We have just kicked off a new project financed by the BSI which has the goal to perform a security evaluation of the current TrueCrypt code base. Do you have any particular insights about TrueCrypt security? Do you want to discuss with us more about what the advisory on the TrueCrypt homepage really means? Then meet with me at 31C3 or drop me a line. You can find my contact data and PGP key here.
Cross-posted from SEEBlog
We are currently looking for a research assistant who supports us in modeling cryptographic API’s with the use of Clafer.
So if you are interested in cryptography and are currently looking for a theses topic or a paid HiWi project, have a look in the attached proposal and contact us!
Cross-posted from SEEBlog
For 2015 and 2016, Eric Bodden has been invited to participate, and accepted membership in the Program Committees for the following top conferences:
Cross-posted from SEEBlog
On Thursday, SPLlift, our approach for Analyzing Software Product Lines in Minutes instead of Years, was awarded the second price at the German IT-Sicherheitspreis. This was joint work with Mira Mezini (to the right), Claus Brabrand, Marcio Ribeiro, Paulo Borba and Tarsis 
Toledo. Many thanks for the fruitful collaboration! And Many thanks to Horst Görtz and his Foundation for donating this award!
1st place went to Kastel’s project on Blurry-Box Cryptography, the first provably secure software-protection dongle. Congrats!
Cross-posted from SEEBlog
We have moved! You now find us in the new shiny Fraunhofer building at Rheinstraße 75!
Cross-posted from SEEBlog
Am 16.10. veranstalten Eric Bodden und Thomas Schreck (Siemens CERT) zusammen mit CAST einen Workshop zum Thema Sicherheit im Lebenszyklus von Open Source. Dies ist der erste CAST Workshop im Neubau des Fraunhofer SIT. Es erwartet Sie ein spannendes Programm mit hochkarätigen Vortragenden.
Cross-posted from SEEBlog
Together with Gerold Hübner, Chief Product Security Officer (CPSO), SAP, Germany, and with Frances Paulisch, Head of the Software Initiative/Vice Chairman, Siemens AG/SAFECode, Germany, Eric Bodden will be participating in the opening panel of ISSE’14 at Brussels, on the topic of Secure Software – we need it more than ever: SAFECODE and more.
Cross-posted from SEEBlog
On 7th November, we are presenting our “Denial-of-App Attack” at the SPSM 2014 workshop in Scottsdale, Arizona (USA).
Abstract:
We describe a novel class of attacks called denial-of-app that allows adversaries to inhibit the future installation of attacker- selected applications on mobile phones. Adversaries can use such attacks to entrap users into installing attacker-preferred applications, for instance to generate additional revenue from advertisements on a competitive app market or to increase the rate of malware installation. Another possibility is to block anti-virus applications or security workarounds to complicate malware detection and removal.
We demonstrate such an attack that works on arbitrary unmodified stock Android phones. It is even possible to block many applications from a list predefined by the attacker in- stead of just a single app. Even more, we propose an attack for banning applications from Google Play Store regardless of the user’s phone by exploiting similar vulnerabilities in the market’s app vetting process. Unblocking an application blocked by our attack requires either root privileges or a complete device reset. The Android security team has confirmed and fixed the vulnerability in Android 4.4.3 (bug 13416059) and has given consent to this publication within a responsible-disclosure process. To the best of our knowledge, the attack applies to all versions prior to Android 4.4.3.
The Paper can be downloaded soon.
The PoC Exploit can be downloaded here.
The Android Security Team released a fix in Android 4.4.3. Details about the fix are here.
Cross-posted from SEEBlog
Next Semester, the Secure Software Engineering Group will offer a new seminar course “Secure Software Development (SecDev)”. The goal of the course is to provide software developers with the knowledge and first experience they need for developing secure software. Additionally, they will learn how to develop knowledge and share it and how to investigate a research problem on secure software development.The main topics are:
More information can be found on the course website.
Cross-posted from SEEBlog
