Advanced IT Security - WS 2005/06
18.483
Advanced Seminar (Oberseminar): Advanced IT Security

Organisers: Dieter Gollmann (TU), Joachim Posegga
Time: Thursday 18-20 (2 SWS); 1st session: 27.10.2005, 18:15
Location: Main Campus - ESA 1 W, Room 221, Edmund-Siemers-Allee 1, 20146 Hamburg
Driving Directions & Room description
Address of lecture hall ESA 1 W, room 221: Edmund-Siemers-Allee 1, 20146 Hamburg
Schedule

| Date | Speaker | Location | Title |
| --- | --- | --- | --- |
| 27.10.2005 | Dieter Gollmann, Joachim Posegga; Murugaraj Shanmugam, Siemens | ESA 1 W, room 221 | Introduction; Emergency Services for Voice over Internet Protocol |
| 31.10.2005 | Gene Tsudik, UC Irvine | HS20, room 0.21, TU Hamburg-Harburg | Secret Handshakes, or Privacy-Preserving Interactive Authentication |
| 10.11.2005 | Peter Wirnsperger, Deloitte & Touche | ESA 1 W, room 221 | IT-Security Penetration Testing – Snake oil or Profession (Are penetration tests just snake oil or a necessary approach to get a real idea of the security setup in companies?) |
| 17.11.2005 | Peter Schoo, DoCoMo Euro-Labs, Munich | ESA 1 W, room 221 | Secure seamless mobility in future mobile communication systems |
| 24.11.2005 | Thomas J. Wilke, TU Berlin | ESA 1 W, room 221 | Advanced Security Management and End-to-End Enforcement of Security Policies for Complex IT Infrastructures |
| 01.12.2005 | No session | --- | --- |
| 08.12.2005, 18:30 | Dr. Heike Neumann, Philips Semiconductors | TU Hamburg-Harburg, SBS95 D1023, 18:30 - 20:00 | Trusted Computing |
| 15.12.2005 | Yves Younan, Katholieke Universiteit Leuven | ESA 1 W, room 221 | A Methodology for Designing Countermeasures against Current and Future Code Injection Attacks |
| 22.12.2005 | Marlene Knigge, University of Hamburg | ESA 1 W, room 221 | Access Control in ERP-Systems |
| 29.12.2005 and 05.01.2006 | Christmas vacation | --- | --- |
| 12.01.2006 | Jan Seedorf, University of Hamburg | ESA 1 W, room 221 | Security Considerations for P2P-SIP |
| 19.01.2006 | No session | --- | --- |
| 26.01.2006 | Thilo Mende, University of Hamburg; Stephan Schirmer, University of Hamburg | ESA 1 W, room 221 | Using Compiler Intermediate Representations for Security-related Static Analysis; Machine-aided Tracking and Archiving of Security Updates of a free Unix-derivation |
| 02.02.2006 | Robert Christian, Solsoft | ESA 1 W, room 221 | Network Security Policy Management |
| 09.02.2006 | Florian Kessler, Zoltan Mados, University of Hamburg | ESA 1 W, room 221 | Problems and Possible Solutions for a Firewall on a SmartCard |
Abstracts
October 27th, 2005: Murugaraj Shanmugam, Siemens
"Emergency Services for Voice over Internet Protocol"
Abstract:
As telephone functionality moves from circuit-switched telephony to Internet telephony, there is a need to provide the core functionality, such as emergency services, at least as well as the older technology does. In the PSTN, which is constrained by geographic and regional configuration, the calls are intended to be delivered to special call centers to manage emergency response. Since the PSTN and IP follow different design principles, their architectures are quite different. So IP networks cannot use the same technique as the PSTN and require re-thinking of the traditional emergency calling architecture. Moreover, the use of VPNs, mobility issues, and overlay networks in the IP network complicates the emergency handling scenario. This challenge also offers an opportunity to improve the working of emergency calling technology, while potentially lowering its cost and complexity and providing other features like instant messaging and multimedia capability for emergency callers. This talk describes the overall emergency call flow and infrastructural details of the IP-based emergency architecture. It analyzes the security threats and proposes some security requirements for emergency services when using IP as the medium of communication.
October 31st, 2005: Gene Tsudik, UC Irvine
"Secret Handshakes, or Privacy-Preserving Interactive Authentication"
Abstract:
Individual privacy is being gradually eroded in the modern world: cameras record events in public and private spaces, search engines store search queries and their results, and the connectivity of personal devices (e.g., PDAs and cellphones) is being tracked by connectivity providers. This motivates research into privacy-preserving techniques for well-understood security primitives such as authentication and authorization / access control. This work focuses on privacy-preserving security services, including secure information delivery using so-called "oblivious envelopes" and authentication protocols using so-called "secret handshakes". We show that such techniques can preserve the privacy of the participants in an efficient and provably secure fashion. Furthermore, they prompt a number of new and interesting research challenges.
November 10th, 2005: Peter Wirnsperger, Deloitte & Touche
"IT-Security Penetration Testing – Snake oil or Profession"
Are penetration tests just snake oil or a necessary approach to get a real idea of the security setup in companies?
Summary of presentation:
When enterprises started to connect their internal networks to the internet, they suddenly had to worry about perimeter defence and the security posture of the implemented system architecture. A new trade was born when responsible IT managers asked students or security professionals to review the perimeter defence and run a penetration test over the internet against the system barriers of the company. Today this trade has grown up and many consulting companies offer security audits to the market. One can even gain IT-security certifications like BS7799/ISO 17799 or the German BSI Baseline Security Certificate out of a successful security audit. Many different methodologies are being applied, too many certifications can be achieved, and audit results vary extremely, depending on the skills of the auditor and the real goals of the customers. Nevertheless, IT-security audits have become an important service in the IT industry, and the audit industry has become more professional, too. This lecture will attempt to give a brief - but probably incomplete - overview of different penetration test scenarios, applied methodologies, their results, and what customers can use them for.
The author:
Peter J. Wirnsperger is a Senior Manager in the German Enterprise Risks Services Group with the responsibility for delivering technical and organisational security services. He leads the security consulting team with a special focus on implementing and testing security management and infrastructure security. Peter has 10 years of IT project experience and a strong track record of penetration testing and security assessments in the financial sector, manufacturing industry, and media corporations. He has gained broad experience in developing attack vectors for vulnerability assessments. Prior to Deloitte he worked for @stake and Oracle. Peter is Chair of the Committee for IT-Security of Hamburg@work and appointed to the Committee of Internet Economy of the Chamber of Commerce in Hamburg / Germany. Peter lives in Hamburg / Germany and is 40 years old.
November 17th, 2005: Peter Schoo, DoCoMo Euro-Labs, Munich
"Secure seamless mobility in future mobile communication systems"
(slides are confidential and cannot be published)
Abstract:
Future mobile communication systems will benefit from an innovative use of a new radio interface and also from the integration of existing network technologies. In a security perspective, the integration of these network technologies is quite challenging as the different technologies come with their own security solutions not prepared to interwork. We will describe characteristics of and consequences for the security of future mobile communication systems and their main assumptions regarding secure mobility management and regarding multilateral relations between operators and users towards inter-domain handovers.
CV:
Mr. Peter Schoo, Dipl.-Inform., has been Head of the Security Technology Lab and executive researcher with DoCoMo Euro-Labs in Munich since 2001. This lab is active in the area of security for systems beyond 3G, both on the application layer and on the protocol and network security side. Mr. Schoo is engaged in research on fast handover mechanisms and inter-domain agreement procedures. Mr. Schoo received the degree of Diplom-Informatiker from the University of Hamburg in 1986. From 1987 to 2001 he was a researcher at the Fraunhofer institute FOKUS (formerly GMD FOKUS), working on formal methods, software architectures and object-oriented support for middleware platforms. During this period he participated in several ESPRIT, RACE and ACTS projects and several industry projects in the telecommunication industry, gave lectures at the TU Berlin and participated actively in ISO standardization.
November 24th, 2005: Thomas J. Wilke (TU Berlin)
"Advanced Security Management and End-to-End Enforcement of Security Policies for Complex IT Infrastructures"
Abstract:
IT systems have become an essential instrument for companies. In market systems based on competition, their availability, flexibility and performance decide between mere existence and dominance, and thus ultimately between economic success and failure. However, the comprehensive use of IT technologies increasingly confronts companies with security challenges that can no longer be mastered with the IT security procedures of current IT security practice. These challenges are rooted in the differing laws of operation of IT systems and of social organisation. The talk presents paradigms and procedures with which security policies can be organised and enforced in complex and heterogeneous IT infrastructures, in order to achieve comprehensive and end-to-end protection of these IT infrastructures. It aims to show a technical basis for how monetary and legal values can be preserved in IT infrastructures.
December 15th, 2005: Yves Younan, Katholieke Universiteit Leuven
"A Methodology for Designing Countermeasures against Current and Future Code Injection Attacks"
(slides are confidential and cannot be published)
Abstract:
Vulnerabilities that lead to code injection attacks are still one of the most important security-related vulnerabilities: 24 of the 28 CERT advisories for 2003 were related to these vulnerabilities. Many countermeasures have been built to try and protect against code injection attacks; however, they are usually built in an ad-hoc manner and as a result attackers have often developed techniques to bypass them. In this talk I will describe our more structured approach to designing countermeasures for code injection attacks. To achieve this we build a model of the execution environment of a program. This machine model allows us to think in a more abstract way about countermeasures. A model is, however, strongly linked to a particular architecture and as a result is limited in usefulness. To reduce the work required to build a model we are working on a metamodel which would allow a systems expert to build a machine model for a particular architecture. This metamodel will allow reasoning at an even higher level, will also ensure uniformity among machine models and may aid in porting countermeasures over several architectures. The talk will also describe some countermeasures we have designed and implemented using the model-based approach.
December 22nd, 2005: Marlene Knigge, University of Hamburg
"Access Control in ERP-Systems"
Abstract:
Within the scope of my diploma thesis I am going to examine security in enterprise resource planning systems (ERP systems) in general and implement user access control for an ERP system in a medium-sized company. At the session on December 22nd, an overview of security in ERP systems and an introduction to the company and the ERP system will be given. After that, the current state and my conception of the new access control will be described.
January 12th, 2006: Jan Seedorf, University of Hamburg
"Security Considerations for P2P SIP"
Abstract:
Voice-over-IP (VoIP) has matured over the past couple of years into a now widely used application, with many service providers for home users available. During this process, SIP has emerged as the dominating protocol for signaling in multimedia communications. Recently, several researchers have proposed to use a peer-to-peer (P2P) network instead of servers to support mobility in SIP-based communications. In the talk it will be shown how SIP can be used in conjunction with a P2P network (P2P-SIP). Specifically, it will be described how to use a structured overlay network (such as Chord) for SIP user registration and user location. The initiators of P2P-SIP claim higher scalability, robustness and ease of deployment for P2P-SIP compared to client-server SIP. However, the P2P paradigm imposes new security challenges for SIP communications. These issues will be investigated during the presentation and several attacks will be exemplified. Following a discussion of attacks and threats, the proposed approaches for P2P-SIP will be compared from a security perspective. A summary followed by an outlook on future work and open challenges concludes the talk.
January 26th, 2006: Thilo Mende, University of Hamburg
"Using Compiler Intermediate Representations for Security-related
Static Analysis"
Abstract:
The first steps of static analysis tools are usually lexical, syntax and semantic analysis, which generate an unambiguous representation of the target program. Compilers implement these steps in their front end and generate data structures, especially during the optimization phase, that are very useful for static analysis, e.g. control and data flow graphs. The idea for my diploma thesis is to use GCC to analyze source code and to export the data structures generated during compilation to a tool-independent, reusable format. In the talk I will present a first requirements analysis, introduce GCC's architecture and available intermediate representations, and outline the next steps of my thesis.
January 26th, 2006: Stephan Schirmer, University of Hamburg
"Machine-aided Tracking and Archiving of Security Updates
of a free Unix-derivation"
Abstract:
Many published software versions include vulnerable code. This talk will introduce a new project, SecFlawDB, which strives to collect vulnerable source code together with its fixes and to publish them in a database. This database may serve as a knowledge base for programmers and students to experience common security flaws in concrete examples. After a short introduction to the project, the basics of machine-aided tracking of vulnerabilities and collection of software versions will be discussed.
February 2nd, 2006: Robert Christian, Solsoft
"Network Security Policy Management"
Abstract:
Consistency (e.g. of ACLs) is a vital factor in the implementation and management of a security policy. In heterogeneous IT environments this can consume extensive resources or may even prove to be impossible. With the aid of visual policy management tools which allow the design, audit, and implementation of rules throughout a multi-vendor network, this task may become significantly easier.
February 9th, 2006: Florian Kessler & Zoltan Mados,
University of Hamburg
"Problems and Possible Solutions for a Firewall on a SmartCard"
Abstract:
Smartcards have become more powerful in the last years. They have new capabilities making them more and more versatile in their usage. The newest prototypes are able to communicate with TCP/IP-based networks. With these capabilities they can be used as a hardware platform for rudimentary, but secure, firewall systems. We examine some concepts of existing firewall systems. We show in which way they interact with their host OS and ask which of them can be implemented in a smartcard / Java Card environment. Additionally, we talk about restrictions of the Java Card environment in contrast to Java.