Staff

Anna-Katharina Wickert M.Sc.

Software Technology Group

Contact

work +49 6151 16-21364

Work S2|02 A226
Hochschulstr. 10
64289 Darmstadt

I am a doctoral researcher in the Software Technology Group. My research interests are focusd on static code analysis, API-misuses and software security. Currently, I focus on security problems caused by API-misuses, e.g., for cryptographic APIs.

A well-known problem of cryptography in software is that cryptographic APIs are used in an insecure way. An example is that developers use ECB as a block mode for encryption which is known to be insecure. Within my research we want to support developers to write secure code.

As part of my research within CROSSING, I am a contributor to the official Eclipse Plugin CogniCrypt which supports developers in using cryptographic APIs securely. Further, I contributed to the explainer video about CogniCrypt.

  • 2017 – now: TU Darmstadt, PhD student, advised by Mira Mezini
  • 2016: University of Uslo, exchange student
  • 2014 – 2017: TU Darmstadt, master's degree
  • 2011 – 2014: Technische Hochschule Bingen, bachelor's degree

Projects

I am a researcher in the project E1 – Secure Integration of Cryptographic Software of the SFB 1119 CROSSING. Within this project, we aim to support software engineers to integrate cryptographic software components correctly and securely. One of our tools to achieve this aim is the Eclipse Plugin CogniCrypt to generate and analyze cryptographic code and the corresponding CLI static analysis. As part of this project, I am also one of the maintainers of CogniCrypt .

During my master's, I was part of the GoRETech: Go Runtime Enforcement Techniques project. One of the aims of the project was to develop an information-flow analysis for the programming language Go which can handle the concurrent nature of many Go programs. Our prototype GoTCHA is an implementation for a taint analysis that can detect SQL injections. We proposed our idea in a paper and presented the preliminary results of my master thesis at NWPT'16.

Open Theses

  • Bachelor Thesis, Master Thesis

    Quantum key distribution provides a means for cryptographic applications to exchange a symmetric key between different parties in a provably secure manner. The security of this method is based on the errors generated during information exchange by an eavesdropping attack – based on principles of quantum mechanics – which are noticeable by the involved parties. Therefore, it is important that the keys are post-processed before they are used. Post-processing consists of error correction of the key and subsequent privacy enhancement.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

    Announcement as

  • Bachelor Thesis, Master Thesis

    Today, many applications use cryptographic components to provide a secure implementation. For a secure implementation, it is essential that a developer is aware of the correct and secure usage of cryptographic components. Recent studies have shown that developers struggle with this. Therefore, applications which are intended to be trustworthy, become insecure.

    Within our research project “Secure Integration of Cryptographic Software” of the SFB CROSSING, we want to support developers when they integrate cryptographic components in an application. To achieve this aim, we have developed an Eclipse plugin which can generate secure cryptographic code and a static analysis which identifies insecure usages. Currently, we have created all rules checked by the analyis by hand. One of our next steps is to determine how we can automatically generate rules for correct and secure usages.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

Ongoing Theses

  • Bachelor Thesis

    Currently, CogniCryptSAST can handle subsequent crypto misuses due to the expressiveness of the used rules set. For example, an insecurely generated initialization vector can cause several misuse reports: a) the insecure call to generate random numbers which will be used as IV b) passing the IV to the cipher object. While the second information is valuable, a developer or security auditor is more interested in the places where they have to fix a misuse.This thesis should investigate if the current architecture of CogniCrypt can report subsequent errors to the users, and implement a potential prototype. Further, we plan to evaluate if the implementation improves the usability, e.g., by an expert interview.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisors: Anna-Katharina Wickert, M.Sc., Michael Schlichtig

  • Master Thesis

    The goal of the thesis is the evaluation of existing algorithms for error correction and key derivation for the use case of quantum key exchange. In previous publications in this area, the quality of the used algorithms was not the main focus. Thus, results are difficult to compare, and we aim to compare different established algorithms for error correction and key derivation in the field of quantum key exchange.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisors: Anna-Katharina Wickert, M.Sc., Maximilian Tippmann

  • Master Thesis

    The goal of this thesis is the identification and analysis of unsafe usages in popular Go applications. The unsafe API allows developers to circumvent the memory-safety functionality in Go. Previous research analyzed the usages and resulting security implications for related APIs in Java and Rust. In this thesis, we aim to evaluate the usage and security issues caused by unsafe usages in Go.

    To achieve this aim, we analyzed possible security vulnerabilities due to unsafe usages in Go. To quantify the unsafe usages in Go, we implemented an analysis, go-geiger, to identify unsafe usages in the application code and its dependencies. Based on an analysis of the usages, we identified the main underlying reasons to integrate the unsafe library into the code. Further, we implemented go-safer to identify security-critical usages.

    The thesis resulted in the publication: Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild by Johannes Lauinger, Lars Baumgärtner, Anna-Katharina Wickert, and Mira Mezini published at TrustCom20.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisors: Anna-Katharina Wickert, M.Sc., Dr. rer. nat. Lars Baumgärtner

  • Master Thesis

    The goal of this thesis is to develop and evaluate an approach to learn cryptographic rules based on the implementation of the crypto library.

    Previous work to learn usage rules for APIs rely on the most-frequent implementations using the respective API, and are successful for other domains. However, for crypto APIs this approach fails as the majority of usages is insecure.

    This thesis evaluated an approach to derive usage rules based on the implementation of a crypto API rather than the on the implementations using the crypto API.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Bachelor Thesis

    The goal of this thesis is to develop and evaluate an approach to learn cryptographic rules based on the implementation of the crypto library.

    Previous work to learn usage rules for APIs rely on the most-frequent implementations using the respective API, and are successful for other domains. However, for crypto APIs this approach fails as the majority of usages is insecure.

    This thesis evaluated an approach to derive usage rules based on the implementation of a crypto API rather than the on the implementations using the crypto API.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Master Thesis

    The goal of this thesis is to develop and evaluate an approach to learn cryptographic rules based on the implementation of the crypto library.

    Previous work to learn usage rules for APIs rely on the most-frequent implementations using the respective API, and are successful for other domains. However, for crypto APIs this approach fails as the majority of usages is insecure.

    This thesis evaluated an approach to derive usage rules based on the implementation of a crypto API rather than the on the implementations using the crypto API.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Bachelor Thesis

    The goal of this thesis is to develop and evaluate an approach to learn cryptographic rules based on the implementation of the crypto library.

    Previous work to learn usage rules for APIs rely on the most-frequent implementations using the respective API, and are successful for other domains. However, for crypto APIs this approach fails as the majority of usages is insecure.

    This thesis evaluated an approach to derive usage rules based on the implementation of a crypto API rather than the on the implementations using the crypto API.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Master Thesis

    The goal of the thesis is to create a data set of parametric crypto misuses into an existing API misuse dataset, MuBench, and enrich some of the misuses with corrected usages. Based upon this data set, existing analyses for crypto misuses should be evaluated.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Master Thesis

    The goal of this thesis is to develop and evaluate an approach to learn cryptographic rules based on the implementation of the crypto library.

    Previous work to learn usage rules for APIs rely on the most-frequent implementations using the respective API, and are successful for other domains. However, for crypto APIs this approach fails as the majority of usages is insecure.

    This thesis evaluated an approach to derive usage rules based on the implementation of a crypto API rather than the on the implementations using the crypto API.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

  • Master Thesis

    The goal of this thesis is to build a dataset of security vulnerabilities in software, integrate the dataset in MuBench and evaluate the dataset against existing API-Misuse and bug detectors. The result will answer the question whether existing API-Misuse and bug detectors can identify software vulnerabilities. Further, the dataset helps future research to benchmark their tools against software vulnerabilities.

    Our approach is to identify CVEs which affect open source projects written in Java. For each application, we want to identify the method which needs to be changed to fix the vulnerability. Further, we provide the necessary information to build the respective versions. All these information will create a misuse dataset which we plan to integrate into the benchmark MuBench to evaluate existing approaches.

    Examiner: Prof. Dr.-Ing. Mira Mezini

    Supervisor: Anna-Katharina Wickert, M.Sc.

Publications

Loading...
Loading data from TUbiblio…

Error on loading data

An error has occured when loading publications data from TUbiblio. Please try again later.

  • {{ year }}

    • ({{ publication.date.toString().substring(0,4) }}):
      {{ publication.title }}. ({{ labels[publication.doc_status] }})
      In: {{ publication.series }}, {{ publication.volume }}, In: {{ publication.book_title }}, In: {{ publication.publication }}, {{ publication.journal_volume}} ({{ publication.number }}), ppp. {{ publication.pagerange }}, {{ publication.place_of_pub }}, {{ publication.publisher }}, {{ publication.institution }}, {{ publication.event_location }}, {{ publication.event_dates }}, ISSN {{ publication.issn }}, e-ISSN {{ publication.eissn }}, ISBN {{ publication.isbn }}, [{{ labels[publication.type]?labels[publication.type]:publication.type }}]
    • […]

Number of items in this list: {{ publicationsList.length }}
Only the {{publicationsList.length}} latest publications are displayed here.

View complete list at TUbiblio View this list at TUbiblio