1 - 10 of 13
-
PublicationGAIA-X and IDS(International Data Spaces Association, 2021)
-
PatentVerfahren zur Verifikationsprüfung eines Sicherheitsdokuments mit einem gedruckten Sicherheitsmerkmal, Sicherheitsmerkmal und Anordnung zur Verifikation( 2019)Die vorliegende Erfindung betrifft ein Verfahren zur Authentizitäts- und/oder Integritäts-Prüfung eines Sicherheitsdokuments (01) mit einem gedruckten Sicherheitsmerkmal (02). Das Verfahren umfasst die Schritte: Bestrahlen des Sicherheitsdokuments (01) mit einer elektromagnetischen Strahlung, Aufnahme mehrerer Einzelbilder in zeitlich definierten Abständen mittels eines mobilen Endgerätes (06), Überprüfen der erfassten Einzelbilder mittels einer Datenverarbeitungseinheit und Ausgabe des Ergebnisses der Überprüfung. Weiterhin betrifft die Erfindung ein gedrucktes Sicherheitsmerkmal (02) für ein Sicherheitsdokument (01) sowie eine Anordnung zur Authentizitäts- und/oder Integritäts-Prüfung eines Sicherheitsdokuments (01).
-
PublicationSEVered: Subverting AMD's virtual machine encryption( 2018)AMD SEV is a hardware feature designed for the secure encryption of virtual machines. SEV aims to protect virtual machine memory not only from other malicious guests and physical attackers, but also from a possibly malicious hypervisor. This relieves cloud and virtual server customers from fully trusting their server providers and the hypervisors they are using. We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine. We verify the effectiveness of SEVered on a recent A MD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines. With these examples, we demonstrate that SEVered reliably and efficiently extracts all memory contents even in scenarios where the targeted virtual machine is under high load.
-
PublicationA Rapid Innovation Framework for Connected Mobility Applications(Fraunhofer ESK, 2018)Connected Mobility Applications help to continuously improve traffic safety and efficiency. Today, much time and effort have to be invested to bring an idea into a safe prototype and to finally launch a reliable product.Software development tools have to adapt to these requirements. They have to support a rapid and continuous development process, that allows to test and validate the distributed application as one overall system. When developing cooperative applications, a higher design complexity has to be handled, as components are distributed over heterogeneous systems that interact with a varying timing behavior and less data confidence. Also, test and validation become more complex. Our Innovation Framework is intended to rapidly bring an idea for a connected application into a prototype so the investment risk for innovative applications is reduced. In this whitepaper we describe the approach of a Rapid InnovationTool Kit that is intended to speed up the development process for connected mobility applications. Thereby, a safe and secure prototype is available at an early development phase to gain experience within field tests that help to rapidly improve the intended application. Our software tool kit is able to find deviations from the specified behaviour and also it can instantly locate and identify erroneous functions within distributed systems. Extensive security tests can then be applied on the implemented application to ensure a secure operation. Another use case for the described testbed is to evaluate communication technologies and to find the most suitable transmission technology for a certain application. For example, short range communication with the 802.11p WLAN technology or the upcoming LTE enhancement LTE-V2X are comparable within specific scenarios. This evaluation can help to reduce the investment risk for the deployment of connected applications.
-
PublicationSafety & security testing of cooperative automotive systems( 2018)Cooperative behavior of automated traffic participants is one next step towards the goals of reducing the number of traffic fatalities and optimizing traffic flow. The notification of a traffic participant's intentions and coordination of driving strategies increase the reaction time for safety functions and allow a foresighted maneuver planning. When developing cooperative applications, a higher design complexity has to be handled, as components are distributed over heterogeneous systems that interact with a varying timing behavior and less data confidence. In this paper, we present a solution for the development, simulation and validation of cooperative automotive systems together with an exemplary development flow for safety and security testing.
-
PublicationTransCrypt: Transparent main memory encryption using a minimal ARM hypervisor( 2017)Attacks on memory, revealing secrets, for example, via DMA or cold boot, are a long known problem. In this paper, we present TransCrypt, a concept for transparent and guest-agnostic, dynamic kernel and user main memory encryption using a custom minimal hypervisor. The concept utilizes the address translation features provided by hardware-based virtualization support of modern CPUs to restrict the guest to a small working set of recently accessed physical pages. The rest of the pages, which constitute the majority of memory, remain securely encrypted. Furthermore, we present a transparent and guest-agnostic mechanism for recognizing pages to be excluded from encryption to still ensure correct system functionality, for example, for pages shared with peripheral devices. The detailed evaluation using our fully functional prototype on an ARM Cortex-A15 development board running Android shows that TransCrypt is able to effectively protect secrets in memory while keeping the p erformance impact small. For example, the system is able to keep the E-mail account password of a typical user in the Android mail app's memory encrypted 98.99% of the time, while still reaching 81.7% and 99.8% of native performance in different benchmarks.
-
PublicationCoKey: Fast token-based cooperative cryptography( 2016)Keys for symmetric cryptography are usually stored in RAM and therefore susceptible to various attacks, ranging from simple buffer overflows to leaks via cold boot, DMA or side channels. A common approach to mitigate such attacks is to move the keys to an external cryptographic token. For low-throughput applications like asymmetric signature generation, the performance of these tokens is sufficient. For symmetric, data-intensive use cases, like disk encryption on behalf of the host, the connecting interface to the token often is a serious bottleneck. In order to overcome this problem, we present CoKey, a novel concept for partially moving symmetric cryptography out of the host into a trusted detachable token. CoKey combines keys from both entities and securely encrypts initialization vectors on the token which are then used in the cryptographic operations on the host. This forces host and token to cooperate during the whole encryption and decryption process. Our concept strongly and efficiently binds encrypted data on the host to the specific token used for their encryption, while still allowing for fast operation. We implemented the concept using Linux hosts and the USB armory, a USB thumb drive sized ARM computer, as detachable crypto token. Our detailed performance evaluation shows that our prototype is easily fast enough even for data-intensive and performance-critical use cases like full disk encryption, thus effectively improving security for symmetric cryptography in a usable way.
-
PublicationImproving mobile device security with operating system-level virtualization( 2015)In this paper, we propose a lightweight mechanism to isolate one or more Android userland instances from a trustworthy and secure entity. This entity controls and manages the Android instances and provides an interface for remote administration and management of the device and its software. We provide an administrative solution for dynamically modifying, removing or adding multiple Android instances remotely and locally. Furthermore, we present a secure device provisioning and enrollment solution for our system. Our approach includes several security extensions for secure network access, integrity protection of data on storage devices, and secure access to the touchscreen of mobile devices. Our implementation requires only minimal modification to the software stack of a typical Android-based smartphone, which allows easy porting to other devices when compared to other virtualization techniques. Practical tests show the feasibility of our approach regarding runtime overhead and battery lifetime impact.
-
PublicationTransparent page-based kernel and user space execution tracing from a custom minimal ARM hypervisor( 2015)In this paper, we present a framework for transparent kernel and user execution tracing from a minimal ARM hypervisor. The framework utilizes hardware-supported virtualization on modern ARM CPUs to restrict the number of executable pages in the system without interfering with the traced guest. The resulting page faults give the framework access to page-granular control flow information. The framework is transparent and agnostic to kernel and user space software not requiring any changes or additional components in the traced guest. The application scenarios for the framework include malware analysis, malware detection and runtime integrity protection. We furthermore present a detailed example application for the framework which uses the provided trace data to enforce a particular page-granular control flow to defend the guest against control flow hijacking attacks like return-oriented programming. The detailed performance analysis of our prototype implementation running on a Cortex-A15 development board with Android shows that the framework and the example application perform well even in adverse benchmarking scenarios. Therefore, the framework not only can be useful for realizing virtualization-based security mechanisms known and researched on x86 platforms for ARM, but also shows that the very lightweight ARM hardware virtualization support allows for new mechanisms relying on very frequent interaction with the hypervisor.
-
PublicationUser identity verification based on touchscreen interaction analysis in web contexts( 2015)The ever-increasing popularity of smartphones amplifies the risk of loss or theft, thus increasing the threat of attackers hijacking critical user accounts. In this paper, we present a framework to secure accounts by continuously verifying user identities based on user interaction behavior with smartphone touchscreens. This enables us to protect user accounts by disabling critical functionality and enforcing a reauthentication in case of suspicious behavior. We take advantage of standard mobile web browser capabilities to remotely capture and analyze touchscreen interactions. This approach is completely transparent for the user and works on everyday smartphones without requiring any special software or privileges on the user's device. We show how to successfully classify users even on the basis of limited and imprecise touch interaction data as is prevalent in web contexts. We evaluate the performance of our framework and show that the user identification accuracy is higher than 99% after collecting about a dozen touch interactions.
