Send email Copy Email Address
© © Stephanie Bremerich
Research Group

Bugiel

Trusted Systems

In our security research group, we focus on (mobile) platform security and the integration of hardware security features.

Head of Group

Sven Bugiel

Email

Address

Stuhlsatzenhaus 5
66123 Saarbrücken (Germany)

Members

Yusra Elbitar
Placeholder

Paul Emil Frerichs

Noah Mauthe
© Tobias Ebelshäuser

Alfusainey Jallow
Placeholder

Ebrima Jallow
Placeholder

Esha Verma
Placeholder

Okasha Moosa Sujela
Placeholder

H T M A Riyadh

Eric Ackermann

Most Recent Publications

Year 2024

2024-05

Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security

Conference / Medium

SP
45th IEEE Symposium on Security and Privacy (SP)45th IEEE Symposium on Security and Privacy

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page

Year 2023

2023-02

A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites

Conference / Medium

NDSS
Network and Distributed System Security (NDSS) Symposium 2023Network and Distributed System Security (NDSS) Symposium 2023

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page
2023-01-19

TALUS: Reinforcing TEE Confidentiality with Cryptographic Coprocessors

Conference / Medium

FC
Financial Cryptography and Data Security 2023Financial Cryptography and Data Security - 27th International Conference, FC 2023

Tags
Reliable Security Guarantees Threat Detection and Defenses
Authors
Download Visit Detail Page

Year 2021

2021-08-11

Explanation Beats Context: The Effect of Timing & Rationales on Users’ Runtime Permission Decisions

Conference / Medium

USENIX-Security
USENIX Security '21USENIX Security '21

Tags
Threat Detection and Defenses Secure Connected and Mobile Systems
Authors
Download Visit Detail Page
2021-08-11

A11y and Privacy don’t have to be mutually exclusive: Constraining Accessibility Service Misuse on Android

Conference / Medium

USENIX-Security
30th USENIX Security Symposium30th USENIX Security Symposium (USENIX Security 21)

Tags
Threat Detection and Defenses
Authors
Download Visit Detail Page

PROJECTS

CURRENT PROJECTS

User-delegated privileges, permissions in Android's jargon, form a central component of mobile system' privacy protection. To protect the users' privacy and ensure the system's security, it is paramount that users are able to correctly grant privileges to apps as well as that app developers know how to correctly use and request permissions. In this line of work, we investigate whether app developers have adopted to the runtime permission model of Android and if users' understand how to make use of it.

Further, a second central line of work is to redesign the permission model to allow defensive programming with app compartmentalization and least-privilege execution. Android's permission model currently upholds the notion of an "ambient authority" in which all components of an app inherit the same privileges, which prevents efficient privilege separation of particular components (e.g., advertisement libs). We proposed replacing permissions with object capabilities (Dawoud and Bugiel 2019), which allow a more fine-grained, efficient management of permissions, and show that capabilities fit very well into the design of mobile systems like Android.

The Android middleware has been a popular target for security extensions over the last few years. For instance, context-aware policies, DRM-like solution, developer-centric policies, or generic mandatory access control infrastructures have been brought forward, just to name a few. However, almost no consideration has been given on how to analyze or security test the large, highly complex code base of the Android middleware. In this project, we advance the state-of-the-art of analysis and security testing to enable various security- and privacy-focused investigations, such as permission mapping (Backes et al. 2016), fuzzing, or placement of access control hooks.

While the majority of Android security research has focused on the platform, market operators, and end-users as primary security principals, the Android ecosystem consists of many more stakeholders that have a (sometimes significant) influence on the security state of the overall ecosystem. (Acar et al. 2016) In this project, we investigate and quantify this influence of third-party stakeholders (Backes, Bugiel, and Derr 2016; Derr et al. 2017; Oltrogge et al. 2018) and propose new techniques and workflows that improve the overall security state of the Android ecosystem (Huang et al. 2017; Huang et al. 2019).

The LibScout tool as part of this research has been made publicly available at github.

PAST PROJECTS

Android Security Framework (ASF) is a generic, extensible security framework for Android that enables the development and integration of a wide spectrum of security models in form of code-based security modules. The design of ASF reflects lessons learned from the literature on established security frameworks (such as Linux Security Modules or the BSD MAC Framework) and intertwines them with the particular requirements and challenges from the design of Android’s software stack. ASF provides a novel security API that supports authors of Android security extensions in developing their modules. This overcomes the current unsatisfactory situation to provide security solutions as separate patches to the Android software stack or to embed them into Android’s mainline codebase. As a result, ASF provides different practical benefits such as a higher degree of acceptance, adaptation, and maintenance of security solutions than previously possible on Android. We present a prototypical implementation of ASF and demonstrate its effectiveness and efficiency by modularizing different security models from related work, such as context-aware access control, inlined reference monitoring, and type enforcement.

Source code, example security modules, and documentation can be retrieved from the project website.