Ultra-Large Scale Systems Security


Das ULS3-Vorhaben hat zum Ziel, Sicherheitsmechanismen für hochskalierbare REST-basierte Systeme zu entwickeln und zu evaluieren. Dabei werden zwei maßgebliche Faktoren im besonderen Maße fokussiert (Projektschwerpunkte): (1) die Entwicklung eines universellen REST-Sicherheitsframeworks, unter Berücksichtigung einer minimalen Interferenz der Sicherheitsmechanismen auf die REST- Architektureigenschaften und (2) die gebrauchstaugliche Ausgestaltung von REST-Security Programmierschnittstellen zur effektiven und effizienten Verwendung durch Softwareentwickler.

Projektdauer: April 2017 - März 2020


Luigi Lo Iacono

Luigi Lo Iacono


+49 2241 865 9557


      • Dr. Hoai Viet Nguyen
      • Dr. Peter Leo Gorski


                    Das Projekt ULS3 (Ultra-Large Scale Systems Security) wird unter dem Förderkennzeichen 13FH016IX6 im Förderprogramm "Forschung an Fachhochschulen" vom Bundesministerium für Bildung und Forschung (BMBF) gefördert.



                    , , , (), p.,


                      author = {P. L. Gorski and S. Möller and S. Wiefling and L. Lo Iacono},
                      journal = {IEEE Transactions on Software Engineering},
                      title = {"I just looked for the solution!" - On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices},
                      year = {2021},
                      publisher = {IEEE},
                      doi = {10.1109/TSE.2021.3094171},
                      url = {https://pub.h-brs.de/files/5631/Gorski2021_IJustLookedForTheSolution.pdf},
                      abstract = {Software developers build complex systems using plenty of third-party libraries. Documentation is key to understand and use the functionality provided via the libraries APIs. Therefore, functionality is the main focus of contemporary API documentation, while cross-cutting concerns such as security are almost never considered at all, especially when the API itself does not provide security features. Documentations of JavaScript libraries for use in web applications, e.g., do not specify how to add or adapt a Content Security Policy (CSP) to mitigate content injection attacks like Cross-Site Scripting (XSS). This is unfortunate, as security-relevant API documentation might have an influence on secure coding practices and prevailing major vulnerabilities such as XSS. For the first time, we study the effects of integrating security-relevant information in non-security API documentation. For this purpose, we took CSP as an exemplary study object and extended the official Google Maps JavaScript API documentation with security-relevant CSP information in three distinct manners. Then, we evaluated the usage of these variations in a between-group eye-tracking lab study involving N=49 participants. Our observations suggest: (1) Developers are focused on elements with code examples. They mostly skim the documentation while searching for a quick solution to their programming task. This finding gives further evidence to results of related studies. (2) The location where CSP-related code examples are placed in non-security API documentation significantly impacts the time it takes to find this security-relevant information. In particular, the study results showed that the proximity to functional-related code examples in documentation is a decisive factor. (3) Examples significantly help to produce secure CSP solutions. (4) Developers have additional information needs that our approach cannot meet. Overall, our study contributes to a first understanding of the impact of security-relevant information in non-security API documentation on CSP implementation. Although further research is required, our findings emphasize that API producers should take responsibility for adequately documenting security aspects and thus supporting the sensibility and training of developers to implement secure systems. This responsibility also holds in seemingly non-security relevant contexts.}
                    	author = {P. L. Gorski and Y. Acar and L. Lo Iacono and S. Fahl},
                    	title = {Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs},
                    	year = {2020},
                    	isbn = {9781450367080},
                    	publisher = {Association for Computing Machinery},
                    	address = {New York, NY, USA},
                    	url = {https://doi.org/10.1145/3313831.3376142},
                    	doi = {10.1145/3313831.3376142},
                    	abstract = {The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.},
                    	booktitle = {Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems},
                    	pages = {1–13},
                    	numpages = {13},
                    	keywords = {focus groups, software development, developer console, security warning design, cryptographic apis, participatory design},
                    	location = {Honolulu, HI, USA},
                    	series = {CHI ’20}
                      author = {H. V. Nguyen and {L. Lo Iacono}},
                      title = {{CREHMA: Cache-ware REST-ful Authentication Scheme}},
                      booktitle = {{10th ACM Conference on Data and Application Security and Privacy (CODASPY)}},
                      year = {2020},
                      doi = {10.1145/3374664.3375750},
                      url = {https://doi.org/10.1145/3374664.3375750},
                      abstract = {Scalability and security are two important elements of contemporary distributed software systems. The Web vividly shows that while complying with the constraints defined by the architectural style REST, the layered design of software with intermediate systems enables to scale at large. Intermediaries such as caches, however, interfere with the security guarantees of the industry standard for protecting data in transit on the Web, TLS, as in these circumstances the TLS channel already terminates at the intermediate system's server. For more in-depth defense strategies, service providers require message-oriented security means in addition to TLS. These are hardly available and only in the form of HTTP signature schemes that do not take caches into account either.
                      In this paper we introduce CREHMA, a REST-ful HTTP message signature scheme that guarantees the integrity and authenticity of Web assets from end-to-end while simultaneous allowing service providers to enjoy the benefits of Web caches. Decisively, CREHMA achieves these guarantees without having to trust on the integrity of the cache and without requiring making changes to existing Web caching systems. In extensive experiments we evaluated CREHMA and found that it only introduces marginal impacts on metrics such as latency and data expansion while providing integrity protection from end to end. CREHMA thus extends the possibilities of service providers to achieve an appropriate balance between scalability and security.}
                      author = {H. V. Nguyen and L. Lo Iacono and H. Federrath},
                      title = {{Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack}},
                      booktitle = {{26th ACM Conference on Computer and Communications Security (CCS)}},
                      year = {2019},
                      doi = {10.1145/3319535.3354215},
                    	url = {https://cpdos.org/paper/Your_Cache_Has_Fallen__Cache_Poisoned_Denial_of_Service_Attack__Preprint_.pdf},
                      abstract = {{Web caching enables the reuse of HTTP responses with the aim to reduce the number of requests
                      that reach the origin server, the volume of network traffic resulting from resource requests, and the user-
                      perceived latency of resource access. For these reasons, a cache is a key component in modern distributed
                      systems as it enables applications to scale at large. In addition to optimizing performance metrics, caches
                      promote additional protection against Denial of Service (DoS) attacks.
                      In this paper we introduce and analyze a new class of web cache poisoning attacks. By provoking an error on
                      the origin server that is not detected by the intermediate caching system, the cache gets poisoned with the
                      server-generated error page and instrumented to serve this useless content instead of the intended one,
                      rendering the victim service unavailable. In an extensive study of fifteen web caching solutions we analyzed
                      the negative impact of the Cache-Poisoned DoS (CPDoS) attack---as we coined it. We show the practical
                      relevance by identifying one proxy cache product and five CDN services that are vulnerable to CPDoS. Amongst
                      them are prominent solutions that in turn cache high-value websites. The consequences are severe as one simple
                      request is sufficient to paralyze a victim website within a large geographical region. The awareness of the
                      newly introduced CPDoS attack is highly valuable for researchers for obtaining a comprehensive understanding
                      of causes and countermeasures as well as practitioners for implementing robust and secure distributed systems.
                    author={H. C. {Rudolph} and A. {Kunz} and L. {Lo Iacono} and H. V. {Nguyen}},
                    journal={IEEE Communications Standards Magazine},
                    title={{Security Challenges of the 3GPP 5G Service Based Architecture}},
                    url = {https://doi.org/10.1109/MCOMSTD.2019.1800034},
                    abstract = {
                      3GPP is currently finalizing the first publication of 5G specifications in their Release 15. Several new features and concepts are introduced to the radio interface and the core network in order to enhance the softwarization and virtualization of functional entities in the mobile core network. One of the driving new concepts is the service-based architecture (SBA). Service concepts and technologies are already well established in the area of Internet-based platforms and applications. With the 3GPP 5G SBA, flexible and on-demand service composition -- even across organizational boundaries -- provides a new level of flexibility and business opportunities to the mobile industry. However, this type of service orientation comes with new security implications that have not been present to their full extent in previous mobile network generations. This article introduces the foundational security concepts and technologies of SBA in 3GPP 5G, focusing mainly on non-roaming scenarios, and discusses security challenges arising from these architectural changes.
                      author = {L. Lo Iacono and H. V. Nguyen and P. L. Gorski},
                      year = {2019},
                      month = {02},
                      title = {On the Need for a General REST-Security Framework},
                      volume = {11},
                      number = {3},
                      booktitle = {Future Internet },
                      doi = {10.3390/fi11030056},
                      abstract = {{Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in such systems ever since. A dominant protocol for implementing SOA-based systems is SOAP, which comes with a well-elaborated security framework. As an alternative to SOAP, the architectural style representational state transfer (REST) is gaining traction as a simple, lightweight and flexible guideline for designing distributed service systems that scale at large. This paper starts by introducing the basic constraints representing REST. Based on these foundations, the focus is afterwards drawn on the security needs of REST-based service systems. The limitations of transport-oriented protection means are emphasized and the demand for specific message-oriented safeguards is assessed. The paper then reviews the current activities in respect to REST-security and finds that the available schemes are mostly HTTP-centered and very heterogeneous. More importantly, all of the analyzed schemes contain vulnerabilities. The paper contributes a methodology on how to establish REST-security as a general security framework for protecting REST-based service systems of any kind by consistent and comprehensive protection means. First adoptions of the introduced approach are presented in relation to REST message authentication with instantiations for REST-ful HTTP (web/cloud services) and REST-ful constraint application protocol (CoAP) (internet of things (IoT) services).}},
                      url = {https://doi.org/10.3390/fi11030056}
                      author = {H.V. Nguyen and L. Lo Iacono and H. Federrath},
                      title = {{Mind the Cache: Large-Scale Analysis of Web Caching}},
                      booktitle = {{34rd ACM/SIGAPP Symposium on Applied Computing (SAC)}},
                      year = {2019},
                      url = {https://doi.org/10.1145/3297280.3297526},
                      abstract = {{
                      Modern software applications are widely interconnected systems mostly built on web technologies as foundation. Caching is an integral layer of such systems and thus needs to be carefully considered in development and operations. First reported incidents with caches leaking sensitive information emphasize the possible consequences of getting them and their dependencies with the whole system wrong and that those side effects are not solely related to performance.
                      In this paper we argue that proper testing tools are required to enable the diverse stakeholders in carefully acting with shared caches including proxies and CDNs. As such tools are currently lacking in many respects, we propose a cache testing environment which allows to analyze shared caches of any kind. Our developed shared web cache testing tool includes 397 test cases and a simple specification language that allows to easily extend the base test suite. With this testing tool, we analyzed seven distinct shared caching systems. We found that they do behave different in many respect, not always conforming with the respective standardization. Some observed peculiarities do even have the potential for future incidents and they remain unnoticed by system integrators and administrators  without proper tooling. Developers of caching components and researchers can benefit from our tool too, as they can systematically investigate caching properties of interest.
                    author = {P. L. Gorski and L. Lo Iacono and S. Wiefling and S. M{\"o}ller},
                    title = {Warn if Secure or How to Deal with Security by Default in Software Development?},
                    booktitle = {{12th International Symposium on Human Aspects of Information Security and Assurance (HAISA)}},
                    year = {2018},
                    url = {https://www.cscan.org/?page=openaccess&eid=20&id=388},
                    abstract = {{
                    Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.
                    In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
                    @inproceedings {conf/soups2018/gorski,
                    author = {P. L. Gorski and L. Lo Iacono and D. Wermke and C. Stransky and S. M{\"o}ller and Y. Acar and S. Fahl},
                    title = {Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic {API} Misuse},
                    booktitle = {{14th Symposium on Usable Privacy and Security (SOUPS)}},
                    year = {2018},
                    pages = {265--281},
                    url = {https://www.usenix.org/conference/soups2018/presentation/gorski},
                    publisher = {{USENIX} Association},
                    abstract = {{
                    Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code.
                    To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code.
                    We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.
                    author = {H. V. Nguyen and L. {Lo Iacono} and H. Federrath},
                    title = {{Systematic Analysis of Web Browser Caches}},
                    booktitle = {{2nd International conference on Web Studies (WS)}},
                    year = {2018},
                    url = {https://doi.org/10.1145/3240431.3240443},
                    note = {to be appear},
                    abstract = {{
                    The caching of frequently requested web resources is an integral part of the web ever since. Cacheability is the main pillar for the web's scalability and an important mechanism for optimizing resource consumption and performance. Caches exist in many variations and locations on the path between web client and server with the browser cache being ubiquitous to date. Web developers need to have a profound understanding of the concepts and policies of web caching even when exploiting these advantages is not relevant. Neglecting web caching may otherwise result in more serve consequences than the simple loss of scalability and efficiency. Recent misuse of web caching systems shows to affect the application's behavior as well as privacy and security.
                    In this paper we introduce a tool-based approach to disburden web developers while keeping them informed about caching influences. Our first contribution is a structured test suite containing 397 web caching test cases. In order to make this collection easily adoptable we introduce an automated testing tool for executing the test cases against web browsers. Based on the developed testing tool we conduct a systematic analysis on the behavior of web browser caches and their compliance with relevant caching standards. Our findings on desktop and mobile versions of Chrome, Firefox, Safari and Edge show many diversities as well as discrepancies. Appropriate tooling supports web developers in uncovering such adversities. As our baseline of test cases is specified using a specification language that enables extensibility, developers as well as administrators and researchers can systematically add and empirically explore caching properties of interest even in non-browser scenarios.
                      title = {{Usability von Security-APIs für massiv-skalierbare vernetzte Service-orientierte Systeme}},
                      url = {https://sicherheit2018.in.htwg-konstanz.de/programm/},
                      year = {2018},
                      abstract = {{Kontemporäre Service-orientierte Systeme sind hochgradig vernetzt und haben zudem die Eigenschaft massiv-skalierbar zu sein. Diese Charakteristiken stellen im besonderen Maße Anforderungen an die Datensicherheit der Anwender solcher Systeme und damit primär an alle Stakeholder der Softwareentwicklung, die in der Verantwortung sind, passgenaue Sicherheitsmechanismen effektiv in die Softwareprodukte zu bringen. Die Effektivität von Sicherheitsarchitekturen in service-orientierten Systemen hängt maßgeblich von der richtigen Nutzung und Integration von Security-APIs durch eine heterogene Gruppe von Softwareentwicklern ab, bei der nicht per se ein fundiertes Hintergrundwissen über komplexe digitale Sicherheitsmechanismen vorausgesetzt werden kann. Die Diskrepanz zwischen komplexen und in der Anwendung fehleranfälligen APIs und einem fehlenden Verständnis für die zugrundeliegenden Sicherheitskonzepte auf Seiten der Nutzer begünstigt in der Praxis unsichere Softwaresysteme. Aus diesem Grund ist die Gebrauchstauglichkeit von Security-APIs besonders relevant, damit Programmierer den benötigten Funktionsumfang effektiv, effizient und zufriedenstellend verwenden können. Abgeleitet von dieser Problemstellung, konzentriert sich das Dissertationsvorhaben auf die gebrauchstaugliche Ausgestaltung von Security-APIs und den Herausforderungen die sich aus den Methoden zur Evaluation der Usability in typischen Umgebungen der Softwareentwicklung ergeben.}},
                      booktitle = {{Doctoral Forum - Fachbereichs Sicherheit – Schutz und Zuverlässigkeit der Gesellschaft für Informatik e.V. (Sicherheit)}},
                      author = {P. L. Gorski},
                      note = {{To Appear}}
                      title = {{On the Security Expressiveness of REST-Based API Definition Languages}},
                      url = {https://doi.org/10.1007/978-3-319-64483-7_14},
                      year = {2017},
                      doi = {10.1007/978-3-319-64483-7_14},
                      abstract = {{Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language needs to offer expressions for specifying important non-functional facets in addition, such as security. With WSDL and WS-Security such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services such standards are, however, missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.}},
                      booktitle = {{International Conference on Trust and Privacy in Digital Business (TrustBus)}},
                      author = {H.V. Nguyen and J. Tolsdorf and L. {Lo Iacono}}
                      author = {L. {Lo Iacono} and P. L. Gorski},
                      title = {{Poster: I Do and I Understand. Not Yet True for Security APIs. So Sad}},
                      booktitle = {{13th Symposium on Usable Privacy and Security (SOUPS)}},
                      year = {2017},
                      url = {https://www.internetsociety.org/sites/default/files/eurousec2017_15_LoIacono_paper.pdf},
                      abstract = {{Usable security puts the users into the center of
                      cyber security developments. Software developers are a very
                      specific user group in this respect, since their points of contact
                      with security are application programming interfaces (APIs). In
                      contrast to APIs providing functionalities of other domains than
                      security, security APIs are not approachable by habitual means.
                      Learning by doing exploration exercises is not well supported.
                      Reasons for this range from missing documentation, tutorials and
                      examples to lacking tools and impenetrable APIs, that makes this
                      complex matter accessible. In this paper we study what abstraction level of security
                      APIs is more suitable to meet common developers’ needs and
                      expectations. For this purpose, we firstly define the term security
                      API. Following this definition, we introduce a classification of
                      security APIs according to their abstraction level. We then
                      adopted this classification in two studies. In one we gathered
                      the current coverage of the distinct classes by the standard set of
                      security functionality provided by popular software development
                      kits. The other study has been an online questionnaire in which we
                      asked 55 software developers about their experiences and opinion
                      in respect of integrating security mechanisms into their coding
                      projects. Our findings emphasize that the right abstraction level
                      of a security API is one important aspect to consider in usable
                      security API design that has not been addressed much so far.}}