CodeInspect awarded at the HIGHEST Startup Contest

highest2016

CodeInspect was awarded the second prize at the HIGHEST startup contest at TU Darmstadt. In a multi-stage selection process, we had to convince the judges about our business concept for the need of more security in the mobile world. All in all, we competed against 74 other business ideas from different departments at the TU Darmstadt such as mechanical engineering, chemistry, etc.

More information about the other winners and the ceremony can be found here.

 

ESSoS keynotes by Karsten Nohl and David Basin

Karsten Nohl

David Basin

We have just put online information about our two keynote presentations at ESSoS by Karsten Nohl and David Basin. Karsten Nohl will ask the question How much security is too much?, citing some lessons learned from introducing security into a new, large telecommunications startup, while David Basin will elaborate on the quirks of Security Testing and what it actually all means. I am looking forward to two exciting presentations!

GaLity accepted at ESSoS 2016

We’re happy to announce that our paper “Analyzing the Gadgets – Towards a Metric to Measure Gadget Quality” has been accepted at ESSoS 2016. In this paper we present four metrics that allow assessing the usefulness of a set of gadgets (short fragments of assembly, which are the cornerstone of ROP exploits). We applied our metrics to binaries compiled with MPX, a new exploit mitigation technique by Intel, that, among other things, transforms binaries to check for buffer overflows. This transformation introduces additional gadgets and, using GaLity, we show, that such a binary contains more gadgets useful in ROP attacks than the same binary compiled without MPX.

GaLity also received the artifact evaluation award.

Eric Bodden appointed as ISSTA 2018 Program Chair

I am glad to report that I have just been appointed Program Chair of the 2018 International Symposium of Software Testing and Analysis (ISSTA). ISSTA is the leading research symposium on software testing and analysis, bringing together academics, industrial researchers, and practitioners to exchange new ideas, problems, and experience on how to analyze and test software systems. I wish to thank the organizing chair Frank Tip as well as the entire steering committee for this great honor.

ISSTA 2018 will be co-located with the European Conference on Object-Oriented Programming (ECOOP), in beautiful Amsterdam, Netherlands. Let’s make it a great event!

CYSEC researchers score five ICSE publications

ICSE is the premier academic conference for Software Engineering. In total, researchers of CYSEC managed to publish at least five ICSE publications this year, two with contributions from SSE:

“Looking for crypto backdoors is like searching camouflaged needles in a haystack” – Deutschlandfunk reports about our TrueCrypt study (German only)

Recently, our team member Andreas Poller gave an interview at Deutschlandfunk. The radio report shone a light on the reasons why the German Federal Office for Information Security (BSI) asked us to investigate TrueCrypt, how we executed the study, and what common users shall consider when using harddisk encryption.

The interview is available in German here.

Harvester will be presented at NDSS 2016

We are happy to announce our new publication “Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques” which will be presented at NDSS 2016. Harvester combines static and dynamic code analysis techniques to extract runtime values (e.g. URLs, SMS messages/numbers, etc.) from Android binaries. Furthermore, it can also be used for de-obfuscating Android applications. More details can be found here.

Looking forward to a great conference.

SSE Group contributes to McAfee’s Q4 Threat Report

As a follow up to our BlackHat EU 2015 presentation about benign applications not securing user data in the cloud (Backend-as-a-Service) we also looked into malicious applications whether we can find similar data leakages. In a collaboration with McAfee Security Lab (Intel Security Lab) we analyzed 294,817 malware-laden mobile apps and found that 16 of them are connected with vulnerable Backend-as-a-Service instances implemented in Facebook Parse. Since the malware authors did not secure the backend (BaaS-backend) securely we had access to the complete database including Command&Control (C&C) communications and tasks for victims. This gave us very interesting insights about current state-of-the-art C&C communication/protocols in the context of mobile malware.
The results were presented at VirusBulletin 2015 and AVAR 2015. More details can be looked up from our whitepaper and the corresponding slides. This project is also part of McAfee’s Q4 Threat report.

Media report: