Kolloquium des Studiendekanats Elektrotechnik, Informatik und Mathematik (EIM)

Das Studiendekanat Elektrotechnik, Informatik und Mathematik der Technischen Universität Hamburg (TUHH) freut sich, im Rahmen seines Kolloquiums eine weitere Antrittsvorlesung und einen Forschungsvortrag aus dem Bereich der Avionik mit der gesamten TUHH und mit der Öffentlichkeit teilen. Dieses Kolloquium des Dekanats EIM beginnt am

Freitag, den 5. November 2021 ab 14:00 Uhr

mit folgendem kurzen Programm:

•   14:00 Uhr: Antrittsvorlesung „Software Security Challenges in the 2020s“.
Prof. Riccardo Scandariato, Institut für Software-Sicherheit, Technische Universität Hamburg (TUHH)

•   14:45 Uhr: Security Above the Clouds – Protecting Aircraft Information Systems.
Dr. Timo Warns, Technical Information Security Consultant, Airbus Hamburg

Alle Vorträge werden mittels Zoom live für die Öffentlichkeit über das Internet übertragen, interessierte Personen können sich zum Erhalt der Zugangsdaten hier anmelden: https://lists.tuhh.de/sympa/subscribe/kolloq.eim

Software Security Challenges in the 2020s

A car, a smartphone, a voice activated home assistant, an industrial control system. What do these systems have in common? They all run on software and they all have been affected by major cybersecurity issues in the recent past. The cyber-physical world is dominated by software and software plays a major economical role for business enterprises and has a tangible impact on people’s life-styles. As such, it has become crucial that software not only provides innovative features but is also capable of being robust and resilient to cyber-attacks. Unfortunately, as shown in Figure 1, software is plagued by an ever-growing number of security issues, a.k.a., vulnerabilities. The Software Engineering Institute estimates that 90 percent of reported security incidents result from exploits against defects in either the design or the implementation code of software.

Riccardo Scandariato leads the new Institute of Software Security at TUHH, where his team applies an inter-disciplinary approach to create innovative tools and techniques to design and implement secure and privacy-friendly applications. His target application domains are micro-services, Internet-of-Things (IoT) ecosystems, and cyber-physical systems. While Riccardo’s main interest is in the technical aspects of software security, he also investigates how security techniques can be made more effective and usable by the developers. His core research topics are:

·         Model-based security

·         Threat and risk analysis

·         Program repair for software security

·         Prediction of software vulnerabilities

·         Benchmarking of security features

·         Usable security and privacy

In this inaugural lecture titled “Software Security Challenges in the 2020s”, Riccardo Scandariato will present the cybersecurity challenges that are emerging due to the adoption of new paradigms for software development (e.g., fast-paced development, software ecosystems, micro-components, Infrastructure-as-Code). He will illustrate how traditional security assurance techniques might be insufficient to cope with the above-mentioned challenges.

In the first part, the talk will discuss the well-known concept of “shifting security left”, i.e., the principle of moving security sooner in the development process in order to address security threats as early as the conceptualization phase, when the software requirements are defined and the software architecture emerges. In this respect, several model-based security techniques have been defined, and a few will be briefly reviewed in this talk. The talk will problematize the adoption of these techniques in the context of the emerging trends of software ecosystems, fast paced development and complex software supply chains. The talk will also illustrate how traceability can be leveraged to mitigate some of these challenges. Finally, the talk will discuss how these technical results can be applied to important and emerging domains, like IoT.

In the second part of the talk, we move the gaze to the later stages of the software development and focus on the problem of locating and repairing vulnerabilities. Although there is a wealth of code scanning tools, the scope of vulnerabilities is increasingly growing beyond implementation code and is impacting the software configuration, especially due to the Infrastructure-as-Code paradigm. The talk will discuss the use of machine learning as means to define lightweight vulnerability location techniques. Although promising, these techniques are still afflicted by erratic performance and deserve further research. An additional challenge in this area is represented by the inadequacy of developers when it comes to recognizing and fixing vulnerabilities. This aspect is confirmed by surveys and empirical studies, which will be briefly reviewed here. In this respect, the talk will conclude by discussing some interesting research directions towards more powerful techniques to automatically repair vulnerabilities, which might provide a better support for developers.


Security Above the Clouds – Protecting Aircraft Information Systems

Aircraft and their avionics are getting increasingly interconnected, which, while bringing numerous advantages, also increases both complexity and the surface to security threats. The mitigation of such threats is paramount to maintain aircraft operations and airworthiness. Aircraft information security is the discipline of mitigating aircraft security risks resulting from intentional unauthorized electronic interactions. It relies on processes and principles put in place by the civil aviation community for threat identification and mitigation and for the demonstration of airworthiness in the presence of threats. The presentation gives an overview on the aircraft security threat landscape, the processes and methods in place to address the associated risks, and the concepts and principles underlying today's aircraft information security architectures.

Dr. Timo Warns is an Expert on Aircraft Information Security Architectures at Airbus since 2017 with more than 10 years of experience in this domain. He is an active contributor to different aviation standards developing organizations (ICAO, RTCA, EUROCAE, AEEC). Before working as a security engineer and technical information security consultant, he was awarded a Doctorate degree on fault-tolerant, distributed computing in 2009 by the University of Oldenburg, Germany, where he also completed his studies in Computer Science.