Security Engineering Group Computer Science Department Technische Universität Darmstadt
Associated with the Center for Advanced Security Research Darmstadt (CASED) and the Computer Architecture and Security Laboratory at Yale University (CASLab)
Security in Virtualization Technologies and Cloud Computing
Network Security (Intrusion and Anomaly Detection, Honeypots)
System Security (Trusted Computing, Malware Detection, IT-Forensics)
Data Mining and Machine Learning
Sebastian Biedermann, Stefan Katzenbeisser, Jakub Szefer "Hard Drive Side-Channel Attacks using Smartphone Magnetic Field Sensors"[abstract] 19th International Conference on Financial Cryptography and Data Security (FC), San Juan, Puerto Rico, January 2015
In this paper we present a new class of side-channel attacks on computer hard drives. Hard drives contain one or more spinning disks made of a magnetic material. In addition, they contain different magnets which rapidly move the head to a target position on the disk to perform a write or a read. The magnetic fields from the disk's material and head are weak and well shielded. However, we show that the magnetic field due to the moving head can be picked up by sensors outside of the hard drive. With these measurements, we are able to deduce patterns about ongoing operations. For example, we can detect what type of the operating system is booting up or what application is being started. Most importantly, no special equipment is necessary. All attacks can be performed by using an unmodified smartphone placed in proximity of a hard drive.
Sebastian Biedermann, Stefan Katzenbeisser, Jakub Szefer "Hot-Hardening: Getting More Out of Your Security Settings"[abstract] 30th Annual Computer Security Applications Conference (ACSAC), New Orleans, USA, December 2014
Applying optimized security settings to applications is a difficult and laborious task. Especially in cloud computing, where virtual servers with various pre-installed software packages are leased, selecting optimized security settings is very difficult. In particular, optimized security settings are not identical in every setup. They depend on characteristics of the setup, on the ways an application is used or on other applications running on the same system. Configuring optimized settings given these interdependencies is a complex and time-consuming task. In this work, we present an autonomous agent which improves security settings of applications which run in virtual servers. The agent retrieves custom-made security settings for a target application by investigating its specific setup, it tests and transparently changes settings via introspection techniques unbeknownst from the perspective of the virtual server. During setting selection, the application's operation is not disturbed nor any user interaction is needed. Since optimal settings can change over time or they can change depending on different tasks the application handles, the agent can continuously adapt settings as well as improve them periodically. We call this approach hot-hardening and present results of an implementation that can hot-harden popular networking applications such as Apache2 and OpenSSH.
Frederico Araujo, Kevin W. Hamlen, Sebastian Biedermann, Stefan Katzenbeisser "From Patches to Honey-Patches: Lightweight Attacker-Misdirection, Deception, and Disinformation"[abstract] 21st Conference on Computer and Communications Security (CCS), Scottsdale, USA, November 2014
Traditional software security patches often have the unfortunate side-effect of quickly alerting attackers that their attempts to exploit patched vulnerabilities have failed. Attackers greatly benefit from this information; it expedites their search for unpatched vulnerabilities, it allows them to reserve their ultimate attack payloads for successful attacks, and it increases attacker confidence in stolen secrets or expected sabotage resulting from attacks. To overcome this disadvantage, a methodology is proposed for reformulating a broad class of security patches into honey-patches - patches that offer equivalent security but that frustrate attackers' ability to determine whether their attacks have succeeded or failed. When an exploit attempt is detected, the honey-patch transparently and efficiently redirects the attacker to an unpatched decoy, where the at- tack is allowed to succeed. The decoy may host aggressive software monitors that collect important attack information, and deceptive files that disinform attackers. An implementation for three production-level web servers, including Apache HTTP, demonstrates that honey-patching can be realized for large-scale, performance-critical software applications with minimal overheads.
Sebastian Biedermann, Jakub Szefer "SystemWall: An Isolated Firewall using Hardware-based Memory Introspection"[abstract] 17th Information Security Conference (ISC), Hongkong, Oktober 2014
Memory introspection can be a powerful tool for analyzing contents of a system's memory for any malicious code. Current approaches based on memory introspection have focused on Virtual Machines and using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze memory of the target system, independent of any hypervisor or OSes running on the system. We apply the new hardware approach to memory introspection to built-up an architecture that uses DMA and fine-grained memory introspection techniques in order to match network connections to the application-layer while being isolated and undetected from the operating system or the hypervisor. We call the proposed architecture SystemWall since it can be a standalone physical device which can be added as an expansion card to the mother board or a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. We use the SystemWall in the evaluation to analyze the target system for malicious code and prevent unknown (malicious) applications from establishing network connections which can be used to spread viruses, spam or malware and to leak sensitive information.
Sebastian Biedermann, Tobias Ruppenthal, Stefan Katzenbeisser "Data-Centric Phishing Detection based on Transparent Virtualization Technologies"[abstract] 12th International Conference on Privacy, Security and Trust (PST), Toronto, July 2014
We propose a novel phishing detection architecture based on transparent virtualization technologies and isolation of the own components. The architecture can be deployed as a security extension for virtual machines (VMs) running in the cloud. It uses fine-grained VM introspection (VMI) to extract, filter and scale a color-based fingerprint of web pages which are processed by a browser from the VM's memory. By analyzing the human perceptual similarity between the fingerprints, the architecture can reveal and mitigate phishing attacks which are based on redirection to spoofed web pages and it can also detect "Man-in-the-Browser" (MitB) attacks. To the best of our knowledge, the architecture is the first anti-phishing solution leveraging virtualization technologies. We explain details about the design and the implementation and we show results of an evaluation with real-world data.
Sebastian Biedermann, Stefan Katzenbeisser, Jakub Szefer "Leveraging Virtual Machine Introspection for Hot-Hardening of Arbitrary Cloud-User Applications"[abstract] 6th Usenix Workshop on Hot Topics in Cloud Computing (HotCloud), Philadelphia, USA, June 2014
Correctly applying security settings of various different applications is a time-consuming and in some cases a very difficult task. Moreover, with explosion in cloud computing popularity, cloud users are able to download and run pre-packaged virtual appliances. Many users may assume that these come with correct security settings and never bother to check or update these settings. In this paper we propose an architecture that can automatically and transparently improve security settings of arbitrary network applications in a cloud computing setup. Users can deploy virtual machines with different applications, and our system will attempt to find and test better security settings tailored towards their specific setup. We call this approach "hot-hardening" since our techniques are applied to running applications.
Jakub Szefer, Sebastian Biedermann "Towards fast hardware memory integrity checking with skewed Merkle trees"[abstract] 3rd Workshop on Hardware and Architectural Support for Security and Privacy (HASP), Minneapolis, USA, June 2014
Protection of a computer's memory's integrity is crucial in situations where physical attacks on the computer system are a threat. Such attacks can happen during physical break in into a data center or when a mobile device is lost or stolen. Since the memory modules can be easily removed or manipulated, the integrity of their contents cannot be trusted under threat of physical attacks. To counter this, hardware memory integrity checking schemes have been proposed, and realized in a number of security microprocessor architectures. At the core of these schemes is usually some form of a Merkle tree. All previous work on security architectures, however, uses full, balanced Merkle trees. In this paper, we propose a new solution to hardware memory integrity checking based on skewed Merkel trees. Because not all memory locations are accessed equally frequently in a modern computer system, a skewed Merkle three offers better performance as the frequently accessed memory locations can be located on the leaves of the skewed Merkle tree that have shorter path to the root - thus fewer nodes of the tree have to be accessed during integrity checks. Skewed Merkle trees offer better system performance when considering realistic memory access patterns where some page are accessed more frequently than others, they do not impact caches as much as full Merkle trees, and they do not require more storage than full, balanced Merkle trees.
Michael Riecker, Sebastian Biedermann, Rachid El Bansarkhani, Matthias Hollick "Lightweight Energy Consumption Based Intrusion Detection System for Wireless Sensor Networks"[abstract] Extended version of the ACM SAC 2013 paper as special issue paper in the International Journal of Information Security, April 2014
Wireless sensor networks are increasingly used in industrial settings and in safety-critical applications, generating a financial and social impact. Complementing to cryptographic means to protect the communication, it is desirable to monitor the performance of the system and detect attackers during operation. However, existing intrusion detection systems are too resource-demanding. In this paper, we propose a lightweight, energy-efficient system, which makes use of mobile agents to detect intrusions based on the energy consumption of the sensor nodes as a metric. A linear regression model is applied to predict the energy consumption. Simulation results indicate that denial-of-service attacks, such as flooding, can be detected with high accuracy, while keeping the number of false-positives very low.
Sebastian Biedermann, Nikolaos P. Karvelas, Thorsten Strufe, Stefan Katzenbeisser, Andreas Peter "ProofBook: An Online Social Network based on Proof-of-Work and Friend-Propagation"[abstract] 40th International Conference on Current Trends in Therory and Practice of Computer Science, High Tatras, Slovakia, January 2014
Online Social Networks (OSNs) enjoy high popularity, but their centralized architectures lead to intransparency and mistrust in the providers who can be the single point of failure. A solution is to adapt the OSN functionality to an underlying and fully distributed peer-to-peer (P2P) substrate. Several approaches in the field of OSNs based on P2P architectures have been proposed, but they share substantial P2P weaknesses and they suffer from low availability and privacy problems. In this work, we propose a distributed OSN which combines an underlying P2P architecture with friend-based data propagation and a Proof-of-Work (PoW) concept. ProofBook provides availability of user data, stability of the underlying network architecture and privacy improvements while it does not limit simple data sharing based on social relations.
Sebastian Biedermann, Stefan Katzenbeisser "POSTER: Event-based Isolation of Critical Data in the Cloud"[abstract] 20th ACM Conference on Computer and Communications Security (CCS), Poster Session, Berlin, Germany, November 2013
In this poster, we present TrustDraw, a transparent security extension for the cloud which combines Virtual Machine Introspection (VMI) and Trusted Computing (TC). TrustDraw provides secure storage of critical data like keys or passwords and allows to temporarily insert this data into a running virtual machine (VM) if required. TrustDraw improves security by allowing access to the critical data only if certain previously defined conditions are met. This way, the stealing of critical data by bypassing access permissions based on successfully executed attacks can be mitigated. TrustDraw runs isolated and transparent. No software modifications are required on a target VM. We evaluated an implementation of TrustDraw in a realistic scenario in which it only caused an acceptable run-time delay.
Sebastian Biedermann, Martin Zittel, Stefan Katzenbeisser "Improving Security of Virtual Machines during Live Migrations"[abstract] 11th International Conference on Privacy, Security and Trust (PST), Tarragona, Catalonia, July 2013
Live migration of virtual machines (VMs) enables the transfer of a running VM to a new hardware component with minimal and hardly noticeable interrupt. In cloud architectures, users are almost not able to detect live migrations of their VMs nor can they prevent them from happening. Especially, if a VM is live migrated to a distant data center crossing national borders, security and privacy problems arise. This way, internal data can become subject to new national legislation without even notifying the owner of the live-migrated VM. In this paper, we propose methods to detect live migrations from the inside of an affected VM. Furthermore, we analyze how the live migration procedure can be delayed and how the additional gained time can be used to take security-related measures until the live migration is completely finished. We developed a ``live migration defence framework'' (LMDF) which can be used for security policy enforcement within a VM. We evaluated the proposed methods and techniques in our cloud setup and partially in the Amazon Elastic Computing Cloud (EC2).
Sascha Hauke, Sebastian Biedermann, Dominik Heider "On the Application of Supervised Machine Learning to Trustworthiness Assessment"[abstract] 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Melbourne, Australia, July 2013
State-of-the art trust and reputation systems seek to apply machine learning methods to overcome generalizability issues of experience-based Bayesian trust assessment. These approaches are, however, often model-centric instead of focussing on data and the complex adaptive system that is driven by reputation-based service selection. This entails the risk of unrealistic model assumptions. We outline the requirements for robust probabilistic trust assessment using supervised learning and apply a selection of estimators to a real-world data set, in order to show the effectiveness of supervised methods. Furthermore, we provide a representational mapping of estimator output to a belief logic representation for the modular integration of supervised methods with other trust assessment methodologies.
Michael Riecker, Sebastian Biedermann, Matthias Hollick "Lightweight Energy Consumption Based Intrusion Detection System for Wireless Sensor Networks"[abstract] 28th ACM Symposium On Applied Computing (SAC), Coimbra, Portugal, March 2013
Wireless sensor networks are increasingly used in industrial settings and in safety-critical applications, generating a financial and social impact. Complementing to cryptographic means to protect the communication, it is desirable to monitor the performance of the system and detect attackers during operation. However, existing intrusion detection systems are too resource-demanding. In this paper, we propose a lightweight, energy-efficient system which makes use of mobile agents to detect intrusions based on the energy consumption of the sensor nodes as a metric. A linear regression model is applied to predict the energy consumption. Simulation results indicate that denial-of-service attacks such as flooding can be detected with high accuracy, while keeping the number of false positives very low.
Michael Riecker, Ana Barroso, Matthias Hollick, Sebastian Biedermann "On Data-centric Intrusion Detection in Wireless Sensor Networks"[abstract] IEEE International Conference on Cyber, Physical and Social Computing, Besançon, France, November 2012
Wireless sensor networks (WSN) are increasingly used to support critical applications - especially in enterprise settings. If the sensor data collected through the network is incorrect, such applications cannot run reliably. Thus, detecting the occurrence of abnormal sensor values is crucial. In this paper we develop three decentralized, lightweight data anomaly detection mechanisms that can be run directly on sensor nodes. These algorithms are evaluated with a real dataset to which we added plausible attacks. Further, they are compared to standard centralized anomaly detection mechanisms.
Sebastian Biedermann, Martin Mink, Stefan Katzenbeisser "Fast Dynamic Extracted Honeypots in Cloud Computing"[abstract] 4th Cloud Computing Security Workshop (CCSW2012), Raleigh, NC, USA, October 2012
In this paper, we describe the design, the implementation and the evaluation of a dynamic honeypot architecture which can be offered as an additional security service for cloud users in a cloud that offers Infrastructure-as-a-Service (IaaS). Honeypots can protect original systems while revealing new and unknown attacks at the same time. The proposed dynamic honeypot architecture detects potential attacks in the initial phases and delays these attacks until a new honeypot virtual machine (VM) is extracted from the original VM which is under attack. The extraction process is a modifying VM live cloning process which leaves sensible data behind and prevents internal data loss. This way, the newly created honeypot VM runs the same software in exactly the same up-to-date configuration. The honeypot controller redirects the delayed attack to the extracted honeypot VM and analyses its impact without risking the integrity of the original target VM. The proposed architecture benefits from the flexibility and adaptability of the cloud. It efficiently protects VMs of cloud users from contemporary network attacks while only few additional cloud resources are temporarily needed. The architecture deceives and misleads an attacker or an attacking source but does not influence the normal work-flow of the original VMs in the cloud. Based on a defined reporting format, cloud users can learn from attacks which have targeted their VMs and discover current misconfigurations and unknown vulnerabilities.
Sami Alsouri, Stefan Katzenbeisser, and Sebastian Biedermann "Trustable Outsourcing of Business Processes to Cloud Computing Environments"[abstract] 5th International Conference on Network and System Security (NSS2011), Milan, Italy, September 2011
Cloud Computing, the next generation of Internet-based services, will allow cost-effective outsourcing of applications and business processes. However, outsourcing business processes to potentially untrusted servers poses significant security and privacy problems. Despite having no direct control over the hardware platform on which the business processes run, clients still need to obtain assurance of correct execution. In this paper, we propose an architecture based on Trusted Computing technologies that allows fine-granular and policy-based remote attestation of outsourced business processes running on remote hosts. In particular, we let the provider generate, during execution of the business process, secure execution logs that allow to verify correct execution of the process at a later time by the client. Our architecture allows a cloud provider to host business processes for multiple tenants, considering at the same time multi-instance processes. We show how such an architecture can be implemented using Trusted Computing technologies, traditional virtualization technologies like Xen and the ODE process engine.
Sebastian Biedermann, Stefan Katzenbeisser "Detecting Computer Worms in the Cloud" [abstract] 26th International Information Security Conference (IFIP SEC2011), iNetSec Workshop, Luzern, Switzerland, June 2011
Computer worms are very active and new sophisticated versions continuously appear. Signature-based detection methods work with a low false-positive rate, but previously knowledge about the threat is needed. Anomaly-based intrusion detection methods are able to detect new and unknown threats, but meaningful information for correct results is necessary. We propose an anomaly-based intrusion detection mechanism for the cloud which directly profits from the virtualization technologies in general. Our proposed anomaly detection system is isolated from spreading computer worm infections and it is able to detect unknown and new appearing computer worms. Using our approach, a spreading computer worm can be detected on the spreading behavior itself without accessing or directly influencing running virtual machines of the cloud.
Tobias Hoßfeld, Raimund Schatz, Sebastian Biedermann, Alexander Platzer, Sebastian Egger, Markus Fiedler "The Memory Effect and Its Implications on Web QoE Modeling"[abstract] 23rd International Teletraffic Congress (ITC 2011), San Francisco, USA, September 2011
Quality of Experience (QoE) has gained enormous attention during the recent years. So far, most of the existing QoE research has focused on audio and video streaming applications, although HTTP traffic carries the majority of traffic in the residential broadband Internet. However, existing QoE models for this domain do not consider temporal dynamics or historical experiences of the user's satisfaction while consuming a certain service. This psychological influence factor of past experience is referred to as the memory effect. The first contribution of this paper is the identification of the memory effect as a key influence factor for Web QoE modeling based on subjective user studies. As second contribution, three different QoE models are proposed which consider the implications of the memory effect and imply the required extensions of the basic models. The proposed Web QoE models are described with a) support vector machines, b) iterative exponential regressions, and c) two-dimensional hidden Markov models.
Daniel Eck, Sebastian Biedermann, Klaus Schilling "Adjustment of the hand throttle of a mobility scooter for elderly people"[abstract] 55th Internationales Wissenschaftliches Kolloquium, Ilmenau, Germany, September 2010
In the last years assistive technologies to preserve elderly people a self determined and independent life receive growing attention. Mobility is one of the biggest issues for a self-determined life, in particular for elderly people. Social participation and daily activities like shopping, errands or doctor visits require mobility. Therefore mobility is a prerequisite to maintain autonomy and self-determination in old age. Mobility scooter are able to preserve the mobility of elderly people, but it is very challenging to control such a vehicle, especially for elderly people. Therefore this paper presents some drive assistance function to support the operator and increase the safety. Three different functions to improve the security and decrease the challenging control will be introduced: a hand throttle regulation, a drive off function and an emergency stop. Some of these functions were validated and tested by several elderly people to find the best configuration.
Technical Reports / ePrint Archive
Sebastian Biedermann, Erik Tews "How to enable Live Cloning of Virtual Machines using the Xen Hypervisor"[pdf]
Nikolaos P. Karvelas, Andreas Peter, Stefan Katzenbeisser, Sebastian Biedermann "Efficient Privacy-Preserving Big Data Processing through Proxy-Assisted ORAM"[pdf]