SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.


# 12th Place at RuCTF Finals in Yekaterinburg for We_0wn_Y0u

Last Sunday, students and faculty of SBA Research and TU Wien participated in the 2017 RuCTF Finals competition held in Yekaterinburg, Russia, as members of the team We_0wn_Y0u.

Students are primarily recruited from our “(Advanced) Internet Security” lecture series which is taught together with the Secure Systems Lab of TU Wien. The class is known as the “hacker lecture” at TU Wien. In this lecture students have to circumvent the security of an application approximately every two weeks in a safe environment. This prepares our students for security competitions like this one, as well as for securing commercial servers and networks in the future.

SBA supports this team financially and organizationally.

Martin Schmiedecker becomes expert witness

Martin Schmiedecker passed the exam to become a certified expert witness for the judicial system, for the areas of digital forensics (68.62) and computer security (68.60). Congratulations!

Edgar Weippl in OE1 interview: How to secure your passwords

Scientific director Edgar Weippl was interviewed by the Austrian Broadcasting (ORF) radio channel OE1 on how to cope with password issues. The abstract of the interview is available online; there is also a mobile version.

Whitepaper on Data Management Plans seeds the 9th Research Data Alliance Plenary

Tomasz Miksa co-authored a whitepaper on machine-actionable data management plans (maDMPs). The whitepaper was used to seed the discussions at the 9th RDA Plenary in Barcelona, Spain and will lead to the establishment of new RDA groups.

The paper is published in the open-access Research Ideas and Outcomes (RIO) journal under DOI 10.3897/rio.3.e13086 and available for comments from the community, in the true spirit of open science.

The paper presents selected community-generated use cases that reflect the needs of various stakeholders. It also articulates a consensus about the need for a common standard for machine-actionable data management plans to enable future work in this area, thus making research outputs FAIR, i.e., Findable, Accessible, Interoperable, and Reusable.

ERCIM News 109 published

ERCIM News No. 109 has just been published with a special theme on “Autonomous Vehicles”.

SBA Research contributes two articles in the “Research and Innovation” section of the issue. The first article is by Peter Kieseberg, Peter Frühwirt, and Sebastian Schrittwieser on “Security Testing for Mobile Applications”. The second article is by Georg Merzdovnik, Damjan Buhov, Artemios G. Voyiatzis, and Edgar Weippl on “u’smile – Secure Mobile Environments”.

The full issue is available in PDF format here.

SBA Research at the Security Forum

Members of SBA Research are at the Hagenberg IT Security Forum 2017.

Peter Kieseberg will give a presentation on Security in Industry 4.0 and IoT. The description of his talk can be found here. See also the full agenda.

Visit at ETH

Last Thursday, Katharina Krombholz visited Srdjan Capkun’s group at ETH Zurich and gave a talk on her research in usable security and privacy in the course of the ZISC lunch time seminar series.

The abstract of her talk can be found here.

SBA Research at Troopers’17

Numerous members of SBA Research are at TROOPERS17, happening this week in Heidelberg. You can find the agenda here.

If you spot one of us, chat us up!

Project SESC started

The project “Secure Execution of Smart Contracts” (SESC) started on January 1, 2017. SESC is an R&D project supported by the BRIDGE 1 Programme of the Austrian Research Promotion Agency (FFG). The first project consortium meeting was hosted by SBA Research on March 21, 2017.

SESC focuses on research addressing the emerging requirements for supporting the whole lifecycle of smart contract infrastructures in the long term. Learn more about SESC at

Dimitris Simos @ ICST 2017

Dimitris Simos gives a talk on “Coveringcerts: Combinatorial Methods for X.509 Certificate Testing”, a joint work with Kristoffer Kleine, on March 14, 2017 at the 10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017).

ICST 2017 takes place during March 13-18, 2017 in Tokyo, Japan at Waseda University and is one of the leading conferences for software testing and validation.

The results of this work establish a new research field for combinatorial testing and testing of security protocols.

Blocks & Chains – The Age of Cryptocurrency Technologies

SBA Research will offer a series of evening trainings focusing on the hot topic “Blocks & Chains”. We will discuss specialized content such as smart contracts, blockchain interlinking, privacy, and regulation attempts regarding cryptocurrencies.

The series starts with a tutorial, covering general information about cryptocurrencies and their underlying technology. During each of the following four evening trainings we will discuss one specialized topic in depth.

More details can be found here: Blocks & Chains

Tutorial on Applied Research in Network Security

Edgar Weippl gives a tutorial at NetSys17 on Applied Research in Network Security.

Dimitris Simos @ IWCT 2017

Dimitris Simos chairs the Sixth International Workshop on Combinatorial Testing (IWCT 2017) on March 13, 2017.

He is also giving a talk on “Combinatorial Methods for Modelling Composed Software Systems” (joint with Ludwig Kampel and Bernhard Garn).

IWCT 2017 takes place in Tokyo, Japan and is collocated with ICST 2017, the 10th IEEE International Conference on Software Testing, Verification and Validation during March 13-18, 2017.

Start of the Android Security Symposium 2017

The Android Security Symposium starts today at the Technical University of Vienna, courtesy of the Josef Ressel Center u’smile. The upcoming three days are packed with presentations covering the entire Android security ecosystem, ranging from presentations about the security architecture of Android by Google and AT&T this morning, to secure app development, novel attacks, and much more.

You can find the entire program here, and may watch #AndroidSecuritySymposium on Twitter for updates.

CTF team We_0wn_Y0u secured 3rd place in academic International Capture the Flag (iCTF) contest

Last weekend, the SBA-supported CTF team “We_0wn_Y0u” (W0Y) of the TU Wien again showcased its outstanding capabilities. In the academic International Capture the Flag (iCTF) contest, they secured third place out of 78 participating universities worldwide in an 8-hour race. W0Y started receiving points late in the game but managed to overtake the field, leaving only Moscow State University (1st) and Saarbrücken University (2nd) in front.

As a novelty, this year, the iCTF also included a 24-hour non-academic contest where W0Y scored 4th out of 317 teams. The 24 hours meant three times more fun (by time), but also unique challenges regarding rest times and shift operations.

W0Y has a long-standing tradition of participating in the iCTF since 2005. They managed to be in the top 10 every time and won the competition twice. They comprise outstanding students and teaching staff of the “Internet Security” and “Advanced Internet Security” course series taught at TU Wien. The courses are a cooperation of the Institute of Computer Aided Automation and the Institute for Software and Interactive Systems. The lectures are sometimes called the “hacking course” since they teach the unique offensive perspective to enable students to understand attackers and develop secure software in the future.

The iCTF is a so-called “attack-defense” competition. Every team has the same copy of a server, which it must defend against other teams while simultaneously attacking its competitors. Each server provides a couple of services. Attack points are awarded for every service that a team manages to take over from another team by stealing a “flag”. Flags are files containing a secret unique to that team and service. Defense points are awarded for keeping one's own services running and secure (i.e., not losing any flags).

Rest of the team after 24h / Photo: Georg Merzdovnik

The team would like to thank UC Santa Barbara and Arizona State University for organizing the competition.

Hollywood Hacking @ FM4

FM4 is broadcasting parts of the “myth-buster” session “Hollywood Hacking by SBA Research”, created by Adrian Dabrowski. Every now and then, a movie excerpt is aired to give an amusing rollercoaster ride through the ups and downs of screenwriters’ imagination on computer security.

James Bond, Independence Day, Jurassic Park and Matrix Reloaded were already part of the series.

Adrian Dabrowski about PNR security

Adrian Dabrowski is – due to the Amadeus-“Hack” – speaking about PNR security in the magazine “Faktum” (2/2017).
