State channels and state channel networks allow users of a (decentralized) payment system to perform complex payment transactions securely and privately while avoiding heavy load on the payment system itself. As I will explain in my talk, the key property of the developed state channel framework is its modularity. It not only helps us to formally define and prove security of our multi-party state channel protocols, but also enables future researchers to build on top of the constructed state channels without understanding all the design details.

Software developers' programming security mistakes can threaten millions of end users' data. To deepen insights into developers' security behavior around the security-critical task of user-password storage, Naiakshina et al. conducted laboratory, online, and field studies with computer science students, freelancers, and professional developers from various companies. Besides investigating software developers' processes and security practices while storing user passwords in databases, they tested the usability of different application programming interfaces (APIs) and explored the methodological implications of several security-study parameters, including deception task design, sample variety, and the comparison of qualitative with quantitative research approaches.

Traditionally, the server-side code of websites was written in languages such as PHP or Java for which security issues are well-studied and well-understood. Recently, though, full-stack JavaScript web applications emerged, which have both their client-side and server-side code written in this language. The benefits of such an approach are obvious, e.g., easy knowledge transfer across tiers and uniform usage of tools. However, JavaScript was designed as a scripting language with a thin API and it was expected to run in a tightly-controlled environment, e.g., a sandbox. Taking JavaScript outside of the browser and using it as a general purpose programming language represents a paradigm shift for the web community and, thus, the npm ecosystem emerged to support this change. Npm is supposedly the largest software repository in the world with more than a million reusable packages. Nevertheless, the lack of code isolation and code vetting, the various ways to abuse the JavaScript language, and the plethora of reported vulnerabilities and malware incidents make npm a dangerous ecosystem with unique challenges for the security community.

In this talk, we start by analyzing the attack surface of npm, showing that transitive dependencies and the large number of human agents in the ecosystem represent an important risk. We then continue with showing that vulnerabilities in npm packages affect real-world websites and that a motivated attacker can craft exploits against production websites by analyzing third-party, open-source code. Finally, we present a technique for boosting the recall of existing security analyses on JavaScript code that heavily relies on third-party libraries. More precisely, our approach extracts taint specifications for npm packages by using dynamic analysis and by leveraging test suites available in clients of the target package.

PSI Protokolle sind kryptographische Protokolle zur privaten Schnittmengenberechnung, einer instrumentalen Funktionalität für eine Vielzahl von praktischen Anwendungen. In diesem Vortrag zeigen wir die Schwachstellen von derzeit leider oft genutzten unsicheren Alternativen auf und präsentieren neue, besonders effiziente PSI Protokolle für drei spezifische Anwendungsszenarien: Kontaktermittlung in mobilen Messengern, Authentifizierung für Apple AirDrop und Analyse von verteilten Datenbanken.