Universität Hamburg

SVS - Security in Distributed Systems

Fortgeschrittene IT-Sicherheit (Advanced IT Security) - SS 2006

18.483   Oberseminar (research seminar): Fortgeschrittene IT-Sicherheit
Organisers:
Dieter Gollmann (TU Hamburg-Harburg), Joachim Posegga
Time:
Thursday 18:15-20:00 (2 SWS, i.e. two teaching hours per week)
Location:
Room 221, ESA 1 W - Main Campus
Edmund-Siemers-Allee 1, 20146 Hamburg


_________________________
Excerpt from the course catalogue (KVV):

Security-relevant topics of computer systems are presented and discussed in depth on the basis of current project, bachelor's and diploma theses and doctoral research. The seminar is offered jointly by the SVA group of the Hamburg University of Technology (TU Hamburg-Harburg) and the SVS group of the Department of Informatics of the University of Hamburg; it is also intended to serve the exchange of current research results between the two groups and to deepen their cooperation.

The research seminar (Oberseminar) is intended to give students and doctoral candidates specialising in IT security a platform to present and discuss current problems and research work in the field of IT security. Guest lectures are also planned.

Schedule

2006-04-06, Room 221, ESA 1 W, Main Campus
    Prof. Dr. Joachim Posegga (University of Hamburg) and Prof. Dr. Dieter Gollmann (TU Hamburg-Harburg): Introduction
    Henrich Pöhls (University of Hamburg): Smartcard Firewalls Revisited

2006-04-13: no session

2006-04-20, Room 221, ESA 1 W, Main Campus
    Jens Ove Lauf (TU Hamburg-Harburg): Monitoring and Security of Containers (PDF)

2006-04-27, Room 221, ESA 1 W, Main Campus
    Asem Hassan (TU Hamburg-Harburg): Conceptual Design of Identity Management in a Profile-Based Access Control System

2006-05-04, Room 221, ESA 1 W, Main Campus
    Michel Galassi (TU Hamburg-Harburg): Integration of a hardware acceleration unit for IPsec into the Linux Kernel (PDF)

2006-05-11, Room 221, ESA 1 W, Main Campus
    Harald Sauff (TU Hamburg-Harburg): Implementation of a Crypto Framework on Sensor Nodes (PDF)

2006-05-18: no session

Tuesday 2006-05-23, 6:15 p.m., TU Harburg, room D 1023, Building D, Schwarzenbergstrasse 95, main campus
    (campus map: http://www.tu-harburg.de/tuhh/campusplan.html)
    Jan Seedorf (University of Hamburg): Self-Certifying SIP-URIs (PDF)
    Martin Johns (University of Hamburg): Client Side Protection against Session Riding Attacks

2006-05-25: holiday (Ascension Day, "Himmelfahrt")

2006-06-01, Room 221, ESA 1 W, Main Campus
    Bhaskar Kalyan Bysani (TU Hamburg-Harburg): Enterprise Application Integration through Secure Web Services

2006-06-08: holiday (Whitsun break, "Pfingstferien")

2006-06-15, Room 221, ESA 1 W, Main Campus
    Tilmann Holst (University of Hamburg): Possible Threats to PGP key servers
    Martin Hinz (University of Hamburg): Outsourcing in Software Projects - a risk and protective measure analysis of data confidentiality and integrity (PDF)

2006-06-22, Room 221, ESA 1 W, Main Campus
    Thilo Mende (University of Hamburg): Using Compiler Intermediate Representations for Security-related Static Analysis (PDF)

2006-06-29, 6:15 p.m., TU Harburg, room D 1021, Building D, Schwarzenbergstrasse 95, main campus
    (campus map: http://www.tu-harburg.de/tuhh/campusplan.html)
    Inga Trusova (TU Hamburg-Harburg): Passive Security for Wireless Sensor Networks
    Andrey Dudakov (TU Hamburg-Harburg): Secure Authentication via Geographical Localization in Sensor Networks

2006-07-06, Room 221, ESA 1 W, Main Campus
    Christopher Alm (University of Hamburg): Analysis of Manipulation Methods in Operating System Kernels and Concepts of Countermeasures (Considering FreeBSD 6.0 as an Example) (PDF)
    Björn Bartels (University of Hamburg): Analysis of Security Engineering Techniques and their Implications on the Software Development Process and Common Criteria Certification

2006-07-13, Room 221, ESA 1 W, Main Campus
    Christian Weitendorf (University of Hamburg): Implementing XSS secure web session management for the J2EE framework (PDF)
    Franjo Severinac (University of Hamburg): A bridge as a representative exemplified on ISAKMP (PDF)

Abstracts

20.04.2006 - Jens Ove Lauf, TU Hamburg-Harburg

Monitoring and Security of Containers

Abstract: International freight traffic uses the most recent means of transportation, but the transport processes have not changed in the last 30 years. At the same time, insurance premiums and the fear of terrorist attacks using transport containers are rising. Monitoring the status of containers through sensors could address both issues and also improve business processes, providing current and accurate information on the status of container loads. This talk will discuss various technical and organisational issues that arise when deploying sensors in transport containers.

27.04.2006 - Asem Hassan, TU Hamburg-Harburg

Conceptual Design of Identity Management in a Profile-Based Access Control System

Abstract: To help Mobile Network Operators reduce their Total Cost of Ownership (TCO) and network complexity, Alcatel SEL AG has developed a solution called the "Intelligent Storage System" (ISS), which allows the logical centralisation of data and the separation of business processes from the network topology. In an ISS-based network, data storage is separated from applications. In the context of Mobile Network Operators, the data essentially represents the network subscribers' information; applications can include (but are not limited to) media services, Customer Relationship Management, etc. Access control to these applications is governed by the users' profiles. This thesis work proposes a solution to the who-accesses-what access control problem posed by this new network setting, that is, restricting user access to the applications based on their access rights. Special care is taken to avoid any kind of proprietary solution and to rely solely on currently available open technologies and standards. The proposed solution utilises the OASIS Security Assertion Markup Language (SAML) framework.

04.05.2006 - Michel Galassi, TU Hamburg-Harburg

Integration of a hardware acceleration unit for IPsec into the Linux Kernel

Abstract: Virtual private networks (VPNs) provide secure communication over an insecure network by protecting all application protocols inside a secure channel. IPsec is a very popular way to realise a VPN. With hardware acceleration for IPsec, the CPU-intensive encryption can be performed on dedicated hardware; this relieves the CPU and increases the throughput for the supported algorithms. The implementation uses a hardware platform based on the Intel IXP425 network processor with a Linux 2.6 kernel. The small hardware platform allows the module to be used in embedded systems. The presentation covers an introduction to the components used and the implementation.

11.05.2006 - Harald Sauff, TU Hamburg-Harburg

Implementation of a Crypto Framework on Sensor Nodes

Abstract: Communication in self-organizing sensor networks is usually unencrypted. To be able to use sensor networks in potentially hostile environments, encryption and related algorithms have to be implemented under the restrictions of the hardware used: very limited resources in terms of RAM, storage capacity, computing power and electrical energy. This presentation shows the experience gained so far from the implementation and optimisation of the RC6 block cipher on ScatterWeb sensor nodes, discusses issues with the underlying firmware and gives an outlook on further plans.

23.05.2006 - Jan Seedorf, University of Hamburg

Self-Certifying SIP-URIs

Abstract: Recently, it has been proposed to use the Session Initiation Protocol (SIP) in a peer-to-peer (P2P) setting: instead of SIP servers, a structured overlay network is envisioned to support mobility in SIP communications. This approach, commonly called P2P-SIP, offers higher reliability and possibly easier configuration. However, the lack of a central authority in a P2P network introduces new security problems. In this talk we look at the integrity of SIP location bindings stored in such an overlay and at how it can be protected against man-in-the-middle attacks. The talk will show how self-certifying SIP-URIs can be used to protect content integrity in P2P-SIP and what such a scheme would look like. Finally, the advantages and drawbacks of using self-certifying SIP-URIs in practice will be discussed.
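
The following Go program is an added example and not the talk's own scheme. It shows the self-certifying construction in its simplest form: the user part of the SIP-URI is derived from a hash of the owner's public key, so a node that fetches a location binding from an untrusted overlay peer can check, without any certification authority, that the binding was signed by the key the URI commits to. Ed25519 as the signature scheme, SHA-256 truncated to 128 bits and base32-encoded as the user part, the binding record layout and the "current time" are all assumptions made here; the two manipulated bindings in Demo are constructed to show which check each attack fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// LocationBinding is the record a P2P-SIP node publishes in the overlay: the
// URI, the contact it currently resolves to, an expiry, the owner's public key
// and a signature over the first three fields. The layout is an assumption of
// this example, not the talk's format.
type LocationBinding struct {
	URI       string
	Contact   string
	ExpiresAt int64 // Unix seconds
	PubKey    ed25519.PublicKey
	Sig       []byte
}

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// userPart derives the self-certifying user name: the first 128 bits of
// SHA-256(pubkey), base32-encoded (26 characters) so it is a legal SIP user
// name. Hash, truncation and encoding are assumptions of this example.
func userPart(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return strings.ToLower(b32.EncodeToString(h[:16]))
}

// SelfCertifyingURI returns sip:<hash-of-key>@<domain>. The domain only names
// the overlay; it vouches for nothing.
func SelfCertifyingURI(pub ed25519.PublicKey, domain string) string {
	return "sip:" + userPart(pub) + "@" + domain
}

func bindingMsg(uri, contact string, exp int64) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n", uri, contact, exp))
}

// SignBinding is what the URI owner does when it registers its contact.
func SignBinding(priv ed25519.PrivateKey, uri, contact string, exp int64) LocationBinding {
	return LocationBinding{
		URI: uri, Contact: contact, ExpiresAt: exp,
		PubKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, bindingMsg(uri, contact, exp)),
	}
}

// VerifyBinding is what a caller does with a binding fetched from an untrusted
// peer. Check 1 ties the public key to the URI, check 2 ties the contact to the
// public key: a man in the middle who rewrites the contact fails check 2, one
// who substitutes his own key (and re-signs) fails check 1.
func VerifyBinding(b LocationBinding, now int64) error {
	parts := strings.SplitN(strings.TrimPrefix(b.URI, "sip:"), "@", 2)
	if !strings.HasPrefix(b.URI, "sip:") || len(parts) != 2 {
		return errors.New("malformed SIP-URI")
	}
	if len(b.PubKey) != ed25519.PublicKeySize || parts[0] != userPart(b.PubKey) {
		return errors.New("public key does not match the URI it claims")
	}
	if !ed25519.Verify(b.PubKey, bindingMsg(b.URI, b.Contact, b.ExpiresAt), b.Sig) {
		return errors.New("signature does not cover this binding")
	}
	if now > b.ExpiresAt {
		return errors.New("binding expired")
	}
	return nil
}

// Demo registers a binding for a fresh key, then replays the two
// man-in-the-middle manipulations against it. All values are constructed.
func Demo() (validErr, rewrittenErr, substitutedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const now = int64(1148400000) // constructed "current time"
	uri := SelfCertifyingURI(pub, "p2psip.example")
	good := SignBinding(priv, uri, "sip:alice@192.0.2.10:5060", now+3600)
	validErr = VerifyBinding(good, now)

	rewritten := good // attacker redirects the call but cannot re-sign
	rewritten.Contact = "sip:alice@203.0.113.7:5060"
	rewrittenErr = VerifyBinding(rewritten, now)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	substituted := SignBinding(attackerPriv, uri, "sip:alice@203.0.113.7:5060", now+3600)
	substitutedErr = VerifyBinding(substituted, now)
	return
}

func main() {
	v, r, s := Demo()
	fmt.Println("genuine binding:  ", v)
	fmt.Println("rewritten contact:", r)
	fmt.Println("substituted key:  ", s)
}
```

The price of the construction is visible in the URI itself: the user part is an opaque 26-character string rather than a human-chosen name, and a lost private key means a new URI, which is the kind of practical drawback the talk weighs against the integrity guarantee.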

23.05.2006 - Martin Johns, University of Hamburg

Client Side Protection against Session Riding Attacks

Abstract: Session Riding (also known as "Cross Site Request Forgery") attacks have been publicly known since at least 2001. However, this class of web application vulnerabilities is rather obscure compared to attack vectors like Cross Site Scripting or SQL Injection. As the trend towards web applications continues and an increasing number of local programs and appliances such as firewalls rely on web-based front-ends, the attack surface for Session Riding grows continuously. Session Riding is an attack that targets the user rather than the web application. As long as web applications do not take measures to protect their users against this threat, it is important to investigate possibilities for client-side mechanisms. In this talk "RequestRodeo" is presented, which is, to the best of our knowledge, the first client-side solution for protection against Session Riding attacks.
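
The following Go program is an added example, not RequestRodeo's code. It shows the client-side idea in its basic form: a local proxy lets every request through but strips the browser's authentication state (Cookie and Authorization headers) from any request it cannot attribute to the site being requested, so a forged request arrives without the victim's session and the application treats it as anonymous. The program uses the Referer header as its evidence of origin; RequestRodeo itself tags the URLs inside pages it has proxied because Referer is often absent or suppressed, and that substitution, the treatment of Referer-less requests as untrusted, and the rule for requests from public pages to intranet or appliance addresses are all assumptions made here. The requests in main and the session cookie value are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Decision records whether the proxy forwards the browser's credentials
// (Cookie and Authorization headers) with a request, and why.
type Decision struct {
	Strip  bool
	Reason string
}

// isLocalTarget recognises the web front-ends of local programs and
// appliances: loopback, link-local and RFC 1918 addresses. Host names are
// treated as public here (assumption; a real proxy would resolve them).
func isLocalTarget(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast())
}

// Classify decides for one outgoing request. The Referer header stands in for
// RequestRodeo's URL tagging (assumption, see lead-in).
func Classify(referer, target string) Decision {
	tu, err := url.Parse(target)
	if err != nil || tu.Host == "" {
		return Decision{true, "unparseable target URL"}
	}
	if referer == "" {
		// No evidence of where the request came from (typed URL, mail client,
		// page that suppressed Referer): forward it, but anonymously.
		return Decision{true, "no origin information"}
	}
	ru, err := url.Parse(referer)
	if err != nil || ru.Host == "" {
		return Decision{true, "malformed Referer"}
	}
	if strings.EqualFold(ru.Hostname(), tu.Hostname()) {
		return Decision{false, "same-site request"}
	}
	if isLocalTarget(tu.Hostname()) && !isLocalTarget(ru.Hostname()) {
		return Decision{true, "public page targeting a local or intranet host"}
	}
	return Decision{true, "cross-site request"}
}

// Sanitize applies the decision to a request the proxy is about to forward.
// The request still goes out, so cross-site links and forms keep working;
// they just carry no session.
func Sanitize(req *http.Request) Decision {
	d := Classify(req.Header.Get("Referer"), req.URL.String())
	if d.Strip {
		req.Header.Del("Cookie")
		req.Header.Del("Authorization")
	}
	return d
}

func main() {
	// Constructed requests: an in-site form post, a session riding attempt from
	// another site, an attack on a firewall's web front-end, and a typed URL.
	cases := [][2]string{
		{"http://bank.example/transfer-form", "http://bank.example/transfer"},
		{"http://attacker.example/blog.html", "http://bank.example/transfer?to=mallory"},
		{"http://attacker.example/blog.html", "http://192.168.1.1/admin/disable-filter"},
		{"", "http://bank.example/account"},
	}
	for _, c := range cases {
		req, _ := http.NewRequest(http.MethodPost, c[1], nil)
		req.Header.Set("Referer", c[0])
		req.Header.Set("Cookie", "JSESSIONID=constructed-session-id")
		d := Sanitize(req)
		fmt.Printf("%-42s strip=%-5v %s (Cookie now %q)\n", c[1], d.Strip, d.Reason, req.Header.Get("Cookie"))
	}
}
```

The rule only needs the request and its origin, nothing from the application, which is why it can be deployed on the client before sites fix themselves; the cost is that legitimately cross-site but authenticated flows (a login link in an e-mail, for instance) lose their session and the user has to log in again.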

01.06.2006 - Bhaskar Kalyan Bysani, TU Hamburg-Harburg

Enterprise Application Integration through secure Web services

Abstract: Web services can be used to integrate different applications, e.g. Enterprise Resource Planning (ERP) and Supplier Relationship Management (SRM) systems, across the boundaries of an enterprise. But not all applications support HTTP, SMTP or SOAP. An Exchange Infrastructure (XI) is an Enterprise Application Integrator (EAI) that is used in the BBraun system landscape to make such applications available as Web services. When Web services are offered to customers and business partners, additional security measures should be taken: access rights for the Web service, checking the content of the elements of a Web service request before it is allowed into the organisation's network, and signing and encrypting the SOAP response to provide integrity and confidentiality. The XI, however, is not able to encrypt the SOAP response. This thesis work implements a business process as a Web service together with its security policies, and a possible solution for signing and encrypting part or all of the SOAP response.

15.06.2006 - Tilmann Holst, University of Hamburg

Possible Threats to PGP key servers

Abstract: PGP key servers are used to store and distribute PGP public keys. Some key servers operate stand-alone, e.g. for a single enterprise. Others are connected with other key servers and form a key server network in which submitted keys are distributed to every participating server. The worldwide network of PGP key servers is highly decentralised but kept synchronised, which makes the network structure very robust: a key submitted once is replicated throughout the entire network and stored on all participating servers. Several problems arise from this distributed robustness combined with weaknesses in the basic design of current key servers. The talk will discuss these issues and give an outlook on possible solutions.

15.06.2006 - Martin Hinz, University of Hamburg

Outsourcing in Software Projects - a risk and protective measure analysis of data confidentiality and integrity

Abstract: Many large companies develop the software supporting their core business in internal IT departments. Driven by cost and by the progress of globalisation, companies integrate external actors into their development processes at different stages of the software life cycle. Various forms of integrating these actors are possible: companies can found subsidiaries or choose external partners to collaborate with, and further variants concern the place of execution, e.g. development on site, onshore or offshore. The diploma thesis discusses potential confidentiality and integrity gaps within the software development process as well as possible protective measures in the management of software projects. The legal basis is applied to the specific situation, and outsourcing forms such as BPO and ASP are used to bring in current points of discussion. This presentation will show the background and the approach of the thesis.

22.06.2006 - Thilo Mende, University of Hamburg

Using Compiler Intermediate Representations for Security-related Static Analysis

Abstract: The first steps of static analysis tools are usually lexical, syntactic and semantic analysis, which produce an unambiguous representation of the target program. Compilers implement these steps in their front end and, especially during the optimisation phase, generate data structures that are very useful for static analysis, e.g. control and data flow graphs. In my diploma thesis I investigated how the intermediate representations of the GNU Compiler Collection can be reused for security-related static analysis. In this talk I will present the approach taken and discuss the advantages and drawbacks of this solution.

06.07.2006 - Christopher Alm, University of Hamburg

Analysis of Manipulation Methods in Operating System Kernels and Concepts of Countermeasures (Considering FreeBSD 6.0 as an Example)

Abstract: A manipulation of the kernel of an operating system can give an attacker unimpeded and unrestricted access to any desired part of the system. Furthermore, since all attempts to detect a manipulation from within the affected system rely on the services of the potentially compromised kernel, sophisticated attackers can hide all their activities this way. In this talk we consider methods of kernel manipulation, presuming that basic protection mechanisms have already been circumvented, and discuss the effectiveness of countermeasures designed specifically against them. The issues are illustrated using the FreeBSD system as an example. In particular, the question arises whether UNIX-like operating systems such as FreeBSD are capable of effectively preventing such an attack at all.

06.07.2006 - Björn Bartels, University of Hamburg

Analysis of Security Engineering Techniques and their Implications on the Software Development Process and Common Criteria Certification

Abstract: Governmental regulations, such as the German Digital Signature Law, imply the need for a security standard against which the supporting IT systems can be compared in order to establish trust that the systems provide an appropriate level of security. The Common Criteria evaluation methodology offers the possibility to identify commonly needed security functionality and to state it as requirements that an IT system has to meet. Security engineering techniques, along with other requirements the developer of the system has to meet, serve as further requirements to assure that this functionality is carefully implemented. In this talk we look at selected security engineering techniques and discuss the benefits and limitations of these techniques and of evaluations in general. The completed evaluations of the Windows XP operating system and of a smart card controller provide examples for the practical application of these evaluation concepts.

13.07.2006 - Christian Weitendorf, University of Hamburg

Implementing XSS secure web session management for the J2EE framework

Abstract: Cross Site Scripting vulnerabilities are an omnipresent security threat for web applications. One of the most serious threats resulting from this kind of vulnerability is session hijacking, in which the attacker tries to steal or misuse the user's identity information. In my diploma thesis I investigated a paper by Martin Johns describing several countermeasures against session hijacking, modified these concepts and adapted them to provide an implementation for the J2EE web container. In this talk I will first give an overview of the different kinds of XSS session attacks and possible countermeasures against them, and then discuss the modified countermeasure concepts and my implementation approach.

13.07.2006 - Franjo Severinac, University of Hamburg

A bridge as a representative exemplified on ISAKMP

Abstract: Network traffic between any two interconnected hosts can be secured with IPsec. But it is not always possible or economical to upgrade the software and configuration of all nodes participating in the network. One solution to this problem is a bridge that acts as a security gateway and applies the relevant security protocols on behalf of the protected nodes. The OpenBSD Ethernet bridge is extended to adopt a host's identity at the OSI network and data link layers, with the aim of being fully transparent both to the protected host and to the destination host or gateway. ISAKMP uses this functionality to exchange key material and afterwards to encrypt traffic completely transparently. The presentation introduces the concept of the bridge acting as a representative.

 


Most presentations are available for download in PDF format.

Last modified: 29/10/2007 - 10:01:26 by jfs