SBA Research is a research center for Information Security funded by the national initiative for COMET Competence Centers for Excellent Technologies. We bring together 25 companies, 4 Austrian universities, one university of applied sciences, a non-university research institute, and many international research partners to jointly work on challenges ranging from organizational to technical security.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


ITEA2-action DIAMONDS received EUREKA-award

We are proud to announce that the ITEA2-action DIAMONDS where SBA Research participated through the MobseTip project received the prestigious EUREKA-award.

For more information on relevant project aspects please contact Dimitris Simos.

SBA Research at IFIP Networking 2016

Damjan Buhov presents today our paper “Pin It! Improving Android Network Security At Runtime” (by Damjan Buhov, Markus Huber, Georg Merzdovnik, and Edgar Weippl) at the IFIP Networking 2016 Conference. IFIP Networking is a CORE A-ranked conference.

Talk at Blackhat USA 2016 accepted

Aaron Zauner, one of our researchers, has gotten a talk accepted at Blackhat USA 2016. Together with Sean Devlin, Hanno Böck and Philipp Jovanovic they identified a nonce re-use attack in the TLS GCM modes that can be used to inject additional content in the worst case. Overall, they identified more than 70,000 vulnerable websites on the Internet. You can read the abstract here.

Update: the corresponding paper is now online, you can find it here.

Dimitris Simos @ HCSS 2016

Dimitris Simos gives a talk on May, 11th about “Combinatorial Coverage Analysis of Subsets of the TLS Cipher Suite Registry” joint work with Kristoffer Kleine (SBA Research), Rick Kuhn (NIST), Raghu Kacker (NIST).

HCSS 2016 takes place from May 10th to May 12th in Annapolis, MD, USA. HCSS is organized by the NITRD group and brings together researchers from academia, industry and government agencies.

ERCIM News – Special Issue on Cybersecurity – Submission Deadline May 17

ERCIM News No. 106 (July 2016)

Please read the guidelines below before submitting an article

The Special Theme and the Research and Innovation sections contain articles presenting a panorama of European research activities. The Special Theme focuses on a sector which has been selected by the editors from a short list of currently “hot” topics whereas the Research and Innovation section contains articles describing scientific activities, research results, and technical transfer endeavours in any sector of Information and Communication Science and Technology (ICST), telecommunications or applied mathematics. Submissions to the Special Theme section are subjected to an external review process coordinated by invited guest editors whereas submissions to the Research and Innovation section are checked and approved by the ERCIM News editorial board.

Special Theme: “Cybersecurity”
Guest editors:

Fabio Martinelli (IIT-CNR, Italy)
Edgar Weippl (SBA Research, Austria)

Browser Fingerprinting: you are (de-facto) alone

Recently there were numerous papers on browser fingerprinting i.e. measuring the entropy of browser configurations to make them uniquely stand out among all others. Usually these methods run analysis on UserAgent strings, canvas fingerprinting, system fonts or the installed plugins. SBA Research has now setup its own fingerprinting website, which includes most methods available until today.

Please visit, and measure how unique your browser configuration is.

In case of questions, don’t hesitate to contact us at

SBA @ Linuxwochen 2016

Researchers from SBA Research are presenting these days at the Linuxwochen Wien 2016:

  • Today at 3:30pm, Katharina Krombholz will present the findings of the user study on security and privacy in Bitcoin.
  • On Saturday, 12am Martin Schmiedecker will talk about digital forensics on Linux and recently published tools that can take investigations to an entirely new level regarding performance and possible insights.

SBA Research at Ruhrsec

Today and tomorrow, researchers from SBA are attending Ruhrsec which is a new & non-profit security conference in Bochum. Well-known presenters from the community include Mario Heiderich, Sebastian Schinzel, Daniel Gruss from IAIK Graz, Marion Marschalek and a keynote from Thorsten Holz.

© RuhrSec
© RuhrSec

RACVIAC CyberSecurity

Edgar Weippl gives a presentation on cybersecurity education and training at the RACVIAC CyberSecurity meeting in Zagreb.


Two papers at DFRWS’16 accepted

Two papers have been accepted at the DFRWS USA ’16 conference on digital forensics, to be held from August 7th to 10th, 2016 in Seattle, WA:

You can find pre-prints of the papers as well as the data sets on the corresponding websites.

Paper accepted @ DBSec16

The paper “Whom You Gonna Trust? A Longitudinal Study on TLS Notary Services” by Georg Merzdovnik, Klaus Falb, Martin Schmiedecker, Artemios Voyiatzis and Edgar Weippl has been accepted for publication in the 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2016) which takes place from July, 18th-21th, 2016 in Trento, Italy. DBSec 2016 is an A-ranked in CORE.

Abstract: TLS is currently the most widely-used protocol on the Internet to facilitate secure communications, in particular secure web browsing. TLS relies on X.509 certificates as a major building block to establish a secure communication channel. Certificate Authorities (CAs) are trusted third parties that validate the TLS certificates and establish trust relationships between communication entities. To counter prevalent attack vectors – like hacked CAs issuing fraudulent certificates and active man-in-the-middle (MitM) attacks – TLS notary services were proposed as a solution to verify the legitimacy of certificates using alternative communication channels.
In this paper, we are the first to present a long-term study on the effectiveness of TLS notary services. We evaluated the services using active performance measurements over a timespan of one year, and discuss the effectiveness of TLS notary services in practice. Based on our findings we propose the usage of multiple notary services in conjunction with a semi-trusted centralized proxy approach, so as to protect arbitrarily-sized networks on the network level without the need to install any software on the client machines. Lastly, we identify multiple issues that prevent the widespread use of TLS notary services in practice, and propose steps to overcome them.

Cryptocurrencies Tutorial at WWW 2016

Aljosha Judmayr’s Tutorial on Cryptocurrencies at WWW 2016 was very well received.

WWW’s keynote speakers Sir Tim Berners-Lee and Mary Ellen Zurko attended and you can read Mary Ellen’s tweets (tweet (Tweet, more )

Other positive comments by Tactika and Surya Kallumadi.

Screen Shot 2016-04-23 at 11.32.34

The abstract is published in ACM DL. Aljosha Judmayer and Edgar Weippl. 2016. Cryptographic Currencies Crash Course (C4): Tutorial. In Proceedings of the 25th International Conference Companion on World Wide Web (WWW ’16 Companion). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 1021-1024. DOI=

Katharina Krombholz @ “Lange Nacht der Forschung” kick-off event

Katharina Krombholz was invited to participate in the kick-off event and press conference of “Lange Nacht der Forschung” together with Gerald Klug (technology minister), Hannes Androsch (Austrian Council for Research and Technology Development) and Clara Eibensteiner (bmvit-research trainee).

Lange Nacht der Forschung

Martin Schmiedecker and Sebastian Neuer gave insights into how hackers really worked in contrast to the what is portrayed in movies. A second exhibit showed how mobile devices may compromise their owners’ privacy.

You can find the pictures from the OCG here.

Adrian Dabrowski at Ö1

On April 22, 2016, Adrian Dabrowski is a guest at Ö1 “Nachtquartier” and speaks about “to hack or not to hack”. He will answer questions from the audience about the life of a hacker and IT security researcher.

April 22, 2016, 00:05, 

SBA at Alpbach – Breakout Session on Cyber-Security

Under the lead of TU Austria, we organize an Alpbach Breakout Session on Cyber-Security as a fundamental right. Participants include Isao Echizen (NII), Lokke Moerel (Tilburg University), Günter Müller (University of Freiburg), Reinhard Posch (TU Graz), and Bart Preneel (University of Leuven).