Interested in TrueCrypt security? Talk to us

Eric | December 14, 2014

We have just kicked off a new project financed by the BSI which has the goal to perform a security evaluation of the current TrueCrypt code base. Do you have any particular insights about TrueCrypt security? Do you want to discuss with us more about what the advisory on the TrueCrypt homepage really means? Then meet with me at 31C3 or drop me a line. You can find my contact data and PGP key here.

Cross-posted from SEEBlog


Wanted: Research assistant in CROSSING project

Eric | December 10, 2014

We are currently looking for a research assistant to support us in modeling cryptographic APIs with Clafer.

So if you are interested in cryptography and are currently looking for a thesis topic or a paid HiWi project, have a look at the attached proposal and contact us!

Proposal

Cross-posted from SEEBlog


2015 and 2016 Program committees

Eric | December 9, 2014

For 2015 and 2016, Eric Bodden has been invited to participate, and accepted membership in the Program Committees for the following top conferences:

  • ICSE 2016
  • OOPSLA 2016
  • ECOOP 2015
  • ISSTA 2015
  • MODULARITY/AOSD 2015
  • ONWARD 2015
  • PLDI 2015
  • RV 2015

Cross-posted from SEEBlog


SPLlift awarded the IT-Sicherheitspreis (2nd place)

Eric | October 25, 2014

On Thursday, SPLlift, our approach for Analyzing Software Product Lines in Minutes instead of Years, was awarded second prize at the German IT-Sicherheitspreis. This was joint work with Mira Mezini (to the right), Claus Brabrand, Marcio Ribeiro, Paulo Borba and Tarsis Toledo. Many thanks for the fruitful collaboration! And many thanks to Horst Görtz and his Foundation for donating this award!

1st place went to Kastel’s project on Blurry-Box Cryptography, the first provably secure software-protection dongle. Congrats!

Cross-posted from SEEBlog


Eric | October 1, 2014

We have moved! You now find us in the new shiny Fraunhofer building at Rheinstraße 75!


Cross-posted from SEEBlog


CAST Workshop: Security in the Life Cycle of Open Source

Eric | October 1, 2014

On October 16th, Eric Bodden and Thomas Schreck (Siemens CERT), together with CAST, are organizing a workshop on the topic of security in the life cycle of open source. This is the first CAST workshop in the new Fraunhofer SIT building. Expect an exciting program with top-class speakers.

Cross-posted from SEEBlog


Register now for FSE

Eric | September 18, 2014

FSE 2014 has now opened its registration portal. Register by October 5th to benefit from early-bird rates!

Cross-posted from SEEBlog


Panel discussion at ISSE’14

Eric | September 18, 2014

Together with Gerold Hübner, Chief Product Security Officer (CPSO), SAP, Germany, and Frances Paulisch, Head of the Software Initiative/Vice Chairman, Siemens AG/SAFECode, Germany, Eric Bodden will be participating in the opening panel of ISSE’14 in Brussels, on the topic of Secure Software – we need it more than ever: SAFECODE and more.

Cross-posted from SEEBlog


Denial-of-App Attack on Android will be presented at SPSM 2014

Eric | August 31, 2014

On November 7th, we are presenting our “Denial-of-App Attack” at the SPSM 2014 workshop in Scottsdale, Arizona (USA).

Abstract:

We describe a novel class of attacks called denial-of-app that allows adversaries to inhibit the future installation of attacker-selected applications on mobile phones. Adversaries can use such attacks to entrap users into installing attacker-preferred applications, for instance to generate additional revenue from advertisements on a competitive app market or to increase the rate of malware installation. Another possibility is to block anti-virus applications or security workarounds to complicate malware detection and removal.

We demonstrate such an attack that works on arbitrary unmodified stock Android phones. It is even possible to block many applications from a list predefined by the attacker instead of just a single app. Even more, we propose an attack for banning applications from Google Play Store regardless of the user’s phone by exploiting similar vulnerabilities in the market’s app vetting process. Unblocking an application blocked by our attack requires either root privileges or a complete device reset. The Android security team has confirmed and fixed the vulnerability in Android 4.4.3 (bug 13416059) and has given consent to this publication within a responsible-disclosure process. To the best of our knowledge, the attack applies to all versions prior to Android 4.4.3.

The paper will be available for download soon.

The PoC exploit can be downloaded here.

The Android Security Team released a fix in Android 4.4.3. Details about the fix are here.

Cross-posted from SEEBlog


New Course Secure Software Development (SecDev)

Eric | August 4, 2014

Next semester, the Secure Software Engineering Group will offer a new seminar course, “Secure Software Development (SecDev)”. The goal of the course is to provide software developers with the knowledge and first hands-on experience they need to develop secure software. Additionally, participants will learn how to develop and share knowledge and how to investigate a research problem in secure software development. The main topics are:

  1. Secure software development life-cycle
  2. Threat modeling
  3. Risk assessment
  4. Security requirements
  5. Security architecture
  6. Secure coding standards
  7. Security code analysis
  8. Security testing
  9. Security code review
  10. Empirical analysis for secure software development

More information can be found on the course website.


Cross-posted from SEEBlog
