SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT

News

Project SESC started

The project “Secure Execution of Smart Contracts” (SESC) started on January 1, 2017. SESC is an R&D project supported by the BRIDGE 1 Programme of the Austrian Research Promotion Agency (FFG). The first project consortium meeting was hosted by SBA Research on March 21, 2017.

SESC focuses on research addressing the emerging requirements for supporting the whole lifecycle of smart contract infrastructures in the long term. Learn more about SESC at https://www.sba-research.org/research/projects/sesc/

Dimitris Simos @ ICST 2017

Dimitris Simos gives a talk on “Coveringcerts: Combinatorial Methods for X.509 Certificate Testing”, a joint work with Kristoffer Kleine, on March 14, 2017 at the 10th IEEE International Conference on Software Testing, Verification and Validation (ICST 2017).

ICST 2017 takes place during March 13-18, 2017 in Tokyo, Japan at Waseda University and is one of the leading conferences for software testing and validation.

The results of this work open a new line of research: applying combinatorial testing to the testing of security protocols and their implementations.

Blocks & Chains – The Age of Cryptocurrency Technologies

SBA Research will offer a series of evening trainings focusing on the hot topic “Blocks & Chains”. We will discuss specialized contents such as smart contracts, blockchain interlinking, privacy, and regulatory approaches to cryptocurrencies.

The series starts with a tutorial, covering general information about cryptocurrencies and their underlying technology. During each of the following four evening trainings we will discuss one specialized topic in depth.

More details can be found here: Blocks & Chains

Tutorial on Applied Research in Network Security

Edgar Weippl gives a tutorial at NetSys17 on Applied Research in Network Security.

Dimitris Simos @ IWCT 2017

Dimitris Simos chairs the Sixth International Workshop on Combinatorial Testing (IWCT 2017) on March 13, 2017.

He is also giving a talk on “Combinatorial Methods for Modelling Composed Software Systems” (joint with Ludwig Kampel and Bernhard Garn).

IWCT 2017 takes place in Tokyo, Japan and is co-located with ICST 2017, the 10th IEEE International Conference on Software Testing, Verification and Validation, during March 13-18, 2017.

Start of the Android Security Symposium 2017

The Android Security Symposium starts today at the Technical University of Vienna, courtesy of the Josef Ressel Center u’smile. The upcoming three days are packed with presentations covering the entire Android security ecosystem, ranging from this morning’s presentations on the security architecture of Android by Google and AT&T to secure app development, novel attacks, and much more.

You can find the entire program here, and can follow #AndroidSecuritySymposium on Twitter for updates.

CTF team We_0wn_Y0u secured 3rd place in academic International Capture the Flag (iCTF) contest

Last weekend, the SBA-supported CTF team “We_0wn_Y0u” (W0Y) of TU Wien again showcased its outstanding capabilities. In the academic International Capture the Flag (iCTF) contest they secured third place among 78 participating universities worldwide in an 8-hour race. W0Y started receiving points late in the game but managed to overtake the field, leaving only Moscow State University (1st) and Saarbrücken University (2nd) in front.

As a novelty, this year the iCTF also included a 24-hour non-academic contest, in which W0Y placed 4th of 317 teams. The 24 hours meant three times the fun (by duration), but also unique challenges regarding rest periods and shift operations.

W0Y has a long-standing tradition of participating in the iCTF since 2005. They have finished in the top 10 every time and won the competition twice. The team comprises outstanding students and teaching staff of the “Internet Security” and “Advanced Internet Security” course series taught at TU Wien. The courses are a cooperation of the Institute of Computer Aided Automation and the Institute for Software and Interactive Systems. The lectures are sometimes called the “hacking course”, since they teach the offensive perspective so that students understand attackers and can develop secure software in the future.

The iCTF is a so-called “attack-defense” competition. Every team receives an identical copy of a vulnerable server, which it must defend against the other teams while simultaneously attacking theirs. Each server runs a handful of services. Attack points are awarded for every service a team manages to compromise on another team’s server by stealing a “flag”, a file containing a secret unique to that team and service. Defense points are awarded for keeping one’s own services running and secure (i.e., not losing any flags).
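To make the scoring mechanics described above concrete, here is an added example of a minimal attack-defense scoreboard. It is not code from the iCTF organizers or from W0Y; the flag format, the HMAC-based flag generation, the flag lifetime and the one-point-per-event weights are assumptions chosen for illustration, and the submissions and service checks are constructed sample data. The HMAC lets the checker verify that a submitted flag is genuine and attribute it to a victim team and service without a lookup table, and the checker rejects forged, self-submitted, expired and duplicate flags before awarding attack points.

```python
"""Minimal attack-defense CTF scoreboard (constructed example, not iCTF code).

Assumptions (not taken from the page): a flag is FLG{team:service:round:mac}
where mac is a truncated HMAC-SHA256 over "team:service:round" under an
organizer-only key; a flag can be redeemed for FLAG_LIFETIME rounds after it
was issued; one attack point per distinct stolen flag; one defense point per
service per round that was up and whose flag was not stolen. Team and service
names must not contain ':'.
"""
import hashlib
import hmac
from collections import defaultdict

FLAG_KEY = b"constructed-organizer-secret"  # assumption: known only to the organizer
FLAG_LIFETIME = 2                           # assumption: rounds a flag stays redeemable


def make_flag(team: str, service: str, rnd: int) -> str:
    """Issue the flag planted on `team`'s `service` in round `rnd`."""
    payload = f"{team}:{service}:{rnd}".encode()
    mac = hmac.new(FLAG_KEY, payload, hashlib.sha256).hexdigest()[:16]
    return f"FLG{{{team}:{service}:{rnd}:{mac}}}"


def verify_flag(flag: str):
    """Return (victim, service, round) if the flag is genuine, else None."""
    if not flag.isascii() or not (flag.startswith("FLG{") and flag.endswith("}")):
        return None
    parts = flag[4:-1].split(":")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    team, service, rnd, _mac = parts
    # Recompute the whole flag and compare in constant time, so the checker
    # cannot be used as a byte-by-byte MAC oracle.
    if not hmac.compare_digest(make_flag(team, service, int(rnd)), flag):
        return None
    return team, service, int(rnd)


def score(submissions, checks):
    """Compute (attack_points, defense_points) per team.

    submissions: list of (submitter, flag, round_submitted)
    checks: dict {(team, service, round): service_was_up}
    """
    attack = defaultdict(int)
    stolen = set()   # (victim, service, round) flags that were captured
    seen = set()     # (submitter, victim, service, round) already credited
    for submitter, flag, rnd_sub in submissions:
        parsed = verify_flag(flag)
        if parsed is None:
            continue                      # forged or malformed flag
        victim, service, rnd = parsed
        if victim == submitter:
            continue                      # submitting one's own flag earns nothing
        if rnd_sub < rnd or rnd_sub - rnd > FLAG_LIFETIME:
            continue                      # flag from the future, or expired
        key = (submitter, victim, service, rnd)
        if key in seen:
            continue                      # each flag counts once per attacker
        seen.add(key)
        attack[submitter] += 1
        stolen.add((victim, service, rnd))

    defense = defaultdict(int)
    for (team, service, rnd), up in checks.items():
        # A service only defends successfully if it was reachable AND kept its flag.
        if up and (team, service, rnd) not in stolen:
            defense[team] += 1
    return dict(attack), dict(defense)


def example_scores():
    """Run the scoreboard over constructed sample data for teams A, B and C."""
    submissions = [
        ("A", make_flag("B", "web", 1), 1),             # valid steal
        ("A", make_flag("B", "web", 1), 2),             # duplicate, ignored
        ("B", make_flag("B", "db", 1), 1),              # own flag, ignored
        ("C", make_flag("A", "db", 1), 4),              # expired, ignored
        ("C", "FLG{A:web:1:0000000000000000}", 1),      # forged MAC, ignored
        ("C", make_flag("A", "web", 2), 2),             # valid steal
    ]
    checks = {
        ("A", "web", 1): True, ("A", "db", 1): True,
        ("B", "web", 1): False, ("B", "db", 1): True,   # B's web service was down
        ("C", "web", 1): True, ("C", "db", 1): True,
        ("A", "web", 2): True, ("A", "db", 2): True,    # A's web flag was stolen
        ("B", "web", 2): True, ("B", "db", 2): True,
        ("C", "web", 2): True, ("C", "db", 2): True,
    }
    return score(submissions, checks)


if __name__ == "__main__":
    print(example_scores())
```

With the constructed data, A and C each earn one attack point, while defense points are 3 for A (its round-2 web flag was stolen), 3 for B (its web service was down in round 1) and 4 for C.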

Rest of the team after 24h / Photo: Georg Merzdovnik

The team would like to thank UC Santa Barbara and Arizona State University for organizing the competition.

https://www.w0y.at
http://www.ictf2017.net
https://shellweplayagame.org/
https://ictf.cs.ucsb.edu/pages/archive.html

Hollywood Hacking @ FM4

FM4 is broadcasting parts of the “myth-buster” session “Hollywood Hacking by SBA Research”, created by Adrian Dabrowski. Every now and then, a movie excerpt is aired to give an amusing rollercoaster ride through the ups and downs of screenwriters’ imagination regarding computer security.

James Bond, Independence Day, Jurassic Park and Matrix Reloaded were already part of the series.

Adrian Dabrowski about PNR security

In the wake of the Amadeus “hack”, Adrian Dabrowski speaks about PNR security in the magazine “Faktum” (2/2017).

Faktum 2/2017

NIS Directive: Panel Discussion at IRIS 2017 in Salzburg

Stephan Eder invited Edgar Weippl to a panel discussion on the NIS Directive (IRIS program).

Josef Ressel Center TARGET successful mid-term evaluation

Sebastian Schrittwieser’s Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) successfully passed the mid-term evaluation and SBA Research hopes to join the research project in the next few months.

Congratulations on the excellent presentations!

Guest talk: “Trust Management for securing the IoT networks”

Zeeshan Ali Khan, an ERCIM Postdoc Fellow with the Department of Telematics of the Norwegian University of Science and Technology (NTNU), gave a talk on “Trust Management for securing the IoT networks”. Abstract

This event is hosted by the Vienna ACM SIGSAC Chapter.

SBA Research is hosting an ERCIM Postdoc Fellow

In the context of the ERCIM Research Exchange Programme, SBA Research is hosting Dr. Zeeshan Ali Khan between February 23 and March 1, 2017.

Zeeshan is an ERCIM Postdoc Fellow with the Department of Telematics of the Norwegian University of Science and Technology (NTNU) working under the supervision of Prof. Peter Herrmann on “Trust based Security Solutions for Resource Constrained IoT Devices”.

Panel on the Future of Cyber Security Research & Tutorial on Ethics and Research Methods in Security Research

At the ICISSP 2017 conference, Edgar Weippl joins Steve Furnell’s panel, discussing the future of research in cyber security with Elisa Bertino. Later today, Edgar teaches a tutorial on Research Ethics and Research Methods in Applied Information Security Research.

SBA Research at RECODIS meetings

Artemios G. Voyiatzis from SBA Research represents Austria in the Management Committee (MC) and the Working Group (WG) meetings of the COST Action RECODIS on February 13-14, 2017 in Wroclaw, Poland.

The objective of the COST Action “Resilient Communication Services Protecting End-user Applications from Disaster-based Failures” (RECODIS) is to introduce a set of techniques for resilient communications, as well as recommendations on how to deploy or update the topologies of communication networks to make them resistant to disruptions, that can be applied in practice by network equipment operators and national/international network providers at the European level.

We will also present our research on “Algorithms and techniques for resilient routing involving edge devices” in the context of Working Group 4 “Malicious human activities”.

Network-Based Secret Communication in Clouds: A Survey

Our journal article “Network-Based Secret Communication in Clouds: A Survey” by Johanna Ullrich, Tanja Zseby, Joachim Fabini and Edgar Weippl has been published in the high-impact journal IEEE Communications Surveys & Tutorials. It is now available online.

You can find a preprint here.

Project TRUC started

Last week, project TRUC was officially started, with the first lectures taking place at SBA. The focus of this FFG “Qualifizierungsnetz” (qualification network) is to teach partner companies the state of the art in cybersecurity and defense-in-depth, enabling them to develop secure software for, e.g., Industrie 4.0 or cyber-physical systems.

Project abstract (translated from German): Trusted Code (TRUC) comprises the planning and implementation of highly specialized modules and knowledge exchange on the topic of “secure software development”. The goal is to combine the required specialist knowledge from the relevant areas of information security in order to raise the detailed knowledge of the participating employees of the partner companies to a level that is top-class by international comparison. To this end, TRUC combines the latest findings from various areas, e.g. language-based security, worst-case execution time analysis and formal verification, to give the partner companies comprehensive knowledge. This should enable them to competently master a variety of novel security problems and tasks in different subject areas, from cyber-physical systems to the security of new production methods in Industrie 4.0.

Martin Schmiedecker at HackPra, Bochum

Today, Martin Schmiedecker presents at the HackPra lecture at RUB, Bochum. He joins an impressive list of previous speakers, including Mario Heiderich, Stefan Esser, Ange Albertini and Felix ‘FX’ Lindner.

Title: Turning Incident Response to Eleven
Abstract: We’ve all been there – this one course at university where they tell you to actually read the log files, do proper incident response, and document everything. And it’s all fun and games, until you get hit by reality and have to analyze a possible security incident with a laterally moving attacker, and possibly more than 100 affected systems. Or 1000. Or even more … The next thing you remember is waking up in a room without windows, packed with hard drives that are labeled obscurely, and a hardware write blocker that only does USB 2.0.

In this talk I’ll show which analysis techniques and tools work at scale, namely for many systems in parallel. And central logging is just a tiny piece of the puzzle. In particular I will present the new open-source tools GRR, bulk_extractor/fiwalk and peekaTorrent.

You can find the video of the talk here.

Talk about “Improving the Quality Assurance of Secure Software through Combinatorial Methods”

Dimitris Simos highlighted the pressing need to ensure that software implementations are free of exploitable flaws in a talk on “Improving the Quality Assurance of Secure Software through Combinatorial Methods” at the Faculty of Informatics at TU Wien.

The Abstract can be found here.

Katharina Krombholz defended her PhD

Better late than never: Katharina already defended her PhD thesis late last year and graduated with distinction. Her thesis is a substantial contribution to the field of usable security and privacy. It spans user-centric research on a variety of topics such as smartphone authentication, Bitcoin and its users’ expectations, and TLS deployments. Kudos from all of us!

A full list of her published papers can be found here or on her Google Scholar Profile.