Ultra-Large Scale Systems Security


The ULS3 project aims to develop and evaluate security mechanisms for highly scalable REST-based systems. Two key factors receive particular attention (project priorities): (1) the development of a universal REST security framework that keeps the interference of the security mechanisms with the REST architectural properties to a minimum, and (2) the usable design of REST security programming interfaces so that software developers can use them effectively and efficiently.

Project duration: April 2017 - March 2020


Luigi Lo Iacono
ZW 10-4
+49 221-8275-2527

Hoai Viet Nguyen
Research Associate
ZW 10-2/3
+49 221-8275-2783

Peter Leo Gorski
Research Associate
ZW 10-2/3
+49 221-8275-2782


The ULS3 project (Ultra-Large Scale Systems Security) is funded by the German Federal Ministry of Education and Research (BMBF) under grant number 13FH016IX6 within the funding programme "Forschung an Fachhochschulen" (Research at Universities of Applied Sciences).





@inproceedings{conf/haisa2018/gorski,
  author = {P. L. Gorski and L. Lo Iacono and S. Wiefling and S. M{\"o}ller},
  title = {Warn if Secure or How to Deal with Security by Default in Software Development?},
  booktitle = {{12th International Symposium on Human Aspects of Information Security and Assurance (HAISA)}},
  year = {2018},
  url = {http://www.haisa.org/},
  abstract = {{
Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible for taking many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will put a potentially large user base at risk. A similar situation exists for administrators. Security defaults have been put into place there to compensate for missing security controls. As first attempts to establish security by default in software development are flourishing, the question of their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid protection means in a defence-in-depth strategy against code injection attacks. We present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when it is deployed as a security default. Our results emphasize that deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
  }}
}

@inproceedings{conf/soups2018/gorski,
  author = {P. L. Gorski and L. Lo Iacono and D. Wermke and C. Stransky and S. M{\"o}ller and Y. Acar and S. Fahl},
  title = {Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic {API} Misuse},
  booktitle = {{14th Symposium on Usable Privacy and Security (SOUPS)}},
  year = {2018},
  pages = {265--281},
  url = {https://www.usenix.org/conference/soups2018/presentation/gorski},
  publisher = {{USENIX} Association},
  abstract = {{
Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code.

To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code.

We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.
  }}
}

@inproceedings{conf/ws2018/nguyen,
  author = {H. V. Nguyen and L. {Lo Iacono} and H. Federrath},
  title = {{Systematic Analysis of Web Browser Caches}},
  booktitle = {{2nd International Conference on Web Studies (WS)}},
  year = {2018},
  url = {https://doi.org/10.1145/3240431.3240443},
  note = {to appear},
  abstract = {{
The caching of frequently requested web resources has been an integral part of the web since its beginnings. Cacheability is the main pillar of the web's scalability and an important mechanism for optimizing resource consumption and performance. Caches exist in many variations and locations on the path between web client and server, with the browser cache being ubiquitous to date. Web developers need to have a profound understanding of the concepts and policies of web caching even when exploiting these advantages is not relevant. Neglecting web caching may otherwise result in more severe consequences than the simple loss of scalability and efficiency. Recent misuse of web caching systems has been shown to affect the application's behavior as well as privacy and security.

In this paper we introduce a tool-based approach to disburden web developers while keeping them informed about caching influences. Our first contribution is a structured test suite containing 397 web caching test cases. In order to make this collection easily adoptable we introduce an automated testing tool for executing the test cases against web browsers. Based on the developed testing tool we conduct a systematic analysis of the behavior of web browser caches and their compliance with relevant caching standards. Our findings on desktop and mobile versions of Chrome, Firefox, Safari and Edge show many diversities as well as discrepancies. Appropriate tooling supports web developers in uncovering such adversities. As our baseline of test cases is specified using a specification language that enables extensibility, developers as well as administrators and researchers can systematically add and empirically explore caching properties of interest even in non-browser scenarios.
  }}
}

@inproceedings{conf/sicherheit2018/gorski,
  title = {{Usability von Security-APIs für massiv-skalierbare vernetzte Service-orientierte Systeme}},
  url = {https://sicherheit2018.in.htwg-konstanz.de/programm/},
  year = {2018},
  abstract = {{Contemporary service-oriented systems are highly interconnected and, in addition, have the property of being massively scalable. These characteristics place particular demands on the data security of the users of such systems and thus primarily on all stakeholders in software development who are responsible for effectively bringing precisely fitting security mechanisms into the software products. The effectiveness of security architectures in service-oriented systems depends substantially on the correct use and integration of security APIs by a heterogeneous group of software developers, of whom a sound background knowledge of complex digital security mechanisms cannot be assumed per se. The discrepancy between APIs that are complex and error-prone to use and a lack of understanding of the underlying security concepts on the part of their users fosters insecure software systems in practice. For this reason, the usability of security APIs is especially relevant so that programmers can use the required functionality effectively, efficiently and satisfactorily. Derived from this problem statement, the dissertation project concentrates on the usable design of security APIs and on the challenges arising from the methods for evaluating usability in typical software development environments.}},
  booktitle = {{Doctoral Forum - Fachbereich Sicherheit – Schutz und Zuverlässigkeit der Gesellschaft für Informatik e.V. (Sicherheit)}},
  author = {P. L. Gorski},
  note = {{To Appear}}
}

@inproceedings{conf/trustbus2017/nguyen,
  title = {{On the Security Expressiveness of REST-Based API Definition Languages}},
  url = {https://doi.org/10.1007/978-3-319-64483-7_14},
  year = {2017},
  doi = {10.1007/978-3-319-64483-7_14},
  abstract = {{Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language needs to offer expressions for specifying important non-functional facets in addition, such as security. With WSDL and WS-Security such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services such standards are, however, missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.}},
  booktitle = {{International Conference on Trust and Privacy in Digital Business (TrustBus)}},
  author = {H. V. Nguyen and J. Tolsdorf and L. {Lo Iacono}}
}

@inproceedings{conf/soups2017/loiacono,
  author = {L. {Lo Iacono} and P. L. Gorski},
  title = {{Poster: I Do and I Understand. Not Yet True for Security APIs. So Sad}},
  booktitle = {{13th Symposium on Usable Privacy and Security (SOUPS)}},
  year = {2017},
  url = {https://www.internetsociety.org/sites/default/files/eurousec2017_15_LoIacono_paper.pdf},
  abstract = {{Usable security puts the users into the center of cyber security developments. Software developers are a very specific user group in this respect, since their points of contact with security are application programming interfaces (APIs). In contrast to APIs providing functionalities of domains other than security, security APIs are not approachable by habitual means. Learning by doing through exploration exercises is not well supported. Reasons for this range from missing documentation, tutorials and examples to a lack of tools that would make this complex matter accessible, and impenetrable APIs. In this paper we study what abstraction level of security APIs is more suitable to meet common developers’ needs and expectations. For this purpose, we first define the term security API. Following this definition, we introduce a classification of security APIs according to their abstraction level. We then adopted this classification in two studies. In one we gathered the current coverage of the distinct classes by the standard set of security functionality provided by popular software development kits. The other study was an online questionnaire in which we asked 55 software developers about their experiences and opinions with respect to integrating security mechanisms into their coding projects. Our findings emphasize that the right abstraction level of a security API is one important aspect to consider in usable security API design that has not been addressed much so far.}}
}