Smart cyber-physical systems: Too big to fail, too smart to be secure?

Attending ICSE? Then consider coming two days earlier to attend SEsCPS, the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems, where I will be giving a keynote on the current state and challenges of CPS security. Abstract:

Many industrialized nations are currently pushing for smart cyber-physical systems as a major hope for new revenue models. But such systems become smart through connectivity, which opens them up to a whole range of new attack vectors. One may ask: why are current software-heavy cyber-physical systems as insecure as they are? My answer would be: why shouldn’t they be? Many such systems are designed and engineered by companies who never developed software engineering as a core competency. And how should such companies succeed where even the most prominent software vendors struggle? In this talk I will discuss my view of the challenges in secure software engineering and how the inclusion of hardware brings a whole new set of challenges to the game. I will outline my vision of secure systems engineering and raise a set of challenges that need to be addressed to make this vision become reality.

Joint Android Hacking Event in Darmstadt & Paderborn

On the evening of June 1st we will be jointly organizing a CTF-style Android Hacking Event. At Fraunhofer SIT & TU Darmstadt the organization is lead by team[SIK], at Paderborn University & Fraunhofer IEM by the Software Engineering Group. As a “local hacker” you will be able to physically attend either event, either at Fraunhofer SIT (Rheinstr.) or at Zukunftsmeile 1 in Paderborn. We will try to have a video feed between the two events.

You can also participate as a remote hacker. Remote participants will be listed separately, as we expect them to be more advanced than the student hackers that we actually target with this event. Prices will only be given out to local student hackers.

To qualify, you must register (and solve a couple of challenges) by May 11th here.

CodeInspect awarded at the HIGHEST Startup Contest


CodeInspect was awarded the second prize at the HIGHEST startup contest at TU Darmstadt. In a multi-stage selection process, we had to convince the judges about our business concept for the need of more security in the mobile world. All in all, we competed against 74 other business ideas from different departments at the TU Darmstadt such as mechanical engineering, chemistry, etc.

More information about the other winners and the ceremony can be found here.


ESSoS keynotes by Karsten Nohl and David Basin

Karsten Nohl

David Basin

We have just put online information about our two keynote presentations at ESSoS by Karsten Nohl and David Basin. Karsten Nohl will ask the question How much security is too much?, citing some lessons learned from introducing security into a new, large telecommunications startup, while David Basin will elaborate on the quirks of Security Testing and what it actually all means. I am looking forward to two exciting presentations!

GaLity accepted at ESSoS 2016

We’re happy to announce that our paper “Analyzing the Gadgets – Towards a Metric to Measure Gadget Quality” has been accepted at ESSoS 2016. In this paper we present four metrics that allow assessing the usefulness of a set of gadgets (short fragments of assembly, which are the cornerstone of ROP exploits). We applied our metrics to binaries compiled with MPX, a new exploit mitigation technique by Intel, that, among other things, transforms binaries to check for buffer overflows. This transformation introduces additional gadgets and, using GaLity, we show, that such a binary contains more gadgets useful in ROP attacks than the same binary compiled without MPX.

GaLity also received the artifact evaluation award.