Stephan Kleber

Stephan Kleber graduated from his studies of computer science at the University of Ulm in 2011 as Master of Science. Until 2012, he worked at the data processing service center of the University Medical Center Ulm (ZIK). During this time he also supervised courses and theses at the Institute of Media Informatics in the areas IT-Security and Privacy. 2012/2013 he worked in cooperation with the Institute of Information Resource Management and the Institute of Distributed Systems as research assistant in the bwGRiD-Portalproject.

Since 2013, he is research assistant at the Institute of Distributed Systems.


I am interested in Security and Privacy in IT-Systems in general.

My emphasis lies in the areas:

  • Analysis of network protocols and Protocol Reverse Engineering
  • Usage of Physical(ly) Unclonable Functions (PUFs)
  • Security of wireless communications, especially of Implantable Medical Devices (IMDs)

Besides that my further interests are:

  • Security and forensics of mobile devices
  • Privacy implications on unsing mobile devices
  • Malware analyses
  • Penetration testing
  • Security of web technologies

Since 2008 I participated in the iCTF of UCSB with the team Ulm Security Sparrows of the University of Ulm on a regular basis.


Kleber, Stephan; Unterstein, Florian; Hiller, Matthias; Slomka, Frank; Matousek, Matthias; Kargl, Frank; Bösch, Christoph
Secure Code Execution: A Generic PUF-driven System Architecture
21st Information Security Conference
October 2018

Abstract: In his invited talk, joint between CHES 2016 and CRYPTO 2016 on the Future of Embedded Security, Paul Kocher suggested to move the security into chips because hardware is the lowest level and thus security can not be compromized by a lower layer. In this paper, we propose a generic PUF-driven secure code execution architecture that employs instruction-level code encryption. Our design foresees a tight integration of a Physically Unclonable Function (PUF) and the decryption of encrypted program code directly inside the processor’s instruction pipeline to avert revealing keys or decrypted code in externally accessible registers or memory. The architecture prevents code-injection by executing only code encrypted for individual target CPUs, has an adaptable impact on performance, and requires only minor changes to the software development process. Our PUF-based code encryption defends also from reverse engineering attempts and enforces IP protection. A proof-of-concept implementation demonstrates the feasibility of our proposed architecture.

Lukaseder, Thomas; Stölzle, Kevin; Kleber, Stephan; Erb, Benjamin; Kargl, Frank
An SDN-based Approach For Defending Against Reflective DDoS Attacks
Proceedings of the 43rd IEEE Conference on Local Computer Networks
October 2018

Abstract: Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.

Kleber, Stephan; Kopp, Henning; Kargl, Frank
NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages
12th USENIX Workshop on Offensive Technologies, WOOT 18, Baltimore, MD, USA, August 13-14, 2018
Publisher: USENIX Association,
August 2018

Abstract: Protocol reverse engineering based on traffic traces allows to analyze observable network messages. Thereby, message formats of unknown protocols can be inferred. We present a novel method to infer structure from network messages of binary protocols. The method derives field boundaries from the distribution of value changes throughout individual messages. None of many previous approaches exploits features of structure which are contained within each single message. Our method exploits this intrinsic structure instead of comparing multiple messages with each other. We implement our approach in the tool NEMESYS: NEtwork Message SYntax analysiS. Additionally, we introduce the Format Match Score: the first quantitative measure of the quality of a message format inference. We apply the Format Match Score to NEMESYS and a previous approach and compare the results to mutually validate our new format inference method and the measure of its quality.

Kleber, Stephan; Maile, Lisa; Kargl, Frank
Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis
IEEE Communications Surveys and Tutorials, tba.

Abstract: Knowledge about a network protocol to understand the communication between entities is necessary for vulnerability research, penetration testing, malware analysis, network reconnaissance, and network modeling. Traffic analysis is one approach to infer a protocol. This approach shares common challenges, tasks, methods, and solutions. In this survey, we collect tools proposed by previous work in the research field of protocol reverse engineering by static traffic trace analysis. We dissect each tool to discern the individual mechanisms and the algorithms they are based on. Thereby, we categorize and contrast these mechanisms and algorithms that are used in static traffic trace analysis to discuss how successful they were applied in each case. We compared classification schemes for protocol reverse engineering to structure our discussion about the tools. We present and discuss an explicit process model for static traffic trace analysis revealing the common structure of the decomposed tools and frameworks from previous research. By discussions about the algorithms applied within each tool for each process task, we show relations between tools, methods, and the process. We validate our model by applying it to each of the tools, followed by an outline of the utility of protocol reverse engineering. Starting out from the process description, we deduce which solutions and algorithms have already been investigated and where challenges remain so that novel solutions need to be searched for in the future. Regarding the whole field of protocol reverse engineering, it is a prevalent problem that only very few implementations of tools and frameworks are publicly available.

Kleber, Stephan; Ferdinand Nölscher, Henrik; Kargl, Frank
Automated PCB Reverse Engineering
11th USENIX Workshop on Offensive Technologies, WOOT 17
USENIX Association
August 2017
Kleber, Stephan; Unterstein, Florian; Matousek, Matthias; Kargl, Frank; Slomka, Frank; Hiller, Matthias
Design of the Secure Execution PUF-based Processor (SEPP)
Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, TRUDEVICE 2015
September 2015

Abstract: A persistent problem with program execution is its vulnerability to code injection attacks. Equally unsolved is the susceptibility of software to reverse engineering, which undermines code confidentiality. We propose an approach that solves both kinds of security problems by employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface, as well as the performance impact, and requires no significant changes to the software development process. Our approach supports distributed systems, as the secure execution environment needs not be physically available to the developer.

Kleber, Stephan; Unterstein, Florian; Matousek, Matthias; Kargl, Frank; Slomka, Frank; Hiller, Matthias
Secure Execution Architecture based on PUF-driven Instruction Level Code Encryption
July 2015

Abstract: A persistent problem with program execution, despite numerous mitigation attempts, is its inherent vulnerability to the injection of malicious code. Equally unsolved is the susceptibility of firmware to reverse engineering, which undermines the manufacturer's code confidentiality. We propose an approach that solves both kinds of security problems employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our novel Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface, as well as performance impact, and requires no significant changes to the development process. This is possible based on a tight integration of a PUF directly into the processor's instruction pipeline. Furthermore, cloud scenarios and distributed embedded systems alike inherently depend on remote execution; our approach supports this, as the secure execution environment needs not to be locally available at the developers site. We implemented an FPGA-based prototype based on the OpenRISC Reference Platform. To assess our results, we performed a security analysis of the processor and evaluated the performance impact of the encryption. We show that the attack surface is significantly reduced compared to previous approaches while the performance penalty is at a reasonable factor of about 1.5.

Kleber, Stephan; van der Heijden, Rens W.; Kopp, Henning; Kargl, Frank
Terrorist fraud resistance of distance bounding protocols employing physical unclonable functions
Networked Systems (NetSys), 2015 International Conference and Workshops on , page 1-8.
Publisher: IEEE,
March 2015

Abstract: Distance bounding protocols (DBPs) are security protocols that aim to limit the maximum possible distance between two partners in a wireless communication. This enables to ensure locality of interaction between two devices. Despite numerous proposed protocols, recent analyses of DBPs have shown the majority of them to be susceptible to attacks. Most prominent among the unsolved security problems of DBPs is terrorist fraud. This type of attack involves collaboration with a legitimate device, after which the attacker can successfully execute the protocol. We show how terrorist fraud can be prevented by replacing shared secrets - commonly used in classical DBPs - with physical unclonable functions (PUFs). Our new approach can be integrated in all current DBPs with minor modifications. We offer two alternate designs: One utilizing challenge-response PUFs and another using so-called SIMPL systems, a PUF-analogue to public-key cryptography. We use a security model proposed by previous work to demonstrate security of our scheme.

Patzlaff, Heiko; Kleber, Stephan
Working Groups Report: Cyberforensics
In Marc Dacier and Frank Kargl and Hartmut König and Alfonso Valdes, editor, Network Attack Detection and Defense: Securing Industrial Control Systems for Critical Infrastructures Volume 14292 of Report from Dagstuhl Seminar
Chapter 5.4, page 75--77.
Publisher: Dagstuhl Publishing, Germany,


Supervision of theses

Gladly, I take the supervision of bachelor's, master's and diploma theses from any area of my research. Suggested topics can be found under Theses. Own propositions are welcome.

Excercises for Lectures

(Pro-)Seminars, Praktica und Project Modules


Please make an appointment by email.