Refine
Year
- 2021 (71) (remove)
Publication Type
- Conference Proceeding (71) (remove)
Keywords
Faculty
- Wirtschaft (MSB) (15)
- Physikingenieurwesen (PHY) (10)
- Maschinenbau (MB) (9)
- Chemieingenieurwesen (CIW) (8)
- Elektrotechnik und Informatik (ETI) (7)
- Energie · Gebäude · Umwelt (EGU) (5)
- Gesundheit (MDH) (4)
- Oecotrophologie · Facility Management (OEF) (4)
- Bauingenieurwesen (BAU) (3)
- Sozialwesen (SW) (3)
TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation adds complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.
We perform the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduce EAST, a semi-automatic testing toolkit with more than 100 test cases covering a wide range of variants of STARTTLS stripping, command and response injections, tampering attacks, and UI spoofing attacks for email protocols. Our analysis focuses on the confidentiality and integrity of email submission (email client to SMTP server) and email retrieval (email client to POP3 or IMAP server). While some of our findings are also relevant for email transport (from one SMTP server to another), the security implications in email submission and retrieval are more critical because these connections involve not only individual email messages but also user credentials that allow access to a user's email archive.
We used EAST to analyze 28 email clients and 23 servers. In total, we reported over 40 STARTTLS issues, some of which allow mailbox spoofing, credential stealing, and even the hosting of HTTPS with a cross-protocol attack on IMAP. We conducted an Internet-wide scan for the particularly dangerous command injection attack and found that 320.000 email servers (2% of all email servers) are affected. Surprisingly, several clients were vulnerable to STARTTLS stripping attacks. In total, only 3 out of 28 clients did not show any STARTTLS-specific security issues. Even though the command injection attack received multiple CVEs in the past, EAST detected eight new instances of this problem. In total, only 7 out of 23 tested servers were never affected by this issue. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.
In der Lebensgeschichte spielen bedeutsame Orte eine große Rolle, die auch in der Biografiearbeit zum Tragen kommt. Der Umgebungsradius älterer Menschen, die in Altenpflegeeinrichtungen leben, kann aufgrund gesundheitlicher und finanzieller Begrenzungen sehr eingeschränkt sein, Reisen können unter Umständen unmöglich sein. Aktuelle VR-Tech- nologie mit der Erfahrung der Immersion, des Eintauchens in die virtuelle Umgebung, könnte eine Möglichkeit sein, Orte (wieder) zu erleben, die schwierig oder unmöglich zu besuchen sind, und so in der Biografiearbeit genutzt werden. Die vorliegende Studie weist auf positive Effekte auf das Wohlbefinden hin und ermittelt Gratifikationseffekte der Nut- zung. Dabei sind besonders wichtige Kategorien Genuss, Hilfe beim Wiedererinnern und Erlebnis.
We present our latest results on a refined unimorph deformable mirror which was developed in the frame of the ESA GSTP activity ”Enabling Technologies for Piezo-Based Deformable Mirrors in Active Optics Correction Chains”. The identified baseline concept with the soft piezoceramic material PIC151 successfully sustained all vibration requirements (17.8 gRMS random and 20 g sine) and shock testing (300 g SRS). We cover the mirror design development which reduces the stress in the brittle piezo-ceramic by 90 % compared to the design from
a former GSTP activity. We briefly address the optical characterization of the deformable mirror, namely the achieved Zernike amplitudes as well as the unpowered surface deformation (1.7 µm) and active flattening (12.3 nmRMS). The mirror produces low-order Zernike modes with a stroke of several tens of micrometer over a correction aperture of 50 mm, which makes the mirror a versatile tool for space telescopes.
Process-Driven Applications flourish through the interaction between an executable BPMN process model, human tasks, and external software services. All these components operate on shared process data, so it is even more important to check the correct data flow. However, data flow is in most cases not explicitly defined but hidden in model elements, form declarations, and program code. This paper elaborates on data-flow anomalies acting as indicators for potential errors and how such anomalies can be uncovered despite implicit and hidden data-flow definitions. By considering an integrated view, it goes beyond other approaches which are restricted to separate data-flow analysis of either process model or source code. The main idea is to merge call graphs representing programmed services into a control-flow representation of the process model, to label the resulting graph with associated data operations, and to detect anomalies in that labeled graph using a dedicated data-flow analysis. The applicability of the solution is demonstrated by a prototype designed for the Camunda BPM platform.
A data sender in an IP based network is only capable to efficiently use a network path if it knows the packet size limit of the path, i.e., the Path Maximum Transmission Unit (PMTU). The IETF recently specified a PMTU discovery framework for transport protocols like QUIC. This paper complements this specification by presenting a search algorithm. In addition, it defines several metrics and shows results of analyses for the algorithm with various PMTU candidate sequences using these metrics. We integrated the PMTU discovery with our algorithm into a QUIC simulation model. This paper describes the integration and presents measurements obtained by simulations.