Foundations of Secure System Design and Analysis

The common practice of exploitable software which becomes patched, creates a cat-and-mouse game that cannot be tolerated in the presence of critical infrastructure or personal data.
In order to mitigate this cat-and-mouse game, we need new technologies that revolutionize the way systems are build and maintained. Our research area tackles this problem by giving foundations for the system design that incorporate security-by-design and methods for the analysis of existing systems. We currently in particular have a strong focus on conceptually understanding adversarial machine learning and its implications on security-critical systems.


Privacy Enhancing Technologies

With the advent of Online Social Networks and other Online Services, users, often unknowingly, publicly disseminate tremendous amounts of personal information through their online interactions. All of this information is then readily available to data collectors which use it for personal gain or for malicious actions against the user.
Protection of personal data is therefore of paramount importance in a day and age where data disseminated in the Internet, is completely visible and available to anyone who wants to collect it. In our group we develop foundational methods for quantifying privacy and anonymity in the Internet. Our methods allow for the analysis of existing privacy-enhancing technologies, but also for the development of novel, privacy-enhancing solutions. A particular focus at the moment is privacy assessment and protection for genetic data.


System and Web Security

Not only smartphones and tablets have become ubiquitous but also everyday household appliances and infrastructure have been computerized – or became ‘smart’. The endless possibilities of app stores have brought diversity and ingenuity to the way we interact with our world. However, the simplicity of developing and distributing apps together with their omnipresence has made it easy for attackers to gain access to our most personal data or extort us, all under the pretext of being a helpful app.
We conduct research as to how to protect user’s data and privacy on mobile, embedded, and other’smart’ devices, we analyse attacks and data breaches and we construct more secure operating systems.


Usable Security

Usable security and privacy research became an important field of research over the last decade. While many IT security mechanisms offer (very) strong security guarantees in theory, humans are a limiting factor in many cases. Choosing secure passwords, understanding and adhering SSL warning messages or encrypting email is a tough challenge for end users. Developers struggle with using secure cryptographic APIs and webmasters are overwhelmed with configuring X.509 certificates. We collect real data from real users of IT security systems and then build systems to help users make sensible decisions.

All Publications

Recent Publications

Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy

Duc Cuong Nguyen , Erik Derr , Michael Backes , Sven Bugiel
To appear in the Proceedings of the IEEE Symposium on Security & Privacy, May 2019 , 2019

Precise and Scalable Detection of Double-Fetch Bugs in OS Kernels

Meng Xu , Chenxiong Qian , Kangjie Lu , Michael Backes , Taesoo Kim
In Proceedings of the 39th IEEE Symposium on Security and Privacy (Oakland). San Francisco, CA, May 2018. , 2018

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

Marten Oltrogge , Erik Derr , Christian Stransky , Yasemin Acar , Sascha Fahl , Christian Rossow , Giancarlo Pellegrino , Sven Bugiel , Michael Backes
39th IEEE Symposium on Security and Privacy (SP '18) , 2018

Verifying System Level Information Flow Using Confidentiality-Preserving Refinement

Christoph Baumann , Roberto Guanciale , Hamed Nemati , Mads Dam
In Submission , 2018

Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86

Hojoon Lee , Chihyun Song , Brent Byunghoon Kang
ACM CCS 2018 , 2018