Stephan Kleber

Stephan Kleber schloss sein Informatikstudium an der Universität Ulm im Jahr 2011 mit dem Master of Science ab. Bis 2012 arbeitete er im Rechenzentrum des Universitätsklinikums Ulm (ZIK). In dieser Zeit betreute er auch Lehrveranstaltungen und Abschlußarbeiten im Institut für Medieninformatik im Bereich IT-Security und Privacy. 2012/2013 arbeitete er in einer Kooperation zwischen dem Institut für Organisation und Management von Informationssystemen und dem Institut für Verteilte Systeme als akademischer Mitarbeiter am bwGRiD-Portalprojekt mit. Von 2013 bis 2018 war er akademischer Mitarbeiter im Institut für Verteilte Systeme.

Seit 2019 arbeitet Stephan Kleber als Security Architect bei Daimler TSS, während er seine Promotion vorantreibt.

Zur Zeit nimmt Stephan Kleber leider keine neuen Abschlussarbeiten zur Betreuung an.


Ich interessiere mich generell für Security und Privacy in IT-Systemen.

Meine Schwerpunkte liegen in den Bereichen:

  • Analyse von Netzwerkprotokollen und Protocol Reverse Engineering
  • Einsatz von Physisch(en) Unkopierbaren Funktionen - Physical(ly) Unclonable Functions (PUFs)
  • Sicherheit drahtloser Kommunikation, insbesondere bei Implantierbaren Medizingeräten (Implantable Medical Devices, IMDs)

Daneben bin ich auch interessiert an den Bereichen:

  • Security und Forensik von Mobilen Geräten
  • Privacyimplikationen bei der Nutzung Mobiler Geräte
  • Malware Analyse
  • Penetration Testing
  • Sicherheit von Web-Technologien

Seit 2008 nehme ich regelmäßig am iCTF der UCSB im Team Ulm Security Sparrows der Universität Ulm teil.


Kleber, Stephan; Maile, Lisa; Kargl, Frank
Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis
IEEE Communications Surveys and Tutorials, 21(1)
Februar 2019

Zusammenfassung: Knowledge about a network protocol to understand the communication between entities is necessary for vulnerability research, penetration testing, malware analysis, network reconnaissance, and network modeling. Traffic analysis is one approach to infer a protocol. This approach shares common challenges, tasks, methods, and solutions. In this survey, we collect tools proposed by previous work in the research field of protocol reverse engineering by static traffic trace analysis. We dissect each tool to discern the individual mechanisms and the algorithms they are based on. Thereby, we categorize and contrast these mechanisms and algorithms that are used in static traffic trace analysis to discuss how successful they were applied in each case. We compared classification schemes for protocol reverse engineering to structure our discussion about the tools. We present and discuss an explicit process model for static traffic trace analysis revealing the common structure of the decomposed tools and frameworks from previous research. By discussions about the algorithms applied within each tool for each process task, we show relations between tools, methods, and the process. We validate our model by applying it to each of the tools, followed by an outline of the utility of protocol reverse engineering. Starting out from the process description, we deduce which solutions and algorithms have already been investigated and where challenges remain so that novel solutions need to be searched for in the future. Regarding the whole field of protocol reverse engineering, it is a prevalent problem that only very few implementations of tools and frameworks are publicly available.

Anmerkung: (Firstquarter 2019) - Early Access: 2018-08-28

Kleber, Stephan; Unterstein, Florian; Hiller, Matthias; Slomka, Frank; Matousek, Matthias; Kargl, Frank; Bösch, Christoph
Secure Code Execution: A Generic PUF-driven System Architecture
21st Information Security Conference
Oktober 2018

Zusammenfassung: In his invited talk, joint between CHES 2016 and CRYPTO 2016 on the Future of Embedded Security, Paul Kocher suggested to move the security into chips because hardware is the lowest level and thus security can not be compromized by a lower layer. In this paper, we propose a generic PUF-driven secure code execution architecture that employs instruction-level code encryption. Our design foresees a tight integration of a Physically Unclonable Function (PUF) and the decryption of encrypted program code directly inside the processor’s instruction pipeline to avert revealing keys or decrypted code in externally accessible registers or memory. The architecture prevents code-injection by executing only code encrypted for individual target CPUs, has an adaptable impact on performance, and requires only minor changes to the software development process. Our PUF-based code encryption defends also from reverse engineering attempts and enforces IP protection. A proof-of-concept implementation demonstrates the feasibility of our proposed architecture.

Lukaseder, Thomas; Stölzle, Kevin; Kleber, Stephan; Erb, Benjamin; Kargl, Frank
An SDN-based Approach For Defending Against Reflective DDoS Attacks
Proceedings of the 43rd IEEE Conference on Local Computer Networks
Oktober 2018

Zusammenfassung: Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.

Kleber, Stephan; Kopp, Henning; Kargl, Frank
NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages
12th USENIX Workshop on Offensive Technologies, WOOT 18, Baltimore, MD, USA, August 13-14, 2018
Herausgeber: USENIX Association,
August 2018

Zusammenfassung: Protocol reverse engineering based on traffic traces allows to analyze observable network messages. Thereby, message formats of unknown protocols can be inferred. We present a novel method to infer structure from network messages of binary protocols. The method derives field boundaries from the distribution of value changes throughout individual messages. None of many previous approaches exploits features of structure which are contained within each single message. Our method exploits this intrinsic structure instead of comparing multiple messages with each other. We implement our approach in the tool NEMESYS: NEtwork Message SYntax analysiS. Additionally, we introduce the Format Match Score: the first quantitative measure of the quality of a message format inference. We apply the Format Match Score to NEMESYS and a previous approach and compare the results to mutually validate our new format inference method and the measure of its quality.

Kleber, Stephan; Ferdinand Nölscher, Henrik; Kargl, Frank
Automated PCB Reverse Engineering
11th USENIX Workshop on Offensive Technologies, WOOT 17
USENIX Association
August 2017
Kleber, Stephan; Unterstein, Florian; Matousek, Matthias; Kargl, Frank; Slomka, Frank; Hiller, Matthias
Design of the Secure Execution PUF-based Processor (SEPP)
Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, TRUDEVICE 2015
September 2015

Zusammenfassung: A persistent problem with program execution is its vulnerability to code injection attacks. Equally unsolved is the susceptibility of software to reverse engineering, which undermines code confidentiality. We propose an approach that solves both kinds of security problems by employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface, as well as the performance impact, and requires no significant changes to the software development process. Our approach supports distributed systems, as the secure execution environment needs not be physically available to the developer.

Kleber, Stephan; Unterstein, Florian; Matousek, Matthias; Kargl, Frank; Slomka, Frank; Hiller, Matthias
Secure Execution Architecture based on PUF-driven Instruction Level Code Encryption
Juli 2015

Zusammenfassung: A persistent problem with program execution, despite numerous mitigation attempts, is its inherent vulnerability to the injection of malicious code. Equally unsolved is the susceptibility of firmware to reverse engineering, which undermines the manufacturer's code confidentiality. We propose an approach that solves both kinds of security problems employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our novel Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface, as well as performance impact, and requires no significant changes to the development process. This is possible based on a tight integration of a PUF directly into the processor's instruction pipeline. Furthermore, cloud scenarios and distributed embedded systems alike inherently depend on remote execution; our approach supports this, as the secure execution environment needs not to be locally available at the developers site. We implemented an FPGA-based prototype based on the OpenRISC Reference Platform. To assess our results, we performed a security analysis of the processor and evaluated the performance impact of the encryption. We show that the attack surface is significantly reduced compared to previous approaches while the performance penalty is at a reasonable factor of about 1.5.

Kleber, Stephan; van der Heijden, Rens W.; Kopp, Henning; Kargl, Frank
Terrorist fraud resistance of distance bounding protocols employing physical unclonable functions
Networked Systems (NetSys), 2015 International Conference and Workshops on , Seite 1-8.
Herausgeber: IEEE,
März 2015

Zusammenfassung: Distance bounding protocols (DBPs) are security protocols that aim to limit the maximum possible distance between two partners in a wireless communication. This enables to ensure locality of interaction between two devices. Despite numerous proposed protocols, recent analyses of DBPs have shown the majority of them to be susceptible to attacks. Most prominent among the unsolved security problems of DBPs is terrorist fraud. This type of attack involves collaboration with a legitimate device, after which the attacker can successfully execute the protocol. We show how terrorist fraud can be prevented by replacing shared secrets - commonly used in classical DBPs - with physical unclonable functions (PUFs). Our new approach can be integrated in all current DBPs with minor modifications. We offer two alternate designs: One utilizing challenge-response PUFs and another using so-called SIMPL systems, a PUF-analogue to public-key cryptography. We use a security model proposed by previous work to demonstrate security of our scheme.

Patzlaff, Heiko; Kleber, Stephan
Working Groups Report: Cyberforensics
In Marc Dacier and Frank Kargl and Hartmut König and Alfonso Valdes, Editor, Network Attack Detection and Defense: Securing Industrial Control Systems for Critical Infrastructures Band 14292 aus Report from Dagstuhl Seminar
Kapitel 5.4, Seite 75--77.
Herausgeber: Dagstuhl Publishing, Germany,


Übungen zu Vorlesungen

(Pro-)Seminare, Praktika und Projektmodule

Stephan Kleber, M. Sc.

 Stephan Kleber, M. Sc.
Stephan Kleber, M. Sc.

Daimler TSS

Institut für Verteilte Systeme
Universität Ulm
Albert-Einstein-Allee 11
89081 Ulm


Vereinbart bitte per Email einen Termin mit mir