Joint Android Hacking Event in Darmstadt & Paderborn

On the evening of June 1st we will be jointly organizing a CTF-style Android Hacking Event. At Fraunhofer SIT & TU Darmstadt the organization is lead by team[SIK], at Paderborn University & Fraunhofer IEM by the Software Engineering Group. As a “local hacker” you will be able to physically attend either event, either at Fraunhofer SIT (Rheinstr.) or at Zukunftsmeile 1 in Paderborn. We will try to have a video feed between the two events.

You can also participate as a remote hacker. Remote participants will be listed separately, as we expect them to be more advanced than the student hackers that we actually target with this event. Prices will only be given out to local student hackers.

To qualify, you must register (and solve a couple of challenges) by May 11th here.

ISSTA Artifact Evaluation

We have put online information about ISSTA’s artifact evaluation. Note that this year you may provide artifacts ahead of time to positively influence the decision of paper acceptance!

Thanks for the positive feedback

20160310_131142Thanks for the positive feedback to my keynote at the Entwicklertag in Frankfurt! Let’s hope that the insights I shared about our BaaS-Analysis will help make the world a bit more secure…
And thanks a lot to Siegfried, Steven, Robert and Max for the great work! Keep it going!


ESSoS keynotes by Karsten Nohl and David Basin

Karsten Nohl

David Basin

We have just put online information about our two keynote presentations at ESSoS by Karsten Nohl and David Basin. Karsten Nohl will ask the question How much security is too much?, citing some lessons learned from introducing security into a new, large telecommunications startup, while David Basin will elaborate on the quirks of Security Testing and what it actually all means. I am looking forward to two exciting presentations!

Eric Bodden named Associate Editor of IEEE TSE

As of today, I have joined the editorial board of the IEEE Transactions on Software Engineering (TSE) as an associate editor. I am looking forward to receiving your very best submissions!

Eric Bodden appointed as ISSTA 2018 Program Chair

I am glad to report that I have just been appointed Program Chair of the 2018 International Symposium of Software Testing and Analysis (ISSTA). ISSTA is the leading research symposium on software testing and analysis, bringing together academics, industrial researchers, and practitioners to exchange new ideas, problems, and experience on how to analyze and test software systems. I wish to thank the organizing chair Frank Tip as well as the entire steering committee for this great honor.

ISSTA 2018 will be co-located with the European Conference on Object-Oriented Programming (ECOOP), in beautiful Amsterdam, Netherlands. Let’s make it a great event!

CYSEC researchers score five ICSE publications

ICSE is the premier academic conference for Software Engineering. In total, researchers of CYSEC managed to publish at least five ICSE publications this year, two with contributions from SSE:

“Looking for crypto backdoors is like searching camouflaged needles in a haystack” – Deutschlandfunk reports about our TrueCrypt study (German only)

Recently, our team member Andreas Poller gave an interview at Deutschlandfunk. The radio report shone a light on the reasons why the German Federal Office for Information Security (BSI) asked us to investigate TrueCrypt, how we executed the study, and what common users shall consider when using harddisk encryption.

The interview is available in German here.

Looking for Research Assistants (doctoral or post-doc) at University of Paderborn

As I announced a few weeks ago, in 2016 I will be moving to the University of Paderborn to start a tenured professorship there. As part of this move, I am looking for a number of new Ph.D. students and also PostDocs. The positions come with full funding for a number of years. You can find more information about these positions here. As stated, please direct your applications to

If you have a deep interest in software engineering, especially software security, the I am very much looking forward to your application!

Releasing our in-depth Security Analysis of TrueCrypt

Over the timeframe of about six months, together with other colleagues from Fraunhofer SIT, our group has performed a comprehensive security analysis of the encryption software TrueCrypt. The study was conducted for the German Federal Office for Information Security (BSI), who is releasing the report today on its website. (English version here.)

In June 2014, the open-source disk-encryption solution TrueCrypt was abandoned by its anonymous developers, while at the same time hinting the many users of the solution at potential vulnerabilities. On behalf of the BSI, we examined TrueCrypt for vulnerabilities, both conceptually and on the level of program code. As part of this task, we also considered and reviewed the results of previous security assessments.

On previously reported vulnerabilities in the driver component

Our general conclusion is that TrueCrypt is safer than previous examinations suggest. About a month ago, for instance, Google’s Project Zero had discovered two previously unknown vulnerabilities in TrueCrypt, one of them classified as critical. The error allows such malicious code that already has access to the running computer system to acquire expanded system rights. The vulnerability should be fixed, as privilege escalation opens the door for other attacks. But similar problems could arise with any kernel-level driver. Importantly, the problem found does not provide an attacker simplified access to encrypted data. To exploit the vulnerability, the attacker would have to have far-reaching access to the system anyway, for example, via a Trojan Horse or some other form of remote or direct access.

It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure. In result, TrueCrypt provides good protection mostly when storing encrypted data offline. If keeping a backup stored offline on a hard drive, for example, or keeping encrypted data on a USB flash drive to be sent via a human carrier, then this can be considered relatively secure.

On buffer overflows reported by OCAP

The Open Crypto Audit Project (OCAP) has carefully examined TrueCrypt in the past. We have analyzed the report and also conducted a brief email exchange with the people behind OCAP. We examined closely a number of buffer overflows their study had revealed. Using the usage of static-analysis tools such as the KLEE virtual machine we were able to prove, though, that these buffer overflows cannot actually occur at runtime, and thus cannot possibly be exploited. It’s great to see that tools such as KLEE can nowadays cope with such practical problems – a manual analysis would have been too complicated since many complex path conditions needed to be considered.

Weak retrieval of random numbers

If you look more closely at our report you will see that we did find some weaknesses in the way TrueCrypt retrieves the random numbers it uses for encryption. With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in non-interactive mode, though, or when using certain access-control policies on Windows. In result, it is unlikely that this problem has actually affected users in he wild. The problem is that if volumes were created with a weak key then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which this flaw has been fixed.


In conclusion, I would say that the TrueCrypt code base is probably alright for the most parts. The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives. Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation. But generally the software does what it was designed for.

Note that the original designers documented all along a threat model stating that TrueCrypt cannot actually properly protect data on a running system. This matches our findings. If such protection is desired, one cannot get around solutions that use smartcards or other hardware-based key storage such that the encryption key can be better kept a secret. Also such systems can be broken, but they raise the bar significantly.

We hope that folks find our report useful. Thanks to everyone who supported our study, in particular to the BSI for funding it! We hope to be able to conduct further similar analyses in the future.

Update: First press coverage

Ars Technica: TrueCrypt is safer than previously reported, detailed analysis concludes
Threatpost: German Government Audits TrueCrypt
Digital Trends: Why TrueCrypt might not be so insecure after all

ZDNet: Fraunhofer-Institut: TrueCrypt ist „nur in sehr seltenen Fällen angreifbar“
MacLife: Truecrypt-Verschlüsselungssoftware sicherer als erwartet

Update: Cloudwards has a nice article about TrueCrypt alternatives