RuhrSec Day 2022
This year, RuhrSec becomes RuhrSec Day 2022! Exciting talks, great coffee, and the long-awaited reunion of the RuhrSec community - that's RuhrSec Day 2022.
The safety of our community is our first priority. To protect your health in the best possible way, RuhrSec will take place as a smaller, more exclusive event this year. All information and details about COVID-19 protection measures can be found here.
We can't wait to celebrate the RuhrSec comeback with you and to enjoy an exciting day full of IT security.
Ruhr's IT security conference
Since 2016, RuhrSec has been the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical university feeling, and a highly recommended social event.
Get the latest RuhrSec news on Twitter or by subscribing to our newsletter.
Organizers / Sponsors / Supporters
Program
Conference (Ruhr University Bochum): Thursday, 05.05.22
The order of the talks might be adjusted before the conference.
08:00 – 09:00 | Registration and Biscuits/Coffee
09:00 – 09:15 | Opening, Marcus Niemietz
09:15 – 10:00 | I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP's Past, Present and Future?, Sebastian Roth and Ben Stock
10:00 – 10:30 | Coffee Break
10:30 – 11:15 | Secure Cache Designs: The State of the Art and Beyond, Lukas Giner and Daniel Gruss
11:15 – 12:00 | Why TLS is better without STARTTLS, Damian Poddebniak and Fabian Ising
12:00 – 13:30 | Lunch
13:30 – 14:15 | The Cyber-Triad - TTPs, Nightmares and Epic Fails: All Things IR, Reverse Engineering and Red Teaming, Sascha Schimmler, Jasper Bongertz, and Tatjana Ljukovic
14:15 – 15:00 | DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale, Aurore Fass
15:00 – 15:45 | Coffee Break
15:45 – 16:30 | Modern Single Sign-On: On the Security of Single Sign-On Flows in Popups and IFrames, Louis Jannett
16:30 – 17:15 | For Smarter Authentication, We Might Need to Use the Brain, Patricia Arias-Cabarcos
17:15 – Open End | Social Event (incl. Dinner)
Talks
Patricia Arias-Cabarcos (Paderborn University)
Talk. For Smarter Authentication, We Might Need to Use the Brain
Abstract. We deserve smarter authentication mechanisms to move on from the current password-dominated scene. With the democratization of neurotechnologies, the usage of brain biometrics in everyday life becomes a tangible possibility. In this talk, we will present research contributions towards practical brainwave-based user authentication, covering both security and usability aspects.
Biography. Patricia Arias-Cabarcos is Professor of IT Security at Paderborn University. Her research interests lie in the area of human-centered security and privacy, with a special focus on usable authentication, behavioral data protection, and data-driven transparency. She publishes in major conferences in the field, such as CCS and USENIX Security, and has also served on the technical program committees of such venues, including CCS, ESORICS and EuroUSEC.
Twitter: @patriAriasC
Jasper Bongertz (G DATA Advanced Analytics GmbH)
Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails: All Things IR, Reverse Engineering and Red Teaming
Abstract. IT security incidents occur in many forms and with many characteristics. The reasons for a successful attack and the resulting incident are equally diverse.
Using current examples from the last two years, this presentation explains in a realistic manner how Reverse Engineering, Incident Response/Readiness and various topics from the offensive side interact when dealing with an incident, and where their limitations lie. Furthermore, fundamental obstacles and show-stoppers in analyzing and handling IT security incidents are discussed.
Biography. Jasper Bongertz is a network security expert with a focus on network forensics and incident response. He works as Head of Incident Response at G DATA Advanced Analytics in Bochum.
Aurore Fass (Stanford University)
Talk. DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale
Abstract. Browser extensions have elevated privileges compared to web pages, thus attracting the interest of attackers. While prior work focused on detecting malicious extensions, we consider vulnerable extensions. In fact, a web page under the control of an attacker can send malicious payloads to a vulnerable extension, leading to, e.g., universal XSS.
To uncover such attacks, we built DoubleX, our static analyzer detecting suspicious external data flows between an attacker and security- or privacy-critical APIs in extensions. On the 155k Chrome extensions analyzed, DoubleX has both high precision (89%) and recall (93%). Overall, we could exploit 184 extensions under our threat model (2021), 87% of which were already vulnerable in 2020.
We hope that our work will increase the awareness of well-intentioned developers toward unsafe programming practices leading to security and privacy issues.
Biography. Aurore Fass is a Visiting Assistant Professor of Computer Science at Stanford University (U.S.) and a Research Group Leader at CISPA (Germany). Aurore got her PhD from CISPA & Saarland University in 2021, jointly supervised by Michael Backes and Ben Stock. Her PhD thesis revolves around studying JavaScript security through static analysis.
Aurore's research focuses on Web Security & Privacy, Web Measurements, and Machine Learning. Specifically, she is interested in detecting malware & vulnerabilities on the Web and collecting data to better understand and improve user security and privacy.
Twitter: @AuroreFass
Lukas Giner (Graz University of Technology)
Talk. Secure Cache Designs: The State of the Art and Beyond
Abstract. In recent years, the advent of microarchitectural attacks has brought with it a renewed interest in secure cache designs. The prominent strategies that have emerged in secure cache designs to mitigate side-channel attacks are randomization or partitioning. Following initial designs, other works have shown that even these improved designs are limited in the face of more advanced attacks, starting a theoretical (cache) arms race.
In this talk, we give an overview of traditional and secure cache designs, as well as their respective attacks. We outline the mechanisms of the most prominent designs and discuss their properties. We take a detailed look at which design assumptions were broken by new attacks and where designs may have had flaws to begin with. Finally, we present a new cache design that aims to avoid currently known attacks and sidestep the mechanisms on which they are built.
Biography. Lukas Giner is a PhD Student at Graz University of Technology in the CoreSec group of Daniel Gruss. His research focuses on microarchitectural security, from attacks like Fallout to secure hardware designs like Scattercache.
Twitter: @redrabbyte
Daniel Gruss (Graz University of Technology)
Talk. Secure Cache Designs: The State of the Art and Beyond
Biography. Daniel Gruss is an Assistant Professor at Graz University of Technology. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.
Twitter: @lavados
Fabian Ising (Münster University of Applied Sciences)
Talk. Why TLS is better without STARTTLS
Abstract. TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation adds complexity and has in the past been prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks.
We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS-related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.
Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. Bugs love him and tend to jump at him as soon as he uses software. He/Him.
Twitter: @murgi
Louis Jannett (Ruhr University Bochum)
Talk. Modern Single Sign-On: On the Security of Single Sign-On Flows in Popups and IFrames
Abstract. Single Sign-On (SSO) protocols like OpenID Connect are cornerstones of user authentication on the web. Until now, HTTP redirects have enabled the login flow to transfer authentication tokens from identity providers like Facebook and Google to arbitrary websites. With a rising demand for a streamlined login experience, many websites have adopted proprietary modern login flows that are executed in popups and iframes. Thereby, in-browser communication gradually replaces the redirects, shifting SSO security closer to the territory of web security. In this talk, we dive into the deployment of modern SSO. We discuss its new attack surface and showcase real-world vulnerabilities on popular sites like AliExpress and NYTimes to demonstrate our research impact. Further, we summarize the lessons learned and the security best practices that mitigate these issues, so that developers can protect their login flows.
Biography. Louis Jannett is a first-year PhD candidate at the Chair for Network and Data Security at Ruhr University Bochum, supervised by Jörg Schwenk. His current research interests are focused on how web security threats enable new attacks on the security and privacy of user authorization and authentication on the web. He especially investigates the prevalence, security, and privacy of popular Single Sign-On protocols like OAuth and OpenID Connect, paying close attention to SDKs and custom implementations in the wild.
Twitter: @iphoneintosh
Tatjana Ljukovic (G DATA Advanced Analytics GmbH)
Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails: All Things IR, Reverse Engineering and Red Teaming
Biography. Tatjana Ljukovic is studying for her Master's degree in Internet Security. Over the past 10 years, she has gained profound knowledge in various fields of IT security and has focused in particular on secure network communication.
Damian Poddebniak (Independent Researcher)
Talk. Why TLS is better without STARTTLS
Biography. Damian Poddebniak is a software engineer and security researcher interested in email security, network protocols, and applied cryptography. He recently defended his dissertation about the limitations of end-to-end encrypted email and now seeks opportunities to sustainably improve the status quo of software security. He believes in free software, open access to knowledge, and a world with net-zero greenhouse gas emissions. Rustacean. He/Him.
Twitter: @dues__
Sebastian Roth (CISPA Helmholtz Center for Information Security)
Talk. I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP’s Past, Present and Future?
Abstract. The Web has improved the ways we communicate, collaborate, teach, and entertain ourselves and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of such Cross-Site Scripting attacks. Over the last few years we have conducted several research projects around the Content Security Policy. In this talk, we want to highlight the lessons learned from those projects. We show how the seemingly straightforward task of making your own site CSP-compliant is undermined by third parties. Further, we discuss the insights of our study with 12 developers and the roadblocks they face, so that you can avoid them when deploying a CSP for your Web applications.
Biography. Sebastian Roth is a third-year PhD student in the Secure Web Applications Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Ben Stock. His research interest is focused on client-side Web Security as well as Usable Security for developers. Thus, he collaborates with the research group of Katharina Krombholz. Currently, he is specifically looking into the prevalence, the usage, and the usability of security headers present in Web applications.
Twitter: @s3br0th
Sascha Schimmler (G DATA Advanced Analytics GmbH)
Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails: All Things IR, Reverse Engineering and Red Teaming
Biography. Sascha Schimmler works as Head of Offensive Security Services at G DATA Advanced Analytics GmbH, where he is responsible for offensive penetration tests and security audits.
Ben Stock (CISPA Helmholtz Center for Information Security)
Talk. I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP’s Past, Present and Future?
Biography. Ben Stock is a tenured faculty member at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CCS, and NDSS, and Ben also serves on the PC and as track chair of these venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or RuhrSec.
Twitter: @kcotsneb
Location
Conference
Address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum
Google Maps: Link to the conference building
Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly beneath the cafeteria/Mensa in our event center ("VZ" or "Veranstaltungszentrum"). You can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking spaces P4-P8). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minute walk to the conference building.
Flight and Train Information
The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is by train. Please take the "SkyTrain" from the airport to the train station "Düsseldorf Flughafen Bahnhof". Afterward, take a train to "Bochum Hauptbahnhof" (aka "Bochum Hbf"). From there we recommend taking a taxi to the conference center (about 10 euros). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minute walk to the conference building.
Please note:
- Please pay for the SkyTrain (about 2 euros).
- To get your train tickets, you can use a ticket machine after the SkyTrain. The machines let you choose English for the UI and you can (often) pay with your credit card. Please be sure to bring enough cash (euros) with you, because the ticket machine may not accept your credit card. The ticket price should be about 2 euros (SkyTrain) and 20 euros (train).
- Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.
If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en
Accommodation
We do not offer any hotel room reservation service. From our experience, it is cheaper to use a common hotel booking portal than to book the rooms directly at the hotel or with a reservation code.
Directly in the heart of Bochum and near the central station, we recommend two hotels:
- ibis Styles Bochum Hauptbahnhof Hotel (about 70 euros/night)
- Mercure Hotel Bochum City (about 130 euros/night)
Ibis renovated its hotel a few years ago and it is, depending on your point of view, sufficient for spending a few nights. The Mercure Hotel, formerly a Park Inn hotel, offers more luxury. Both hotels are not far from Bochum's famous "Bermuda Dreieck" - with a lot of good bars and German beer.
More Information
- Anfahrt zum Veranstaltungszentrum (German, pdf)
- 2022 edition: Arrival by plane and train (English, pdf)
- Directions to the conference building (English, pdf)
- Directions to the conference building – details (English, pdf)
Social Event
G DATA, the well-known inventor of the antivirus, is the sponsor of the awesome evening event of RuhrSec.
Every participant with a valid conference ticket is invited to be our guest at the social event. G DATA provides awesome people, tasty food and high-quality drinks. Feel free to join us and to talk with other security-interested people, including the speakers.
Details
Location: G DATA Academy, Königsallee 178, D-44799 Bochum
How to get there: After the conference we will travel to the location together by public transport. More information is given before the first talk.
Directions (German): Download PDF
Time: After the conference day (from 17:00)
Contact us
The RuhrSec conference is organized by Hackmanit.
The company Hackmanit was founded by employees of the Ruhr University Bochum, working at the Horst-Görtz Institute for IT Security. Hackmanit has in-depth knowledge about the security of Web applications (e.g., Cross-Site Scripting, UI-Redressing and Clickjacking), Web services, Single Sign-On, SSL/TLS, and applied cryptography. The company mainly focuses on providing services such as practical trainings, high-quality penetration tests, and customized expertise.
In case you have any questions regarding the conference, please contact us by email.
Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Phone: +49 (0)234 / 54459996
Fax: +49 (0)234 / 54427593