Static Analysis Seminar (SAS) – Winter Semester

We are happy to announce that we are organizing a Static Analysis Seminar (SAS) during the Winter Semester. Interested to know more about various topics related to static analysis such as: pointer analysis, call graphs, theory behind data-flow analysis, usability of static analysis tools, and much more? Then do not hesitate to register yourself in the seminar (TUCaN ID: 20-00-0942).

More information about the seminar and the tentative schedule are available here

ESSOS final call for papers

ESSOS is accepting submissions of abstracts until the 25th and of research papers until October 2nd. We are happy to announce that both David Basin and Karsten Nohl will be presenting as invited speakers! Also, for the first time in the security community, ESSOS this year will offer a voluntary artifact evaluation! Read more in the full CFP below.

Continue reading

SSE Group together with Intel Security are presenting at VirusBulletin 2015 conference

A joint project together with McAfee (Intel Security) revealed very interesting insights into current Android Malware, in particular into Command and Control communications. We will be presenting our results at the VirusBulletin 2015 conference. We are also planning to publish a blog post with more concrete information, but if you are at VirusBulletin conference, feel free to join our talk on Thursday 1 October 09:00 – 09:30.

Title: We know what you did this summer: Android banking trojan exposing its sins in the cloud

Continue reading

Talks at the First International Workshop on Agile Secure Software Development (ASSD’15)

The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Achim Bruker opened the sessions with an overview of the experience of SAP in developing secure software. This was followed by a talk given by Jesus Choliz about the application of Microsoft Secure Software Development process to develop secure systems for election management. Lotfi ben Othmane continued the discussion by showing how to use the B method to detect inconsistencies of access policies in the context of incremental software development. Next, Prof. Juha Röning gave an overview about his experience in developing a security fuzzing software and their use in agile processes. The spin-off that they created out of the project was recently sold to Synopsis.

In the afternoon session, Hela Oueslati discussed the challenges of developing secure software that she found in the literature and the evaluation of the validity of these challenges with respect to the agile values and principles and security practices. She asked the participants to help her in her future empirical studies about the topic. The presentation was followed by the talk of Clemens Teichmann, who shared the experience of his team in evaluating threat modeling methods for fitness to agile development processes used by their clients.

Afterwards, the attendees discussed the common point raised in the talks: the fast feedback and adaptation that agile processes offer helps development teams reducing the cost of developing secure software. Early identification of vulnerabilities allows for fixing them fast (It is easier to fix new code). In addition, development teams can develop, early in the projects, secure programming APIs or techniques to avoid the vulnerabilities they encounter in future development.

The full ARES program, including the workshop program is available here

SSE Group is presenting at Black Hat Europe 2015

At this year Black Hat Europe conference, we will talk about our Backend-As-A-Service investigation, which we published a couple of months ago.

The talk will contain a full disclosure about our investigation including details about our automatic “exploit generator”.

Title of the talk: “(IN-)SECURITY OF BACKEND-AS-A-SERVICE PROVIDERS”
Abstract

If you are around, feel free to join our talk and also to meet at the conference.

Ministers Wanka and De Maiziere visit Darmstadt’s “Security Valley”

 

Yesterday our center was visited by the two federal ministers Wanka (minister of education and research) and De Maiziere (minister of the interior). They spent a few hours, discussing IT-security research in Darmstadt’s – as they coined it – “security valley”, and also educated themselves through a range of exhibits we had prepared on the security of the Internet of Things, but also mobile security, encryption etc. More information is available in German here.

Paper accepted at OOPSLA Onward!

Our paper on “Secure Integration of Cryptographic Software” has been accepted at OOSPLA Onward!. In this paper we propose a new approach for implementing software that uses cryptographic algorithms in a way that is secure by design. With our approach, developers can avoid the pitfalls of complex crypto APIs without having to study crypto theory and implementations first. Instead, they select their high-level goals (e.g., “encrypt a file on disk” or “transmit data over a secure channel”) and let the OpenCCE expert system create implementation blueprints for them. After they have integrated the blueprints into their applications, automatically-derived static analyses make sure that no new issues have accidentally been introduced. This research is performed within the CROSSING CRC.

Responsible Disclosure: JFrog fixes vulnerability in Artifactory

We have recently discovered and reported a security vulnerability in JFrog’s Artifactory Pro software. The Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could not only gain credentials for accessing the repository, but under some circumstances to the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.

Continue reading