SBA Research is a research center for Information Security funded by the national initiative for COMET Competence Centers for Excellent Technologies. We bring together 25 companies, 4 Austrian universities, one university of applied sciences, a non-university research institute, and many international research partners to jointly work on challenges ranging from organizational to technical security.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


SBA @ Linuxwochen 2016

Researchers from SBA Research are presenting these days at the Linuxwochen Wien 2016:

  • Today at 3:30pm, Katharina Krombholz will present the findings of the user study on security and privacy in Bitcoin.
  • On Saturday, 12am Martin Schmiedecker will talk about digital forensics on Linux and recently published tools that can take investigations to an entirely new level regarding performance and possible insights.

SBA Research at Ruhrsec

Today and tomorrow, researchers from SBA are attending Ruhrsec which is a new & non-profit security conference in Bochum. Well-known presenters from the community include Mario Heiderich, Sebastian Schinzel, Daniel Gruss from IAIK Graz, Marion Marschalek and a keynote from SBA key researcher Thorsten Holz.

RACVIAC CyberSecurity

Edgar Weippl gives a presentation on cybersecurity education and training at the RACVIAC CyberSecurity meeting in Zagreb.


Two papers at DFRWS’16 accepted

Two papers have been accepted at the DFRWS USA ’16 conference on digital forensics, to be held from August 7th to 10th, 2016 in Seattle, WA:

You can find pre-prints of the papers as well as the data sets on the corresponding websites.

Paper accepted @ DBSec16

The paper “Whom You Gonna Trust? A Longitudinal Study on TLS Notary Services” by Georg Merzdovnik, Klaus Falb, Martin Schmiedecker, Artemios Voyiatzis and Edgar Weippl has been accepted for publication in the 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2016) which takes place from July, 18th-21th, 2016 in Trento, Italy. DBSec 2016 is an A-ranked in CORE.

Abstract: TLS is currently the most widely-used protocol on the Internet to facilitate secure communications, in particular secure web browsing. TLS relies on X.509 certificates as a major building block to establish a secure communication channel. Certificate Authorities (CAs) are trusted third parties that validate the TLS certificates and establish trust relationships between communication entities. To counter prevalent attack vectors – like hacked CAs issuing fraudulent certificates and active man-in-the-middle (MitM) attacks – TLS notary services were proposed as a solution to verify the legitimacy of certificates using alternative communication channels.
In this paper, we are the first to present a long-term study on the effectiveness of TLS notary services. We evaluated the services using active performance measurements over a timespan of one year, and discuss the effectiveness of TLS notary services in practice. Based on our findings we propose the usage of multiple notary services in conjunction with a semi-trusted centralized proxy approach, so as to protect arbitrarily-sized networks on the network level without the need to install any software on the client machines. Lastly, we identify multiple issues that prevent the widespread use of TLS notary services in practice, and propose steps to overcome them.

Cryptocurrencies Tutorial at WWW 2016

Aljosha Judmayr’s Tutorial on Cryptocurrencies at WWW 2016 was very well received.

WWW’s keynote speakers Sir Tim Berners-Lee and Mary Ellen Zurko attended and you can read Mary Ellen’s tweets (tweet (Tweet, more )

Other positive comments by Tactika and Surya Kallumadi.

Screen Shot 2016-04-23 at 11.32.34

The abstract is published in ACM DL. Aljosha Judmayer and Edgar Weippl. 2016. Cryptographic Currencies Crash Course (C4): Tutorial. In Proceedings of the 25th International Conference Companion on World Wide Web (WWW ’16 Companion). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 1021-1024. DOI=

Katharina Krombholz @ “Lange Nacht der Forschung” kick-off event

Katharina Krombholz was invited to participate in the kick-off event and press conference of “Lange Nacht der Forschung” together with Gerald Klug (technology minister), Hannes Androsch (Austrian Council for Research and Technology Development) and Clara Eibensteiner (bmvit-research trainee).

Lange Nacht der Forschung

Martin Schmiedecker and Sebastian Neuer gave insights into how hackers really worked in contrast to the what is portrayed in movies. A second exhibit showed how mobile devices may compromise their owners’ privacy.

You can find the pictures from the OCG here.

Adrian Dabrowski at Ö1

On April 22, 2016, Adrian Dabrowski is a guest at Ö1 “Nachtquartier” and speaks about “to hack or not to hack”. He will answer questions from the audience about the life of a hacker and IT security researcher.

April 22, 2016, 00:05, 

SBA at Alpbach – Breakout Session on Cyber-Security

Under the lead of TU Austria, we organize an Alpbach Breakout Session on Cyber-Security as a fundamental right. Participants include Isao Echizen (NII), Lokke Moerel (Tilburg University), Günter Müller (University of Freiburg), Reinhard Posch (TU Graz), and Bart Preneel (University of Leuven).

Tomasz Miksa PhD defense

Tomek defended his PhD thesis “Verification and Validation of Scientific Workflow Re-executions” successfully and graduated with distinction. Congratulations!

Tomasz Miksa PhD

Guest Talk: “DNS Traffic Analysis: Opportunities, Risks, and (Self-)Defenses”

Dominik Herrmann, post-doctoral researcher in the Security in Distributed Systems Group (SVS) at University of Hamburg, Germany gives a talk about “DNS Traffic Analysis: Opportunities, Risks, and (Self-)Defenses”. Abstract.

Friday, 15.04.2016, 14.00-15.00

This event is hosted by the Vienna ACM SIGSAC Chapter.

ERCIM News No.105

The ERCIM News No. 105 has just been published at

SBA Research contributed with the article “Detection of Data Leaks in Collaborative Data Driven Research” by Peter Kieseberg, Edgar Weippl and Sebastian Schrittwieser.

SBA Research @ Cyber-Physical Systems Week 2016

We will participate in the events of CPS Week 2016 (Vienna, Austria, April 11-14, 2016).

On Monday (April 11), Johanna Ullrich presents our work on “The Quest for Privacy in the Consumer Internet of Things” at the International Workshop on Consumers and the Internet of Things (ConsIoT 2016). A live webcast by the IoEtv will be available for those who cannot physically attend.

On Tuesday (April 12), Johanna Ullrich presents our work on “Secure Cyber-Physical Production Systems: Solid Steps towards Realization” during the inaugural International Workshop on Cyber-Physical Production Systems (CPPS 2016).

Johanna Ullrich is a recipient of a student grant awarded by the Austrian BMVIT for participation in the CPS Week 2016 event.

SBA Research will also attend the ARTEMIS Spring Event 2016, co-located with the CPS Week 2016 on April 13-14.

Finally, SBA Research together with TU Wien organize the Working Group Meetings of the COST Action Multi-Paradigm Modelling for Cyber-Physical System (MPM4CPS) on April 15-16, 2016.

Katharina Krombholz interviewed for APA Science Dossier

Katharina Krombholz has been interviewed about talent promotion for an APA Science Dossier with the title “Ein Praktikum als Türöffner in die Forschung”. The complete article can be found here.

CSUR article online

Our paper on software obfuscation has been published with ACM Computing Survey (CSUR). You can find the paper in the ACM digital library here.

Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?
Sebastian Schrittwieser, Stefan Katzenbeisser, Johannes Kinder, Georg Merzdovnik, Edgar Weippl

Software obfuscation has always been a controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources.

Katharina Krombholz & Edgar Weippl @ GI Sicherheit 2016

Edgar Weippl and Katharina Krombholz are currently attending GI Sicherheit 2016 in Bonn, Germany. On Thursday, April 7, Katharina will present the findings from our comprehensive Bitcoin User Study, that were published in a recent paper at Financial Crypto, to a German audience of researchers and practitioners.

The detailed program can be found here.

Andreas Tomek @ 11. heise Security Tour

Andreas Tomek gave a talk with the title “Von klassischer Malware zu Advanced Persistent Threats (APT) – Bedrohungen und Lösungsansätze” at the 11. heise Security Tour today in Vienna.

More Information can be found here.

Paper accepted @ ISIT 2016

The paper “’Weight Distribution of the Syndrome of Linear Codes and Connections to Combinatorial Designs” by Christoph Pacher (AIT), Philipp Grabenweger (AIT) and Dimitris Simos (SBA Research) has been accepted for publication in the 2016 IEEE International Symposium on Information Theory (ISIT)  which takes place from July, 10th-15th, 2016 in Barcelona, Spain. ISIT is one of the main venues for Information Theory.

Abstract: The expectation and the variance of the syndrome weight distribution of linear codes after transmission of codewords through a binary symmetric channel is derived exactly in closed form as functions of the code’s parity-check matrix and of the degree distributions of the associated Tanner graph. The influence of (check) regularity of the Tanner graph is studied. Special attention is payed to Tanner graphs that have no cycles of length four. We further study the equivalence of some classes of combinatorial designs and important classes of LDPC codes and apply our general results to those more specific structures. Simulations are performed to show the validity of the theoretical approach.