CAST/GI Promotionspreis IT-Sicherheit 2022

Date: 6 April 2022
Time: 14:00-18:00
Venue: GI Sicherheit 2022
This event is recognized as continuing education for the purposes of T.I.S.P. recertification.


14:30 Opening
Kristina Hostakova
Foundations of Generalized State Channel Networks

State channels and state channel networks allow users of a (decentralized) payment system to perform complex payment transactions securely and privately while avoiding heavy load on the payment system itself. As I will explain in my talk, the key property of the developed state channel framework is its modularity. It not only helps us to formally define and prove security of our multi-party state channel protocols, but also enables future researchers to build on top of the constructed state channels without understanding all the design details.

Alena Naiakshina
Don't Blame Developers! Examining a Password-Storage Study Conducted with Students, Freelancers, and Company Developers

Software developers' programming security mistakes can threaten millions of end users' data. To deepen insights into developers' security behavior around the security-critical task of user-password storage, Naiakshina et al. conducted laboratory, online, and field studies with computer science students, freelancers, and professional developers from various companies. Besides investigating software developers' processes and security practices while storing user passwords in databases, they tested the usability of different application programming interfaces (APIs) and explored the methodological implications of several security-study parameters, including deception task design, sample variety, and the comparison of qualitative with quantitative research approaches.

15:45 Coffee break
Cristian-Alexandru Staicu
Enhancing the Security and Privacy of Full-Stack JavaScript Web Applications

Traditionally, the server-side code of websites was written in languages such as PHP or Java, for which security issues are well-studied and well-understood. Recently, though, full-stack JavaScript web applications emerged, which have both their client-side and server-side code written in this language. The benefits of such an approach are obvious, e.g., easy knowledge transfer across tiers and uniform usage of tools. However, JavaScript was designed as a scripting language with a thin API, and it was expected to run in a tightly controlled environment, e.g., a sandbox. Taking JavaScript outside of the browser and using it as a general-purpose programming language represents a paradigm shift for the web community, and the npm ecosystem emerged to support this change. Npm is supposedly the largest software repository in the world, with more than a million reusable packages. Nevertheless, the lack of code isolation and code vetting, the various ways to abuse the JavaScript language, and the plethora of reported vulnerabilities and malware incidents make npm a dangerous ecosystem with unique challenges for the security community.

In this talk, we start by analyzing the attack surface of npm, showing that transitive dependencies and the large number of human agents in the ecosystem represent an important risk. We then show that vulnerabilities in npm packages affect real-world websites and that a motivated attacker can craft exploits against production websites by analyzing third-party, open-source code. Finally, we present a technique for boosting the recall of existing security analyses on JavaScript code that heavily relies on third-party libraries. More precisely, our approach extracts taint specifications for npm packages using dynamic analysis and leveraging the test suites available in clients of the target package.

Christian Weinert
Practical Private Set Intersection Protocols for Privacy-Preserving Applications

PSI protocols are cryptographic protocols for private set intersection, an instrumental functionality for a wide range of practical applications. In this talk, we point out the weaknesses of the insecure alternatives that are, unfortunately, still frequently used today, and we present new, particularly efficient PSI protocols for three specific application scenarios: contact discovery in mobile messengers, authentication for Apple AirDrop, and analysis of distributed databases.

17:00 Discussion and vote

Information and contact

If you have any further questions, please contact:

Zoltán Mann, University of Amsterdam
Michael Nüsken, b-it Bonn
Christian Wressnegger, KIT
Andreas Heinemann, CAST e.V.

Simone Zimmermann
Tel.: +49 6151 869-230
Rheinstraße 75
64295 Darmstadt
