Florian Fankhauser

At the moment I'm writing my PhD thesis in the field of VoIP security. In cooperation with Christian Schanes I'm operative head of the IT security research team ESSE. I'm involved in teaching several lectures about IT security.

Contact

e-mail:
florian.fankhauser@inso.tuwien.ac.at
Fingerprint GPG Key:
    DA0E 0588 31A8 6EE4 408A 0F66 9FE3 9667 732F 11DB
Office Location:
    Wiedner Hauptstraße 76/2/2
    1040 Vienna
    Austria
Office Hours:
    see the ESSE Office Hours: please write me an e-mail to check whether I will be there myself.
Office Hours during holidays:
    by appointment

Research Interests

Teaching

For a few years I have been involved in teaching several lectures about IT security, e.g. Introduction to Security VU, Seminar aus Security SEM, Security for Systems Engineering VU, Advanced Security for Systems Engineering VU, IT Security in Large IT Infrastructures VU, Security VU, Internet Security VU, Advanced Internet Security VU. For more information have a look at the available lectures.

Publications

BibTeX

Markus Gruber, Dirk Hoffstadt, Adnan Aziz, Florian Fankhauser, Christian Schanes, Erwin Rathgeb and Thomas Grechenig. Global VoIP security threats – large scale validation based on independent honeynets. In IFIP Networking Conference (IFIP Networking), 2015 (pp. 1–9) (May 2015). [ DOI: 10.1109/IFIPNetworking.2015.7145329 ]
Voice over IP (VoIP) is becoming more and more attractive to large companies as well as private users. Therefore, the risk that VoIP systems get attacked by hackers increases. In order to effectively protect VoIP users from misuse, researchers use, e.g., honeynets to capture and analyze VoIP attacks occurring in the Internet. Global VoIP security threats are analyzed by studying several million real-world attacks collected in independent VoIP honeynet solutions with different capture mechanisms over a long period of time. By validating results across several honeynet designs we have achieved a unique, much broader view on large scale attacks. The results show similar attacker behavior, confirm previous assumptions about attacks and present new insights into large scale VoIP attacks, e.g., for toll fraud.

Keywords: Engines; IP networks; Internet; Monitoring; Protocols; Security; Servers; Communication system security; Internet telephony; Intrusion detection

Clemens Hlauschek, Markus Gruber, Florian Fankhauser and Christian Schanes. Prying open Pandora's box: KCI attacks against TLS. In 9th USENIX Workshop on Offensive Technologies (WOOT 15) (August 2015). Washington, D.C.: USENIX Association. [ Download: https://www.usenix.org/conference/woot15/workshop-program/presentation/hlauschek ]
Protection of Internet communication is becoming more common in many products, as the demand for privacy in an age of state-level adversaries and crime syndicates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multitude of key agreement and authentication options which provide various different security guarantees. Recent attacks showed that this plethora of cryptographic options in TLS (including long forgotten government backdoors, which have been cunningly inserted via export restriction laws) is a Pandora's box, waiting to be pried open by heinous computer whizzes. Novel attacks lay hidden in plain sight. Parts of TLS are so old that their foul smell of rot cannot be easily distinguished from the flowery smell of “strong” cryptography and water-tight security mechanisms. With an arcane (but well-known among some theoretical cryptographers) tool, we put new cracks into Pandora's box, achieving a full break of TLS security. This time, the tool of choice is KCI, or Key Compromise Impersonation. The TLS protocol includes a class of key agreement and authentication methods that are vulnerable to KCI attacks: non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication – both on elliptic curve groups, as well as on classical integer groups modulo a prime. We show that TLS clients that support these weak handshakes pose serious security concerns in modern systems, opening the supposedly securely encrypted communication to full-blown Man-in-the-Middle (MitM) attacks. This paper discusses and analyzes KCI attacks in regard to the TLS protocol. We present an evaluation of the TLS software landscape regarding this threat, including a successful MitM attack against the Safari Web Browser on Mac OS X. We conclude that the insecure TLS options that enable KCI attacks should be immediately disabled in TLS clients and removed from future versions and implementations of the protocol: their utility is extremely limited, their raison d’être is practically nil, and the existence of these insecure key agreement options only adds to the arsenal of attack vectors against cryptographically secured communication on the Internet.

Markus Gruber, Christian Schanes, Florian Fankhauser, Martin Moutran and Thomas Grechenig. Architecture for trapping toll fraud attacks using a VoIP honeynet approach. In Proceedings of the 7th International Conference on Network and System Security (NSS) (June 2013).
Voice over IP systems are more and more replacing Public Switched Telephone Network infrastructures. The number of voice telephony installations and the number of Session Initiation Protocol users is constantly increasing. Attacks against Voice over IP systems are becoming more imaginative and many attacks can cause financial damage, e.g., attackers gain money or create costs for the victim. Therefore, conducting secure business depends on available and secure Voice over IP systems. We provide an environment to uncover real-world toll fraud attacks by collecting data using a Voice over IP honeynet solution.

Keywords: Communication System Security, Honeynet, Fraud

Markus Gruber, Christian Schanes, Florian Fankhauser and Thomas Grechenig. Voice calls for free: How the black market establishes free phone calls – trapped and uncovered by a VoIP honeynet. In Proceedings of the International Conference on Privacy, Security and Trust (PST) (July 2013).
The complexity of IT systems and the criticality of robust IT systems is constantly increasing. Testing a system requires consideration of different protocols and interfaces, which makes testing hard and expensive. Test automation is required to improve the quality of systems without cost explosion. Many standards like HTML and FTP are semiformally defined in RFCs, which makes a generic algorithm for test data generation based on RFCs relevant. The proposed approach makes it possible to automatically generate test data for protocols defined as ABNF in RFCs for robustness tests. The introduced approach was shown in practice by generating SIP messages based on the RFC specification of SIP. This approach shows that it is possible to generate data for any RFC that uses ABNF, and provides a solid foundation for further empirical evaluation and extension for software testing purposes.

Keywords: Security, Internet telephony, Intrusion detection, Communication system security

Christian Schanes, Stefan Taber, Karin Popp, Florian Fankhauser and Thomas Grechenig. Security test approach for automated detection of vulnerabilities of SIP-based VoIP softphones. International Journal On Advances in Security, 4, 95–105 (September 2011). IEEE Computer Society Press.
Voice over Internet Protocol based systems replace phone lines in many scenarios and are in wide use today. Automated security tests of such systems are required to detect implementation and configuration mistakes early and in an efficient way. In this paper we present a plugin for our fuzzer framework fuzzolution to automatically detect security vulnerabilities in Session Initiation Protocol based Voice over Internet Protocol softphones, which are examples of endpoints in such telephone systems. The presented approach automates the interaction with the Graphical User Interface of the softphones during test execution and also observes the behavior of the softphones using multiple metrics. Results of testing two open source softphones with our fuzzer showed that various unknown vulnerabilities could be identified with the implemented plugin for our fuzzing framework.

Keywords: Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing

Markus Gruber, Florian Fankhauser, Stefan Taber, Christian Schanes and Thomas Grechenig. Security status of VoIP based on the observation of real-world attacks on a honeynet. In The Third IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT) (October 2011a).
VoIP (Voice over IP) systems are more and more replacing PSTN (Public Switched Telephone Network) infrastructures, which increases the dependency on available and secure VoIP systems for successful business. Attacks against VoIP systems are becoming more imaginative and many attacks can cause damage, e.g., gain money for attackers or create costs for the victim. Therefore, in this paper the current security status of VoIP systems is described based on observations of VoIP attacks in a honeynet. The achieved results can help to adapt existing prevention systems to avoid the recognized and analyzed attacks in a productive environment.

Keywords: Security, Internet telephony, Intrusion detection, Communication system security

Christian Schanes, Florian Fankhauser, Stefan Taber and Thomas Grechenig. Generic data format approach for generation of security test data. In The Third International Conference on Advances in System Testing and Validation Lifecycle, October 2011, Barcelona, Spain (October 2011). IEEE Computer Society Press.
Security testing is an important and at the same time also expensive task for developing robust and secure systems. Test automation can reduce costs of security tests and increase test coverage and, therefore, increase the number of detected security issues during development. A common data format as the basis for specific test cases ensures that the implementation of the generation logic for security test data is only needed once and can be used for various data formats by transforming the data to the common data format, generating the test data and transforming back to the original data format. The introduced approach makes it possible to generate test data for various formats using a single implementation of the generation algorithm and to apply the results to specific test cases in different data formats.

Keywords: Software testing; Computer network security; Fuzzing

Florian Fankhauser, Maximilian Ronniger, Christian Schanes and Thomas Grechenig. Security test environment for VoIP research. International Journal for Information Security Research, 1, 53–60 (March 2011). Infonomics Society.
Voice over IP (VoIP) is in wide use today, replacing phone lines in many scenarios. However, often, security isn’t considered well enough, even though many security attacks are already known. More research on VoIP security is needed to enhance the level of security of VoIP systems and to show the implications of failing to take appropriate security measures. This paper presents a short introduction in testing VoIP components, proposes an architecture and implementation of a robust, flexible and efficient VoIP test environment for security related tests. Experiences using the implemented environment for different VoIP security tests are shown to demonstrate the suitability of the proposed test environment for research and teaching purposes.

Markus Gruber, Florian Fankhauser, Stefan Taber, Christian Schanes and Thomas Grechenig. Trapping and analyzing malicious VoIP traffic using a honeynet approach. In The 6th International Conference on Internet Technology and Secured Transactions (ICITST) (December 2011b).
For several years the number of VoIP (Voice over IP) infrastructures has been increasing and, consequently, the number of VoIP users is increasing too. Under these circumstances VoIP systems become more and more attractive for attackers, since the probability of successful attacks increases and attackers gain benefits, e.g., money with fee-based telephone numbers. Therefore, this paper describes a solution to capture, monitor and report VoIP attacks to gain more knowledge on current and new VoIP attacks.

Keywords: Security, Internet telephony, Intrusion detection, Communication system security

Maximilian Ronniger, Florian Fankhauser, Christian Schanes and Thomas Grechenig. A robust and flexible test environment for VoIP security tests. In Internet Technology and Secured Transactions (ICITST), 2010 International Conference for (pp. 1–6) (November 2010).
Voice over IP (VoIP) is in wide use today, replacing phone lines in many scenarios. However, often, security isn’t considered well enough, even though many security attacks are already known. More research on VoIP security is needed to enhance the level of security of VoIP systems and to show the implications of failing to take appropriate security measures. This paper presents an architecture and implementation of a robust and flexible VoIP test environment for security related tests. Experiences using the implemented environment for different VoIP security tests are shown to demonstrate the suitability of the proposed test environment for research purposes.

Andreas Mauczka, Christian Schanes, Florian Fankhauser, Mario Bernhart and Thomas Grechenig. Mining security changes in FreeBSD. In Mining Software Repositories (MSR), 2010 7th IEEE Working Conference on (pp. 90–93) (Feb–Mar 2010). [ DOI: 10.1109/MSR.2010.5463289 ]
Current research on historical project data rarely touches on the subject of security related information. Learning how security is treated in projects and which parts of a software are historically security relevant or prone to security changes can enhance the security strategy of a software project. We present a mining methodology for security related changes by modifying an existing method of software repository analysis. We use the gathered security changes to find out more about the nature of security in the FreeBSD project and we try to establish a link between the identified security changes and a tracker for security issues (security advisories). We give insights into how security is presented in the FreeBSD project and show how the mined data and known security problems are connected.

Peter Steinbacher, Florian Fankhauser, Christian Schanes and Thomas Grechenig. Work in progress: Black-box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service. In Principles, Systems and Applications of IP Telecommunications (IPTComm’10) (pp. 101–110) (August 2010). New York, NY, USA: ACM. [ DOI: http://doi.acm.org/10.1145/1941530.1941545 ]
One of the main security objectives for internet systems which provide services like Voice over Internet Protocol (VoIP) is to ensure robustness against security attacks in order to fulfill Quality of Service (QoS) requirements. To avoid system failures during attacks, service providers have to integrate countermeasures, which have to be tested. This work evaluates a test approach to determine the efficiency of countermeasures in fulfilling QoS for Session Initiation Protocol (SIP) based VoIP systems even under attack. The main objective of the approach is the evaluation of service availability of a System Under Test (SUT) during security attacks, e.g., Denial of Service (DoS) attacks. Therefore, a simulated system load based on QoS requirements is combined with different security attacks. The observation of the system is based on black-box testing. By monitoring quality metrics of SIP transactions the behavior of the system is measurable. The concept was realized as a prototype and was evaluated using different VoIP systems. For this, multiple security attacks are integrated into the testing scenarios. The outcome showed that the concept provides sound test results, which reflect the availability behavior of SIP systems under various attacks. Thus, security problems can be found and QoS for SIP-based VoIP communication under attack can be predicted.

Keywords: ESSE, Software/Program Verification; Security; Verification; Reliability; Performance

Stefan Taber, Christian Schanes, Clemens Hlauschek, Florian Fankhauser and Thomas Grechenig. Automated security test approach for SIP-based VoIP softphones. In The Second International Conference on Advances in System Testing and Validation Lifecycle, August 2010, Nice, France (August 2010). IEEE Computer Society Press.
Voice over Internet Protocol based systems are becoming more and more a part of business critical IT infrastructures. To increase the robustness of voice applications, automated security testing is required to detect security vulnerabilities in an efficient way. In this paper we present a fuzzer framework to detect security vulnerabilities in Voice over Internet Protocol softphones, which implement the Session Initiation Protocol. The presented approach automates the Graphical User Interface interaction for softphones during fuzzing and also observes the behavior of the softphone Graphical User Interfaces to automatically detect application errors. Results of testing two open source softphones with our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer, and some vulnerabilities were found that are only detectable by using Graphical User Interface observation.

Keywords: ESSE, Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing

Christian Schanes, Florian Fankhauser, Thomas Grechenig, Michael Schafferer, Kai Behning and Dieter Hovemeyer. Problem space and special characteristics of security testing in live and operational environments of large systems exemplified by a nationwide IT infrastructure. In The First International Conference on Advances in System Testing and Validation Lifecycle, September 2009, Porto, Portugal (September 2009). IEEE Computer Society Press.
The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art; however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., use of disaster/recovery mechanisms).

Keywords: Data security; Testing; Privacy; Communication system operations and management

Stefan Bachl, Andreas Mauczka, Wolfgang Schramm and Florian Fankhauser. Softwaretechnik – mit Fallbeispielen aus realen Entwicklungsprojekten. In (1st ed., pp. 651–668) (2009). München: Pearson Studium. [ Download: http://www.inso.tuwien.ac.at/publications/softwaretechnik/ ]

Florian Fankhauser, Christian Schanes and Christian Brem. Softwaretechnik – mit Fallbeispielen aus realen Entwicklungsprojekten. In (1st ed., pp. 593–650) (2009). München: Pearson Studium. [ Download: http://www.inso.tuwien.ac.at/publications/softwaretechnik/ ]

Florian Fankhauser, Thomas Grechenig, Detlef Hühnlein and Manfred Lohmaier. Die Basiskonzepte der Sicherheitsarchitektur bei der Einführung der eGK. In P. Horster (Ed.), D*A*CH security 2007 (pp. 326–337) (2007). syssec.
With the introduction of the electronic health card (eGK) in Germany and the telematics infrastructure required for it, data protection and data security play central roles. The basic conception of the security architecture, derived from the premises of German data protection law and its specific provisions for personal health data, is presented. The core aspects of the security architecture of the telematics infrastructure (TI) for the applications of the electronic health card are explained. The security-providing components deployed in the field are explained in terms of their role and function in the overall architecture.
