Aurore Fass

Saarbrücken, Saarland, Germany
1077 followers, 500+ connections

About

I am a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security, and I am…

Activity

Experience

Education

  • Universität des Saarlandes

    See description "Ph.D. Student + Postdoc" at CISPA above.

  • Studied three years (3rd, 4th and 5th years after high school graduation) at the IT Engineering school TELECOM Nancy (a French Grande École) to get a Computer Engineering Degree specializing in Telecommunication, Network, and Security.
    Also followed an additional Master of Science in "Security of Computer Systems"​ (Université de Lorraine).
    First one out of 136 students: had the honour to give the valedictorian speech (in front of ~500 people).

  • Preparation for the highly competitive nationwide entrance examination to the French Grandes Écoles, specializing in mathematics, physics, and computer science.

  • Baccalauréat S with distinction, equivalent to A-levels (Mathematics, Physics, Biology).
    European section: special emphasis on languages, some subjects were taught and tested in German.

Licenses and certifications

  • Goethe-Zertifikat C1 with distinction: 88/100

    Goethe-Institut e.V.

  • TOEIC test: 910/990

    TOEIC® Program

  • Full clean driving license


Publications

  • DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale

    ACM CCS

    Browser extensions are popular to enhance users' browsing experience. By design, they have access to security- and privacy-critical APIs to perform tasks that web applications cannot traditionally do. Even though web pages and extensions are isolated, they can communicate through messages. Specifically, a vulnerable extension can receive messages from another extension or web page, under the control of an attacker. Thus, these communication channels are a way for a malicious actor to elevate their privileges to the capabilities of an extension, which can lead to, e.g., universal cross-site scripting or sensitive user data exfiltration. To automatically detect such security and privacy threats in benign-but-buggy extensions, we propose our static analyzer DoubleX. DoubleX defines an Extension Dependence Graph (EDG), which abstracts extension code with control and data flows, pointer analysis, and models the message interactions within and outside of an extension. This way, we can leverage this graph to track and detect suspicious data flows between external actors and sensitive APIs in browser extensions.

    We evaluated DoubleX on 154,484 Chrome extensions, where it flags 278 extensions as having a suspicious data flow. Overall, we could verify that 89% of these flows can be influenced by external actors (i.e., an attacker). Based on our threat model, we subsequently demonstrate exploitability for 184 extensions. Finally, we evaluated DoubleX on a labeled vulnerable extension set, where it accurately detects almost 93% of known flaws.

    Other authors
  • Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

    Dependable Systems and Networks (DSN)

    JavaScript is both a popular client-side programming language and an attack vector. While malware developers transform their JavaScript code to hide its malicious intent and impede detection, well-intentioned developers also transform their code to, e.g., optimize website performance.

    In this paper, we conduct an in-depth study of code transformations in the wild. Specifically, we perform a static analysis of JavaScript files to build their Abstract Syntax Tree (AST), which we extend with control and data flows. Subsequently, we define two classifiers, benefitting from AST-based features, to detect transformed samples along with specific transformation techniques. Besides malicious samples, we find that transforming code is increasingly popular on Node.js libraries and client-side JavaScript, with, e.g., 90% of Alexa Top 10k websites containing a transformed script. This way, code transformations are no indicator of maliciousness. Finally, we showcase that benign code transformation techniques and their frequency both differ from the prevalent malicious ones.

    Other authors
    • Marvin Moog
    • Markus Demmel
    • Michael Backes
  • Studying JavaScript Security Through Static Analysis

    Doctoral thesis, Saarland University

    As the Internet keeps on growing, so does the interest of malicious actors. While the Internet has become widespread and popular to interconnect billions of people, this interconnectivity also simplifies the spread of malicious software. Specifically, JavaScript has become a popular attack vector, as it enables to stealthily exploit bugs and further vulnerabilities to compromise the security and privacy of Internet users.

    In this thesis, we approach these issues by proposing several systems to statically analyze real-world JavaScript code at scale. First, we focus on the detection of malicious JavaScript samples. To this end, we propose two learning-based pipelines, which leverage syntactic, control and data-flow based features to distinguish benign from malicious inputs. Subsequently, we evaluate the robustness of such static malicious JavaScript detectors in an adversarial setting. For this purpose, we introduce a generic camouflage attack, which consists in rewriting malicious samples to reproduce existing benign syntactic structures. Finally, we consider vulnerable browser extensions. In particular, we abstract an extension source code at a semantic level, including control, data, and message flows, and pointer analysis, to detect suspicious data flows from and toward an extension privileged context. Overall, we report on 184 Chrome extensions that attackers could exploit to, e.g., execute arbitrary code in a victim's browser.

  • JStap: A Static Pre-Filter for Malicious JavaScript Detection

    Annual Computer Security Applications Conference (ACSAC)

    Given the success of the Web platform, attackers have abused its main programming language, namely JavaScript, to mount different types of attacks on their victims. Due to the large volume of such malicious scripts, detection systems rely on static analyses to quickly process the vast majority of samples. These static approaches are not infallible though and lead to misclassifications. Also, they lack semantic information to go beyond purely syntactic approaches.

    In this paper, we propose JStap, a modular static JavaScript detection system, which extends the detection capability of existing lexical and AST-based pipelines by also leveraging control and data flow information. Our detector is composed of ten modules, including five different ways of abstracting code, with differing levels of context and semantic information, and two ways of extracting features. Based on the frequency of these specific patterns, we train a random forest classifier for each module.

    In practice, JStap outperforms existing systems, which we reimplemented and tested on our dataset totaling over 270,000 samples. To improve the detection, we also combine the predictions of several modules. A first layer of unanimous voting classifies 93% of our dataset with an accuracy of 99.73%, while a second layer--based on an alternative modules' combination--labels another 6.5% of our initial dataset with an accuracy over 99%. This way, JStap can be used as a precise pre-filter, meaning that it would only need to forward less than 1% of samples to additional analyses. For reproducibility and direct deployability of our modules, we make our system publicly available.

    Other authors
  • HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

    ACM CCS

    In the malware field, learning-based systems have become popular to detect new malicious variants. Nevertheless, attackers with specific and internal knowledge of a target system may be able to produce input samples which are misclassified. In practice, the assumption of strong attackers is not realistic as it implies access to insider information.

    We instead propose HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic features, without needing any information about the system it is trying to evade. Our attack consists of changing the constructs of malicious JavaScript samples to reproduce a benign syntax. For this purpose, we automatically rewrite the Abstract Syntax Trees (ASTs) of malicious JavaScript inputs into existing benign ones. In particular, HideNoSeek uses malicious seeds and searches for isomorphic subgraphs between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by their malicious equivalents (same syntactic structure) and adjusts the benign data dependencies--without changing the AST--, so that the malicious semantics is kept.

    In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10,000 web pages. Also, we can produce on average 14 different malicious samples with the same AST as each Alexa top 10. Overall, a standard trained classifier has 99.98% false negatives with HideNoSeek inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable.

    Other authors
  • JaSt: Fully Syntactic Detection of Malicious (Obfuscated) JavaScript

    Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)

    JavaScript is a browser scripting language initially created to enhance the interactivity of web sites and to improve their user-friendliness. However, as it offloads the work to the user's browser, it can be used to engage in malicious activities such as Crypto Mining, Drive-by Download attacks, or redirections to web sites hosting malicious software. Given the prevalence of such nefarious scripts, the anti-virus industry has increased the focus on their detection. The attackers, in turn, make increasing use of obfuscation techniques, so as to hinder analysis and the creation of corresponding signatures. Yet these malicious samples share syntactic similarities at an abstract level, which enables to bypass obfuscation and detect even unknown malware variants.

    In this paper, we present JaSt, a low-overhead solution that combines the extraction of features from the abstract syntax tree with a random forest classifier to detect malicious JavaScript instances. It is based on a frequency analysis of specific patterns, which are either predictive of benign or of malicious samples. Even though the analysis is entirely static, it yields a high detection accuracy of almost 99.5% and has a low false-negative rate of 0.54%.

    Other authors

Projects

  • Group manager: response to a call for tenders

    Objective: to respond to and to win an actual call for tenders in the IT field.

    We completed all the administrative documents, provided a technical answer and defended our offer in front of the client. Finally, we won the bid.

    As the group manager (10 people), I organized and divided the workload, and motivated, encouraged and represented the team. Besides, I organized and chaired the meetings, listened to the team members, and arbitrated some decision-making.
    The excellent communication inside the group, the work management, the group work and the inherent technical skills, as well as the motivation, of each member of the team finally enabled us to be distinguished from the other groups and to win the offer.

    Other contributors
  • Compilation project

    Objective: to write a SCOOL (Small Compiler Of Original Language) compiler for the Tiger language.
    This compiler produces Assembly Language code as its output.

    Step 1: complete definition of the grammar and construction of the abstract tree
    Step 2: construction of the symbol table and semantic controls
    Step 3: code production (Assembly Language)

    Other contributors
  • Snake-type video game, in C

    Objective: to implement and design a video game in C, with some GFX and that can interact with the player(s).
    We chose to create a Snake-type video game in C with graphics, sounds, music, scores, etc., using the SDL2 library.

    Other contributors

Honors and awards

  • Top Reviewer Award

    ACM CCS

    Top 10% Reviewer (30 selected out of 300).
    https://twitter.com/AuroreFass/status/1591109188352372736

  • PC Members Honorable Mentions

    TheWebConf

    https://www2022.thewebconf.org/awards/

  • Inspiring Career

    TELECOM Nancy

    1 of 3 invited alumni (out of 2,300 alumni).

    Had the honor to give a speech about my career path for the 30th anniversary of the French Grande École TELECOM Nancy (~400 people).

  • Saarland University's program of excellence 2019-2022

    Saarland University

    Mentoring, Coaching, Networking

    Saarland University's excellence program for female researchers: http://exzellenz.uni-saarland.de/

  • Valedictorian at TELECOM Nancy 2014-2017

    TELECOM Nancy

    First one out of 136 students (based on my scores upon the three years at TELECOM Nancy).

    Had the honour to give the valedictorian speech in front of around 500 people.

  • Best Student Recognition Event (BSRE) 2016 - IBM

    IBM - TELECOM Nancy

    Selected by TELECOM Nancy to attend BSRE 2016 at IBM's largest European development laboratory in Hursley (UK).

    BSRE 2016 is a 3-day event to give 80 carefully selected business and technical students from countries across Europe, the Middle East and Africa insights into IBM’s strategy, business and research.

    The invited students have spent 3 intensive days at IBM's largest European development laboratory, been inspired by some of IBM's technical leaders, networked with peers and IBMers and gained hands-on practical experience with some of IBM's leading technology in Cloud computing and the Internet of Things.

Test scores

  • C1 Certificate in German

    Score: 88/100

    Goethe-Zertifikat C1 in German:
    • written expression: 19.5/25
    • oral comprehension: 20/25
    • oral expression: 24/25
    • written comprehension: 24.5/25

  • TOEIC test in English

    Score: 910/990

Languages

  • French

    Native or bilingual proficiency

  • English

    Native or bilingual proficiency

  • German

    Native or bilingual proficiency

  • Spanish

    Elementary proficiency
