Program

The preliminary program below is constantly updated.

---

WED, SEPTEMBER 18TH

SECURITY & CRYPTOGRAPHY FOR THE INTERNET OF TRUST

IT and – more recently – IoT, the Internet of Things, has invaded almost every part of our daily life. Our society is increasingly reliant on smart devices and services, from home automation to manufacturing, medicine, finance and transport. The fact that everything is connected very often means that the connections can also be made by unauthorized entities as well as intended users. Consequently, as a society and global economy, we have become very exposed to a plethora of new IoT security-related threats that never existed before, some of which have the potential to impact profoundly not only the security of our devices but also our own. Academia, industry, governments, standardization bodies and service providers need to work together to transform the Internet of Things to the Internet of Trust. In this talk we will introduce basic concepts that have to be part of virtually all security solutions nowadays. Additionally, we will show many real-life examples that highlight how quickly things can go from “hero” to “zero”.

 A BRIEF INTRODUCTION TO MEMORY SAFETY, EXPLOITATION, AND COUNTERMEASURES

Memory corruption is a central topic in IT security. From stack-based buffer overflows to sophisticated code-reuse attacks, exploits are a constant threat for nearly three decades. Unfortunately, when looking at the statistics, it does not look as this is changing any time soon. In this talk, we give a brief introduction to the security wargame of offensive and defensive security teams and their goals. We try to define what an exploit actually is, and how the process of exploitation works. Based on different real-world exploitation techniques, we show how complicated it is to come up with countermeasures, which lead to secure programs. We demonstrate both exploits and real-world countermeasures on simple programs, as well as on real-world applications.

PENTESTING, A HANDS-ON INTRODUCTION

Pentesting is the art of simulating a hacker attack to ensure the security of the own infrastructure and (IoT-) hardware. We’ll start with an introduction to the stages of a pentest. In it you’ll learn what’s the difference between white and black boxes, the role of social engineering, in other words exploiting the human factor, in modern pentests. Afterwards we’ll provide a short summary of the most common vulnerabilities and tools to exploit them before starting into a hands-on demonstration. The demonstration will show both the attacker’s as well as the victims view of some of the vulnerabilities and their relevance for the enterprise. After the presentation you’ll have an impression of the factors to a successful attack and how they play together.

FACTOR HUMAN IN CYBER SECURITY

The talk presents the sociological and ethical aspects that arise in the development and everyday use of information and communication technologies (ICT) by Styrian small and medium enterprises. The focus is on the structure of sociotechnical cybersecurity networks and the development of a Criteria Catalogue as part of a trustworthy ICT environment. The work is conducted as part of the project CyberSecInStyria funded by the Government of Styria and implemented by the University of Graz in cooperation with Evolaris GmbH and WKO – Cyber-Security-Hotline.

SECURED TRUSTWORTHY IoT PLATFORM (STIP)

Today, there are several limiting factors of successful IoT solutions such as inadequate security protection, limited customer demand, marketplace fragmentation or the diversity of standards and technology barriers. The Secured Trustworthy IoT Platform (STIP) addresses these challenges by focusing on HW security and identification using a scalable and open framework (firmware, application) in order to address market place demands for Industry 4.0, Industrial Automation or Predictive Maintenance applications. The consortium is built up to cover the whole supply chain from HW manufacturer (NXP,TUG) to gateway-implementation (CISC, TUG) to an IoT-integrator (IOT40) and leads to the front-end-provider (trinitec) as the last part in the chain. The STIP partner Silicon Alps Cluster (SAC) has at its disposal a network of actually over 112 partners covering the entire value chain of electronic based systems in Austria.

---

THU, SEPTEMBER 19TH

SECURE DEVELOPMENT LIFECYCLE

Software Security has become an important concept in information security. It tries to provide a common understanding what secure software is and how it can be created. To achieve software security it is not only necessary to improve individual (developer) skills but even more to implement work flows and methodologies for every phase of software development. Thus, a Secure Development Life Cycle provides guidance for secure software throughout the whole process. The three talks will try to shed some light onto this topic from different perspectives and with the speakers respective experiences.

AUTOMOTIVE SECURITY

In recent years, vehicles and automotive systems have become an increasingly rewarding target for hackers. Not only that vehicles have become datacenters on wheels, also the attraction of both with and black hat hackers have has risen exponentially. Moreover, the attacking entities seems to shift from benevolent security researchers to cybercriminals. This session will provide an overview on problems and methods for both attacking and defending automotive systems including technical and industrial perspectives.

SECURITY TESTING

As more and more devices get connected to networks, the security of these devices becomes of crucial importance. Numerous incidents in the past recent years have shown that the current situation is an alarm signal for the future, where we can expect billions of devices connected and influencing our lives. Especially, the IoT space has shown a significant lack of security resulting in almost daily incidents and millions of potentially unsecure but operated devices. Hence, the market needs to increase the security testing effort. As one of many initiatives the EU Cyber Security Act is the beginning of new regulations for the market targeting the security of such devices. Soon these products will have to fulfill specific security requirements and will require a security certification, an independent security test. Security standards and certification schemes do already exist and in this session will have a look at the relevant standards and provide an overview of mentioned initiatives. Many of these standards and schemes have specific requirements with regards to tests. 

In particular, Fuzzing – also known as brute-force vulnerability discovery – is an emerging topic in the realm of security testing and is required by various certification schemes (for the certification of electronic products such as IoT devices) and conformance-testing evaluations. In contrast to traditional vulnerability analysis methods, fuzzing is considered as a cost-efficient and effective technique to identify vulnerabilities. Especially with the rising number of IoT devices entering the market and the increasing complexity of software projects, automated testing techniques like fuzzing are a vital part of security testing in order to discover security vulnerabilities – before attackers do. In this session, we will give an introduction to fuzzing techniques, the state-of-the art of fuzzing and how security evaluation laboratories try to incorporate fuzzing in their security evaluations.

Many wide spread vulnerabilities in today’s connected devices use so called logical security flaws. That means that software bugs and implementation mistakes are used by an attacker. However, there is a second class of attacks that has been applied in the last 20 years, namely physical attacks. These attacks use physical properties and behavior of the hardware or software to perform successful attacks.

High-secure products have been including protection against these kind of attacks to achieve the highest levels of security certification. In this session we want to give insight in how these attacks work and live demonstrate how easy it is to mount these attacks against various targets. As a famous saying in the security community goes: Attacks always get better, never worse.  

FUTURE-PROOF COMMUNICATION SECURITY

Many of the cryptographic schemes used to secure today’s communication were not designed with the functionality and the security requirements in mind that come along with tomorrow’s envisioned use-cases. Cryptography which is future-proof, however, needs to consider a setting with a potentially huge number of users to which data is communicated simultaneously and even with restriction who is allowed to read what. Additionally, it needs to be flexible enough to work on both ends of the spectrum, i.e., resource constrained IoT devices as well as cloud-powered services. What is more, one needs to even consider the increasing importance of cryptographic schemes which are resilient against strong attacks (such as key-leakage or subverted implementations) as well as new security aspects such as readiness for a post-quantum era. For the latter, one also needs to reconsider the choice of standard schemes (such as signatures), which still need to find their way into deployments. This workshop features talks which cover the following aspects of future-proof secure communication (1) flexibility in terms of decryption  capabilities (e.g., attribute-based encryption), (2) strong security features (e.g., forward security by design) and (3) security in the presence of powerful quantum computers, i.e., schemes that provide post-quantum security (e.g., post-quantum secure signature schemes).

---