Service and Application Security

Security for distributed applications

Devices in the Internet of Things, mobile applications and cloud infrastructures — the challenges for IT security are constantly getting more complex due to the growing number of components and the heterogeneity of the platforms. Formerly monolithic programs have long since evolved into distributed architectures in which applications and services work together.

The field of Service & Application Security is primarily concerned with the security and data protection of distributed applications as well as secure cloud and container infrastructures. Novel solutions are developed and implemented based on current results from security research.

Fields of Research

Applied Privacy Technologies

The research field Applied Privacy Technologies addresses the dichotomy between deriving value from data processing and data protection. The goal is to support digital self-determination. This includes practical applications of state-of-the-art cryptography, such as attribute-based encryption (ABE), searchable encryption (SE) and the use of privacy-enhancing technologies (PETs). Our experts design secure, decentralized services and architectures for the future Internet technologies such as self-sovereign identities (SSI).

Secure Data Ecosystems

The research field Secure Data Ecosystems focuses on technologies which enable companies to exchange data in a secure environment. The main topics are the analysis, conceptual design and further development of all components that are essential for a data ecosystem. This includes secure gateways for data exchange, the transformation to trustworthy cloud infrastructures and all topics around International Dataspaces and GAIA-X. We help with analysing the status quo and assist with the certification or evaluation of components and systems.


Software Security

The focus of the research area Software Security is the exploration and application of techniques for the analysis and evaluation of software artifacts, such as backend applications or mobile applications. This includes novel capabilities for dynamic and static code analysis, such as code property graphs. Our solutions, some of which are published as open source, enable use cases such as the correct use of cryptographic libraries.



Our experts work on future topics in the field of service and application security in a wide range of laboratories. For example, our employees and customers have access to an extensive Secure Data Ecosystems lab, where new types of technologies for secure data exchange can be tested. The closely related Cloud Security lab provides hands-on experience in container virtualization with Kubernetes and access to public cloud systems such as Azure and AWS. A range of radio-based communications technology, such as Bluetooth, LTE and 5G (under construction), completes the lab offerings.

Cloud Security Lab

The Cloud Security Lab at Fraunhofer AISEC enables a wide range of evaluation services for securing cloud services.

Software Security Lab

Fraunhofer AISEC studies and evaluates the security of software and applications in a state-of-the-art laboratory environment.

Secure Data Ecosystems

The Secure Data Ecosystems research lab provides the necessary infrastructure for the development, planning and implementation of trusted data spaces.



Our goal is to work closely with our customers and partners to systematically improve the ability to assess the security of systems and products, to evaluate system reliability, design systems to be secure, and sustainably maintain security throughout the lifecycle.

Evaluate security

  • As part of threat and risk assessments, we evaluate the security of distributed systems. Typical systems consist, for example, of a web application and an associated backend.
  • In practical security audits and penetration tests, we act as the attacker and uncover security vulnerabilities in mobile application or cloud system on your behalf.
  • Through source code audits with a focus on Java, TypeScript and C++, we provide detailed insights into the security of your applications.
  • An as-is analysis of existing solutions allows us to identify options on how to build secure data ecosystems. 

Design security 

  • During the development process, we give advise on how to design your applications regarding security and data protection.
  • In a collaboration with the customer, we show the potential of new security technologies such as Self-Sovereign Identities or Searchable Encryption. We also prototype innovative concepts, such as information flow and data usage control in IoT architectures.

Maintain security

  • Offers around compliance and assurance monitoring (e.g. of cloud systems) complete our portfolio.
  • Consulting on the security and compliance of cloud computing and container solutions and accompany you in the preparation of certification projects.

Selected Projects



Clouditor helps organizations to automatically comply with critical security and compliance requirements.




With re:claimID, Fraunhofer AISEC created a tool for self-sovereign management of digital identities. It enables users to securely manage digital identities and personal information and share them with other parties over a decentralized directory.



In this project, an automatic tool was developed for the BSI that validates whether cryptographic libraries are being used correctly. 




The Service and Application Security department provides its cybersecurity expertise in the field of "code analysis" in the BMBF research project "6G-ANNA".

Selected Initiatives and Collaborations


Sovereign Data Exchange

International Data Spaces

The International Data Spaces enable the sovereign, and thus self-determined, sharing of data across company borders.


Fraunhofer CCIT

Trackchain Technology

In order to enhance digitalization on an international scale, logistics needs an internet with cognitive capabilities and secure networked data spaces. As part of the Fraunhofer CCIT, Fraunhofer AISEC is developing trustworthy goods tracking with cognitive sensor technology and blockchain technology.



  • Christian Banse, Immanuel Kunz, Nico Haas and Angelika Schneider. “A Semantic Evidence-based Approach to Continuous Cloud Service Certification”. In: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing. SAC ’23. New York, NY, USA: Association for Computing Machinery, 2023.
  • Alexander Küchler, Leon Wenning and Florian Wendland. “AbsIntIO: Towards Showing the Absence of Integer Overflows in ARM Binaries”. In: Proceedings of ACM Asia Conference on Computer and Communications Security. ASIA CCS ’23. 2023.
  • Immanuel Kunz, Konrad Weiss, Angelika Schneider and Christian Banse. “Privacy Property Graph: Towards Automated Privacy Threat Modeling via Static Graph-based Analysis”. In: Proceedings on Privacy Enhancing Technologies. 2023.

  • Alexander Küchler and Christian Banse. “Representing LLVM-IR in a Code Property Graph”. In: Information Security. Ed. by Willy Susilo, Xiaofeng Chen, Fuchun Guo, Yudi Zhang, and Rolly Intan. ISC ’22. Springer, 2022, pp. 360–380.
  • Immanuel Kunz, Angelika Schneider, Christian Banse, Konrad Weiss, and Andreas Binder. “Poster: Patient Community – A Test Bed for Privacy Threat Analysis”. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. CCS ’22. 2022. DOI: 10.1145/ 3548606.3564253.
  • Antoine d’Aligny, Emmanuel Benoist, Florian Dold, Christian Grothoff, Özgür Kesim, and Martin Schanzenbach. “Who comes after us? The correct mindset for designing a Central Bank Digital Currency”. In: SUERF Policy Note 279 (2022). URL:
  • Özgür Kesim, Christian Grothoff, Florian Dold, and Martin Schanzenbach. “Zero-Knowledge Age Restriction for GNU Taler”. In: Proceedings of 27rd European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science. Springer, 2022.
  • Immanuel Kunz and Andreas Binder. “Application-Oriented Selection of Privacy Enhancing Technologies”. In: Annual Privacy Forum. Springer. 2022, pp. 75–87.
  • Immanuel Kunz, Angelika Schneider, and Christian Banse. “A Continuous Risk Assessment Methodology for Cloud Infrastructures”. In: 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid). IEEE. 2022, pp. 1042–1051.
  • Florian Lauf, Marcel Klöttgen, Hendrik Meyer zum Felde, and Robin Brandstädter. “Donating Medical Data as a Patient Sovereignly: A Technical Approach”. In: 15th International Conference on Health Informatics (HEALTHINF 2022). 2022.
  • Konrad Weiss and Christian Banse. A Language Independent Analysis Platform for Source Code. 2022. arXiv: 2203.08424 [cs.CR]. URL:

  • C. Banse, I. Kunz, A. Schneider, and K. Weiss. “Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis”. In: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD). Los Alamitos, CA, USA: IEEE Computer Society, 2021, pp. 13–19. DOI: 10.1109/CLOUD53861.2021.00014.
  • Christian Banse. “Data Sovereignty in the Cloud Wishful Thinking or Reality?” In: Proceedings of the 2021 on Cloud Computing Security Workshop. CCSW ’21. Virtual Event, Republic of Korea: Association for Computing Machinery, 2021, 153–154. ISBN: 9781450386531. DOI: 10.1145/3474123.3486792.
  • Christian Banse, Florian Wendland, and Konrad Weiss. “Automatisierte Compliance-Prüfung in Software-Artefakten”. In: Deutschland. Digital. Sicher. 30 Jahre BSI. SecuMedia Verlag, 2021. ISBN: 9783922746836.
  • Georg Bramm, Matthias Hiller, Christian Hofmann, Stefan Hristozov, Maximilian Oppelt, Norman Pfeiffer, Martin Striegel, Matthias Struck, and Dominik Weber. “CardioTEXTIL: Wearable for Monitoring and End-to-End Secure Distribution of ECGs”. In: IEEE 17th International Conference on Wearable and Implantable Body Sensor Networks (BSN). 2021. DOI: to appear.
  • Felicitas Hetzelt, Martin Radev, Robert Buhren, Mathias Morbitzer, and Jean-Pierre Seifert. “VIA: Analyzing Device Interfaces of Protected Virtual Machines”. In: 37th Annual Computer Security Applications Conference (ACSAC 2021). 2021.
  • Alexander Küchler, Alessandro Mantovani, Yufei Han, Leyla Bilge, and Davide Balzarotti. “Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes”. In: Network and Distributed Systems Security (NDSS) Symposium. 2021.
  • Hendrik Meyer zum Felde, Mathias Morbitzer, and Julian Schütte. “Securing Remote Policy Enforcement by a Multi-Enclave based Attestation Architecture”. In: 19th IEEE international conference on embedded and ubiquitous computing (EUC 2021). 2021.
  • Mathias Morbitzer, Sergej Proskurin, Martin Radev, Marko Dorfhuber, and Erick Quintanar Salas. “SEVerity: Code Injection Attacks against Encrypted Virtual Machines”. In: 15th IEEE Workshop on Offensive Technologies (WOOT). 2021.
  • Martin Schanzenbach, Christian Grothoff, Hansjürg Wenger, and Maximilian Kaul. “Decentralized Identities for Self-sovereign End-users (DISSENS)”. In: Open Identity Summit 2021. Ed. by Heiko Roßnagel, Christian H. Schunck, and Sebastian Mödersheim. Bonn: Gesellschaft für Informatik e.V., 2021, pp. 47–58.

  • Georg Bramm and Julian Schütte. “cipherPath: Efficient Traversals over Homomorphically Encrypted Paths.” In: ICETE. 2020.
  • Immanuel Kunz, Christian Banse, and Philipp Stephanow. “Selecting Privacy Enhancing Technologies for IoT-Based Services”. In: International Conference on Security and Privacy in Communication Systems. Springer. 2020.
  • Immanuel Kunz, Valentina Casola, Angelika Schneider, Christian Banse, and Julian Schütte. “Towards Tracking Data Flows in Cloud Architectures”. In: IEEE International Conference on Cloud Computing (CLOUD). IEEE. 2020.
  • Immanuel Kunz, Philipp Stephanow, and Christian Banse. “An Edge Framework for the Application of Privacy Enhancing Technologies in IoT Communications”. In: International Conference on Communications (ICC). IEEE. 2020.
  • Luca Wilke, Jan Wichelmann, Mathias Morbitzer, and Eisenbarth Thomas. “SEVurity: No Security Without Integrity Breaking Integrity Free
    Memory Encryption with Minimal Assumptions”. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, MAY 1820, 2020. IEEE. 2020.
  • Dorian Knoblauch and Christian Banse. “Reducing implementation efforts in continuous auditing certification via an Audit API”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer. “Scanclave: Verifying Application Runtime Integrity in Untrusted Environments”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer, Manuel Huber, and Julian Horsch. “Extracting Secrets from Encrypted Virtual Machines”. In: Proceedings of the Ninth ACM on Conference on Data and Application Security and Privacy. CODASPY ’19. Richardson, Texas, USA: ACM, 2019, p. 10. ISBN: 9781450360999. DOI: 10.1145/3292006.3300022.
  • Martin Schanzenbach, Thomas Kilian, Julian Schütte, and Christian Banse. “ZKlaims: Privacy-preserving Attribute-based Credentials using Non-interactive Zero-knowledge Techniques”. In: Proceedings of the 16th International Conference on Security and Cryptography (SECRYPT 2019), part of ICETE. 2019.
  • Julian Schütte and Dennis Titze. “liOS: Lifting iOS Apps for Fun and Profit”. In: Proceedings of the International Workshop on Secure Internet of Things (SIoT). Luxembourg: IEEE, 2019.
  • Konrad Weiss and Julian Schütte. “Annotary: A Concolic Execution System for Developing Secure Smart Contracts”. In: Proceedings of 24rd European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science. Springer, Sept. 2019.
  • Georg Bramm, Mark Gall, and Julian Schütte. “BDABE-Blockchain-based Distributed Attribute based Encryption.” In: ICETE (2). 2018, pp. 265–276
  • Manuel Huber Gerd S. Brost, Julian Schütte Michael Weiß Mykolai Protsenko, and Sascha Wessel. “An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space”. In: CPSS’18: The 4th ACM CyberPhysical System SecurityWorkshop. CPSS’18. Incheon, Republic of Korea: ACM, 2018, pp. 39–50. ISBN: 9781450357555. DOI: 10.1145/3198458.3198459.
  • Wolfgang Gräther, Sabine Kolvenbach, Rudolf Ruland, Julian Schütte, Christof Torres, and Florian Wendland. “Blockchain for Education: Lifelong Learning Passport”. In: Proceedings of 1st ERCIM Blockchain Workshop 2018. Reports of the European Society for Socially Embedded Technologies: vol. 2, no. 10. European Society for Socially Embedded Technologies (EUSSET), 2018.
  • Mathias Morbitzer, Manuel Huber, Julian Horsch, and Sascha Wessel. “SEVered: Subverting AMD’s Virtual Machine Encryption”. In: Proceedings of the 11th European Workshop on Systems Security. EuroSec’18. Porto, Portugal: ACM, 2018. ISBN: 9781450356527. DOI: 10.1145/3193111.
  • Martin Schanzenbach, Christian Banse, and Julian Schütte. “Practical Decentralized Attribute-Based Delegation Using Secure Name Systems”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 244–251. DOI: 10.1109/TrustCom/BigDataSE.2018.00046.
  • Martin Schanzenbach, Georg Bramm, and Julian Schütte. “reclaimID: Secure, Self-Sovereign Identities Using Name Systems and Attribute-Based Encryption”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 946–957. DOI: 10.1109/TrustCom/BigDataSE.2018.00134.
  • Julian Schütte and Gerd Brost. “LUCON: Data Flow Control for Message-Based IoTSystems”. In: Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). Aug. 2018.
  • Florian Wendland and Christian Banse. “Enhancing NFV Orchestration with Security Policies”. In: ARES 2018: International Conference on Availability, Reliability and Security, August 27–30, 2018, Hamburg, Germany. New York, NY, USA: ACM, 2018. ISBN: 9781450364485/18/08. DOI: 10.1145/3230833.3233253.