Tilo Müller's research while affiliated with Hof University of Applied Sciences and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
Publications (50)
While modern-day static analysis tools are capable of finding standard vulnerabilities as well as complex patterns, implementing those tools is expensive regarding both development time and runtime performance. During the last years, domain specific languages like Datalog have gained popularity as they simplify the development process of analyses a...
File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run. Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in...
As known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or—on systems where this is not possible due to secure boot or restrictiv...
In contrast to the common habit of taking full bitwise copies of storage devices before analysis, selective imaging promises to alleviate the problems created by the increasing capacity of storage devices. Imaging is selective if only selected data objects from an image that were explicitly chosen are included in the copied data. While selective im...
Since its launch in 2008, the Android platform has seen a lot of development and improvements to this day. Android developer studios had to refine their understanding and available codebases considerably in the past decade since Android’s conception. For example, they had to handle monumental changes in the OS, like the introduction of ART or the c...
We investigate the amount of information leakage through unencrypted metadata in Android's file-based encryption (FBE) which was introduced as an alternative to the previously dominating full-disk encryption (FDE) in Android 7.0. We propose a generic method, and provide appropriate tooling, to reconstruct forensic events on Android smartphones encr...
Android's accessibility API was designed to assist users with disabilities, or preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including password managers but also malware. From a security perspective, the accessibility API is precarious as...
We present TEEshift, a tool suite that protects the confidentiality and integrity of code by shifting selected functions into TEEs. Our approach works entirely on binary level and does not require the adaptation of source code projects or build environments, nor does it require compiler-level patches. Programmers provide a list of ELF symbols point...
Code similarity measures create a comparison metric showing to what degree two code samples have the same functionality, e.g., to statically detect the use of known libraries in binary code. They are both an indispensable part of automated malware analysis, as well as a helper for the detection of plagiarism (IP protection) and the illegal use of o...
With SDN/NFV, the telecom industry embraces operational flexibility and cost optimization, while facing new risks from off-premise cloud computing, known as introspection by malicious operators. Introspection is identified as a serious risk only by the IT industry in general when considering cloud operation. To mitigate it, processor vendors have i...
The continued popularity of smartphones has led companies from all business sectors to use them for security-sensitive tasks like two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a vital market of commer...
This paper looks at N26, a pan-European banking startup and the poster child for young FinTech companies. We assess how security is treated by startups that provide disruptive technologies in the financial sector. In an area that has been committed to security, we find that FinTech companies have modern designs and outstanding user experience as th...
Software piracy in general and repackaged apps with attached malware in particular pose serious threats for the Android ecosystem. In this paper, we present a cloud-compilation approach enabling sophisticated hardening of apps for non-rooted stock Android. Our design is based on off-device ahead-of-time compilation made possible by the Android Runt...
We present VMAttack, a deobfuscation tool for virtualization-packed binaries based on automated static and dynamic analysis, which offers a simplified view of the disassembly. VMAttack is implemented as a plug-in for IDA Pro and as such, integrates seamlessly with manual reverse engineering. The complexity of the disassembly view is notably reduced...
The Sancus security architecture for networked embedded devices was proposed in 2013 at the USENIX Security conference. It supports remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running u...
A wide adoption of obfuscation techniques by Android application developers, and especially malware authors, introduces a high degree of complication into the process of reverse engineering, analysis, and security evaluation of third-party and potentially harmful apps. In this paper we present the early results of our research aiming to provide rel...
Apps written in JavaScript are an easy target for reverse engineering attacks, e.g. to steal the intellectual property or to create a clone of an app. Unprotected JavaScript apps even contain high level information such as developer comments, if those were not explicitly stripped. This fact becomes more and more important with the increasing popula...
For the first time, we practically demonstrate that Intel SGX enclaves are vulnerable against cache-timing attacks. As a case study, we present an access-driven cache-timing attack on AES when running inside an Intel SGX enclave. Using Neve and Seifert's elimination method, as well as a cache probing mechanism relying on Intel PMC, we are able to e...
In this paper, we present a novel approach on isolating operating system components with Intel SGX. Although SGX has not been designed to work in kernel mode, we found a way of wrapping Linux kernel functionality within SGX enclaves by moving parts of it to user space. Kernel components are strictly isolated from each other such that a vulnerabilit...
We present RamCrypt, a solution that allows unmodified Linux processes to transparently work on encrypted data. RamCrypt can be deployed and enabled on a per-process basis without recompiling user-mode applications. In every enabled process, data is only stored in cleartext for the moment it is processed, and otherwise stays encrypted in RAM. In pa...
The main memory of today’s computers contains lots of sensitive data, in particular from applications that have been used recently. As data within RAM is stored in cleartext, it is exposed to attackers with physical access to a system. In this paper we introduce Exzess, a hardware-based mitigation against physical memory disclosure attacks such as,...
The invasive computing paradigm offers applications the possibility to dynamically spread their computation in a multicore/multiprocessor system in a resource-aware way. If applications are assumed to act maliciously, many security problems arise. In this article, we discuss different ways to deal with security problems in a resource-aware way. We...
Protecting the intellectual property of software that is distributed to third-party devices which are not under full control of the software author is difficult to achieve on commodity hardware today. Modern techniques of reverse engineering such as static and dynamic program analysis with system privileges are increasingly powerful, and despite po...
Despite the fact that protection mechanisms like StackGuard, ASLR and NX are widespread, the development of new defense strategies against stack-based buffer overflows has not yet come to an end. In this paper, we present a compiler-level protection called SCADS: Separated Control-and Data-Stacks. In our approach, we protect return addresses and s...
Due to the proliferation of cloud computing, cloud-based systems are becoming an increasingly attractive target for malware. In an Infrastructure-as-a-Service (IaaS) cloud, malware located in a customer’s virtual machine (VM) affects not only this customer, but may also attack the cloud infrastructure and other co-hosted customers directly. This pa...
Despite the fact that protection mechanisms like StackGuard, ASLR and NX are widespread, the development on new defense strategies against stack-based buffer overflows has not yet come to an end. In this article, we present a novel compiler-level protection called SCADS: Separated Control and Data Stacks that protects return addresses and saved fra...
Physical access to a system allows attackers to read out RAM through cold boot and DMA attacks. Thus far, counter measures protect only against attacks targeting disk encryption keys, while the remaining memory content is left vulnerable. We present a bytecode interpreter that protects code and data of programs against memory attacks by executing t...
Having about 80 % of the market share, Android is currently the clearly dominating platform for mobile devices. Application theft and repackaging remains a major threat and a cause of significant losses, affecting as much as 97 % of popular paid apps. The ease of decompilation and reverse engineering of high-level bytecode, in contrast to native bi...
In the work at hand, we first demonstrate that Android malware can bypass current automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer. A tool called Sand-Finger allowed us to fingerprint Android-based analysis systems. By analyzing the fingerprints of ten unique analysis environments from different vendors,...
We experimentally compare the strength of different source code obfuscation techniques by measuring the performance of human analysts. We describe an experimental setup by which it is possible to compare different obfuscation techniques with each other. As techniques, we considered name overloading and opaque predicates, as well as the combination...
The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes be...
We study the problem of data exposure in main memory caused by insecure deallocation, which is still the default in all common memory management schemes. We propose declarative approaches to handle unreasonably long data lifetime at the programming language level, and present several directions on how current platforms can be improved to minimize t...
In this paper, we propose a new approach for the static detection of Android malware by means of machine learning that is based on software complexity metrics, such as McCabe’s Cyclomatic Complexity and the Chidamber and Kemerer Metrics Suite. The practical evaluation of our approach, involving 20,703 benign and 11,444 malicious apps, witnesses a h...
In this paper, we demonstrate that Android malware can bypass all automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer. We propose a tool called Sand-Finger for the fingerprinting of Android-based analysis systems. By analyzing the fingerprints of ten unique analysis environments from different vendors, we w...
Cold boot attacks exploit the fact that data in RAM gradually fades away over time, rather than being lost immediately when power is cycled off. An attacker can gain access to all memory contents by a restart or short power-down of the system, a so called cold boot. Consequently, sensitive data in RAM like cryptographic keys are exposed to attacker...
At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently encrypts user partitions. On the downside, encrypted smartphones are a nightmare for IT forensics and law enforcement, because brute force appe...
The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently password-based authentication schemes bec...
Software-based disk encryption techniques store necessary keys in main memory and are therefore vulnerable to DMA and cold boot attacks which can acquire keys from RAM. Recent research results have shown operating system dependent ways to overcome these attacks. For example, the TRESOR project patches Linux to store AES keys solely on the microproc...
Current disk encryption techniques store necessary keys in RAM and are therefore susceptible to attacks that target volatile memory, such as Firewire and cold boot attacks. We present TRESOR, a Linux kernel patch that implements the AES encryption algorithm and its key management solely on the microprocessor. Instead of using RAM, TRESOR ensures th...
This document gives an overview over current research within the security group at Friedrich-Alexander-University Erlangen-Nuremberg, Germany, and attempts to describe the future research roadmap of the group. This roadmap is structured around the landscape of cyber crime with its three main groups of actors (attackers, users and investigators) and...
Cold boot attacks exploit the fact that memory contents fade with time and that most of them can be retrieved after a short power-down (reboot). These attacks aim at retrieving encryption keys from memory to thwart disk drive encryption. We present a method to implement disk drive encryption that is resistant to cold boot attacks. More specifically...
Citations
... Accessing this data is normally impossible as each app runs in its own sandbox. Spyware apps achieve these capabilities primarily by abusing the accessibility permission which does not require rooting, echoing prior literature [34][35][36][37][38][39][40] that investigates how accessibility can be abused. ...
... A fuzz testing approach is used by Kalysch et al. [95] to detect defects in the communication between Android applications. The fuzzer identifies the structure of the data encapsulated by Intents and is able to generate random values that fit the expected structures. ...
... For both analysis phases, when searching for weaknesses and vulnerabilities, we followed the methodology set out in the OWASP mobile security testing guide [3]. Actually, more or less the same methodology has been followed by [4] regarding static analysis, [5,6] regarding dynamic analysis, and [7,8] for both types of analysis. ...
... Once the confidential code is delivered to the enclave, it can be executed in isolation. Recent years have seen the emergence of several designs that generally follow this approach, use different TEEs, and offer various trade-offs, both as academic proposals [6,7,8,9,10,11,12,13] and commercial solutions [14,15,16,17]. ...
... QEMU is an emulator and virtualization tool that can be used to virtualize the hardware of an AVD. With QEMU, the emulator can configure a virtualized environment [13]. However, with QEMU, it can be difficult to analyze the malware, because the malware can easily recognize the emulator environment by checking directories such as /dev/qemu_pipe, /dev/socket/qemud or QEMU inspection command through the getprop command. ...
... While SGX focuses on a per-process Root of Trust (RoT), aiming at Digital Rights Management (DRM), SEV focuses on the protection of entire VMs, gearing towards cloud computing. Although there are projects which provide a unified solution across different TEEs [131,132], none of them enables the exclusive protection of user-mode processes on top of real SEV hardware. Exclusively protecting applications with SEV is a challenging task, as these need to be transparently virtualized and encrypted. ...
... 1) Malware analysis. For efficient and accurate malware detection, the authors in [33] investigated code reuse in legitimate and malicious mobile apps, and code similarity measurement techniques were improved in [34]. There are many evasion techniques against static and dynamic malware analyses such as code obfuscation and reflection. ...
... However, their study used static analysis techniques, which are susceptible to errors due to obfuscation, and did not cover all the resiliency requirements set forth by the OWASP. Prior works have also extensively evaluated app hardening techniques [14], audited runtime protection mechanisms [13], or scrutinized specific defense mechanisms such as anti-root [12] or defense libraries such as ProGuard [15]. While previous studies used static analysis and focused on the usage of specific protection methods, the presence of a defense mechanism against a specific type of attack does not guarantee safety against any tampering attack. ...
... PSPs can hire in-house developers to design production rules that create dynamic fraud detection algorithms, including device monitoring, biometrics evaluation, and behavioural pattern analytics [51]. When device ID is inconsistent with historical records, remote access is detected, or session length is longer than normal, rules can be triggered to prompt a Two-Step Verification (TSV) for authentication, or block / suspend accounts [57], [58], [51]. If PSPs use an accelerometer, a tap gesture (light and steady vs. strong and shaky) can be used as an indicator to determine if the customer is under distress [51]. ...
... Arvidsson (2014) investigated consumer attitudes towards mobile phone payments in a study that included Swedish consumers and found that the adoption of a new payment system is linked to perceived ease of use, age, income, trust, and perceived security risks. Security is considered to be a major issue in mobile payment and studies have shown that attackers could have access to customers' accounts due to server security vulnerabilities (Haupert et al., 2017). ...