Service and Application Security

Security for distributed applications

Devices in the Internet of Things, mobile applications and cloud infrastructures — the challenges for IT security are constantly getting more complex due to the growing number of components and the heterogeneity of the platforms. Formerly monolithic programs have long since evolved into distributed architectures in which applications and services work together.

The field of Service & Application Security is primarily concerned with the security and data protection of distributed applications as well as secure cloud and container infrastructures. Novel solutions are developed and implemented based on current results from security research.

Fields of Research

Applied Privacy Technologies

The research field Applied Privacy Technologies addresses the dichotomy between deriving value from data processing and data protection. The goal is to support digital self-determination. This includes practical applications of state-of-the-art cryptography, such as attribute-based encryption (ABE), searchable encryption (SE) and the use of privacy-enhancing technologies (PETs). Our experts design secure, decentralized services and architectures for the future Internet technologies such as self-sovereign identities (SSI).
 

Secure Data Ecosystems

The research field Secure Data Ecosystems focuses on technologies which enable companies to exchange data in a secure environment. The main topics are the analysis, conceptual design and further development of all components that are essential for a data ecosystem. This includes secure gateways for data exchange, the transformation to trustworthy cloud infrastructures and all topics around International Dataspaces and GAIA-X. We help with analysing the status quo and assist with the certification or evaluation of components and systems.

 

Software Security

The focus of the research area Software Security is the exploration and application of techniques for the analysis and evaluation of software artifacts, such as backend applications or mobile applications. This includes novel capabilities for dynamic and static code analysis, such as code property graphs. Our solutions, some of which are published as open source, enable use cases such as the correct use of cryptographic libraries.

 

Labs

Our experts work on future topics in the field of service and application security in a wide range of laboratories. For example, our employees and customers have access to an extensive Secure Data Ecosystems lab, where new types of technologies for secure data exchange can be tested. The closely related Cloud Security lab provides hands-on experience in container virtualization with Kubernetes and access to public cloud systems such as Azure and AWS. A range of radio-based communications technology, such as Bluetooth, LTE and 5G (under construction), completes the lab offerings.

Cloud Security Lab

The Cloud Security Lab at Fraunhofer AISEC enables a wide range of evaluation services for securing cloud services.

Software Security Lab

Fraunhofer AISEC studies and evaluates the security of software and applications in a state-of-the-art laboratory environment.

Secure Data Ecosystems

The Secure Data Ecosystems research lab provides the necessary infrastructure for the development, planning and implementation of trusted data spaces.

 

Offerings

Our goal is to work closely with our customers and partners to systematically improve the ability to assess the security of systems and products, to evaluate system reliability, design systems to be secure, and sustainably maintain security throughout the lifecycle.

Evaluate security

  • As part of threat and risk assessments, we evaluate the security of distributed systems. Typical systems consist, for example, of a web application and an associated backend.
  • In practical security audits and penetration tests, we act as the attacker and uncover security vulnerabilities in mobile application or cloud system on your behalf.
  • Through source code audits with a focus on Java, TypeScript and C++, we provide detailed insights into the security of your applications.
  • An as-is analysis of existing solutions allows us to identify options on how to build secure data ecosystems. 

Design security 

  • During the development process, we give advise on how to design your applications regarding security and data protection.
  • In a collaboration with the customer, we show the potential of new security technologies such as Self-Sovereign Identities or Searchable Encryption. We also prototype innovative concepts, such as information flow and data usage control in IoT architectures.

Maintain security

  • Offers around compliance and assurance monitoring (e.g. of cloud systems) complete our portfolio.
  • Consulting on the security and compliance of cloud computing and container solutions and accompany you in the preparation of certification projects.

Selected Projects

 

Clouditor

Clouditor helps organizations to automatically comply with critical security and compliance requirements.

 

 

re:claimID

With re:claimID, Fraunhofer AISEC created a tool for self-sovereign management of digital identities. It enables users to securely manage digital identities and personal information and share them with other parties over a decentralized directory.

 

CODYZE

In this project, an automatic tool was developed for the BSI that validates whether cryptographic libraries are being used correctly. 

 

Selected Initiatives and Collaborations

 

Sovereign Data Exchange

International Data Spaces

The International Data Spaces enable the sovereign, and thus self-determined, sharing of data across company borders.

 

Fraunhofer CCIT

Trackchain Technology

To be able to continue the path of increasing digitalization on an international scale, logistics needs an Internet with cognitive capabilities and secure networked data spaces. As part of Fraunhofer CCIT, Fraunhofer AISEC is developing seamless trustworthy goods tracking with cognitive sensor technology and blockchain technology.

 

Publications

  • Christian Banse, Florian Wendland, and Konrad Weiss. “Automatisierte Compliance-Prüfung in Software-Artefakten”. In: Deutschland. Digital. Sicher. 30 Jahre BSI. SecuMedia Verlag, 2021. ISBN: 978-3-922746-83-6.
  • Georg Bramm, Matthias Hiller, Christian Hofmann, Stefan Hristozov, Maximilian Oppelt, Norman Pfeiffer, Martin Striegel, Matthias Struck, and Dominik Weber. “CardioTEXTIL: Wearable for Monitoring and End-to-End Secure Distribution of ECGs”. In: IEEE 17th International Conference on
    Wearable and Implantable Body Sensor Networks (BSN). 2021.
  • Felicitas Hetzelt, Martin Radev, Robert Buhren, Mathias Morbitzer, and Jean-Pierre Seifert. “VIA: Analyzing Device Interfaces of Protected Virtual Machines”. In: 37th Annual Computer Security Applications Conference (ACSAC 2021). 2021.
  • Christian Banse, Immanuel Kunz, Angelika Schneider, and Konrad Weiss. “Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis”. In: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD). IEEE. 2021.
  • Alexander Küchler, Alessandro Mantovani, Yufei Han, Leyla Bilge, and Davide Balzarotti. “Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes”. In: Network andDistributed Systems Security (NDSS) Symposium. 2021.

  • Georg Bramm and Julian Schütte. “cipherPath: Efficient Traversals over Homomorphically Encrypted Paths.” In: ICETE. 2020.
  • Immanuel Kunz, Christian Banse, and Philipp Stephanow. “Selecting Privacy Enhancing Technologies for IoT-Based Services”. In: International Conference on Security and Privacy in Communication Systems. Springer. 2020.
  • Immanuel Kunz, Valentina Casola, Angelika Schneider, Christian Banse, and Julian Schütte. “Towards Tracking Data Flows in Cloud Architectures”. In: IEEE International Conference on Cloud Computing (CLOUD). IEEE. 2020.
  • Immanuel Kunz, Philipp Stephanow, and Christian Banse. “An Edge Framework for the Application of Privacy Enhancing Technologies in IoT Communications”. In: International Conference on Communications (ICC). IEEE. 2020.
  • Luca Wilke, Jan Wichelmann, Mathias Morbitzer, and Eisenbarth Thomas. “SEVurity: No Security Without Integrity Breaking Integrity Free
    Memory Encryption with Minimal Assumptions”. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, MAY 1820, 2020. IEEE. 2020.
  • Dorian Knoblauch and Christian Banse. “Reducing implementation efforts in continuous auditing certification via an Audit API”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer. “Scanclave: Verifying Application Runtime Integrity in Untrusted Environments”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer, Manuel Huber, and Julian Horsch. “Extracting Secrets from Encrypted Virtual Machines”. In: Proceedings of the Ninth ACM on Conference on Data and Application Security and Privacy. CODASPY ’19. Richardson, Texas, USA: ACM, 2019, p. 10. ISBN: 9781450360999. DOI: 10.1145/3292006.3300022.
    URL: https://doi.org/10.1145/3292006.3300022.
  • Martin Schanzenbach, Thomas Kilian, Julian Schütte, and Christian Banse. “ZKlaims: Privacy-preserving Attribute-based Credentials using Non-interactive
    Zero-knowledge Techniques”. In: Proceedings of the 16th International Conference on Security and Cryptography (SECRYPT 2019), part of ICETE. 2019.
  • Julian Schütte and Dennis Titze. “liOS: Lifting iOS Apps for Fun and Profit”. In: Proceedings of the International Workshop on Secure Internet of Things (SIoT). Luxembourg: IEEE, 2019.
  • Konrad Weiss and Julian Schütte. “Annotary: A Concolic Execution System for Developing Secure Smart Contracts”. In: Proceedings of 24rd European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science. Springer, Sept. 2019.

  • Georg Bramm, Mark Gall, and Julian Schütte. “BDABE-Blockchain-based Distributed Attribute based Encryption.” In: ICETE (2). 2018, pp. 265–276
  • Manuel Huber Gerd S. Brost, Julian Schütte Michael Weiß Mykolai Protsenko, and Sascha Wessel. “An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space”. In: CPSS’18: The 4th ACM CyberPhysical
    System SecurityWorkshop. CPSS’18. Incheon, Republic of Korea: ACM, 2018, pp. 39–50. ISBN: 9781450357555. DOI: 10.1145/3198458.3198459.
    URL: https://doi.org/10.1145/3198458.3198459.
  • Wolfgang Gräther, Sabine Kolvenbach, Rudolf Ruland, Julian Schütte, Christof Torres, and Florian Wendland. “Blockchain for Education: Lifelong Learning Passport”. In: Proceedings of 1st ERCIM Blockchain Workshop 2018. Reports of the European Society for Socially Embedded Technologies: vol. 2, no. 10. European Society for Socially Embedded Technologies (EUSSET), 2018.
  • Mathias Morbitzer, Manuel Huber, Julian Horsch, and Sascha Wessel. “SEVered: Subverting AMD’s Virtual Machine Encryption”. In: Proceedings of the 11th European Workshop on Systems Security. EuroSec’18. Porto, Portugal: ACM, 2018. ISBN: 9781450356527. DOI: 10.1145/3193111.
    3193112.
    URL: https://doi.org/10.1145/3193111.3193112.
  • Martin Schanzenbach, Christian Banse, and Julian Schütte. “Practical Decentralized Attribute-Based Delegation Using Secure Name Systems”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 244–251. DOI: 10.1109/TrustCom/BigDataSE.2018.00046.
  • Martin Schanzenbach, Georg Bramm, and Julian Schütte. “reclaimID: Secure, Self-Sovereign Identities Using Name Systems and Attribute-Based Encryption”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 946–957. DOI: 10.1109/TrustCom/BigDataSE.2018.00134.
  • Julian Schütte and Gerd Brost. “LUCON: Data Flow Control for Message-Based
    IoTSystems”. In: Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). Aug. 2018.
  • Florian Wendland and Christian Banse. “Enhancing NFV Orchestration with Security Policies”. In: ARES 2018: International Conference on Availability, Reliability and Security, August 27–30, 2018, Hamburg, Germany. New York, NY, USA: ACM, 2018. ISBN: 9781450364485/18/08. DOI: 10.1145/3230833.3233253.