Christopher Krah, a graduate of the Department of Computer Science at the Rheinische Friedrich-Wilhelms-Universität Bonn and, since July, a scientist in the Applied System Analysis research group at the Fraunhofer Institute for Communication, Information Processing, and Ergonomics FKIE, was awarded first prize in the AFCEA Academic Award 2019, endowed with 5,000 euros, for his Master's thesis, 'File system fuzzing applied to the BSD operating system family'.
File systems
"File systems are deeply rooted in operating systems and, despite years of development and daily endurance tests by users, they can be exploited by a wide variety of vulnerabilities," says Awardee Christopher Krah, explaining the motivation behind his Master's thesis, which takes an exhaustive look at this topic in BSD operating systems.
For users, these vulnerabilities play out in a variety of scenarios: the computer might crash immediately when prompted to process a deliberately manipulated file system, or there could be more serious consequences, such as an information leak or the overwriting of sensitive data. This would not usually be immediately apparent to an ordinary user, but it could cause significant damage.
50 different vulnerabilities
These vulnerabilities can be found in the most common file systems, like those found on USB sticks. "This, along with a high risk of infection from disguised malware, is one of the reasons why you should never use third-party or unchecked USB sticks," says Christopher Krah.
With his analysis, the 27-year-old not only showed whether vulnerabilities can be detected in file systems, a core component of operating systems, but also which ones exist and where they are located. While working on his Master's thesis, Krah revealed more than 50 different vulnerabilities, some 40 percent of which were fixed on the basis of Krah's analysis.
Christopher Krah's Master's thesis
Christopher Krah's Master's thesis was supervised by Professor Peter Martini, Head of the Institute for Computer Science 4 at Bonn University and also director of Fraunhofer FKIE. His career is just beginning but the talented young computer scientist already has a very strong connection to the research institute. His Bachelor's thesis was supervised by a Fraunhofer FKIE scientist, who also brought him directly to the institute as a student assistant.
Following his Master's thesis, Christopher Krah was employed as a Research Assistant in the Cyber Analysis and Defense Department (CA&D). That is why Professor Martini and Department Head Dr. Elmar Padilla did not miss the opportunity to participate in the award ceremony at the IT conference in Koblenz.
AFCEA Academic Award
The AFCEA Academic Award has been awarded annually since 2008: a total of 20,000 euros is shared amongst the winners. The association thus promotes the academic qualification of young scientists who have distinguished themselves through outstanding theses in the fields of applied computer science, communications engineering, or automation technology.
In addition to the academic quality of the work, the award recognizes novelty and practical applicability in solving the underlying problem.
BSD-based operating systems
His in-depth work with file system vulnerabilities has definitely paid off for Krah. And not only because of the AFCEA academic award, which he was visibly proud to receive.
"Up to now there has not been very extensive research on vulnerability analysis in file systems, particularly not in the context of BSD-based operating systems," says Christopher Krah.
Benefits of the findings
Moreover, Christopher Krah will continue to reap the benefits of the experience and his findings. He said, "In the course of analysis, we became aware of very specific problem sets."
Christopher Krah adds, "The knowledge acquired in the course of the Master's thesis and the dynamic analysis techniques devised for that purpose can easily be refined in the future and adapted to similar problems."