This semester the seminar was organized by the Chair for Network and Data Security. Below you will find a list of the dates and talks for the whole semester.

Date | Speaker | Affiliation | Title | Room
21 October 2010 | Cristian Thiago Moecke | Universidade Federal de Santa Catarina, Brazil | PKI research and projects in Brazilian group "LabSEC" | ID 03/445
27 October 2010 | Wayne Burleson | University of Massachusetts, USA | Hardware Security in Nanometer CMOS | ID 03/411
28 October 2010 | Falk Schellenberg | Ruhr-Universität Bochum, Germany | Comparing Power and Electromagnetic Analysis of Embedded Devices | ID 03/445
3 November 2010 | Mario Heiderich | Ruhr-Universität Bochum, Germany | HTML 5 Security | ID 03/445
8 November 2010 | Viktor Fischer | Jean Monnet University Saint-Etienne, France | Recent Advances in True Random Numbers Generation for Cryptography | ID 03/445
12 November 2010 | Felix Gröbert | Google, Switzerland | From XSS to Ring 0 | ID 03/445
24 November 2010 | Sebastian Schinzel | Virtual Forge GmbH, Germany | Side Channel Vulnerabilities on the Web - Detection and Prevention | ID 03/445
2 December 2010 | Johannes Kinder | TU Darmstadt, Germany | Analyzing x86 Executables with Jakstab | ID 03/445
8 December 2010 | Ilya Kizhvatov | University of Luxembourg | Outperforming DPA with Collision and Cache-Collision Side Channel Attacks | ID 03/445
9 December 2010 | Ralf-Philipp Weinmann | University of Luxembourg | All Your Baseband Are Belong To Us | ID 03/445
16 December 2010 | Benno Lomb | Ruhr-Universität Bochum, Germany | HGI Dobbertin Competition 2010: Cryptanalysis of a Hard-Disk Encryption System | ID 03/445
17 December 2010 | Vadim Lyubashevsky | École Normale Supérieure, Paris | On Ideal Lattices and Learning with Errors Over Rings | ID 03/445
3 February 2011 | Ernesto Damiani | University of Milan, Italy | Open issues in cloud and service security | ID 03/411
16 March 2011 | Selcuk Baktir | National Research Institute of Electronics and Cryptology (UEKAE), Turkey | IC Trust through Fingerprinting | ID 03/411
29 March 2011 | Kevin Fu | University of Massachusetts, USA | Trustworthy Medical Device Software | ID 03/401
1 April 2011 | Sebastian Gajek | Tel-Aviv University, Israel | Playing Games in UC | ID 03/411

PKI research and projects in Brazilian group "LabSEC"

Cristian Thiago Moecke

This presentation is divided into two major topics. The first one is about the research projects that are currently active in our research group in Brazil. The group, named LabSEC, is a laboratory of the Federal University of Santa Catarina, in the south of Brazil. It is focused on applied cryptography topics, especially PKI, digital signatures and protocols. LabSEC has had a strong influence on the deployment of the open platform for the Brazilian government PKI (ICP-Brasil), and also on other important projects like the Educational PKI (ICPEDU) and the Brazilian Digital Signature Standard. The second major topic is the (ongoing) master's project of the speaker, which is a proposal for a new PKI model. This model is being conceived from the research group's experience with the limitations of traditional PKI, and aims at producing easily verifiable digital signatures without losing the generality expected from a PKI. The proposal is based on changing the way the user certificate is issued and modifying the responsibilities of Certification Authorities by creating a Validation Authority, which also replaces the main function of a Time Stamping Authority in digital signatures. Criticism and suggestions are very welcome for the development of the proposal.

Hardware Security in Nanometer CMOS

Wayne Burleson

As computer systems become ubiquitous, security concerns are paramount. Security systems are typically heavily layered but ultimately rely on low-level hardware primitives and assumptions. Lightweight applications such as RFID, Smart cards and Smart dust require very lightweight security primitives that can withstand a range of attacks. In this talk, we explore the design of very lightweight True Random Number Generators and Chip Identification circuits in CMOS technologies at 45nm and below. We also show side-channel vulnerabilities that arise in advanced CMOS technologies due to process variation and noise. Some existing countermeasures are shown to be weak in advanced technologies, and new countermeasures are proposed. We will discuss hardware Trojans and their potential impact on semiconductor security. Finally, we will discuss applications in Transportation Payment Systems and Implantable Medical Devices, among others. This work is supported by NSF, SRC, Intel and Cisco and also gives insight into methods for statistical design beyond security.

Comparing Power and Electromagnetic Analysis of Embedded Devices

Falk Schellenberg

Implementation attacks describe the extraction of information from the physical behaviour of a target device. As shown by various authors, regardless of the mathematical security of a cryptographic algorithm, there may be a leak of some information which reveals, e.g., a secret key. However, the way of measuring this information introduces several crucial parameters which decide about the efficiency or success of revealing the secret key of a target device. In this thesis, we compare different so-called side channels, namely power consumption and electromagnetic emanation, and evaluate methods and parameters for a differential correlation analysis. Furthermore, we capture the electromagnetic emanation with various probes at different positions, e.g., in the near field and on the surface of the integrated circuit. In addition, we compare the practical influence of different measurement parameters, e.g., sample rate and quantisation, and, in order to improve the results, different preprocessing techniques, e.g., alignment, transformation to the frequency domain, and peak extraction. Two popular 8-bit microcontrollers running the Advanced Encryption Standard with a well-known vulnerability are chosen as target devices. Yet, our results can be universally adapted to other devices and ciphers as well.
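The differential correlation analysis the abstract refers to, shown on constructed data as an added example (this is not code from the talk or the thesis): each "trace" is a short vector of Gaussian noise with the Hamming weight of the first-round SubBytes output added at one sample index, which is the usual leakage model for an 8-bit microcontroller running AES. The attack hypothesises that value for every key-byte guess and correlates it against every sample index; the (guess, index) pair with the largest |Pearson r| is the key byte and the leaking point in time. The noise level, trace layout and key are assumptions; real measurements would first need the alignment and other preprocessing the abstract lists, and the same code applies unchanged to an EM trace instead of a power trace.

```python
"""Correlation power analysis (CPA) of the first AES SubBytes on simulated traces.

Constructed example: leakage model, noise level, trace layout and key are made up.
"""
import random


def _build_sbox():
    """AES S-box from the GF(2^8) inverse plus the affine map (no 256-entry table needed)."""
    def xtime(x):
        return ((x << 1) ^ 0x1B) & 0xFF if x & 0x80 else x << 1

    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a, b = xtime(a), b >> 1
        return r

    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if mul(x, y) == 1), 0) if x else 0
        s = inv
        for shift in range(1, 5):                       # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]            # Hamming-weight leakage model


def simulate_traces(key_byte, n_traces, seed, sigma=1.5, n_samples=8, leak_idx=3):
    """Constructed traces: Gaussian noise everywhere, plus HW(SBOX[p ^ k]) at one sample."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[leak_idx] += HW[SBOX[p ^ key_byte]]
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def cpa_key_byte(plaintexts, traces):
    """Return (best key guess, leaking sample index, |correlation|) for one key byte."""
    columns = list(zip(*traces))                         # one list of measurements per sample index
    best = (0.0, None, None)
    for guess in range(256):
        hyp = [HW[SBOX[p ^ guess]] for p in plaintexts]
        for idx, column in enumerate(columns):
            r = abs(pearson(hyp, column))
            if r > best[0]:
                best = (r, guess, idx)
    return best[1], best[2], best[0]


if __name__ == "__main__":
    secret = 0x2B
    pts, trs = simulate_traces(secret, n_traces=200, seed=2010)
    guess, idx, r = cpa_key_byte(pts, trs)
    print(f"recovered key byte 0x{guess:02X} (secret 0x{secret:02X}) at sample {idx}, |r| = {r:.2f}")
```

With 200 traces and a noise standard deviation of 1.5 the correct guess correlates at roughly 0.7 while wrong guesses and noise-only samples stay well below that; raising sigma or lowering the trace count is the quickest way to see where the attack starts to need the preprocessing the abstract describes.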

Recent Advances in True Random Numbers Generation for Cryptography

Viktor Fischer

True Random Number Generators (TRNGs) play a very important role in cryptography since they are used to generate confidential keys and other critical security parameters. Implementation of TRNGs in logic devices is an active research area bringing new approaches, methodologies and testing strategies. In the first part of our presentation, we will present basic TRNG design issues such as exploitation of available sources of randomness and randomness extraction, random bitstream post-processing, stochastic models and entropy estimators, and other TRNG implementation issues. We will compare the classical approach to TRNG design with a new methodology based on early bitstream evaluation and entropy estimation. We will present this new methodology, introduced in AIS31, in more detail and explain its main objectives. In the second part of our presentation, we will show the importance of this new approach on two TRNG designs that feature different security-critical attempts. Numerous experiments that illustrate the danger of the classical TRNG design approach and the advantage of the modern methodology will be presented.
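An added illustration of the "classical", purely statistical side of TRNG evaluation that the abstract contrasts with the AIS31 methodology (this is not code from the talk): the four black-box tests that AIS31 takes over from FIPS 140-1 as T1 to T4, run over a 20000-bit block. The acceptance bounds are quoted from memory and should be checked against the standard before use. The two bit sources are constructed stand-ins for a TRNG output; the biased one is caught by the monobit test. What these tests cannot do, and what the stochastic model and entropy estimation the abstract describes add, is bound the entropy of the raw signal: a low-entropy source behind good post-processing passes all four.

```python
"""AIS31 T1-T4 (the FIPS 140-1 statistical tests) over a 20000-bit TRNG sample.

Constructed example; the bit sources are a seeded PRNG standing in for a TRNG.
"""
import random

N = 20000  # T1-T4 evaluate one block of 20000 bits

# Acceptance bounds as I recall them from FIPS 140-1 / AIS31 T1-T4; verify against the standard.
MONOBIT = (9654, 10346)          # exclusive bounds on the number of ones
POKER = (1.03, 57.4)             # exclusive bounds on the chi-square statistic
RUNS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
        4: (223, 402), 5: (90, 223), 6: (90, 223)}   # inclusive; key 6 means "6 or longer"
LONG_RUN = 34                    # any run of this length or more fails T4


def monobit(bits):
    """T1: the number of ones must lie inside the MONOBIT interval."""
    return MONOBIT[0] < sum(bits) < MONOBIT[1]


def poker(bits):
    """T2: chi-square over the 16 possible 4-bit nibbles."""
    m = len(bits) // 4
    counts = [0] * 16
    for i in range(0, 4 * m, 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = 16 / m * sum(c * c for c in counts) - m
    return POKER[0] < x < POKER[1]


def run_lengths(bits):
    """Yield (bit value, length) for each maximal run in the stream."""
    start = 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            yield bits[start], i - start
            start = i


def runs(bits):
    """T3: run-length histogram, separately for runs of zeros and of ones."""
    hist = {0: dict.fromkeys(RUNS, 0), 1: dict.fromkeys(RUNS, 0)}
    for value, length in run_lengths(bits):
        hist[value][min(length, 6)] += 1
    return all(lo <= hist[v][k] <= hi for v in (0, 1) for k, (lo, hi) in RUNS.items())


def long_run(bits):
    """T4: no run of LONG_RUN or more identical bits."""
    return all(length < LONG_RUN for _, length in run_lengths(bits))


def ais31_t1_t4(bits):
    assert len(bits) == N, "T1-T4 are defined on a 20000-bit block"
    return {"T1 monobit": monobit(bits), "T2 poker": poker(bits),
            "T3 runs": runs(bits), "T4 long run": long_run(bits)}


def sample_source(p_one, seed):
    """Constructed stand-in for a TRNG: independent bits with P(bit = 1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(N)]


if __name__ == "__main__":
    for name, p in (("unbiased source", 0.5), ("55 % biased source", 0.55)):
        print(name, ais31_t1_t4(sample_source(p, seed=2010)))
```

A 5 % bias moves the expected number of ones to 11000, about nine standard deviations past the T1 bound, so it is rejected every time; a source with a weaker bias, or one whose raw bits are correlated but XOR-folded before the test, will pass, which is the point of testing before post-processing.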

From XSS to Ring 0

Felix Gröbert

While executing code at ring 0 can be the most fun and profit for an attacker, there are usually many steps involved to get there. By showcasing recent security bugs from 2009 and 2010 the talk demonstrates such a multi-tier attack including the different approaches to a vulnerability: finding / exploiting / patching, with a focus on the first two. The demonstrated vulnerabilities cover a wide variety of off-the-shelf software and bug classes. The talk will also feature an optional hands-on. Students willing to participate in the hands-on should bring a laptop with internet access and Linux.

Side Channel Vulnerabilities on the Web - Detection and Prevention

Sebastian Schinzel

Side-channel vulnerabilities allow attackers to infer sensitive information from the behaviour of a vulnerable application. For example, the attacker can draw conclusions about sensitive information from small differences in the server response (storage side channel). In another scenario, the attacker can infer from the response time of the web application whether individual records exist, or even how many records are present (timing side channel). In this presentation I present my results so far on researching side-channel vulnerabilities in network-based software applications and give an outlook on the future challenges.
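Both channels the abstract names, shown on a constructed login handler as an added example (this is not code from the talk): the leaky version answers "unknown user" and "wrong password" with different strings (storage channel) and skips the password hash when the user does not exist, so the unknown-user path is tens of milliseconds faster (timing channel). The hardened version hashes against a fixed dummy credential when the user is missing, compares with `hmac.compare_digest`, and returns one message for both failures. The user table, passwords and PBKDF2 parameters are made up; a call counter makes the timing difference checkable without a stopwatch.

```python
"""Storage and timing side channels in a login check: leaky handler vs hardened handler.

Constructed example: the user table, the salts and the hash parameters are made up.
"""
import hashlib
import hmac
import os
import time

HASH_CALLS = 0  # number of PBKDF2 evaluations; each one costs the same wall-clock time


def password_hash(password, salt):
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_db(credentials):
    """Constructed user table: name -> (salt, PBKDF2 digest)."""
    db = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        db[name] = (salt, password_hash(pw, salt))
    return db


def login_leaky(db, user, password):
    if user not in db:
        return "unknown user"                         # storage channel: a distinct message ...
    salt, digest = db[user]                           # ... and timing channel: no PBKDF2 on that path
    if password_hash(password, salt) != digest:       # '!=' on bytes stops at the first differing byte
        return "wrong password"
    return "ok"


# Fixed dummy credential so that an unknown user costs exactly one PBKDF2 evaluation as well.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, 20_000)


def login_hardened(db, user, password):
    salt, digest = db.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    computed = password_hash(password, salt)          # always hash: same cost on every path
    valid = hmac.compare_digest(computed, digest)     # constant-time comparison
    valid = valid and user in db                      # a dummy match must never log anyone in
    return "ok" if valid else "invalid credentials"   # one message for both failure causes


def hash_calls_for(handler, db, user, password):
    """Return how many PBKDF2 evaluations a single login attempt triggers."""
    global HASH_CALLS
    HASH_CALLS = 0
    handler(db, user, password)
    return HASH_CALLS


if __name__ == "__main__":
    db = make_db({"alice": "correct horse", "bob": "battery staple"})   # constructed users
    for handler in (login_leaky, login_hardened):
        for user, pw in (("alice", "wrong"), ("mallory", "wrong")):
            t0 = time.perf_counter()
            msg = handler(db, user, pw)
            ms = (time.perf_counter() - t0) * 1e3
            print(f"{handler.__name__:15} {user:8} -> {msg!r:22} {ms:6.1f} ms, "
                  f"{hash_calls_for(handler, db, user, pw)} hash call(s)")
```

The remaining differences in the hardened handler (a dictionary lookup, the length of a user name) are orders of magnitude below the PBKDF2 cost and network jitter; the abstract's point is that even a few milliseconds, or a few bytes of response length, are enough to enumerate records when the attacker can repeat the request.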

HTML 5 Security

Mario Heiderich

This talk is all about HTML5, but for once not from the point of view of the enthusiastic developer. The talk presents new perspectives on HTML5, shows how attackers can already use its rich feature set for subtle attacks today, and explains why the overall concept is in many respects better understood as a regression. The last part of the talk is a gruesome hike through the murky depths of the HTML Cheat Sheet, which shows what attackers and defenders can learn from the mistakes of the browser vendors.

Analyzing x86 Executables with Jakstab

Johannes Kinder

This work is concerned with static analysis of binary executables in a theoretically well-founded, sound, yet practical way. The major challenge is the reconstruction of a correct control flow graph in presence of indirect jumps, pointer arithmetic, and untyped variables.

We argue for the integration of disassembly, control flow reconstruction, and static analysis in a unified process. We introduce a framework for simultaneous control and data flow analysis on low level binary code, which is proven to yield the most precise control flow graph with respect to the precision of the data flow domain. A very precise domain that lends itself well to control flow reconstruction is introduced in Bounded Address Tracking, a combined pointer and value analysis that supports pointer arithmetic. It tracks variable valuations up to a tunable bound on the number of values per variable per program location. Its path sensitivity generally allows strong updates to memory, i.e., heap regions are uniquely identified, and equips it with context sensitivity without assuming a correct layout of procedures.

These building blocks are combined into an extensible program analysis architecture, which is implemented in the novel binary analysis tool Jakstab. Jakstab works directly on binaries and disassembles instructions on demand while exploring the program's state space, allowing it to handle low level features such as overlapping instructions, which cause difficulties for regular disassemblers. The architecture is highly configurable to allow a wide range of analyses, from sound abstract interpretation to heuristics-supported disassembly. Its practical feasibility and improvements over existing approaches are shown through case studies on device driver binaries and system executables found on a regular desktop PC.

Outperforming DPA with Collision and Cache-Collision Side Channel Attacks

Ilya Kizhvatov

To date, Differential Power Analysis (DPA) is known as the most practical side-channel attack. There are, however, side-channel attacks that use more information about the algorithm and therefore can be more efficient than DPA. In this talk, we focus on two examples of such "analytic" attacks: collision and cache-collision attacks. First, we suggest how to combine collision attacks with DPA (and any other divide-and-conquer SCA) and how to improve collision detection. Second, we present trace-driven cache-collision attacks that are tolerant to errors in distinguishing cache hits from cache misses. Our experiments with real devices show that the presented attacks work in a practical setting and require fewer side-channel measurements than DPA. The talk is based on recent joint work with Jean-François Gallais and Mike Tunstall (eprint:2010/408), and with Andrey Bogdanov (eprint:2010/590).

All Your Baseband Are Belong To Us

Ralf-Philipp Weinmann

The primary attack vectors against smartphones have concentrated on getting code running on the application processor. The operating systems running on these processors are getting hardened; in some cases exploitation of mobile devices can be more difficult than of widespread desktop operating systems. In contrast, the security of the GSM/3GPP stack running on the baseband processor has been severely neglected. The advent of open-source solutions for running GSM base stations enables another, undervalued attack vector: Malicious base stations are not considered in the attack model assumed by the GSMA and the ETSI; similarly vendors of baseband stacks seem to not have taken malicious input from the network side into account. We investigate this attack surface and demonstrate the viability of memory corruptions against two widespread stacks used by baseband processors of popular smartphones supporting GSM.

HGI Dobbertin Competition 2010: Cryptanalysis of a Hard-Disk Encryption System

Benno Lomb

The HGI Dobbertin Competition gives all ITS/ET and AI students at RUB the opportunity to examine an encryption system under realistic conditions and, in the best case, even to break it. Although the security scheme put to the test this year looks fairly watertight at first glance (an enterprise-grade hard-disk encryption with a 2048-bit Diffie-Hellman key exchange and AES-128 CBC encryption of the raw data), it nevertheless has serious weaknesses, which were to be uncovered in the course of this competition. Benno Lomb, the first to submit the correct solution and thus the winner of this year's prize, will present his solution in the HGI seminar.

On Ideal Lattices and Learning with Errors Over Rings

Vadim Lyubashevsky

The "learning with errors" (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions and related primitives.

We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms.

This is joint work with Chris Peikert and Oded Regev that appeared at Eurocrypt 2010.
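To make the "quadratic overhead" and the ring variant concrete, here is the standard statement of the two problems, added as an illustration rather than taken from the abstract; the parameters $n$, $q$ and the error distribution $\chi$ are the usual ones, and the cost figures are the textbook ones.

An LWE sample with secret $\mathbf s \in \mathbb Z_q^n$ is
$$(\mathbf a_i,\; b_i = \langle \mathbf a_i, \mathbf s\rangle + e_i \bmod q), \qquad \mathbf a_i \leftarrow \mathbb Z_q^n \text{ uniform},\; e_i \leftarrow \chi .$$
Producing $n$ pseudorandom values means collecting $n$ samples, $(\mathbf A, \mathbf b = \mathbf A\mathbf s + \mathbf e)$ with $\mathbf A \in \mathbb Z_q^{n \times n}$: $n^2$ elements of $\mathbb Z_q$ to store or transmit and $O(n^2)$ operations for $\mathbf A\mathbf s$. That is the quadratic overhead.

Ring-LWE replaces the vector by an element of a polynomial ring, for $n$ a power of two
$$R_q = \mathbb Z_q[x]/(x^n + 1), \qquad (a,\; b = a \cdot s + e), \qquad a \leftarrow R_q \text{ uniform},\; e \leftarrow \chi^n .$$
One sample is $n$ elements of $\mathbb Z_q$ and already yields $n$ pseudorandom coordinates, and the product $a \cdot s$ costs $O(n \log n)$ via the number-theoretic transform when $q \equiv 1 \pmod{2n}$. The decision problem is to distinguish $(a, a \cdot s + e)$ from $(a, u)$ with $u$ uniform in $R_q$; the pseudorandomness result in the abstract is exactly the statement that this is hard under the worst-case ideal-lattice assumption.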

Open issues in cloud and service security

Ernesto Damiani

The talk will describe some open problems in service security and their relationship to cloud security. Specific security patterns addressing these issues will be discussed, together with the problem of proving or testing their correctness.

Ernesto Damiani is currently a Professor at the Università degli Studi di Milano and the director of the Università degli Studi di Milano’s Ph.D. program in computer science. He has held visiting positions at a number of international institutions, including George Mason University in Virginia, LaTrobe University in Melbourne, Australia, University of Technology in Sydney, Australia and the Institut National des Sciences Appliquées (INSA) at Lyon, France.

Prof. Damiani leads the SESAR lab of the Università degli Studi di Milano, whose researchers have been involved in several projects funded by the EC under FP5 (FASTER), FP6 (PRIME) and FP7 (Aristotele, ASSERT4SOA, SecureSCM, PrimeLife). His areas of interest include business process representation, Web services security, processing of semi and unstructured information (e.g., XML), models and platforms supporting open source development, and semantics-aware content engineering for multimedia.

He is an Associate Editor of the IEEE Transactions on Service Oriented Computing, Area Editor of the Journal of System Architecture and a member of various editorial boards. He has published several books and about 200 papers and international patents. Prof. Damiani is a Senior Member of the IEEE and an ACM Distinguished Scientist, and he received the Chester Hall Award for the best paper published in the IEEE Transactions on Consumer Electronics.

IC Trust through Fingerprinting

Selcuk Baktir

Hardware manufacturers are increasingly outsourcing their IC fabrication overseas due to the much lower cost structure; however, this poses a security risk for ICs used in sensitive applications such as military and banking. Attackers can exploit this loss of control to insert a Trojan circuit into the design or the mask used for fabrication. In this talk, we will discuss a technique based on side-channel cryptanalysis which can be used to mitigate this threat. In this technique, a golden fingerprint is constructed for a genuine IC family, which potentially allows one to non-invasively test the genuineness of any other IC by comparing its fingerprint against the golden one. We will show simulation results obtained using the power side channel, where Trojans that are 3-4 orders of magnitude smaller than the main circuit can be detected. The Trojan detection resolution of the technique could be improved by utilizing other side channels in addition to the power side channel.

Trustworthy Medical Device Software

Kevin Fu

Today it would be difficult to find a medical device that does not critically rely on computer software in its function, manufacture, or use in clinical decision making. Despite the lessons learned from the radiation accidents of the Therac-25 twenty years ago, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators for radiation) continue to injure or kill patients in preventable ways. Why is it so hard to create trustworthy software for medical devices? Devices are not isolated devices. They are systems of systems. And software plays a significant role in the control of these critical systems, which can significantly affect patient safety, either positively or negatively, depending on its trustworthiness. Failure to meaningfully specify requirements, complacency, and lack of care for human factors further erode trustworthiness. The lack of trustworthy medical device software leads to shortfalls in properties such as safety, effectiveness, dependability, reliability, security, and privacy. Good systems engineering and the adoption of modern software engineering techniques can address many of the risks of medical device software, leading to devices that help patients lead more normal, healthy lives.

Playing Games in UC

Sebastian Gajek

Universally Composable (UC) security provides a very strong guarantee: A UC-secure protocol maintains its security properties when used in any execution environment. In many cases, however, full universal composability is not required; milder and more specific composability guarantees suffice.

We formulate a refinement of UC security, called UC with Specialized Environments (SPUC), that allows asserting and proving security properties that withstand only partial and restricted composition operations. The refined operation provides a versatile and powerful tool for asserting security properties for realistic protocols. For instance, it can be used to capture several (global) trusted set-up assumptions, network and input restrictions, and game-based notions of security. In fact, we show that game-based definitions can be cast as a special case of our framework.

We then demonstrate the power of SPUC security by using it to capture for the first time the security properties of CPA-secure symmetric encryption and message authentication codes, as single instance protocols in a composable security framework. This allows us to analyze the security of hybrid encryption, and several common secure communication session protocols in a way that is modular, abstract, and amenable to efficient automation.

Joint work with Ran Canetti.