Adrian Dabrowski

is a senior researcher at SBA Research.Adrian

  • E-Mail
  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88
  • PGP ID: 0xDB1E4E76
  • PGP Fingerprint: 43EC 0F2B 8881 E26F 62A5 013F 7959 474F DB1E 4E76
  • Google Scholar

Research Interest

His research interests cover RFID, cyberphysical security, hardware security and privacy enhancing technologies.

Bio

Adrian Dabrowski received his PhD from TU Wien. He participated and later organized the Viennese iCTF team, winning two times. He received the IEEE Austria Diploma Thesis Award and was nominated for the Distinguished Young Alumnus Award of the Faculty of Informatics, UT Vienna. His ACSAC 2014 paper won the Best Student Paper Award.

Before that, he made several media appearances concerning security of systems in public use and taught part-time at a technical high school.

He has been speaker at several Computer Chaos Club (CCC) conferences, as well as SIGINT, B-Sides, PrivacyOS and Forum Alpbach. During his PhD, he visited the Echizen Group at the National Institute of Informatics in Tokyo multiple times.

Top Publications:

  • Dependability in E-Assessment (2007)
    • ARTICLE--
    • Edgar R. Weippl
    • International Journal on E-Learning
    @ARTICLE{Weippl_DependabilityinEAssessment_2007,
       author = {{Edgar R.} Weippl},
       title = {Dependability in E-Assessment},
       journal = {International Journal on E-Learning},
       year = {2007},
       month = {1},
       volume = {6},
       number = {2},
       publisher = {AACE},
       }
  • Security Considerations in M-Learning: Threats and Countermeasures (2007)
    • ARTICLE--
    • Edgar R. Weippl
    • Advanced Technology for Learning
    @ARTICLE{Weippl_SecurityConsiderationsin_2007,
       author = {{Edgar R.} Weippl},
       title = {Security Considerations in M-Learning: Threats and Countermeasures},
       journal = {Advanced Technology for Learning},
       year = {2007},
       month = {1},
       volume = {4},
       number = {2},
       pages = {1--7},
       publisher = {Acta Press},
       }
  • Wikis im {S}ocial {W}eb (2007)
    • INBOOK--
    • Edgar R. Weippl and Bernhard Riedl and Veronika Grascher
    • OCG Austrian Computer Society
    @INBOOK{Weippl_EinsatzvonAuditsinWikisanStellevonZugriffskontrollenalssozioorganisatorischeSicherheitsmassnahme_2007,
       author = {{Edgar R.} Weippl and Bernhard Riedl and Veronika Grascher},
       title = {Wikis im {S}ocial {W}eb},
       year = {2007},
       month = {1},
       chapter = {Einsatz von Audits in Wikis an Stelle von Zugriffskontrollen als sozio-organisatorische Sicherheitsmassnahme},
       pages = {190--198},
       publisher = {OCG Austrian Computer Society},
       }
  • Automatic {N}etwork {P}rotocol {A}nalysis (2007)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek
    • Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}), {S}an {D}iego 2007
    @INPROCEEDINGS{Wondracek_AutomaticNetworkProtocol_2007,
       author = {Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek},
       title = {Automatic {N}etwork {P}rotocol {A}nalysis},
       booktitle = {Proceedings of the {N}etwork and {D}istributed {S}ystem {S}ecurity {S}ymposium {C}onference ({NDSS}),
       {S}an {D}iego 2007},
       year = {2007},
       month = {1},
       }
  • Extending Business Process Management to Determine Efficient IT Investments (2007)
    • INPROCEEDINGS--
    • Thomas Neubauer and Christian Stummer
    • Proceedings of the 2007 ACM Symposium on Applied Computing
    @INPROCEEDINGS{Neubauer_ExtendingBusinessProcess_2007,
       author = {Thomas Neubauer and Christian Stummer},
       title = {Extending Business Process Management to Determine Efficient IT Investments},
       booktitle = {Proceedings of the 2007 ACM Symposium on Applied Computing},
       year = {2007},
       month = {1},
       }
  • Security Ontology: Simulating Threats to Corporate Assets (2006)
    • INPROCEEDINGS--
    • Andreas Ekelhart and Stefan Fenz and Markus Klemen and Edgar R. Weippl
    • Second International Conference on Information Systems Security (ICISS 2006)
    @INPROCEEDINGS{Ekelhart_SecurityOntologySimulating_2006,
       author = {Andreas Ekelhart and Stefan Fenz and Markus Klemen and {Edgar R.} Weippl},
       title = {Security Ontology: Simulating Threats to Corporate Assets},
       booktitle = {Second International Conference on Information Systems Security (ICISS 2006)},
       year = {2006},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/2006 - Ekelhart - Security Ontology Simulating Threats to Corporate Assets.pdf},
       volume = {4332_2006},
       pages = {249--259},
       publisher = {Springer Berlin Heidelberg},
       }
  • Ontology-based Business Knowledge for Simulating Threats to Corporate Assets (2006)
    • INPROCEEDINGS--
    • Andreas Ekelhart and Stefan Fenz and Markus Klemen and A Min Tjoa and Edgar R. Weippl
    • Practical Aspects of Knowledge Management, 6th International Conference, PAKM 2006
    @INPROCEEDINGS{Ekelhart_OntologybasedBusinessKnowledge_2006,
       author = {Andreas Ekelhart and Stefan Fenz and Markus Klemen and {A Min} Tjoa and {Edgar R.} Weippl},
       title = {Ontology-based Business Knowledge for Simulating Threats to Corporate Assets},
       booktitle = {Practical Aspects of Knowledge Management,
       6th International Conference,
       PAKM 2006},
       year = {2006},
       month = {12},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/2006 - Ekelhart - Ontology-based Business Knowledge for Simulating Threats to Corporate Assets.pdf},
       volume = {4333_2006},
       pages = {37--48},
       publisher = {Springer Berlin Heidelberg},
       }
  • Ontology-based IT-Security Planning (2006)
    • INPROCEEDINGS--
    • Stefan Fenz and Edgar R. Weippl
    • Proceedings of the 12th Pacific Rim International Symposium on Dependable Computing, PRDC2006
    @INPROCEEDINGS{Fenz_OntologybasedITSecurityPlanning_2006,
       author = {Stefan Fenz and {Edgar R.} Weippl},
       title = {Ontology-based IT-Security Planning},
       booktitle = {Proceedings of the 12th Pacific Rim International Symposium on Dependable Computing,
       PRDC2006},
       year = {2006},
       month = {12},
       abstract = {IT-security has become a much diversified field and small and medium sized enterprises (SMEs),
       in particular,
       do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology,
       to provide a solid base for an applicable and holistic IT-security approach for SMEs,
       enabling low-cost risk management and threat analysis.},
       pdf = {https://www.sba-research.org/wp-content/uploads/publications/2006 - Fenz - Ontology-based IT Security Planning.pdf},
       pages = {389-390},
       publisher = {IEEE Computer Society},
       note = {9353421},
       }
    IT-security has become a much diversified field and small and medium sized enterprises (SMEs), in particular, do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology, to provide a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis.
  • Extending .NET Security to Unmanaged Code (2006)
    • INPROCEEDINGS--
    • Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff
    • In Proceedings of the 9th Information Security Conference (ISC 2006)
    @INPROCEEDINGS{Klinkoff_Extending_NETSecurity_2006,
       author = {Christopher Kruegel and Engin Kirda and Giovanni Vigna and Patrick Klinkoff},
       title = {Extending .NET Security to Unmanaged Code},
       booktitle = {In Proceedings of the 9th Information Security Conference (ISC 2006)},
       year = {2006},
       month = {9},
       abstract = {The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately,
       not all of these applications are benign,
       and,
       often,
       users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code,
       Microsoft introduced the .NET framework,
       a new development and runtime environment where machineindependent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately,
       the execution of unmanaged native code is not restricted by the .NET security model,
       and,
       thus,
       provides the attacker with a mechanism to completely circumvent the framework's security mechanisms. The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious,
       unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers,
       one on top of the Windows API and one in the kernel. Also,
       managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge,
       the presented architecture and implementation is the first solution to secure unmanaged code in .NET.},
       }
    The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machineindependent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, provides the attacker with a mechanism to completely circumvent the framework's security mechanisms. The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.

Further website

See also http://www.seclab.tuwien.ac.at/people/atrox/

 

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close