Themen

• Your own topic – English only

You have the possibility until the beginning of the semester to come up with your own topic and find a supervisor who is willing to mentor more students.

✘ Pattern-Selection Methods – English only

Security and Privacy engineering have gained a lot of attention recently. Many methodologies and tools have been proposed to assist practitioners coming up with secure and privacy-enhanced systems. Security and privacy patterns are considered among the backbones to introduce such systems.
In this seminar, you will investigate the current selection methods to select suitable and fitting security and privacy patterns according to, e.g., their properties and the system's context they are envisioned to be deployed in. According to the analysis you carry on, you are expected to have a clear overview of what propoerties such selection-methods are based on and how patterns were classified accordingly.

✘ Network Security Breaches – English only

The goal of this seminar is the outlining of popular network security breaches (2-3 examples).  Subsequently, state-of-the-art protection or detection approaches against these presented breaches should be explained.

Leonard Bradatsch

✘ First Packet Authentication / Firewall Poking / Single Packet Authentication – English only

All three of the above stated techniques describe an authentication process that starts with the very first packet a client sends to an network entry node when entering a network or accesing a service. This kind of authentication can be performed without having the communication parties any messages exchanged before the authentication happened.
The seminar paper should describe these techqniues and should outline the different existing approaches to perform such a first packet authentication.

Leonard Bradatsch

✘ SimGrid – English only

The increased popularity of distributed systems over the last years also increased the need for test environments to evaluate and validate distributed applications.
Unfortunately, the setup of a distributed system for application testing is expensive and time consuming. A solution for this problem is frameworks that are able to simulate a distributed system or at least their requirements. Such a simulation framework is SimGrid.
The goal of this seminar is to outline the functionalities of SimGrid, its advantages and drawbacks and also how it is used in application development.

Eugen Frasch

✘ Real-Time in Distributed Systems – English only

The term "Real-Time" is one of the most confusing terms in computer-science. However from spaceflight to medical systems real-time systems have an high impact on our daily life.
This seminar should have a closer look to real-time distributed systems and their development process.

Eugen Frasch

✘ OpenWorm – English only

The OpenWorm project is an international open science project, working on a complete simulation of a multicellular organism called Caenorhabditis elegans. This roughly 1mm long worm was the first animal that had its whole genome fully sequenced, and is also, as of today, the only organism of which the full 'connectome' is known, i.e., of which the full map of all connections of its 302 neurons has been mapped. A full simulation of the worm's neural network as well as creating a full model of the physical movement of the worm are among the project's goals, and have spurred the creation of dedicated physics engines aimed at simulating biological systems.
This seminar should give a brief overview of the entire OpenWorm project, its current status and recent activities, and further present one of its core concepts (e.g., the simulation engine, or the neurological simulation model, etc.) in greater detail.

Gerhard Habiger

✘ Swarm Intelligence – English only

Swarm intelligence is a hot topic especially in robotics and UAV research. With multiple cooperative agents, it is possible to solve tasks that would otherwise be infeasible or very costly to achieve.
The goal of this seminar is to give an introduction to swarm intelligence and to examine further aspects of reasearch in this area in more detail. The focus could be on security, safety and/or privacy of robotic swarm agents, but the seminar is not strictly limited to this direction.

✘ Break-glass Access Control Systems in Medical Devices – English only

With health-related data being considered as very sensitive under the EU's General Data Protection Law and medical devices performing life-critical operations on the human body, we expect data and functionalities in healthcare devices to be secured in the best way possible by encryption, pseudonymization and access control among others.
In the case of emergency, however, break-glass mechanisms may be needed to bypass security mechanisms that would otherwise prevent proper treatment.
The goal of this seminar is to introduce modern break-glass access control mechanisms used in healthcare and discuss their implications on security, safety and privacy.

Matthias Matousek

• Surveying Peripheral Sensors in Context of Mobile Crowdsensing – English only

In this seminar report, the students are required to survey the current state of peripheral sensors that can be coupled with smartphones to further accurate the mobile crowdsensing applications. These peripheral sensors can be coupled with smartphones using Bluetooth technology or wifi. The students would be further required to study the current state of coupling technologies. In addition to the general perspective, the students will survey the peripheral sensors, their technology, and limitations within the context of mHealth (mobile health).

Muntazir Mehdi

✘ State of the Art of Web Application Security – English only

The field of web applications is constantly and rapidly evolving, but so are attacks targeting them. For this reason the World Wide Web Consortium (W3C) assembled a working group to develop technical and policy mechanisms to improve the security for applications on the Web. In recent years, this Web Application Security Group proposed various drafts for mechanisms of which some have been refined into W3C recommendations and are now implemented in all major browsers  (such as CSP and SRI). The establishment of Let's Encrypt layed the ground stone of a widespread adoption of TLS, which was further refined in TLS 1.3 and supplemented by new technologies, such as certificate transparency (CT).
This seminar should give an overview of and discuss W3C recommendations, other developments in the area of web application security, and practical implications for current web applications.

✘ Trusted Execution Environments – English only

Trust management is a central aspect of computer security. For instance, an operating system uses sandboxes to protect itself and other applications from viruses and malicious software, and cryptography is used to protect data in transit and at rest. With the advent of cloud computing, even the hardware that executes a particular software is not always considered trustworthy. Trusted Execution Environments (TEEs) try to relieve of the need to fully trust the hardware, by adding a secure area to the CPU that can guarantee code/data confidentiality and integrity through cryptographic means. Hence, protecting an application from untrusted hardware, software, and even privileged attackers (i.e., the operating system). Several TEE implementations can already be used today, such as Intel SGX and ARM TrustZone. While the former proprietary implementations often expect trust in the vector, open-source alternatives that address this weak point are already in development. 
In this seminar, you will investigate TEEs, highlight use-cases for this technology, and compare prominent representatives for their features and shortcomings.

Echo Meißner

✘ Quaternions and their Application in Computer Science – English only

Quaternions are the next extension of complex numbers which are complete regarding multiplication and division. They are often shown using three imaginary units: i,j and k. Quaternions are useful to describe rotations and motions in 3D space and are therefore applied in a variety of computer science fields, e.g., 3D game engines and robotics.
The seminar should convey a sensible understanding of quaternions and how to interpret them, as well as give an overview of their applications in computer science.

David Mödinger

✘ Time constraints of Security in CACC – English only

One application of Corporate Adaptive Cruise Control (CACC) is platooning where vehicles drive very close after each other to reduce the air resistance and therefore reduce fuel consumption. This, however, comes with safety risks due to the reduced distance gap to the following vehicle and therefore reduced reaction time. If the vehicles drive 100 km/h (~30m/s), a safety distance of 50m is required by German law. When this distance is now reduced to 10m or less in CACC, only a third of a second reaction time is available. During this time, a message send from the leading vehicle, needs to be processed by both vehicles, the leading and the ego vehicle. E.g. by encrypting, signing, verifying, ...
Your task is to look at the time each task will take (theoretically and if possible practically) and evaluate if it is enough time to execute these steps with proper security in mind.

Michael Wolf

✘ Multi Agent Based Simulations – English only

PaySim, a Mobile Money Payment Simulator simulates money transactions between users based on Multi Agent Based Simulation (MABS). It also generates data that can be used to test algorithms which should detect suspicious activities or fraud. This generated data is based on real financial data, which cannot be published for security reasons. In order to use or train the detection algorithms on real data, the synthetic information should be as similar as possible to the real one but not exactly the same.
Your job is to present an overview of MABS, what they are and how they are used.

Michael Wolf

✘ Secure Multi-Party Computation – English only

The goal of Secure Multi-Party Computation (MPC) is to enable parties to work together without ever knowing one another's confidential information. It plays an important role in solving security and privacy issues and there are many examples of where it can be helpful.
The aim of this seminar is to investigate MPC with respect to both theoretical and practical aspects and look at uses in real world applications.

Migena Ymeraj

✘ Distributed Machine Learning – English only

Due to the poor scalability and efficiency of learning algorithms, Machine Learning cannot handle large-scale data. This issue gave rise to Distributed Machine Learning. Even though it is a promising line of research, it still faces a lot of challenges.
The goal of this seminar is to discover the importance of Distributed Machine Learning, while comparing it with traditional Machine Learning environments and investigating its challenges.

Migena Ymeraj

✘ Protocol Identification – English only

Network management and security require knowledge about the communication in transit to make meaningful decisions. An example for this is a network intrusion detection system that needs to decide about benign and malicious network traffic based only on the observable protocol packets. Proprietary encapsulation, encryption, missing
protocol specification, and privacy concerns often do not allow for deep packet inspection and therefore prevent recognition of the full variance of observed protocols. Protocol Identification (PI) is an approach to be able to identify the type of protocol in network communications based on alternative methods, such as statistical analyses.
The goal of this seminar topic is to determine and discuss common methods in PI and the quality of results they currently can provide.

Stephan Kleber (Daimler TSS)

✘ Differential Cryptanalysis – English only

Modern symmetric encryption algorithms such as AES use alternating permutations and substitutions in order to achieve the notions of confusion and diffusion. The  substitutions - essentially a lookup table - are the only nonlinear operations. In differential cryptanalysis these substitution components, or s-boxes, are analyzed by tracking the operations of the encryption on a difference of input data. In an ideal cipher, given a fixed input difference, any possible output difference has the same probability of  occurrence. However that is mathematically impossible. If the deviations from the ideal probability are too large, the encryption key can be recovered using a chosen plaintext  attack.
In the seminar, the basics of differential cryptanalysis of a single round cipher should be explained, together with the necessary background. Interested students may  explain how to extend the attack to multiple rounds.

Henning Kopp (Schutzwerk GmbH)

✘ Trusting Trust Revisited: Preventing Software Supply Chain Attacks Using Modern Methods – English only

Ken Thompson's famous 1984 Turing Award Lecture on trusting your compiler is still relevant today, perhaps more than ever. XcodeGhost showed that these attacks are not just theory, and the Snowden documents tell us that not only criminals are considering these attacks.
Diverse Double Compilation and Reproducible Builds have been proposed to detect such attacks, and various projects have started performing reproducibility testing. For example, Debian has now reached 94.5 % reproducibility in its package archive for the bullseye version. However, trusting a central party to certify that software is reproducible may not be sufficient in defense against state actors. Mechanisms similar to certificate transparency for TLS certificates, such as CHAINIAC, have been proposed to achieve the same transparency goals for software udpates.
What current state of the art mechanisms exist to defend against software supply chain attacks? Where do those mechanisms have gaps and/or require significant effort by trusted notaries or volunteers? What practical problems prevent us from building everything reproducible?

Clemens Lang (BMW Car IT)

✘ An Introduction to Elliptic Curve Cryptography and ECDSA – English only

Elliptic Curve Cryptography (ECC) has become a prominent alternative to classical asymmetric crypto systems. Due to the mathematical properties of elliptic curves, key lengths can typically be shorter at the same security level compared to, e.g., RSA. This makes ECC particularly interesting for low-power devices in IoT applications or can reduce network load.
Your work should give an overview of the basic mathematical principles behind elliptic curve cryptography and show similarities to already existing cryptography systems (e.g., DSA and ECDSA). Moreover, the past decade has shown that ECDSA is a relatively fragile crypto algorithm. Although ECDSA is not broken if used correctly, there are many things that can go wrong around parameter selection. Your work should provide an overview of the known problems, an outlook towards the recent LadderLeak problem and what the EdDSA algorithm does differently in order to reduce this problematic aspect of EC-cryptography.

✘ Zero Trust Networks – English only

Traditional security infrastructures rely heavily on a perimeter based security model, which creates a perimeter between an untrusted zone (usually the internet) and a trusted zone (usually the internal network). However, this security model has a few disadvantages, such as the ability to deal with insider attacks, and attackers that have breached the perimeter and have gained access to the trusted network zone. An alternative concept are zero trust networks, which treat the entire network as untrusted.
The goal of this seminar is to give an overview of zero trust networks and discuss its strengths and weaknesses, as well as existing concepts and implementations.

Dominik Lang (ditis)

✘ Vehicular Intrusion Detection – What can we learn from Network IDS? – English only

Intrusion Detection Systems (IDS) in Networks have a long tradition and are an essential tool to detect and, in many cases, also defend against attacks. With increasingly complex intra-vehicular networks, IDS are also becoming more and more common within vehicles. However, the characteristics of these networks vary considerably and the transferability of experience is accordingly limited.
In this seminar, we want to look into what we can learn from other Intrusion Detection Systems and what can be transferred to the automotive realm.

Thomas Lukaseder (Escrypt)

Sorted by Topics

AI / ML
- Distributed Machine Learning (Migena Ymeraj)
- OpenWorm (Gerhard Habiger)
- Swarm Intelligence (Matthias Matousek)

Automotive
- Time constraints of Security in CACC (Michael Wolf)
- Vehicular Intrusion Detection – What can we learn from Network IDS? (Thomas Lukaseder)

Privacy and Computer Science
- Pattern-Selection Methods (Ala'a Al-Momani)
- State of the Art of Web Application Security (Echo Meißner)
- Quaternions and their Application in Computer Science (David Mödinger)
- Trusting Trust Revisited: Preventing Software Supply Chain Attacks Using Modern Methods (Clemens Lang BMW)

Cryptography
- Trusted Execution Environments (Echo Meißner)
- Secure Multi-Party Computation (Migena Ymeraj)
- An Introduction to Elliptic Curve Cryptography and ECDSA (Martin Lang BMW)
- Differential Cryptanalysis (Henning Kopp Schutzwerk)

Distributed Systems
- SimGrid (Eugen Frasch)
- Real-Time in Distributed Systems (Eugen Frasch)
- Surveying Peripheral Sensors in Context of Mobile Crowdsensing (Muntazir Mehdi)

Network Security
- Protocol Identification (Stephan Kleber)
- Network Security Breaches (Leonard Bradatsch)
- First Packet Authentication / Firewall Poking / Single Packet Authentication (Leonard Bradatsch)
- Zero Trust Networks (Dominik Lang)