Institut für Verteilte Systeme
Unser Institut beschäftigt sich mit Themen wie Skalierbarkeit, Zuverlässigkeit, Sicherheit und Datenschutz, Selbstorganisation und Beherrschbarkeit von Komplexität in Verteilten Systemen in einer Vielzahl von Einsatzszenarien wie Cloud-Computing oder Fahrzeug-Fahrzeug-Kommunikation.
In der Lehre decken wir das gesamte Spektrum von Rechnernetzen, über verteilte Systeme bis hin zu Sicherheit und Privacy-Schutz ab.
Ältere News finden Sie im Archiv.
Unsere letzten Publikationen
Secure Code Execution: A Generic PUF-driven System Architecture
21st Information Security Conference
Zusammenfassung: In his invited talk, joint between CHES 2016 and CRYPTO 2016 on the Future of Embedded Security, Paul Kocher suggested to move the security into chips because hardware is the lowest level and thus security can not be compromized by a lower layer. In this paper, we propose a generic PUF-driven secure code execution architecture that employs instruction-level code encryption. Our design foresees a tight integration of a Physically Unclonable Function (PUF) and the decryption of encrypted program code directly inside the processor’s instruction pipeline to avert revealing keys or decrypted code in externally accessible registers or memory. The architecture prevents code-injection by executing only code encrypted for individual target CPUs, has an adaptable impact on performance, and requires only minor changes to the software development process. Our PUF-based code encryption defends also from reverse engineering attempts and enforces IP protection. A proof-of-concept implementation demonstrates the feasibility of our proposed architecture.
An SDN-based Approach For Defending Against Reflective DDoS Attacks
Proceedings of the 43rd IEEE Conference on Local Computer Networks
Zusammenfassung: Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.
Mitigation of Flooding and Slow DDoS Attacks in a Software-Defined Network
Proceedings of the 43rd IEEE Conference on Local Computer Networks (Demo Track)
Zusammenfassung: Distributed denial of service (DDoS) attacks are a constant threat for services in the Internet. This year, the record for the largest DDoS attack ever observed was set at 1.7 Tbps. Meanwhile, detection and mitigation mechanisms are still lacking behind. Many mitigation systems require the assistance by the victim — or the victim’s administrator themself has to become active to mitigate attacks. We introduced a system that can detect attacks, identify attackers, and mitigate the attacks purely within the network infrastructure. With the improved flexibility of software-defined networks, new possibilities to mitigate such attacks can be implemented. In addition to our short paper on the mitigation of reflective DDoS attacks on LCN 2018 , we also like to demonstrate our work on mitigating flooding attacks presented at LCN 2017  and our mitigation of slow DDoS attacks . In our demo, we show how these systems can be combined and how they work when faced with such different attacks.
Resource-Efficient State-Machine Replication with Multithreading and Vertical Scaling
Proceedings of the 14th European Dependable Computing Conference (EDCC)
Zusammenfassung: State-machine replication (SMR) enables transparent and delayless masking of node faults. It can tolerate crash faults and malicious misbehavior, but usually comes with high resource costs, not only by requiring multiple active replicas, but also by providing the replicas with enough resources for the expected peak load. This paper presents a vertical resource-scaling solution for SMR systems in virtualized environments, which can dynamically adapt the number of available cores to current load. In similar approaches, benefits of CPU core scaling are usually small due to the inherent sequential execution of SMR systems in order to achieve determinism. In our approach, we utilize sophisticated deterministic multithreading to avoid this bottleneck and experimentally demonstrate that core scaling then allows SMR systems to effectively tailor resources to service load, dramatically reducing service provider costs.
NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages
12th USENIX Workshop on Offensive Technologies, WOOT 18, Baltimore, MD, USA, August 13-14, 2018
Herausgeber: USENIX Association,
Zusammenfassung: Protocol reverse engineering based on traffic traces allows to analyze observable network messages. Thereby, message formats of unknown protocols can be inferred. We present a novel method to infer structure from network messages of binary protocols. The method derives field boundaries from the distribution of value changes throughout individual messages. None of many previous approaches exploits features of structure which are contained within each single message. Our method exploits this intrinsic structure instead of comparing multiple messages with each other. We implement our approach in the tool NEMESYS: NEtwork Message SYntax analysiS. Additionally, we introduce the Format Match Score: the first quantitative measure of the quality of a message format inference. We apply the Format Match Score to NEMESYS and a previous approach and compare the results to mutually validate our new format inference method and the measure of its quality.