Fraunhofer Institute for Applied and Integrated Security
Fraunhofer Institute for Applied and Integrated Security

Security Evaluation

IT systems are nowadays part of our daily lives and part of many common devices. They perform various sophisticated, and sometimes safety-critical tasks. Security has a direct impact on safety. Lack of security can cause loss of reputation, loss of revenue, and even liability claims.

Many security holes are caused by design or implementation faults. Often developers are not aware of the whole bandwidth of possible attacks on their system. An analysis and evaluation of the system's security aspects is often never done. In addition, security rivals with other goals as costs, duration of the development process, and functionality.

A security evaluation is a crucial part of a high-quality system development. With a security evaluation during the development process, threats can be detected and corrected early. But also after the end of a project, a security evaluation can be useful to know existing threats and potential vulnerabilities of your system, e.g., to avoid them in future systems.

Expertise

Fraunhofer AISEC offers comprehensive and independent tests for the security evaluation of distributed and embedded systems, hardware and software products, or web-based and cloud services. For this purpose, Fraunhofer AISEC can resort to its modern test labs to conduct security tests, compliance tests, and interoperability tests.

  • Hardware lab

    Our hardware testing laboratory, equipped with the newest devices, allows us to perform a huge variety of attacks on embedded systems, reveal vulnerabilities, and develop solutions for their mitigation together with our customers. The bandwidth of our test possibilities ranges from simple attacks on embedded systems, like attacks over open interfaces (JTAG), to passive side-channel attacks and semi-invasive fault-attacks. Our advanced hardware test lab with adequate tool chains ensures that the security of embedded components can be tested with the most recent classes of attacks. 

  • GSM test lab

    Fraunhofer AISEC operates an own GSM test network with a workbench that allows to perform attacks over the mobile network on mobile end devices. The GSM test lab offers the possibility to test various mobile end devices regarding vulnerabilities of the GSM stack. In addition, the lab provides the potential to simulate future payment applications over GSM/UMTS in a realistic way.

  • Smart metering lab

    In Fraunhofer AISEC's testing environment, we analyze commercial smart meter components and evaluate them regarding their security properties, as for the protection profile for smart meter of the German BSI. We help our customers to increase the quality of their products and advise users on the selection of suitable smart meter components. In addition, we develop dedicated security solutions for our customers, which are tailored to their needs, or we support our costumers in improving their products towards more security.

  • Mobile payment lab

    Mobile payment with NFC has a high market potential, since a setup of a complex payment infrastructure is not needed, and transactions can be conducted with passive components without an own power supply. Mobile payment with NFC inherently leads to security challenges. Security properties are here not limited to mobile end devices, but also the communication with readers has to be trustworthy and secure. In our NFC test lab, we analyze and evaluate the security of specific NFC implementations in order to obtain an evidence about the security of NFC-based payment transaction systems.

  • Automotive lab

    Fraunhofer AISEC operates an own test lab, where the security properties of software and hardware components of automotive systems, like ECUs, head units, and interfaces for maintenance and diagnosis, can be validated. This environment is made available for OEMs, suppliers, manufacturers, or system integrators, in order to perform security tests.

  • Cloud Lab

    In the CloudLab of the Fraunhofer AISEC, we run functionality, reliability and interoperability as well as risk assessment and benchmarking tests. In these tests and in close cooperation with our customers, we analyze all components of a cloud ecosystem. In addition, we accompany all relevant development phases, starting with the design of separate service, the prototypes over to the security analysis of market-ready systems. Fraunhofer AISEC tests products and solutions around cloud computing, identity management and the underlying components of service-oriented architectures. Open source solutions, such as Ubuntu and Eucalyptus, comprise the technical foundation of the private cloud operated by us. This enables us to conduct comparative analysis of the security functionality using flexible and efficient, pre-configured virtual machines (VMs) and the services based on them. Beyond this, our offering consists of CloudLabs interoperability tests, which always pose a great challenge when it comes to the operation of identity management systems.

Skills and services at a glance

  • analysis of vulnerabilities of products and solutions
  • technical pre-auditing
  • side channel analysis and fault-attacks on embedded systems
  • fault-detection and fault-tolerance in digital circuits
  • embedded system security evaluation
  • tamper-resistant design strategies
  • development and improvement of countermeasures
  • penetration tests
  • analysis of systems and applications
  • development of test cases
  • security evaluation of cloud services and platforms, also in compliance with the minimal requirements of the BSI
  • verification of privacy issues of cloud services, web servers, etc.

Publications

  • F. Unterstein, J. Heyszl, F. De Santis, R. Specht and G. Sigl. “One Final Improvement Prevents HighResolution EM Attacks against LeakageResilient PRFs Even for FPGAs”. In: Cryptographers Track RSA Conference (CTRSA 2018). Springer, to be published 2018.
  • V. Immler, R. Specht and F. Unterstein. “Your Rails Cannot Hide From Localized EM: How Dual-Rail Logic Fails on FPGAs”. In: Conference on Cryptographic Hardware and Embedded Systems, CHES 2017.
  • J. Obermaier, R. Specht and G. Sigl. “FuzzyGlitch: A Practical Ring Oscillator Based Clock Glitch Attack”. In: 22nd International Conference on Applied Electronics. To appear. IEEE, Sept. 2017.
  • F. Unterstein, J. Heyszl, F. De Santis and R. Specht. “Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks A Practical Security Evaluation on FPGA”. In: Proceedings of 8th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2017). Springer. 2017.
  • A. Zankl, J. Heyszl and G. Sigl. “Automated Detection of Instruction Cache Leaks in Modular Exponentiation Software”. In: Smart Card Research and Advanced Applications: 15th International Conference, CARDIS 2016, Cannes, France, November 7–9, 2016, Revised Selected Papers. Ed. by K. Lemke-Rust and M. Tunstall. Cham: Springer International Publishing, 2017, pp. 228–244.
  • F. Kilic, H. Laner and C. Eckert. “Interactive Function Identification Decreasing the Effort of Reverse Engineering”. In Proceedings of the 11th International Conference on Information Security and Cryptology (Inscrypt 2015), pages 468–487, Springer International Publishing, 2016.

Related Links: