The preliminary program below is constantly updated.


4. September
5. September
9:00 – 10:30 Dr. Mario Lamberger, NXP

Alice and Bob in Wonderland or A first glimpse into the world of cryptography and security.

Benjamin Böck, XSEC infosec

Break and enter: Lessons (not) learned from professional penetration testing 

and live hacking session

10:30 – 11:00 Coffee Coffee
11:00 – 12:30 Michael Schwarz, TU Graz
Red Team vs Blue Team: Memory Safety, Exploitation, and Countermeasures
Dr. Stefan Kraxberger, secinto

Certification Landscape

Dr. Elisabeth Hödl, ubifacts

Privacy and industry as issues for Big Data and AI

12:30 – 14:00 Lunch Lunch
14:00 – 15:15 Thomas Zefferer, TU Graz

Threat Modeling

Partner Pitch

Peter Vrabec, Redhat
Security in Enterprise Open-source Operating System

Partner Pitch

15:15 – 16:00 Coffee + Project tables Coffee + Project tables
16:00 – 17:30 Prof. Bart Preneel, COSIC KU Leuven and imec

Keynote: Challenges for Security and Privacy

Dr. Thomas Pöppelmann, Infineon

Post-quantum cryptography on embedded microcontrollers

Christoph Striecks, AIT

Trust in Chained Blocks: What is the Blockchain Technology?

17:30 – 19:00 Dinner

“Alte Technik”



Mario Lamberger – Alice and Bob in Wonderland or A first glimpse into the world of cryptography and security.

In a connected Internet of Things, the number of opportunities becomes virtually limitless, but equally, so does the number of
potential vulnerabilities.
This talk tries to give an introduction to crucial concepts of cryptography and security which become more and more relevant every day.
We will cover basic building blocks that play a role in almost every secure solution nowadays and will highlight how easy things can go wrong
on many real-life examples from the recent past.

Michael Schwarz – Red Team vs Blue Team: Memory Safety, Exploitation, and Countermeasures

Memory corruption is a central topic in IT security. From stack-based buffer overflows to sophisticated code-reuse attacks, exploits are a constant threat for nearly three decades. In this talk, we give a brief introduction to the security wargame of the red and blue teams and their goals. We try to define what an exploit actually is, and how the process of exploitation works. Based on different real-world exploitation techniques, we show how complicated it is to come up with countermeasures which lead to non-exploitable programs. We demonstrate both exploits and real-world countermeasures on simple programs, as well as on real-world applications.

Bart Preneel – Challenges for Security and Privacy

This talks looks at the major trends in information technology and their impact on security and privacy: this include the Internet of Things, Big Data, and the shift towards cloud architectures. While society is becoming more and more critically dependent on these technologies, governments are exploiting them for mass surveillance and are escalating a cyber war with a major risk for proliferation of powerful tools. At the same time, the crypto wars of the 1990s are returning to center stage. This talk will reflect on how these new threat models affect future research in cryptology and information security.

Slides are available here.

Peter Vrabec – Security in Enterprise Open-source Operating System

What security technologies are provided in an Enterprise Operating System that is being developed the open-source way? How do we satisfy customer’s needs and cultivate open-source communities at the same time? The talk provides an overview of technologies we develop or contribute to. We explain use cases and future directions. We share the lessons learned from working with open-source communities.

Thomas Pöppelmann – Post-quantum cryptography on embedded microcontrollers

Due to their computing power, quantum computers may have the disruptive potential to break various currently used encryption and authentication algorithms within the next 15 to 20 years. Once available, quantum computers could perform certain calculations much faster than today’s computers and would especially threaten currently used asymmetric algorithms such as RSA and elliptic curve cryptography (ECC). This is an issue as almost all internet security standards like transport layer security (TLS), S/MIME or PGP/GPG use these two essential algorithms to protect data communication with smart cards, computers, and servers or embedded IoT systems. An approach that aims to replace RSA and ECC in next generation security protocols is post-quantum cryptography (PQC). However, to withstand quantum calculation power new schemes and mathematical problem have to be found, evaluated, and implemented. Such implementation can be particularly challenging on constrained devices with limited processing power or small internal memories. In this talk we will provide an overview on latest results regarding the implementation of PQC on microcontrollers and smart cards. Moreover, we briefly discuss the current state of PQC standardization.

Christoph Striecks – Trust in Chained Blocks: What is the Blockchain Technology?

This talk will give an introduction to the Blockchain technology. Thereby, the basic concepts will be explained as well as challenges and opportunities tailored for industries presented. In particular, the focus will be on (a) what the Blockchain is, (b) what the Blockchain is not, and (c) what application areas might benefit from the technology.

Benjamin Boeck – Break and enter: Lessons (not) learned from professional penetration testing

Penetration tests are authorized simulated attacks on computer systems in order to evaluate their security. In this talk, we present interesting and sometimes outrageous results from recent assignments as “professional attackers”. Our targets include technical solutions such as networks, clients and applications – but in social engineering attacks, the human element as the weakest link in information security can be “hacked” as well.

Elisabeth Hoedl – Privacy and industry as issues for Big Data and AI

The concept of privacy defines the limits of human coexistence. Global computer technology and the associated technological networking make privacy an issue of data protection. The heart of data protection is the identifiability of individuals. Industry phenomena – such as the Internet of Things, AI and Big Data – allow more and more data to be linked together. This increases the possibility of identifying persons. And that is both an opportunity and a risk. But one thing is clear: The tasks of the person responsible for the security of this data are growing massively. Data security must, for example, be integrated into the planning of technical systems. Privacy is also becoming a hot topic in cyber security. And this protection is now legally standardized, especially in Europe. The General Data Protection Regulation (GDPR) is thus a central issue. The rules are therefore of the greatest interest to anyone who processes personal data. The presentation sheds light on the meaning of the term and the associated responsibility for industry and business.

Thomas Zefferer – Threat Modeling

Being aware of potential IT-security related risks is vital for any organization, irrespective of its size and domain. Threat modeling appears to be a promising approach to accomplish this endeavor in a systematic way. In our highly dynamic and increasingly complex IT world, threat modeling and the identification of potential risks have become challenging and extensive tasks.
This talk motivates the general ideas behind threat modeling, focusing on the context of risk analysis and risk management within an organization’s IT infrastructure. It introduces fundamental concepts and discusses challenges to overcome when applying these concepts in practice. This way, this talk serves as starting point for organizations seeking to become aware of their security-related risks.