master Thesis

open


Java programs are built on large libraries like the JDK and a wealth of third-party components. Android are based on the Android SDK. All these libraries perform a multitude of tasks ranging from simple data type conversions to complex mathematical computations which must all be understood to correctly reason about a program in a static analysis. If we want to find out whether an App spies on us, we need to know its interactions with the libraries it uses.
However, analyzing the library anew together with every target program is forbiddingly inefficient, taking hours of computation time. We thus aim at analyzing libraries as such and computing summaries which can then be used as black boxes when analyzing applications.
One key component in understanding Java code is the callgraph: What code is actually called when e.g. List.add() is invoked? Which implementers of List are possible candidates? Is there an implementation MaliciousList that actually sends all the data it gets to an attacker?
Existing callgraph algorithms are either highly precise and thus often not applicable to libraries where one cannot simply enumerate all possible usage patterns or they are by far too imprecise to yield practically usable results.
In this master thesis, a new callgraph algorithm for analyzing large Java libraries shall be developed. The student will investigate how much precision can still be achieved without having to know the concrete code that will later use the library.

 

Requirements: Ideal candidates should have profound knowledge of and experience in using the Java programming languages. Students will instantly become part of a dynamic and diverse team working on Java and Android analysis, will deepen their understanding of the concepts behind programming languages and will learn a lot about static analysis. Prior knowledge on static analysis is not required.

 

Thesis opening as PDF

 

Interested? Please contact Steven Arzt at Steven.Arzt@remove-this.ec-spride.de

Detecting bad Behavior of Push Advertisements in Android Apps

Bachelor Thesis

finished


„Push advertisements“ in Android apps – They are annoying and sometimes violate the Google Content Policy!

Maybe you also recognized it once you installed a new Android app: After some time you suddenly get different icons on your launcher without installing an app, get popup-messages or notifications containing advertisement. This behavior usually comes from push advertisement frameworks integrated in the app you installed.

From a user’s perspective, to eliminate the advertisement one can only de- install the app. Unfortunately, most of the time it is not possible to determine which app caused the advertisement alerts, such as notifications in the notification bar. This behavior violates the Google policy and has to be mitigated.

The student should design and implement an Android component that informs a mobile device user about apps with bad push advertisements. As a second step the student will design and implement mitigation techniques for bad alerts. The technique will turn non-compliant alerts into compliant ones.

Good programming skills (Java and/or Android) are necessary. Students gain insights in current Android security research and will instantly become part of a research team working on Android application security. The supervision can be in English or German and the thesis may be written in either language.


Announcement as PDF