ESSE team members conduct research in and around various subject areas. Some of our core areas are outlined below. Moreover, we offer an overview of current suggestions for projects, bachelor, and master theses that we are eager to supervise. Some of our past research results have been published at international conferences and in journals.
At ESSE, we have very strong ties to powerful partners in industry and governments. Backed by years of academic research, we tightly integrate our academic experience directly into real-world projects and applications. Our research has direct impact in the following areas, which constitute our current cornerstones that motivate much of our academic endeavors and quests.
The topics listed above require knowledge and expertise from various different subject areas in IT security. At ESSE, researchers together with motivated students work on creating and furthering highly specialized knowledge in the following areas.
In our society, traditional cash is becoming less important as electronic payments evolve in different fields and become more and more ubiquitous: Credit and debit card payments have evolved from magnetic stripe technology (trivially cloneable and skimmable) to smartcard-based EMV chip-and-PIN systems (with their own cryptographic design issues and pitfalls), and on to contactless, NFC-based methods that turn a smartphone or smartwatch into a digital wallet.
For Internet payments and person-to-person money transfers, countless solutions exist and compete with each other. Some electronic payment methods clearly outperform traditional cash in both security and usability for merchants and customers alike, and additionally make loyalty and reward programs easy to support.
However, this also comes at a price: the anonymity of traditional cash is hard to achieve in practical electronic payments; yet there is clearly much societal and economic value in anonymous, untrackable payments (limited to small, everyday amounts) in a society that, as it is, suffers from overly enthusiastic surveillance efforts by powerful global actors. Ever since Satoshi Nakamoto introduced Bitcoin, decentralized, blockchain-based currencies have been all the rage and have spawned exciting new research with direct applicability to real-world projects of significant market volume. For the first time since David Chaum invented blind RSA signatures in the early 1980s, cryptographic payment schemes that offer strong anonymity properties are being rolled out and tested in practice, using state-of-the-art cryptographic primitives such as novel, efficient non-interactive zero-knowledge proof systems.
At ESSE, several experts research and work on different aspects of electronic payment systems. ESSE researchers work together with strong industry and government partners, e.g., on combating skimming fraud, securing EMV payment solutions using state-of-the-art cryptographic engineering principles, designing secure and PCI-compliant payment terminal hardware, and conceiving and constructing tomorrow's payment technologies. We not only have extensive experience interacting with, and contributing research insights to, the established payment processing industry (EMV, PCI), but also conduct research and practical work on many alternative fronts, including blockchain-based payment processing and payment schemes with strong anonymity properties. Especially in this field, ample opportunities exist for prospective ESSE researchers (preferably outstanding, strongly self-motivated students), with a wide range of possibilities for combining master-level and PhD work with industry cooperation that has direct applicability to real-world systems.
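The blind RSA signature named above is small enough to show end to end. The following Python is an added illustration and not ESSE code or part of any payment system described on this page: a toy Chaum-style e-cash round trip in which the bank signs a coin it never sees in the clear, the customer unblinds the signature, a merchant verifies it without contacting the bank, and the bank catches double spending by remembering deposited serial numbers. The key material (two small well-known primes), the coin serial, and the SHA-256-mod-n hash-to-integer step are assumptions made for the example; real schemes use large moduli and proper full-domain padding.

```python
"""Toy Chaum blind-signature e-cash flow (added example, not ESSE code).

The signer (bank) signs a value it cannot link to the coin, the customer
unblinds the result into an ordinary RSA signature, anyone holding the public
key can verify it, and the bank refuses a serial number it has already paid
out. Parameters are deliberately tiny: this is for reading, not for money.
"""
import hashlib
import secrets
from math import gcd

# Hypothetical toy key material: two well-known primes, public exponent 65537.
P, Q = 1000000007, 998244353
E = 65537


def toy_keypair():
    """Return (n, e, d) for the signer. Real deployments use >= 2048-bit n."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)
    return n, E, d


def hash_to_int(message: bytes, n: int) -> int:
    """Map a coin serial into Z_n (toy: plain SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def blind(message: bytes, n: int, e: int):
    """Customer side: hide h(m) behind a random factor r^e before sending it."""
    h = hash_to_int(message, n)
    while True:
        r = secrets.randbelow(n - 2) + 2  # r in [2, n-1]
        if gcd(r, n) == 1:
            break
    return (h * pow(r, e, n)) % n, r


def sign_blinded(blinded: int, n: int, d: int) -> int:
    """Bank side: an ordinary RSA signature on a value that reveals nothing."""
    return pow(blinded, d, n)


def unblind(blind_sig: int, r: int, n: int) -> int:
    """Customer side: (h * r^e)^d * r^-1 = h^d, a valid signature on h(m)."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(message: bytes, sig: int, n: int, e: int) -> bool:
    """Merchant side: standard RSA verification, no interaction with the bank."""
    return pow(sig, e, n) == hash_to_int(message, n)


class Bank:
    def __init__(self):
        self.n, self.e, self.d = toy_keypair()
        self.seen_blinded = []   # everything the bank observed at withdrawal
        self.deposited = set()   # serials already redeemed

    def withdraw(self, blinded: int) -> int:
        self.seen_blinded.append(blinded)
        return sign_blinded(blinded, self.n, self.d)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Accept a coin once; a second deposit of the same serial is rejected."""
        if not verify(serial, sig, self.n, self.e) or serial in self.deposited:
            return False
        self.deposited.add(serial)
        return True


def demo():
    """Run one withdraw/spend/deposit round and report what each party sees."""
    bank = Bank()
    serial = secrets.token_bytes(16)  # constructed coin serial number
    blinded, r = blind(serial, bank.n, bank.e)
    sig = unblind(bank.withdraw(blinded), r, bank.n)
    return {
        "valid": verify(serial, sig, bank.n, bank.e),
        # The bank never saw h(m) itself, only h(m) * r^e, so it cannot link
        # the withdrawal to the coin that is later deposited.
        "unlinkable": hash_to_int(serial, bank.n) not in bank.seen_blinded,
        "first_deposit": bank.deposit(serial, sig),
        "double_spend": bank.deposit(serial, sig),
        "forged": verify(serial, (sig + 1) % bank.n, bank.n, bank.e),
    }


if __name__ == "__main__":
    print(demo())
```

The unlinkability check in `demo` is exact here because gcd(e, (P-1)(Q-1)) = 1 and r = 1 is excluded, so r^e is never 1 mod n; the double-spend check is the online variant (the bank keeps a set of redeemed serials), which is the simplest way to reuse a serial-number scheme without offline detection.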
It is often thought that IT security measures are straightforward and can be applied in the same way in small and large IT infrastructures. This is not the case.
Many ESSE members have expertise with IT security challenges in large IT infrastructures, and experience has shown that not all security measures that work at small scale also work well at large scale.
Therefore, at ESSE we research different aspects of IT security in large IT infrastructures, such as identification, Public Key Infrastructures, and security testing.
We also teach a lecture on IT Security in Large IT Infrastructures.
IT systems in modern cars are becoming more complex and powerful. They are no longer confined to the vehicle itself: more and more cars have some form of Internet access, and apps can be used, e.g., to start the heating remotely or to collect usage information.
As a result, the IT security of such systems is vital. Together with industry partners we conduct research to make connected cars more secure.
What level of anonymity can be achieved by solutions such as Tor, I2P, or Tribler? What are the advantages and ultimate limits of dining-cryptographer-based anonymity solutions such as Dissent? How can one construct and implement a secure, anonymous marketplace for ideas or goods? How can one incentivize participation in anonymous communication networks and minimize the harm caused by free riders without endangering anonymity guarantees?
Secure communication on the Internet entails more than encrypting messages between two parties. Multi-party authenticated key exchange paired with authenticated encryption enables confidential, integrity-protected group conversations. Hiding metadata, i.e., hiding the fact that communication between two or more parties takes place at all, can be just as important. And what about deniability when secret key material leaks or is compromised?
Secure and anonymous communication used to be a given in any liberal, democratic society. At the very least since the Snowden revelations, we know this no longer applies to today's hyperconnected world. History tells us that once surveillance and totalitarianism take hold, societies tend to collapse. At ESSE, we conduct both theoretical and applied research on how to let technology mimic properties of behaviors and conditions taken for granted in meatspace (meatspace denotes the physical world, as opposed to cyberspace; both terms were coined at a time when this distinction was still possible), be it the casual, unrecorded conversation with an acquaintance at the edge of a swimming pool, or a stroll through the flea market at Naschmarkt, Vienna. We also apply this knowledge directly to industry projects where privacy is crucial.
The term meatspace was coined at the same time as the term cyberspace by science fiction and dystopian cyberpunk authors in the early 80s. Meatspace denotes the physical world, as opposed to cyberspace, which denotes the environment in which communication occurs over computer networks. It is telling that only the second term survived and made it into mainstream language: Fast-forwarding to the future, almost everything in the physical world is already connected to computer networks or is in the process of getting connected to computer networks: Your light switch, your coffee machine, your heater, maybe soon even your shower and your bed? Meatspace, as something distinct from cyberspace, simply ceases to exist.
This development creates massive security problems, because (1) deploying cheap, low-cost Internet-connected equipment without proper safeguards into our daily private and professional lives invariably increases the attack surface for remote attackers, and (2) traditional companies (such as a heating manufacturer) effectively have to become IT companies to remain competitive, but this transition often happens without the management structures and know-how needed for an informed transition from their traditional domain to IT, resulting in security-critical knowledge gaps that can be, and are, exploited by attackers throughout the world.
At ESSE, we not only have longstanding experience in designing and implementing security-critical embedded systems providing security-relevant input to and extracting knowledge and experience from various industry projects, but we also conduct academic research on privacy issues stemming from the Internet of Things revolution as well as ways to solve them.
In many businesses, e.g., large IT infrastructures, banks, or eHealth, strict requirements exist on how to operate IT systems securely.
Governance, Risk, and Compliance requirements aim to raise the level of IT security in such fields. We research different methods for implementing such requirements, e.g., monitoring systems, incident management, and security testing.
Today, healthcare is widely supported by IT, with health information stored in various forms across many services. Such information may reside in large data centers, but also, e.g., on smartphones.
Such personal information is highly sensitive, and its loss or disclosure can be critical for the patient. Therefore, confidentiality, integrity, authenticity, and other security goals need to be achieved, and solutions that support these goals must be found.
At ESSE we research mobile as well as stationary secure solutions that support eHealth.
Security-certified systems, such as PCI-compliant systems, need to be exposed regularly to penetration testing teams. However, the scope and methodology of penetration tests and security audits vary significantly, and the minimal effort needed to pass a certification often exposes only the most obvious flaws, leaving subtle but critical issues buried, ready to be found by dedicated attackers striving to make a profit. Highly sensitive systems need to be evaluated and tested very differently from systems where the possible damage can be contained by non-technical means. Hands-on experience with strong industry partners and thorough penetration testing and audit experience are preconditions for working on research questions such as: what is the most effective penetration testing methodology for a particular system, and how much effort is needed to identify the critical bugs that a dedicated attacker with specific resources would be likely to find?
Researchers at ESSE have thorough and longstanding hands-on experience with penetration testing methods and security audits in a wide range of industries, including government services and the health sector. We have deep insight into many different aspects of banking, payment, and financial systems. We also know that, sometimes, fulfilling the requirements to pass security certifications runs contrary to an actually effective implementation of useful security measures because of misplaced priorities dictated by the certification requirements. Finding the optimal compromise for correctly allocating available security-relevant resources is an interesting challenge that is in critical need of both academic input as well as comprehensive input from industry experience.
The research conducted by ESSE on security testing targets many different aspects and builds on experience and know-how from a wide array of projects, both production systems and projects in various development stages, ranging from minimal tests to fulfill basic certification requirements to highly critical tests and evaluations where a compromise might have detrimental consequences for individual lives or even for society as a whole.
Effective security tests require highly specific and deep knowledge from a range of domains, depending on the targeted system, and thus ESSE always welcomes new (prospective) specialists with deep technical understanding and the strong motivation to dig thoroughly through the innards of IT systems and to study potential weaknesses of specific technologies.
Although CTF challenges clearly differ from testing for and finding security vulnerabilities in real systems, actively participating in our capture-the-flag team defragmented.brains is a very good way to train the eye and to get and stay up to date with all kinds of common and novel security flaws (and hey, participation is free, and we always have a lot of fun together as well)!
Correct identification is the foundation for most aspects of modern computing and far beyond. Only when the identity (e.g., a person or a machine) that wants to access (e.g., read or write) a resource is known can further actions be authorized.
To implement an information security policy across heterogeneous service landscapes, we investigate models, procedures, and technologies for harmonizing different authentication and authorization mechanisms, as well as eID solutions.
In order to build secure systems, all involved parties (e.g., system architects and programmers) need IT security know-how. Therefore, it is essential that this know-how is taught effectively.
At ESSE we research how IT security can be taught effectively and efficiently, so that students learn about the many facets of IT security and are excited to dig deeper into the domain.
To understand and assess IT security threats, theoretical knowledge alone is not enough. Without an accurate picture of the attack tools, worms, and malware currently in use, risk evaluations of IT systems remain highly speculative. Studying the techniques and methods used by different attackers, from script kiddies to criminal hackers, state actors, and powerful industrial spies, as well as the ways they organize, collaborate, and trade in underground economies and black markets, is interesting in itself; beyond that, up-to-date knowledge of real-world threats is crucial for, e.g., accurately prioritizing security measures for critical IT systems, reacting effectively to intrusions, and formulating useful incident response plans.
The motivation for this research area could not be better expressed than by the words of the legendary Chinese military general Sun Tzu, written more than two thousand years ago: "If you know the enemy and know yourself, you need not fear the result of a hundred battles".
When thinking about IT security, physical security aspects are often neglected. However, when attackers can gain physical access to IT systems, physically securing those devices becomes critical.
At ESSE we attack physical components such as embedded devices and research methods to enhance their physical security.
The gap between the cryptographic research community and the systems security community is very deep, if not abysmal. Similarly, the gap between the knowledge generated by academic cryptographers and actual industrial practice is immense. Major industrial players that design and implement cryptographic protocols today more often than not ignore large amounts of relevant academic knowledge accumulated over the past decades. Many of the flaws in standard protocols (such as TLS) discovered in recent years were not novel at the time of their discovery and are just another expression of this gap between theorists and practitioners. In IT, the work of theorists is often regarded as fairly useless by the engineers who actually build systems; IT security is one of the fields where it is trivial to prove them wrong. At ESSE, we are bridging this gap. To do so, it is essential to be able to understand, work on, and generate both theoretical and practical results.
Many vulnerabilities, such as buffer overflows, have become very difficult to exploit on modern systems due to a range of mitigation techniques enabled by default. Still, no single mitigation mechanism is perfect. Many techniques from the research literature still induce too much overhead while posing only marginal obstacles to a skilled attacker. Understanding the art of advanced software exploitation is a prerequisite for designing novel and practical mitigation techniques. In addition, for people with the right mindset, exploit development is great fun and a very rewarding experience in itself.
At ESSE, students and researchers work on understanding current exploitation techniques as used by various actors in the real world. Leveraging this knowledge, we work on novel contributions to effective exploit mitigation techniques.
We also train for and play at international hacking contests. These events are a perfect playground, and participation in our CTF team defragmented.brains is a good opportunity to learn and train with people of different skill levels. If you are interested in doing academic work in this field (e.g., for a bachelor, master, or PhD thesis), preferably join our team first and play and learn with us.
Once a vulnerability has been exploited and a system is compromised, an attacker often wants to establish a permanent presence on the target. Doing so without risking detection is anything but trivial. Advanced rootkits usually modify kernel structures and may reside in peripheral firmware, such as SSD controllers. This makes detection of advanced rootkits very difficult.
At ESSE we work on furthering the knowledge in the area of malicious rootkits and rootkit detection and work with industry partners to directly apply this knowledge to secure critical IT systems and large IT infrastructures.
In addition to classic intrusion detection methods, honeypots, honeynets, and honeytokens can be used to recognize and explore attacks on IT systems in order to increase the security of IT infrastructures. Their benefit is a near-zero false-positive rate: a honey* resource has no legitimate use, so in principle every access to it is suspicious. It therefore stands to reason to combine classic intrusion detection systems with honey* systems.
Our research group implemented a honeynet as early as 2005 and currently operates several different honeynets. As a result, we have gained profound experience in operating honeynets and in using them to increase the security of IT infrastructures. Honey* technologies also provide raw data that feed into other research areas.
Together with researchers from other universities we continue to improve the IT security of various systems through honey* solutions.
One application of these honeynets is our research on VoIP security.
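The property claimed above, that a honeytoken has no legitimate use and so any access to it is a hit, is what makes the detection logic simple. The following Python is an added example, not part of ESSE's honeynets: it plants three hypothetical decoys (a fake cloud API key, a fake service account, a decoy URL), scans two constructed log formats, and raises an alert on every touch, including a failed login with the decoy account. The log formats, token values, and sample lines are all constructed for this example. The one allowance it makes is a small set of trusted sources, because your own vulnerability scanner will request every URL it can find, decoys included; that set is where residual false positives come from and should be kept tiny.

```python
"""Honeytoken hits in log lines (added example, not ESSE's honeynet code).

A honeytoken is a credential, record or URL with no legitimate use, so a
single observed access is an alert, whether the access succeeded or not.
The decoy values, log formats and sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Planted decoys (hypothetical values). Recording where each one was planted
# turns a hit into a lead: the attacker has read that file or page.
HONEYTOKENS = {
    "AKIAHONEYPOT0000EXAMPLE": "fake cloud key in /opt/backup/.env",
    "svc_backup_ro": "fake service account named on the 'Backups' wiki page",
    "/admin/old_export.csv": "decoy URL listed only in robots.txt",
}

# Two constructed line formats: a simple auth log and a combined web access log.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>\S+)"
)
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Alert:
    token: str
    source: str
    planted_at: str
    line: str


def scan_line(line: str, trusted_sources: frozenset = frozenset()) -> Optional[Alert]:
    """Return an Alert if the line touches a honeytoken, else None.

    trusted_sources is the only source of false positives in this scheme:
    your own scanner requests every URL it knows, decoys included. Keep the
    set tiny and reviewed; everything else that touches a decoy is an alert.
    """
    m = AUTH_RE.match(line) or WEB_RE.match(line)
    if m is None:
        return None  # unknown format: extend the parsers rather than guess
    fields = m.groupdict()
    if fields["src"] in trusted_sources:
        return None
    # Exact match on the structured fields first (a FAILED login with the
    # decoy account is still a hit), then a substring search for tokens that
    # hide inside other fields, e.g. a key pasted into a query string.
    structured = {fields.get("user"), fields.get("path")}
    for token, planted_at in HONEYTOKENS.items():
        if token in structured or token in line:
            return Alert(token, fields["src"], planted_at, line)
    return None


def scan(lines: Iterable[str], trusted_sources: frozenset = frozenset()) -> List[Alert]:
    """Run scan_line over a log and keep the hits: no thresholds, no scoring."""
    alerts = (scan_line(line, trusted_sources) for line in lines)
    return [a for a in alerts if a is not None]


# Constructed sample log; only the 2nd, 4th and 6th lines touch a decoy.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth: user=alice from=10.0.0.5 result=OK
2024-03-01T10:00:07Z auth: user=svc_backup_ro from=10.0.0.99 result=FAIL
2024-03-01T10:00:09Z auth: user=bob from=10.0.0.7 result=FAIL
203.0.113.9 - - [01/Mar/2024:10:01:00 +0000] "GET /admin/old_export.csv HTTP/1.1" 404 512
203.0.113.9 - - [01/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.50 - - [01/Mar/2024:10:02:00 +0000] "GET /api?key=AKIAHONEYPOT0000EXAMPLE HTTP/1.1" 403 0
""".splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.token!r} from {a.source} ({a.planted_at})")
```

Note that the decoy URL request returned 404 and the decoy key was rejected with 403: neither access "succeeded", and both are still alerts, which is exactly the property that distinguishes honey* data from ordinary IDS signals.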
With ever more interconnected systems, enormously increased bandwidth, and the ever-growing adoption of cloud solutions, the confidentiality of information is gaining in importance. Within this key subject, different mechanisms and technologies are examined that ensure the confidentiality of information and simplify its application.
Smartphones are now ubiquitous. They are general computing platforms equipped with privacy-critical sensors, and often contain highly sensitive personal and professional data. From an attacker's perspective, the misuse potential is vast, and a compromise might be more concerning than the compromise of a traditional desktop computer: A compromised modern smartphone is a very effective tracking and spying device.
At ESSE, we conduct research on various aspects of mobile phone security. We work closely with industry partners to apply academic knowledge in order to help secure critical smartphone applications. We also operate our own test GSM network and conduct security research on the mobile network layer.
Public Key Infrastructures (PKIs) provide an important basis in large IT infrastructures for implementing identity as well as confidentiality, integrity, and authenticity measures. Because of this central role, a secure PKI is essential in many IT systems.
ESSE researches mechanisms to verify the functionality and security of the relevant individual subsystems of such PKIs, as well as attacks that circumvent mechanisms and protocols secured by PKIs.
Voice over IP (VoIP) systems are increasingly used by companies in critical IT infrastructures. This use of VoIP requires a risk and threat analysis that lists and evaluates security-relevant issues in order to protect those infrastructures.
Within this research domain, ESSE researches mechanisms to increase the security level of VoIP systems. Different security measures need to be defined and implemented in order to operate a critical VoIP system securely.
Some publications of our VoIP security research and additional information can be found on our VoIP security research website.
Digital forensics deals with the analysis of traces left by various activities on digital systems. By analyzing this data, one attempts to reproduce system (mis)behavior, to recover deliberately deleted data, or to determine the damage after an attack. The collected and prepared information can help improve the analyzed systems or serve as evidence in legal proceedings.
In this research area, methods for the efficient extraction and interpretation of information (from data dumps) are developed.
One specific application of digital forensics is the analysis of devices used for skimming at ATMs.
Modern societies strongly depend on the Internet for continuous and reliable access to a variety of services, e.g., those used for work and private communication. Supported by a vast number of easy-to-use applications and services offered in app stores and the like, computer system design patterns have evolved towards concepts such as "cloud computing".
With cloud computing, however, personal information collected by smartphones or IoT devices may be sent to the cloud, leaving data owners without means to control their data.
With our research we investigate means of improving privacy protection for personal information used within cloud-based services and applications.
Security-by-design solutions aim to reduce security risks arising during implementation and operation, including those caused by improper use or misconfiguration. Users have to be supported so that using devices and services is intuitively safe and trustworthy. Platform-independent solutions are required to establish context-aware, adaptive security measures in highly networked, complex, and interoperable systems.
A decisive part of the perceived quality of software systems is their resistance to malicious attacks (security) as well as their operational stability (safety). Despite extensive testing, many defects surface only after a system has gone into production.
This research area focuses on how a software engineering process must be designed to enable the construction of systems that are both more secure and more stable and reliable. Besides the requirements phase, which is based on a threat and risk analysis, the design phase, and the development and testing process itself, an important aspect is the design of the interface between development and operation.