SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien, IAIK @ TU Graz, DKE @ Uni Wien, NM @ WU Wien, FH St. Pölten, AIT

News

SCOTT project proposal favorably evaluated under the H2020-ECSEL-2016-2 call

The results for the H2020-ECSEL-2016-2-IA call of ECSEL JU are now out and we are glad that the project proposal “SCOTT: Secure Connected Trustable Things” is ranked the second best among all submitted and is retained for co-funding by the EU H2020 program.

The SCOTT consortium brings together 57 partners from 12 countries (Europe and Brazil), including SBA Research.

The project will be coordinated by VIRTUAL VEHICLE, an international research and development center located in Austria and supported by the COMET K2 research program “K2-Mobility – Sustainable Vehicle Technologies”, which is active in the field of application-oriented vehicle development.

More information:

  • ECSEL JU: Electronic Components and Systems for European Leadership Joint Undertaking, the public-private partnership keeping Europe at the forefront of technology development.
  • Official press release by ECSEL JU
  • Announcement of results for the H2020-ECSEL-2016-2-IA call

Paper accepted @ ICST 2017

The paper “Coveringcerts: Combinatorial Methods for X.509 Certificate Testing” by Kristoffer Kleine and Dimitris Simos has been accepted for publication in the 10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017). ICST is one of the leading conferences for software testing and validation. The results of this work establish a new application domain for combinatorial testing, i.e. protocol testing.

In total, 36 out of 135 submissions were accepted (acceptance rate: 26%). The 10th IEEE International Conference on Software Testing, Verification and Validation will be held on March 13-18, 2017 in Tokyo, Japan.

Paper: Coveringcerts: Combinatorial Methods for X.509 Certificate Testing
Abstract: Correct behaviour of X.509 certificate validation code in SSL/TLS implementations is crucial to ensure secure communication channels. Recently there have been major efforts in testing these implementations, namely frankencerts and mucerts, which provide new ways to generate test certificates which are likely to reveal errors in the implementations of X.509 validation code. However, it remains a significant challenge to generate effective test certificates.

In this paper, we explore the applicability of a prominent combinatorial method, namely combinatorial testing, for testing of X.509 certificates. We demonstrate that combinatorial testing provides the theoretical guarantees for revealing errors in the certificate validation logic of SSL/TLS implementations. Our findings indicate that the introduced combinatorial testing constructs, coveringcerts, compare favorably to existing testing methods by encapsulating the semantics of the validation logic in the input model and employing combinatorial strategies that significantly reduce the number of tests needed. Besides the foundations of our approach, we also report on experiments that indicate its practical use.

SBA @ MPM4CPS

This week Peter Kieseberg from SBA Research joined a meeting of the MPM4CPS COST-action in Malaga. The MPM4CPS action deals with multi-paradigm modelling in the area of cyber-physical systems and SBA will bring a more security-related perspective to the consortium, especially since cyber-physical systems have been identified as one of the major targets for …

Guest talk: “Reverse-engineering CPUs for fun and profit”

Clémentine Maurice, postdoctoral researcher in the Secure Systems Group of the Institute of Applied Information Processing and Communications of TU Graz, gives a talk on “Reverse-engineering CPUs for fun and profit”.

Friday, November 25, 2016, 15:30 – 17:00, SBA Research

This event is hosted as a joint activity by the Vienna ACM SIGSAC Chapter and the IEEE CS/SMCS Austria Chapter.

RuCTFe: top 10 position for We_0wn_Y0u

Last Saturday, students and faculty of SBA Research and the Vienna University of Technology participated as members of the team We_0wn_Y0u in the 2016 RuCTFe competition. The team scored 9th of 451 registered teams worldwide.

Students are primarily recruited from our “(Advanced) Internet Security” lecture series which is taught together with the Secure Systems Lab of TU Wien. The class is known as the “hacker lecture” at TU Wien. In this lecture students have to circumvent the security of an application approximately every two weeks in a safe environment. This prepares our students for security competitions like this one, as well as for securing commercial servers and networks in the future.

SBA supports this team financially and organizationally.

SBA at BSidesVienna

Today BSidesVienna is happening at TU Wien, HS 13. You can find the program here.

Numerous members of SBA are on-site, and some will present their recent work. Chat us up!

Bill Binney in Vienna

This coming Thursday, Nov. 10th, Markus Huber and Martin Schmiedecker managed to organize a screening of the movie “A Good American” at 10am in Vienna. It's a movie about Bill Binney and the NSA; he is a whistleblower on the NSA's dragnet surveillance, predating Edward Snowden. You can find the trailer here.

What's more, Bill Binney will give a teach-in at the TU Wien at 4pm in the TU Audimax. Both events are part of their course at TU Wien on Privacy Enhancing Technologies, but they are open to anyone. Send Martin Schmiedecker an email with an RSVP if you’d like to attend.

SBA Research at IT-SeCX 2016

SBA Research attended the IT-SeCX, the annual security exchange event of the FH St. Pölten, which took place on November 4th 2016. Researchers of SBA Research presented multiple talks at the IT-SeCX 2016, including Peter Kieseberg, Martin Schmiedecker, Damjan Buhov, and Adrian Dabrowski.

You can find the subset of the talks that have been recorded both here from the Großer Festsaal and here from the kleiner Festsaal.

Johanna Ullrich defended her PhD thesis

Johanna gave an excellent presentation and she’s our second PhD student who will graduate sub auspiciis Praesidentis.

ACM CCS 2016 organized by SBA Research

Today is the official start of the ACM Conference on Computer and Communications Security (CCS’16) in the Hofburg, Vienna, Austria. The first keynote was held by Dr. Hellman, recipient of the 2015 ACM A.M. Turing Award. Numerous members of SBA are around as well as staffing our info desk on the ground floor – chat us up!

Media coverage:
OnlineStandard, Krone.at.

European Cybersecurity Talks and Security Rockstars Finals

The European Cybersecurity Talks event took place during the ACM CCS conference on October 24 at Hofburg Vienna. The event was organized by SBA Research in cooperation with KSÖ and BM.I, supported by the City of Vienna (Vienna Business Agency) and a number of sponsors, such as KPMG, University of Applied Sciences Upper Austria, Next Layer, Veracode and many more.

Congratulations to xorlab and all the finalists and winners of the start-up competition Security Rockstars!

Press:

Futurezone
Report
Kurier
Economy.at

October is ENISA Cyber Security Month

As part of the ENISA Cyber Security Month (this October), SBA Research is presenting at the Security Potpourri 2016, organized by FH Technikum Wien. Martin Schmiedecker will give an overview of recent conferences, current trends in research as well as the cyber grand challenge, organized by DARPA. You can find the program here.

SBA Research @ SENTER event

SBA Research participates in the conference “Empowering EU Security Research through co-Innovation, co-Creation and co-Implementation” held on October 19-21, 2016 in Vilnius, Lithuania and presents its activities and initiatives as the Austrian Center of Excellence (CoE) and an Associate Partner of the project “Strengthening European Network Centres of Excellence in Cybercrime” (SENTER) co-funded by the European Commission.

Paper accepted @ IEEE EuroS&P 2017

Our paper titled “Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools” has been accepted for publication at IEEE EuroS&P 2017.

The paper is a joint work of SBA Research (G. Merzdovnik, D. Buhov, S. Neuner, M. Schmiedecker, and E. Weippl), FH St. Pölten (M. Huber), and Stony Brook University (N. Nikiforakis).

In total, 38 out of 194 submissions were accepted (acceptance rate: 19.6%). The 2nd IEEE European Symposium on Security and Privacy will be held on April 26-28, 2017 in Paris, France.

Abstract of the paper:
Online third-party tracking has become a widespread practice on the Internet, with serious implications for the privacy of users. While users are often unaware that their online behaviour is being monitored by omnipresent third-party trackers, trackers continuously expand their coverage and the methods by which they ensure the longevity of their tracking identifiers.

In this paper, we quantify the effectiveness of third-party tracker blockers on a large scale. First, we analyze the architecture of various, state-of-the-art blocking solutions and discuss the advantages and disadvantages of each method. Second, we perform a two-part measurement study on the effectiveness of popular tracker-blocking tools. Our analysis quantifies the protection offered against trackers present on more than 100,000 popular websites and 10,000 popular Android applications. We provide novel insights into the ongoing arms race between trackers and developers of blocking tools, and which tools, under what circumstances, achieve the best results. Among others, we discover that rule-based browser extensions outperform learning-based ones, trackers with smaller footprints are more successful at avoiding being blocked, and CDNs pose a major threat towards the future of tracker-blocking tools.

Cyber Security Advanced Training Course Held at RACVIAC

Gernot Goluch and Edgar Weippl taught courses on cyber security at RACVIAC in Croatia (more).

CALGO team @ ICTSS2016

Ludwig Kampel presents the paper “Set-based Algorithms for Combinatorial Test Set Generation” (joint work with Dimitris E. Simos) at ICTSS 2016 taking place October 17–19, 2016, in Graz.

This paper proposes a modular algorithmic framework for the generation of covering arrays based on the notion of independent family of sets (IFS). Experimental results reported compare favorably to the existing greedy algorithmic techniques for binary covering arrays, the underlying mathematical primitive used to construct test sets in combinatorial testing applications.

CST team @ ICTSS2016

Kristoffer Kleine and Bernhard Garn presented the paper “A Combinatorial Approach to Analyzing Cross-Site Scripting (XSS) Vulnerabilities in Web Application Security Testing” at ICTSS 2016 taking place October 17–19, 2016, in Graz.

This work is a joint contribution between SBA Research (Dimitris E. Simos, Kristoffer Kleine and Bernhard Garn) and the University of Texas at Arlington (Laleh Shikh Gholamhossein Ghandehari and Yu Lei) and represents a novel combination of CT with fault-localization techniques to find the root cause of XSS vulnerabilities. As XSS remains in the top web application security risks and this work paves the way for a fully automated analysis of security vulnerabilities of web applications, it is a further strengthening of CST.

SBA Research at the PrivacyWeek

Adrian Dabrowski and Martin Schmiedecker will present at the upcoming PrivacyWeek. This new event is organized by the Chaos Computer Club Wien (c3w.at), and will happen between Oct. 24th and Oct. 30th in Vienna.

You can find the full program including highlights such as the Austrian Big Brother Awards and “Chaos Macht Schule” here.
