Service and Application Security

Security for distributed applications

Devices in the Internet of Things, mobile applications and cloud infrastructures — the challenges for IT security are constantly getting more complex due to the growing number of components and the heterogeneity of the platforms. Formerly monolithic programs have long since evolved into distributed architectures in which applications and services work together.

The field of Service & Application Security is primarily concerned with the security and data protection of distributed applications as well as secure cloud and container infrastructures. Novel solutions are developed and implemented based on current results from security research.

Fields of Research

Applied Privacy Technologies

The research field Applied Privacy Technologies addresses the dichotomy between deriving value from data processing and data protection. The goal is to support digital self-determination. This includes practical applications of state-of-the-art cryptography, such as attribute-based encryption (ABE), searchable encryption (SE) and the use of privacy-enhancing technologies (PETs). Our experts design secure, decentralized services and architectures for the future Internet technologies such as self-sovereign identities (SSI).
 

Secure Data Ecosystems

The research field Secure Data Ecosystems focuses on technologies which enable companies to exchange data in a secure environment. The main topics are the analysis, conceptual design and further development of all components that are essential for a data ecosystem. This includes secure gateways for data exchange, the transformation to trustworthy cloud infrastructures and all topics around International Dataspaces and GAIA-X. We help with analysing the status quo and assist with the certification or evaluation of components and systems.

 

Software Security

The focus of the research area Software Security is the exploration and application of techniques for the analysis and evaluation of software artifacts, such as backend applications or mobile applications. This includes novel capabilities for dynamic and static code analysis, such as code property graphs. Our solutions, some of which are published as open source, enable use cases such as the correct use of cryptographic libraries.

 

Labs

Our experts work on future topics in the field of service and application security in a wide range of laboratories. For example, our employees and customers have access to an extensive Secure Data Ecosystems lab, where new types of technologies for secure data exchange can be tested. The closely related Cloud Security lab provides hands-on experience in container virtualization with Kubernetes and access to public cloud systems such as Azure and AWS. A range of radio-based communications technology, such as Bluetooth, LTE and 5G (under construction), completes the lab offerings.

Cloud Security Lab

The Cloud Security Lab at Fraunhofer AISEC enables a wide range of evaluation services for securing cloud services.

Software Security Lab

Fraunhofer AISEC studies and evaluates the security of software and applications in a state-of-the-art laboratory environment.

Secure Data Ecosystems

The Secure Data Ecosystems research lab provides the necessary infrastructure for the development, planning and implementation of trusted data spaces.

 

Offerings

Our goal is to work closely with our customers and partners to systematically improve the ability to assess the security of systems and products, to evaluate system reliability, design systems to be secure, and sustainably maintain security throughout the lifecycle.

Evaluate security

  • As part of threat and risk assessments, we evaluate the security of distributed systems. Typical systems consist, for example, of a web application and an associated backend.
  • In practical security audits and penetration tests, we act as the attacker and uncover security vulnerabilities in mobile application or cloud system on your behalf.
  • Through source code audits with a focus on Java, TypeScript and C++, we provide detailed insights into the security of your applications.
  • An as-is analysis of existing solutions allows us to identify options on how to build secure data ecosystems. 

Design security 

  • During the development process, we give advise on how to design your applications regarding security and data protection.
  • In a collaboration with the customer, we show the potential of new security technologies such as Self-Sovereign Identities or Searchable Encryption. We also prototype innovative concepts, such as information flow and data usage control in IoT architectures.

Maintain security

  • Offers around compliance and assurance monitoring (e.g. of cloud systems) complete our portfolio.
  • Consulting on the security and compliance of cloud computing and container solutions and accompany you in the preparation of certification projects.

Selected Projects

 

Clouditor

Clouditor helps organizations to automatically comply with critical security and compliance requirements.

 

 

re:claimID

With re:claimID, Fraunhofer AISEC created a tool for self-sovereign management of digital identities. It enables users to securely manage digital identities and personal information and share them with other parties over a decentralized directory.

 

CODYZE

In this project, an automatic tool was developed for the BSI that validates whether cryptographic libraries are being used correctly. 

 

 

Anonymized data for the digitalized future of medicine

ANONY-MED

In the ANONY-MED project, Fraunhofer AISEC is working with Charité – Universitätsmedizin Berlin and Smart Reporting GmbH on the anonymization of data for the digitalized medicine of the future. Their goal was to generate new knowledge using AI models, which comply with data privacy standards.

 

6G-ANNA

The Service and Application Security department provides its cybersecurity expertise in the field of "code analysis" in the BMBF research project "6G-ANNA".

Selected Initiatives and Collaborations

 

Sovereign Data Exchange

International Data Spaces

The International Data Spaces enable the sovereign, and thus self-determined, sharing of data across company borders.

 

Fraunhofer CCIT

Trackchain Technology

In order to enhance digitalization on an international scale, logistics needs an internet with cognitive capabilities and secure networked data spaces. As part of the Fraunhofer CCIT, Fraunhofer AISEC is developing trustworthy goods tracking with cognitive sensor technology and blockchain technology.

 

Publications

  • Christian Banse, Angelika Schneider, Immanuel Kunz: »owl2proto: Enabling Semantic Processing in Modern Cloud Micro-Services«. In: To appear in: 16th International Conference on Knowledge Engineering and Ontology Development, 2024.
  • Andreas M. Binder, Immanuel Kunz: »Using Static Code Analysis for GDPR Compliance Checks«. In: European Symposium on Research in Computer Security. Springer, 2024.
  • Georg Bramm, Melek Önen, Martin Schanzenbach, Ilya Komarov, Frank Morgner, Christian Tiebel, Juan Cadavid: »UPCARE: User Privacy-preserving Cancer Research Platform«. In: Proceedings of the 21st International Conference on Security and Cryptography, 2024, pp. 52–63. ISBN: 978-3-88579-744-9. DOI: 978-989-758-709-2.
  • Felix Lange, Immanuel Kunz: »Evolution of Secure Development Lifecycles and Maturity Models in the Context of Hosted Solutions«. In: Journal of Software: Evolution and Process, 2024.
  • Martin Schanzenbach, Sebastian Nadler, Isaac Henderson Johnson Jeyakumar: »GRAIN: Truly Privacy-friendly and Self-sovereign Trust Establishment with GNS and TRAIN«. In: Open Identity Summit 2024. Bonn: Gesellschaft für Informatik e.V., 2024, pp. 85–92. ISBN: 978-3-88579-744-9. DOI: 10.18420/OID2024_07.
  • Stefan Schöberl, Christian Banse, Verena Geist, Immanuel Kunz, Martin Pinzger: »CertGraph: Towards a Comprehensive Knowledge Graph for Cloud Security Certifications«. In: 27th International Conference on Model Driven Engineering Languages and Systems, 2024.

  • Christian Banse, Immanuel Kunz, Nico Haas, and Angelika Schneider. “A Semantic Evidence-based Approach to Continuous Cloud Service Certification”. In: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing. SAC ’23. New York, NY, USA: Association for Computing Machinery, 2023. DOI: 10.1145/3555776.3577600. URL: https://doi.org/10.1145/
  • Maximilian Kaul, Alexander Küchler, and Christian Banse. “A Uniform Representation of Classical and Quantum Source Code for Static Code Analysis”. In: 2023 IEEE International Conference on Quantum Computing and Engineering. QCE ’23. 2023, pp. 1013–1019. DOI: 10 . 1109 /QCE57702.2023.00115.
  • Alexander Küchler, Leon Wenning, and Florian Wendland. “AbsIntIO: Towards Showing the Absence of Integer Overflows in ARM Binaries”. In: Proceedings of ACM Asia Conference on Computer and Communications Security. ASIA CCS ’23. 2023. DOI: 10.1145/3579856.3582814.
  • Immanuel Kunz, Konrad Weiss, Angelika Schneider, and Christian Banse. “Privacy Property Graph: Towards Automated Privacy Threat Modeling via Static Graph-based Analysis”. In: Proceedings on Privacy Enhancing Technologies. 2023.
  • Immanuel Kunz and Shuqian Xu. “Privacy as an Architectural Quality: A Definition and an Architectural View”. In: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE. 2023, pp. 125–132.
  • Hendrik Meyer zum Felde, Maarten Kollenstart, Thomas Bellebaum, Simon Dalmolen, and Gerd Brost. “Extending Actor Models in Data Spaces”. In: Companion Proceedings of the ACM Web Conference 2023. 2023, pp. 1447–1451.
  • Hendrik Meyer zum Felde, JeanLuc Reding, and  Michael Lux. “DGATE: Decentralized Geolocation and Time Enforcement for Usage Control”. In: 8th IEEE European Symposium on Security and Privacy Location Privacy Workshop. 2023.
  • Mathias Morbitzer. “Analyzing and Improving the Security of Trusted Execution Environments”. Dissertation. München: Technische Universität München, 2023.
  • Mathias Morbitzer, Benedikt Kopf, and Philipp Zieris. “GuaranTEE: Introducing ControlFlow Attestation for Trusted Execution Environments”. In: IEEE International Conference on Cloud Computing (CLOUD). 2023.
  • Martin Schanzenbach, Christian Grothoff, and Bernd Fix. “The GNU Name System”. RFC 9498. Nov. 2023. DOI: 10.17487/RFC9498. URL: https://www.rfc- editor.org/info/rfc9498.

  • Alexander Küchler and Christian Banse. “Representing LLVM-IR in a Code Property Graph”. In: Information Security. Ed. by Willy Susilo, Xiaofeng Chen, Fuchun Guo, Yudi Zhang, and Rolly Intan. ISC ’22. Springer, 2022, pp. 360–380.
  • Immanuel Kunz, Angelika Schneider, Christian Banse, Konrad Weiss, and Andreas Binder. “Poster: Patient Community – A Test Bed for Privacy Threat Analysis”. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. CCS ’22. 2022. DOI: 10.1145/ 3548606.3564253.
  • Antoine d’Aligny, Emmanuel Benoist, Florian Dold, Christian Grothoff, Özgür Kesim, and Martin Schanzenbach. “Who comes after us? The correct mindset for designing a Central Bank Digital Currency”. In: SUERF Policy Note 279 (2022). URL: https://www.suerf.org/docx/f_cd24c3cabd88307c9c9299817143ba5d_46097_suerf.pdf.
  • Özgür Kesim, Christian Grothoff, Florian Dold, and Martin Schanzenbach. “Zero-Knowledge Age Restriction for GNU Taler”. In: Proceedings of 27rd European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science. Springer, 2022.
  • Immanuel Kunz and Andreas Binder. “Application-Oriented Selection of Privacy Enhancing Technologies”. In: Annual Privacy Forum. Springer. 2022, pp. 75–87.
  • Immanuel Kunz, Angelika Schneider, and Christian Banse. “A Continuous Risk Assessment Methodology for Cloud Infrastructures”. In: 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid). IEEE. 2022, pp. 1042–1051.
  • Florian Lauf, Marcel Klöttgen, Hendrik Meyer zum Felde, and Robin Brandstädter. “Donating Medical Data as a Patient Sovereignly: A Technical Approach”. In: 15th International Conference on Health Informatics (HEALTHINF 2022). 2022.
  • Konrad Weiss and Christian Banse. A Language Independent Analysis Platform for Source Code. 2022. arXiv: 2203.08424 [cs.CR]. URL: https://doi.org/10.48550/arXiv.2203.08424.

  • C. Banse, I. Kunz, A. Schneider, and K. Weiss. “Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis”. In: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD). Los Alamitos, CA, USA: IEEE Computer Society, 2021, pp. 13–19. DOI: 10.1109/CLOUD53861.2021.00014.
    URL: https://doi.ieeecomputersociety.org/10.1109/CLOUD53861.2021.00014.
  • Christian Banse. “Data Sovereignty in the Cloud Wishful Thinking or Reality?” In: Proceedings of the 2021 on Cloud Computing Security Workshop. CCSW ’21. Virtual Event, Republic of Korea: Association for Computing Machinery, 2021, 153–154. ISBN: 9781450386531. DOI: 10.1145/3474123.3486792.
    URL: https://doi.org/10.1145/3474123.3486792.
  • Christian Banse, Florian Wendland, and Konrad Weiss. “Automatisierte Compliance-Prüfung in Software-Artefakten”. In: Deutschland. Digital. Sicher. 30 Jahre BSI. SecuMedia Verlag, 2021. ISBN: 9783922746836.
  • Georg Bramm, Matthias Hiller, Christian Hofmann, Stefan Hristozov, Maximilian Oppelt, Norman Pfeiffer, Martin Striegel, Matthias Struck, and Dominik Weber. “CardioTEXTIL: Wearable for Monitoring and End-to-End Secure Distribution of ECGs”. In: IEEE 17th International Conference on Wearable and Implantable Body Sensor Networks (BSN). 2021. DOI: to appear.
  • Felicitas Hetzelt, Martin Radev, Robert Buhren, Mathias Morbitzer, and Jean-Pierre Seifert. “VIA: Analyzing Device Interfaces of Protected Virtual Machines”. In: 37th Annual Computer Security Applications Conference (ACSAC 2021). 2021.
  • Alexander Küchler, Alessandro Mantovani, Yufei Han, Leyla Bilge, and Davide Balzarotti. “Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes”. In: Network and Distributed Systems Security (NDSS) Symposium. 2021.
  • Hendrik Meyer zum Felde, Mathias Morbitzer, and Julian Schütte. “Securing Remote Policy Enforcement by a Multi-Enclave based Attestation Architecture”. In: 19th IEEE international conference on embedded and ubiquitous computing (EUC 2021). 2021.
  • Mathias Morbitzer, Sergej Proskurin, Martin Radev, Marko Dorfhuber, and Erick Quintanar Salas. “SEVerity: Code Injection Attacks against Encrypted Virtual Machines”. In: 15th IEEE Workshop on Offensive Technologies (WOOT). 2021.
  • Martin Schanzenbach, Christian Grothoff, Hansjürg Wenger, and Maximilian Kaul. “Decentralized Identities for Self-sovereign End-users (DISSENS)”. In: Open Identity Summit 2021. Ed. by Heiko Roßnagel, Christian H. Schunck, and Sebastian Mödersheim. Bonn: Gesellschaft für Informatik e.V., 2021, pp. 47–58.

  • Georg Bramm and Julian Schütte. “cipherPath: Efficient Traversals over Homomorphically Encrypted Paths.” In: ICETE. 2020.
  • Immanuel Kunz, Christian Banse, and Philipp Stephanow. “Selecting Privacy Enhancing Technologies for IoT-Based Services”. In: International Conference on Security and Privacy in Communication Systems. Springer. 2020.
  • Immanuel Kunz, Valentina Casola, Angelika Schneider, Christian Banse, and Julian Schütte. “Towards Tracking Data Flows in Cloud Architectures”. In: IEEE International Conference on Cloud Computing (CLOUD). IEEE. 2020.
  • Immanuel Kunz, Philipp Stephanow, and Christian Banse. “An Edge Framework for the Application of Privacy Enhancing Technologies in IoT Communications”. In: International Conference on Communications (ICC). IEEE. 2020.
  • Luca Wilke, Jan Wichelmann, Mathias Morbitzer, and Eisenbarth Thomas. “SEVurity: No Security Without Integrity Breaking Integrity Free
    Memory Encryption with Minimal Assumptions”. In: 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, MAY 1820, 2020. IEEE. 2020.
  • Dorian Knoblauch and Christian Banse. “Reducing implementation efforts in continuous auditing certification via an Audit API”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer. “Scanclave: Verifying Application Runtime Integrity in Untrusted Environments”. In: 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019.
  • Mathias Morbitzer, Manuel Huber, and Julian Horsch. “Extracting Secrets from Encrypted Virtual Machines”. In: Proceedings of the Ninth ACM on Conference on Data and Application Security and Privacy. CODASPY ’19. Richardson, Texas, USA: ACM, 2019, p. 10. ISBN: 9781450360999. DOI: 10.1145/3292006.3300022.
    URL: https://doi.org/10.1145/3292006.3300022.
  • Martin Schanzenbach, Thomas Kilian, Julian Schütte, and Christian Banse. “ZKlaims: Privacy-preserving Attribute-based Credentials using Non-interactive Zero-knowledge Techniques”. In: Proceedings of the 16th International Conference on Security and Cryptography (SECRYPT 2019), part of ICETE. 2019.
  • Julian Schütte and Dennis Titze. “liOS: Lifting iOS Apps for Fun and Profit”. In: Proceedings of the International Workshop on Secure Internet of Things (SIoT). Luxembourg: IEEE, 2019.
  • Konrad Weiss and Julian Schütte. “Annotary: A Concolic Execution System for Developing Secure Smart Contracts”. In: Proceedings of 24rd European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science. Springer, Sept. 2019.
  • Georg Bramm, Mark Gall, and Julian Schütte. “BDABE-Blockchain-based Distributed Attribute based Encryption.” In: ICETE (2). 2018, pp. 265–276
  • Manuel Huber Gerd S. Brost, Julian Schütte Michael Weiß Mykolai Protsenko, and Sascha Wessel. “An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space”. In: CPSS’18: The 4th ACM CyberPhysical System SecurityWorkshop. CPSS’18. Incheon, Republic of Korea: ACM, 2018, pp. 39–50. ISBN: 9781450357555. DOI: 10.1145/3198458.3198459.
    URL: https://doi.org/10.1145/3198458.3198459.
  • Wolfgang Gräther, Sabine Kolvenbach, Rudolf Ruland, Julian Schütte, Christof Torres, and Florian Wendland. “Blockchain for Education: Lifelong Learning Passport”. In: Proceedings of 1st ERCIM Blockchain Workshop 2018. Reports of the European Society for Socially Embedded Technologies: vol. 2, no. 10. European Society for Socially Embedded Technologies (EUSSET), 2018.
  • Mathias Morbitzer, Manuel Huber, Julian Horsch, and Sascha Wessel. “SEVered: Subverting AMD’s Virtual Machine Encryption”. In: Proceedings of the 11th European Workshop on Systems Security. EuroSec’18. Porto, Portugal: ACM, 2018. ISBN: 9781450356527. DOI: 10.1145/3193111.
    3193112.
    URL: https://doi.org/10.1145/3193111.3193112.
  • Martin Schanzenbach, Christian Banse, and Julian Schütte. “Practical Decentralized Attribute-Based Delegation Using Secure Name Systems”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 244–251. DOI: 10.1109/TrustCom/BigDataSE.2018.00046.
  • Martin Schanzenbach, Georg Bramm, and Julian Schütte. “reclaimID: Secure, Self-Sovereign Identities Using Name Systems and Attribute-Based Encryption”. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018, pp. 946–957. DOI: 10.1109/TrustCom/BigDataSE.2018.00134.
  • Julian Schütte and Gerd Brost. “LUCON: Data Flow Control for Message-Based IoTSystems”. In: Proceedings of the International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). Aug. 2018.
  • Florian Wendland and Christian Banse. “Enhancing NFV Orchestration with Security Policies”. In: ARES 2018: International Conference on Availability, Reliability and Security, August 27–30, 2018, Hamburg, Germany. New York, NY, USA: ACM, 2018. ISBN: 9781450364485/18/08. DOI: 10.1145/3230833.3233253.