Secure blockchains in network transition periods
Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
Rational protocol design
Hardware-friendly arithmetization-oriented cryptographic primitives
VIRAS: A Conflict-Driven Descision Procedure for mixed Integer-Real Arithmetic
End-to-end Verification of Side Channel Properties
Trapdoor Memory-Hard Functions
Hyperproperties: from Theory to Practice
Hyperproperties are a general framework to reason about properties requiring comparing multiple system executions, like security properties or robustness requirements. In this workshop, we want to bring together practitioners from different backgrounds with theoreticians developing frameworks for specifying hyperproperties. The workshop format will focus on discussions and promoting the interchange of ideas between different communities.
Secure implementation of the masking countermeasure on different platforms
Invited talk by Frank Leymann (Universität Stuttgart) and discussion on Post-Quantum Security.
Invited talk by Michele Orrù (Sorbonne Université) and discussion on elastic SNARKs.
SpyCoDe researchers participate in ACM CCS 2023.
Five representatives from SpyCoDe actively contributed to the ACM Conference on Computer and Communications Security (CCS) held in Copenhagen, Denmark, from November 26 to 30, 2023. This conference serves as the annual flagship event of the Special Interest Group on Security, Audit, and Control (SIGSAC) within the Association for Computing Machinery (ACM), attracting information security researchers, practitioners, developers, and users worldwide to explore cutting-edge ideas and results.
During November 27-29, the conference featured the presentation of the following research contributions:
CheckMate: Automated Game-Theoretic Security Reasoning by Lea Salome Brugger, Laura Kovács, Anja Petković Komel, Sophie Rain, and Michael Rawson, all from TUW, in the track “Formal Methods and Programming Languages”,
Let’s Go Eevee! A Friendly and Suitable Family of AEAD Modes for IoT-to-Cloud Secure Computation by Amit Singh Bhati (KU Leuven, Belgium), Erik Pohle (KU Leuven, Belgium), Aysajan Abidin (KU Leuven, Belgium, Elena Andreeva (TUW), Bart Preneel (KU Leuven, Belgium) in the track: “Applied Cryptography”,
Cryptographically Enforced Memory Safety by Martin Unterguggenberger, David Schrammel, Lukas Lamster, Pascal Nasahl and Stefan Mangard, all from Graz University of Technology, in the track “Software Security”,
IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis by David Schmidt (TUW), Carlotta Tagliaro (TUW), Kevin Borgolte (Ruhr University Bochum, Germany) and Martina Lindorfer (TUW) in the track “Network Security”.
These insightful presentations showcase SpyCoDe’s commitment to advancing knowledge and innovation in the realm of computer and communications security.
Martina Lindorfer joined as a speaker for the iMentor Workshop.
Individualized Cybersecurity Research Mentoring (iMentor ) Workshop co-located with the ACM Conference on Computer and Communications Security (ACM CCS) virtually. It is dedicated to attracting, mentoring, and providing career guidance to early-stage graduate students from underrepresented communities who aspire to pursue a career in computer security.
Martina gave a talk titled “IoTFlow the Making-Of: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis.” Using the preparation of her article presented at ACM CCS 2023 as an example, she shared with the iMentor cohort the behind-the-scenes journey of the IoTFlow paper — from its initial conception to the different iterations and revisions it underwent.
Abstract. The number of “smart” devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as other software and hardware. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques or developing new approaches that are sufficiently general is challenging though. Contrary to other platforms, the IoT ecosystem features various software and hardware architectures. We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. We analyzed 9,889 manually verified companion apps with IoT-Flow to understand and characterize the current state of security and privacy in the IoT ecosystem. We discovered various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.
Maria Eichlseder received the Hedy Lamarr Prize from the City of Vienna.
Prof. Eichlseder was honored for her contributions to the development of new methods for cryptanalysis. She is one of the designers who developed the Ascon algorithm, which earlier this year was selected by the US National Institute of Standards and Technology (NIST) as the standard for lightweight cryptography. It also won the 2019 CAESAR competition for authenticated encryption in the lightweight applications category.
Lightweight cryptography deals with cryptographic methods that are particularly suitable for use in resource-constrained environments, such as RFID tags or sensors, due to their low resource requirements. This applies in particular to the Internet of Things with its numerous small sensors and actuators, as only little energy and power are available here. Ascon is also suitable for miniature technologies such as medical implants or keyless car openers.
Hedy Lamarr Prize recognizes female researchers in Austria for their outstanding achievements in the field of information technology. The prize is named after the Vienna-born Hollywood actress and scientist Hedy Lamarr. The award winners serve as role models for the next generation and motivate young women to pursue a career in the IT industry.
Invited talk by Christof Ferreira Torres (ETH Zurich) and discussion on the privacy aspects of Web3 wallets
Maria Eichlseder has been awarded a prize for excellence in teaching
Maria Eichlseder, an assistant professor at IAIK, was one of the four recipients honored with a prize for excellence in teaching 2022/23 at Graz University of Technology. She received the accolade for her outstanding lecture in Cryptography.
Krzysztof Pietrzak gave a talk on “Sustainable Blockchains“
Abstract. The Bitcoin blockchain achieves consensus in an open setting, i.e., where everyone can participate. This was believed to be impossible, the key idea to make this possible was to use computing power rather than some kind of identities for voting through “proofs of work”. Unfortunately, this approach is not sustainable: the Bitcoin blockchain burns roughly as much electricity as a country like Austria. We will outline sustainable alternatives for achieving a Bitcoin-like blockchain, with a focus on using disk-space instead of computation and how this is realized in the Chia Network blockchain."
Jonas Juffinger presented “CSI:Rowhammer“ at the Hardwear.io Security Trainings and Conference 2023
The research addresses Rowhammer, a severe security problem in DRAM that allows an unprivileged adversary to gain kernel privileges by inducing electrical disturbance errors. CSI:Rowhammer is a hardware-software co-designed Rowhammer mitigation with principled cryptographic security and integrity guarantees, intentionally avoiding a focus on specific Rowhammer properties. Due to its generic design, the system provides protection against all Rowhammer attacks.
The presentation delved into the comprehensive details of designing a system like CSI:Rowhammer, covering aspects such as implementing low-latency hardware correction, maximizing software correction potential, securing correction routines in software against bit flips, managing possible race conditions, ensuring compatibility with virtual machines, evaluating the entire system, and more.
Outreach to society
Engaging school children and young people in STEM activities.
In two articles featured in the release of doIT 2/2023 in “Der Standard,” SpyCoDe members explore the significance of involving children in STEM activities and investigate the opportunities available in IT for the younger generation.
Sophie Rain introduces the “Abenteuer Informatik für Volksschule” initiative, where elementary school children visit the university to playfully delve into the world of algorithms. While programming education is now accessible to 8-year-old children, adapting content and delivery methods to align with their developmental needs and capabilities is essential. The TU Wien team is dedicated to creating an educational playground for primary and secondary school classes, fostering their interest in STEM. Sophie underscores the initiative’s crucial role in empowering girls to overcome stereotypes suggesting that technology is not for them.
Professor Maria Eichlseder shares her journey in establishing a successful career in IT. A small holiday project involving an encryption algorithm revealed to her the truly exciting nature of cryptography. Despite having limited prior knowledge in informatics from school, her fascination with cryptoanalysis led her to co-author Ascon, an authenticated encryption and hashing algorithm that has become an international standard. Today, Maria characterizes IT as an inspiring environment where individuals can initiate diverse projects, collaborate in dynamic teams, and contribute to their unique interests. The job landscape is expansive, featuring numerous companies and startups in Austria with promising earning potential. Addressing young people, she encourages them by stating, “Getting involved is fun and helps you develop personally!”
Invited talk by Chrysoula Stathakopoulou (Chainlink Labs) and discussion on BBCA
Giulia Scaffino listed amongst Top 30 @ TU Wien Under 30.
In 2023, Giulia Scaffino (27) is listed amongst the “TUW Under 30”, a list of selected TU Wien students and employees. Similar to the” Forbes Under 30”, this list features young and extraordinary researchers and entrepreneurs from the TUW, being able to present exceptional achievements in their area of research. Giulia graduated in nuclear physics and is doing her PhD at the Security& Privacy Research Group of Matteo Maffei. She specializes on Blockchain-protocols and is currently working on a blockchain bridge called “Glimpse”, enabling cross-currency transaction between Krypto-currencies. Giulia presented her results at the renowned IT conference USENIX Security Symposium. For more details see the article featured in the current print issue of the TUW Magazine #02-2023 “Schwerpunkt: Under 30” (pages 26-28) and also her bio online .
Sophie Rain listed amongst Top 30 @ TU Wien Under 30.
Sophie Rain (28) is amongst the “TUW Under 30” in 2023, a list of selected TU Wien students and employees. Similar to the “Forbes Under 30”, this list features young and extraordinary researchers and entrepreneurs from the TUW, being able to present exceptional achievements in their area of research. Sophie is a PhD student in Laura Kovacs’ Research Unit of Formal Methods in Systems Engineering. Her work focuses on the security verification of Blockchain applications by applying mathematical concepts such as game theory, logic and most importantly automated reasoning. Her work was presented at major security conferences such as CAV 2021 and CSF 2023. Furthermore, she is leading the TU Wien initiative “Abenteuer Informatik für Volksschule”, organizing workshops for pupils. For more details see the article featured in the current print issue of the TUW Magazine #02-2023 “Schwerpunkt: Under 30” and also her bio online .
Daniel Gruss gave a talk on “Sustainable Security.“
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria . This lecture series, a pioneering initiative in Austria, unites all Austrian CS departments and faculties to emphasize the vital role of sustainability in computer science. It showcases research solutions for real-world challenges and inspires progress towards a sustainable future.
Abstract. Global ICT electricity consumption is already beyond 11 percent of the worldwide electricity production and still increasing. By 2030 it may reach around 25 percent. Previous approaches to improve efficiency and performance have often sacrificed security, leading to disastrous security issues like Meltdown and Spectre. Patching just these two vulnerabilities increases power consumption on affected computers by a seemingly harmless 5 percent. By 2030, this may be more than 1 percent of the global electricity production by just a single out of thousands of patches. This development is not sustainable, and in this talk, we will discuss both the problem and potential revolutionary solutions."
The TU Wien cryptography expert Prof. Elena Andreeva was featured in the Puls4 documentary Angriff aus dem Internet (Attack from the Internet).
Prof. Andreeva opens the doors to her research space and group at TU Wien, explaining the role of cryptography in today’s digital world. She also discusses how everyday devices like mobile phones can be vulnerable to cyber attacks.
The documentary sheds light on the importance of preventing cyber attacks, given their ubiquitous growth worldwide, and more specifically, in Austria. As the attackers range from criminals to state-run organizations, the targets vary from public administration and states to critical infrastructure and, not least, private individuals. The documentary presents several cyber attacks and discusses directions for prevention.
The interview with Elena Andreeva is available for reading in TU Wien Informatics News.
2023-09-04 Summer School
Graz Security Week 2023 , organized by the Institute of Applied Information Processing and Communication (IAIK) at Graz University of Technology, is set to take place. This event is specifically tailored for graduate students who are enthusiastic about delving into the intricacies of security and correctness in computing devices. The school will cover a diverse range of topics, including Runtime Security, Side-Channels, Privacy, Secure Cryptographic Implementations, and Security Verification. It offers a unique opportunity for participants to deepen their knowledge and engage in discussions surrounding these critical aspects of computer security.
Giulia Scaffino presented “Glimpse“ at the the prestigious “USENIX Security Symposium“
Glimpse stands out as an innovative protocol, facilitating secure cross-chain token transfers in a fully decentralized manner, eliminating the need for large commercial crypto-depots. This accomplishment is the result of collaborative efforts by Giulia Scaffino, Lukas Aumayr, Zeta Avarikioti, and Matteo Maffei.
Notably, the Glimpse protocol is compatible with blockchains that have limited scripting languages. The authors provide a specific implementation of Glimpse for the Liquid Network, a Bitcoin pegged sidechain. The protocol’s security is proven within the Universal Composability (UC) framework, instilling a high level of confidence in its security guarantees. The researchers conducted an economic analysis of the Glimpse protocol, revealing that verifying a simple transaction on Bitcoin-like chains using Glimpse incurs a maximum of 700 bytes of on-chain overhead, resulting in a one-time fee of $3. This fee is only twice as much as a standard Bitcoin transaction, highlighting the cost efficiency of Glimpse. Overall, the presented advancements unlock exciting possibilities for the world of cryptocurrencies.
Verification of Game-Theoretic Security Properties for Blockchain Protocols
PYTHIA: Supercharging Parallel Smart Contract Execution with the help of Optimistic Predictions
2023-04-18 Kick-off event
On April 18, the Technical University of Vienna (TUW) hosted the highly anticipated kick-off event of SPyCoDe, a groundbreaking research program focused on the Semantic and Cryptographic Foundations of Security and Privacy through Composite Design. Generously funded by the Austrian Science Fund (FWF), this initiative aims to delve into the complexities of security and privacy in the digital landscape. The event successfully brought together a diverse group of project participants, fostering an atmosphere of collaboration and innovation.
The presentation of the SPyCoDe program covered its purpose, methodology, research plans, 14 projects, and expected results. It captivated not only the students but also garnered approval from esteemed members of the Advisory Board, including Prof. Véronique Cortier (French National Scientific Research Center (CNRS)), Prof. Bart Preneel (Research group COSIC, KU Leuven), and Prof. Christoph Paar (Ruhr-Universität Bochum). The ensuing discussion proved fruitful, providing invaluable insights and advice crucial to the program’s success in achieving its goals.
Throughout the day, participants seized the opportunity to connect with one another, engaging in informal conversations, knowledge exchange, and thought-provoking discussions. These interactions delved into the complex topics underlying the research activities of the program. A series of cross-cutting sessions facilitated collaborative efforts between the PIs and students, fostering interdisciplinary cooperation and kick-starting joint research. These sessions focused on studying various aspects of security analysis, compositionality, reasoning, and other pertinent subjects, fostering intensive and illuminating dialogue.
The Kickoff event marked a promising beginning for the SPyCoDe research program, which aims to shed light on the intricate world of security and privacy in the digital realm. With a diverse array of projects and a dedicated team of researchers, the program is poised to make significant strides in advancing our understanding and addressing the challenges of this ever-evolving field.