<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0">
  <channel>
    <title>TU Wien Cybersecurity center</title>
    <link>https://cysec.wien/</link>
    <description></description>
    <generator>Hugo static site builder</generator>
    <language>en</language>
    <lastBuildDate>Thu, 14 May 2026 05:22:07 +0200</lastBuildDate>
    <item>
      <title>CySec Kick-Off</title>
      <link>https://cysec.wien/news/2024-04-18_kick_off/agenda/</link>
      <description>Location: TU Wien, TUtheSky (BA11B09)
Date/Time: 2024-04-18 15:00
Agenda
15:00 Coffee Meeting
15:30 Opening speech
Co-Director of the Cybersecurity Center, Univ. Prof. Dr. Matteo Maffei
15:33 Welcome Address
Vice Rectorate Digitalisation and Infrastructure, Univ. Prof. Dipl.-Ing. Dr.techn. Wolfgang Kastner
Dean of the Faculty of Informatics, O. Univ. Prof.in Dipl.-Ing.in Mag.a Dr.in techn. Gerti Kappel
Co-Director of the Cybersecurity Center, Univ. Prof.in Dipl.-Ing.in Dr.-Ing.in Tanja Zseby
15:45 Presentation of the TUW Cybersecurity Center
Co-Director of the Cybersecurity Center, Univ. Prof. Dr. Matteo Maffei
16:00 Keynote &amp;ldquo;The Business of Proof&amp;rdquo;
Speaker: Prof. Dr. Byron Cook, Vice President and Distinguished Scientist at Amazon AWS
Moderation: Univ.Prof.in Dr.in techn. Laura Kovacs
16:45 Coffee Break
17:00 Keynote &amp;ldquo;Formal Methods at Microsoft: Secure and Reliable Programs for Everyone, Everywhere&amp;rdquo;
Speaker: Prof. Dr. Nikolaj Bjorner, Partner Researcher at Microsoft Research
Moderation: Univ.Prof.in Dr.in sc. Maria Christakis
17:45 Panel Discussion on &amp;ldquo;Cybersecurity: Bridging Scientific Research and Societal Impact&amp;rdquo;
Participants (listed alphabetically):
Stephanie Jakoubi (SBA Research)
Andreas Köberl (TÜV Austria)
Joe Pichlmayr (IKARUS Security Software, CyberSecurity Austria)
Daniele Sangion (UniCredit Bank Austria)
Hanna Wilhelmer (Federal Chancellery of Austria)
Moderation: Univ. Prof. Dr. Matteo Maffei
18:45 Networking Session
Participation is by personal invitation only.
</description>
    </item>
    <item>
      <title>Formal Methods at Microsoft: Secure and Reliable Programs for Everyone, Everywhere</title>
      <link>https://cysec.wien/news/2024-04-18_kick_off/keynote_bjorner/</link>
      <description>Keynote by Nikolaj Bjorner
Abstract: The talk presents several research projects and tools from Microsoft Research and their impact on programming secure and reliable systems. As a common basis they take a formal methods angle where systems are viewed as mathematical objects. For the context of this talk we consider computation through lenses of calculi and measurements. We then describe how these research threads interleave with major developments from academic research and phase shifts in industry. With Microsoft rapidly pivoting on deploying and delivering AI products the talk relates the foundations with recent and current projects, including development of provably secure systems, securing smart contracts, network verification, efficient and correct compilation for ML systems, and programming systems and runtimes for interacting with AI.
Bio: Dr. Nikolaj Bjorner is a partner researcher at Microsoft Research. Nikolaj’s main line of work is around the state-of-the-art SMT constraint solver Z3. Z3 was developed with Leonardo de Moura, Lev Nachmanson and Christoph Wintersteiger. Z3 is used for program verification and test case generation, among several other applications. The work around Z3 has received several awards. Karthick Jayaraman and Nikolaj created the SecGuru tool that is used to validate firewalls and routing configurations for Microsoft Azure. In 2021 Nikolaj Bjorner was named an ACM Fellow.
</description>
    </item>
    <item>
      <title>Panel Discussion &amp;ldquo;Cybersecurity - Bridging Scientific Research and Societal Impact&amp;rdquo;</title>
      <link>https://cysec.wien/news/2024-04-18_kick_off/panel_discussion/</link>
      <description>Location: TU Wien, TUtheSky (BA11B09)
Date/Time: 2024-04-18 17:45
Stephanie Jakoubi ‒ Managing Board SBA Research
Stephanie Jakoubi is part of the management board of SBA Research and head of the Strategic Partnership Management and Communication. Her path in IT started as a software developer, evolving into project management roles encompassing software and research projects. In this context, she worked closely with company partners and increasingly developed into an interface between industry, research and funding bodies. Stephanie is very committed to the empowerment of women in the IT and security sector. She is a founding member of various associations and female IT networks, including her role as program manager of sheDigital and also the CSA Hackerinnen team. Additionally, she contributes her expertise as a board member to various organizations, including KSÖ Kompetenzzentrum sicheres Österreich and Bildungsserver Wien.
Andreas Köberl ‒ Managing Director of TÜV TRUST IT TÜV AUSTRIA GmbH
Andreas Köberl is the Managing Director of TÜV TRUST IT TÜV AUSTRIA GmbH - the neutral, objective and independent partner for the industry and public sector with regard to information security and data privacy. He has been working in the IT business for more than 25 years, and was Senior Manager in Siemens IT Solutions &amp;amp; Services and Atos for Managed Services, Big Data and Cyber Security in Austria.
Joe Pichlmayr ‒ CEO IKARUS, Managing Director of CyberSecurityAustria, Executive Board of ECSC
Joe Pichlmayr is the Managing Director and co-owner of IKARUS Security Software GmbH, which was founded in 1986. He has been working on computer viruses ever since. He possesses in-depth knowledge of malware and the underground scene and maintains constant contact with virus labs and CERTs of most security software providers. Additionally, he is a member and co-founder of numerous national and international professional associations, including being a founding member of AMTSO, co-founder of CIRCA (Computer Incident Response Coordination Austria), a precursor to Cert.at, co-initiator of the Austrian virus early warning systems, and initiator, co-founder and member of the board of the digitalcity.wien initiative. He is also the founder and head of board of CyberSecurity Austria (CSA), Master of CyberSecurity Challenge Austria, a mentor in the Center of Excellence Program of the CSA and Secretary of the Executive Committee of ECSC (European CyberSecurity Challenge).
Daniele Sangion - CISO/CSO (Digital &amp;amp; Corporate Security) at UniCredit Bank Austria
Daniele Sangion has been leading international digital transformation programs for major European financial companies for over 25 years. He is currently CISO/CSO (Digital &amp;amp; Corporate Security) of UniCredit Bank Austria in Vienna; before that he was responsible at UniCredit Group level for the security of relevant programs, including GDPR and TPRM. He is a member of the Scientific Committee of Clusit, of the Advisory Board of the Cybersecurity Observatory of the Milan Polytechnic and of the Board of Kompetenzzentrum Sicheres Österreich (KSÖ). He was Senior Manager at Accenture in Italy until 2016. He has obtained various international certifications in the IT, Security and Management areas, including a degree in Computer Science with 110 cum laude from the Università degli Studi of Milan, earned while working in a software house.
Hanna Wilhelmer - Project Lead at the Federal Chancellery of Austria
Hanna Wilhelmer works at the Department for Cybersecurity Policy at the Federal Chancellery of Austria, where she heads a team in charge of setting up the Austrian National Coordination Centre for Cybersecurity. She also represents Austria in the Governing Board of the European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC). Prior to her current position, she worked in foreign and security policy at the Permanent Representation of Austria to the EU in Brussels with a focus on cybersecurity and, among others, at the Section for International Law and International Relations at the University of Vienna. Ms Wilhelmer holds a law degree and a Bachelor's degree in Development Studies from the University of Vienna.
</description>
    </item>
    <item>
      <title>The Business of Proof</title>
      <link>https://cysec.wien/news/2024-04-18_kick_off/keynote_cook/</link>
      <description>Keynote by Byron Cook
Abstract: With only a few niche exceptions, the software industry had not previously figured out how to make deep use of formal mechanical reasoning based on mathematical logic. At Amazon we have recently seen tremendous adoption of the approach by product groups, with a variety of customer-facing launches that use automated reasoning, and numerous internal proof projects. This talk describes those projects, and tries to explain what went well at Amazon. The talk also describes the challenges that we face in scaling the approach to the next level.
Bio: Dr. Byron Cook, FREng is Professor of Computer Science at University College London (UCL). Byron is also Vice President and Distinguished Scientist at Amazon. Byron has worked in a variety of areas over the years, including computer/network security, program analysis/verification, programming languages, theorem proving, hardware design, operating systems, and biological systems.
</description>
    </item>
    <item>
      <title>An Arbitrary Mean-Rate Exchange Protocol</title>
      <link>https://cysec.wien/news/2026-05-08_lecture_richardson/</link>
      <description>Talk by Mark Bentley Richardson
Location: TU Wien, Seminarraum FAV 01 A (Favoritenstraße 9/11, 1040 Wien) (HE0102)
Date/Time: 2026-05-08 17:00 &amp;#x2012; 18:00
Register here: https://luma.com/7xv2b73y
Abstract: The talk introduces a new mathematical framework, from which a previously unreported, generalizable, decentralized exchange (DEX) protocol emerges which ameliorates the expressive limitations of prevailing archetypes. Mark defines a Mean-of-Derivatives (MoD) Property, a first-principle predicate requiring the effective rate of any exchange to be a chosen mean of the marginal rates at the transaction&amp;rsquo;s endpoints. He then presents a constructive methodology for generating bonding curves that satisfy this property in closed form and without recourse to non-elementary functions. The method defines a curve&amp;rsquo;s marginal rate function as a weighted Hölder mean of user-specified boundary rates, from which the curve itself is recovered by integration. This synthesis provides a unified and analytically complete foundation for creating arbitrary mean-rate exchange protocols with precisely defined and predictable behavior.
Bio: Mark Bentley Richardson, holding a PhD from the University of Melbourne, redirected his career from research science to DeFi in 2021, now serving as Bancor&amp;rsquo;s Project Lead. Under his guidance, Bancor launched Carbon DeFi, a system that enhances user customization in decentralized exchanges by enabling strategy-specific liquidity utilization. Richardson&amp;rsquo;s leadership emphasizes consistent innovation while maintaining the key principles of decentralization, user safety, and operational simplicity.
</description>
    </item>
    <item>
      <title>Open Positions at the Cybersecurity Center TU Wien</title>
      <link>https://cysec.wien/news/2026-04-30_cysec_positions/</link>
      <description>The Cybersecurity Center TU Wien is currently looking for two new team members: a Senior Coordinator and a Communication Expert.
Both positions are advertised as part-time positions of 20 hours per week, with the possibility of increasing the employment extent and with an option for permanent appointment after the initial fixed-term period.
The positions are based at the Institute of Logic and Computation, in the Security and Privacy Research Unit.
Open positions
Senior Coordinator Cybersecurity Center
The Senior Coordinator will support the strategic, organisational, and administrative development of the Cybersecurity Center. The role includes project and process coordination, reporting, preparation of decision-making documents, event and workshop organisation, and communication with internal and external partners.
More details and application:
Senior Koordinator_in Cybersecurity Center
Communication Expert
The Communication Expert will develop and implement the communication strategy of the Cybersecurity Center. The role includes science communication, media relations, website and social media management, preparation of German and English content, and the development of visual, digital, and multimedia communication formats.
More details and application:
Kommunikationsexpert_in
Application deadline
Applications are open until 28 May 2026.
</description>
    </item>
    <item>
      <title>Austrian Academy of Sciences</title>
      <link>https://cysec.wien/news/2026-04-09_aas_kovacs/</link>
      <description>Österreichische Akademie der Wissenschaften (ÖAW) — the Austrian Academy of Sciences; Austria’s leading non-university research institution, dedicated to promoting basic research across disciplines and advising on scientific matters. Membership in the ÖAW is a prestigious honor awarded to distinguished researchers in recognition of outstanding scientific achievements.
The ÖAW has elected 46 new members in its 2026 intake, recognizing outstanding scientific achievements across disciplines. Among them is Laura Ildikó Kovács, Professor of Computer Science at TU Wien and head of the FORSYTE research group. She is internationally recognized for her work in formal methods, automated reasoning, and the verification of software and AI systems.
Laura&amp;rsquo;s research has significantly advanced the state of the art in automated reasoning and program verification. She introduced the symbol elimination method for automatically generating and proving software requirements, including quantified loop invariants and interpolants. She has also contributed to integrating first-order theorem proving into program verification and is a key contributor to the development of the Vampire theorem prover. In symbolic computation, she developed methods for loop invariant generation based on polynomial algebra and combinatorics.
Her recent achievements include the ERC Proof of Concept Grant LEARN (Learning Efficient Automated Reasoning on the Net), the ERC Consolidator Grant ARTIST (Automated Reasoning with Theories and Induction for Software Technology), and the FWF Emerging Fields Programme Grant UnAxiMa (Uncovering the Axioms of Mathematics). Earlier in her career, she was awarded the ERC Starting Grant SYMCAR, the Wallenberg Academy Fellowship, and multiple Amazon Research Awards. Beyond her research contributions, she plays a prominent role in the international scientific community, serving as President of the ETAPS Steering Committee and as program co-chair of major conferences such as TACAS, iFM, and CICM.
With her election to the Austrian Academy of Sciences, Laura Kovács joins a distinguished group of researchers whose work shapes the future of science and technology.
</description>
    </item>
    <item>
      <title>15 Years of Viper: Building and Evolving a Verification Infrastructure</title>
      <link>https://cysec.wien/news/2026-04-21_lecture_mueller/</link>
      <description>Talk by Peter Müller
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstraße 9-11, 1040 Wien) (HEEG02)
Date/Time: 2026-04-21 13:00 &amp;#x2012; 14:00
Abstract: Viper is a verification infrastructure that facilitates the development of automated verifiers based on separation logic. Viper consists of the Viper intermediate language and two backend verifiers based on symbolic execution and verification condition generation, respectively. It has been used to build over a dozen program verifiers that translate verification problems in Go, Java, Python, Rust, and many others, into the Viper language and automate verification using the Viper backends. In this talk, we summarize the core ideas behind Viper, give an overview of its applications, and explain our principles for evolving the system.
Bio: Peter Müller is a Full Professor and head of the Programming Methodology Group at ETH Zurich. His research focuses on languages, techniques, and tools for the development of correct software. His previous appointments include a position as researcher at Microsoft Research in Redmond, an assistant professorship at ETH Zurich, and a position as project manager at Deutsche Bank in Frankfurt. Peter Müller received his PhD from the University of Hagen. He is a Fellow of the ACM.
</description>
    </item>
    <item>
      <title>Modern AI Security: Challenges in the Era of Large Language Models</title>
      <link>https://cysec.wien/news/2026-06-09_lecture_milosevic/</link>
      <description>Talk by Jelena Milosevic
Location: TU Wien, EI 4 Reithoffer HS (Gußhausstraße 25-25a, 1040 Wien) (CF0245)
Virtual location: https://tuwien.zoom.us/j/68691763991
Date/Time: 2026-06-09 11:00 &amp;#x2012; 12:00
Abstract: Large Language Models are increasingly embedded in critical systems, yet they introduce a growing set of security risks. This presentation highlights key vulnerabilities such as data leakage and prompt injection, and examines how the rise of Agentic AI expands the attack surface through indirect and white-box threats. It concludes by assessing current defense mechanisms and underscoring the need for stronger, collaborative approaches to securing next-generation AI systems.
Bio: Jelena Milosevic is a Professor of Generative AI at the University of Applied Sciences and Arts Northwestern Switzerland (FHNW), where she leads research and teaching in Generative and Agentic AI with an emphasis on secure, efficient deployment and on-device intelligence. Previously, she was a Senior Data Scientist at Yokoy (Zurich), delivering multimodal document-understanding systems and leading an LLM benchmarking framework. She also built several production-ready ML solutions at Mondi Group (Vienna). Jelena earned a PhD from USI Lugano on runtime malware detection for resource-constrained devices and conducted postdoctoral research at TU Wien in network security and adversarial ML.
</description>
    </item>
    <item>
      <title>Käthe Böhm Fellowship</title>
      <link>https://cysec.wien/news/2026-03-31_kboehm_fellowship_avarikioti/</link>
      <description>The Käthe Böhm Fellowship at TU Wien is a targeted funding instrument aimed at supporting female tenure-track researchers in the early stages of their academic careers, with the goal of increasing the proportion of women in professorial positions and strengthening academic career development. Selection is based on scientific excellence, career potential, and a structured proposal outlining the intended use of funds and career objectives.
Georgia Avarikioti, Assistant Professor at the Research Unit Security and Privacy, TU Wien Informatics, and head of the TU Wien Blockchain Hub, has been awarded the Käthe Böhm Fellowship in recognition of her outstanding scientific achievements and her exceptional potential to establish an independent research profile. Her research focuses on the foundations of secure and scalable blockchain systems, covering payment channels, cross-chain protocols, light clients, and consensus mechanisms. A key contribution of her work is the development of compositional game-theoretic frameworks for blockchain protocols, enabling rigorous analysis of economically rational adversaries and strengthening security guarantees in Layer 2 systems.
She has also contributed to the design of interoperable blockchain infrastructures, including constant-storage light clients, secure bridge constructions, and proof systems for cross-chain verification. Most notably, she co-developed BitVM, a breakthrough approach enabling trustless smart contract execution on Bitcoin, which was awarded the Bitcoin Research Prize in 2025.
Her research has been published at leading venues such as USENIX Security, ACM CCS, NDSS, CSF, and Financial Cryptography, and underpins major research initiatives including FWF ESPRIT and WWTF SCALE2. Beyond academia, her work has influenced industry practice and open-source development.
Zeta Avarikioti is an active member of the international research community, serving on program committees of top conferences and as Program Chair of Advances in Financial Technologies (AFT 2025). In 2025, she was also awarded the Hedy Lamarr Prize by the City of Vienna for her contributions to information technology.
</description>
    </item>
    <item>
      <title>Research at the TU Wien Blockchain Hub</title>
      <link>https://cysec.wien/news/2026-03-24_presentation_avarikioti/</link>
      <description>Talk by Georgia Avarikioti
Location: TU Wien, EI 9 Hlawka HS (Gußhausstraße 27-29, 1040 Wien) (CAEG17)
Date/Time: 2026-03-24 18:00
Abstract: Blockchains have evolved from cryptocurrencies into a foundational infrastructure for secure, decentralized computation. At the Blockchain Hub of TU Wien, we study the principled design of blockchain systems across layers: from consensus protocols and cryptographic foundations to scalability, interoperability, and cryptoeconomics. We combine formal reasoning with real-world deployment, collaborating with industry to ensure that theory informs practice and vice versa.
This talk presents our research vision and outlines how students can contribute to shaping the next generation of decentralized infrastructures. I will also introduce the new TU Wien Blockchain Student Association (BSA), an initiative connecting bachelor and master students with researchers and industry practitioners through monthly events featuring invited talks and networking (with food and drinks). Our goal is to foster a vibrant local ecosystem bridging research, engineering, and entrepreneurship in blockchain technologies.
Bio: Georgia (Zeta) Avarikioti is an Assistant Professor at the Technical University of Vienna (TU Wien), where she leads the Blockchain Hub, within the university’s Cybersecurity Center. She holds a PhD from ETH Zürich, advised by Roger Wattenhofer, and has previously held research positions at IST Austria and Columbia University. She specializes in distributed systems, blockchain scalability and interoperability, and the analysis of cryptoeconomic incentives, with numerous publications spanning payment channels (e.g., Brick, Cerberus, Crab), light clients and bridges (e.g., Blink, Alba, Glimpse, BitVM), consensus protocols (e.g., FnF-BFT, CoBRA), as well as foundational work on sharding, layer 2 protocols, and compositional game theory. Her work has appeared at leading venues including USENIX Security, ACM CCS, NDSS, CSF, FC, AFT, AAAI, and SODA, and is supported by several major national funding bodies (FWF, WWTF) and industry-funded research donations (Ark Labs, Sui Foundation). She currently serves on the program committees of top-tier conferences such as CCS, USENIX Security, FC, and as Program Chair of the Advances in Financial Technologies (AFT 2025) conference. In 2025, she received the Hedy Lamarr Prize from the City of Vienna for her contributions to information technology, as well as the Bitcoin Research Prize, along with her collaborators, for their work on BitVM.
</description>
    </item>
    <item>
      <title>act: From EVM Bytecode to Machine-Checked Reasoning</title>
      <link>https://cysec.wien/news/2026-03-23_lecture_rain/</link>
      <description>Talk by Sophie Rain
Location: TU Wien, FAV Hörsaal 2 (Favoritenstraße 9-11, Erdgeschoß) (HEEG03)
Virtual location: https://tuwien.zoom.us/j/64773214176
Date/Time: 2026-03-23 14:00 &amp;#x2012; 15:00
Abstract: This talk introduces act, a high-level specification language designed for formal verification of Ethereum smart contracts. act bridges the gap between human-readable specifications and machine-verifiable proofs, enabling developers to rigorously ensure their smart contracts behave as intended. We will demonstrate act&amp;rsquo;s key features through a live demo, showing how to write specifications that capture contract behavior in a clear, mathematically precise way; how to automatically prove the equivalence between act specifications and the EVM bytecode of Solidity/Vyper implementations; how to export specifications to proof assistants (Rocq and Lean) for proving higher-level properties; and an example of such a proof. The demo will walk through a real-world example, illustrating the verification workflow with act.
Bio: Sophie Rain is a formal verification researcher at the Argot Collective. With a background in mathematics and a PhD in computer science, she specializes in formal methods that combine mathematical logic with automated reasoning. Her research focuses on security of blockchain protocols. She developed CheckMate, an open-source tool for automatically verifying the game-theoretic security of protocols. Her current work involves Act, a specification language for Ethereum smart contracts, with the goal of creating an integrated verification pipeline for smart contract incentives. Her research interests include logic, blockchain security, game theory, and automated reasoning.
</description>
    </item>
    <item>
      <title>Beyond Classical Regexes: Symbolic-Derivative-Based Decision Procedures for Extended Regular Expressions</title>
      <link>https://cysec.wien/news/2026-03-23_lecture_veanes/</link>
      <description>Talk by Margus Veanes
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstraße 9-11, 1040 Wien) (HEEG02)
Date/Time: 2026-03-23 11:00 &amp;#x2012; 12:00
Abstract: Regular-expression derivatives are a classic tool with modern relevance: they yield compact, compositional algorithms for matching and equivalence. When regular expressions are extended with additional operators, however, derivative computation must be redesigned to remain sound, terminating, and useful in practice. This talk surveys recent algorithmic extensions in this space, centered on ERE# (CAV’25) and the forthcoming EREQ (PLDI’26) extension that embeds weak MSO. I will explain the key semantic choices behind these formalisms, how they impact derivative rules, and how normalization/canonicalization enables effective reasoning despite increased expressiveness. The goal is to convey a unified perspective on how to extend derivative-based methods without losing their algorithmic advantages.
Further details are available in the slides.
Bio: Margus Veanes is a principal researcher at Microsoft Research Redmond. His current research agenda is to develop scalable analysis techniques and corresponding logical foundations for the analysis of programs manipulating strings. He is also investigating foundations for behavioral model analysis in the context of model validation and model-based testing. The main focus is on the use of symbolic automata theory in combination with state-of-the-art satisfiability modulo theories techniques. He is a co-designer and co-developer of Spec Explorer 2004, and a co-author of the book Model-Based Software Testing and Analysis with C#.
</description>
    </item>
    <item>
      <title>Maria Christakis Receives 2026 ACM-W Rising Star Award</title>
      <link>https://cysec.wien/news/2026-03-17_acmw_award_christakis/</link>
      <description>ACM-W Rising Star Award is a recognition granted by ACM-W (ACM Women in Computing), a committee of the Association for Computing Machinery, to early-career women who have demonstrated outstanding research contributions in computing. The award highlights emerging leaders in computer science and related fields and is based on criteria such as research excellence, innovation, and impact. It aims to increase the visibility of talented women in computing and to support their professional development in academia and industry.
Maria Christakis has been recognized with the 2026 ACM-W Rising Star Award. A Full Professor of Software Engineering at TU Wien, she leads the Software Engineering Research Unit. Her work combines theoretical foundations with practical tools to advance the reliability, robustness, and usability of software, with a strong focus on formal methods, program analysis, automatic test generation, and software verification.
She received her PhD in Computer Science from ETH Zurich, following earlier studies at the National Technical University of Athens, and has held research and academic positions at Microsoft Research, the University of Kent, and the Max Planck Institute for Software Systems.
Maria Christakis is the recipient of multiple prestigious awards, including a Google Research Scholar Award, an Amazon Research Award, and an ERC grant, and she is a member of the Young Academy of the Austrian Academy of Sciences. Her work aims to improve software reliability while enhancing developer productivity through innovative techniques for specifying, testing, and verifying programs.
</description>
    </item>
    <item>
      <title>Presentation at RWC 2026</title>
      <link>https://cysec.wien/news/2026-03-09_rwc_2026/</link>
      <description>Real World Crypto Symposium (RWC) is an annual conference focused on the practical application and deployment of cryptography in real-world systems. It brings together researchers and practitioners from academia and industry to discuss topics such as secure protocols, privacy-enhancing technologies, cryptographic implementations, and system security. The symposium emphasizes practice-oriented contributions and operates primarily in an invited-talk format, making it a key venue for connecting advanced cryptographic research with real-world use cases.
At RWC 2026, Carolina Ortega Pérez and Paul Gerhart (both TU Wien Informatics, Privacy Enhancing Technologies Group) presented their joint research, together with Alaa Daffalla (Cornell University) and Thomas Ristenpart (Cornell Tech), titled “Improving Account Security for Victims of Account Compromise through Client-Side Access Logging.”
The work addresses a persistent and practically relevant challenge in modern cybersecurity: despite continuous improvements in authentication mechanisms, account compromise remains widespread, while users still lack reliable tools to determine which devices have accessed their accounts. At the same time, providing such transparency conflicts with strict privacy requirements on the modern web, which discourage or prohibit the use of stable device identifiers by online services.
Recent approaches have attempted to reconcile this tension through client-side encrypted access logging (CSAL). However, existing solutions remain limited, as they do not guarantee complete retrieval of log entries, potentially leaving users unaware of adversarial or unauthorized access events.
To overcome these limitations, the authors introduce Trace, a novel CSAL system that enables complete and privacy-preserving access logging. Trace records verifiable evidence of each authentication event in an encrypted log maintained by an independent logging service, ensuring that only the user can access and inspect this information. Importantly, the design maintains full backward compatibility with existing authentication infrastructures, as web services remain unaware of the logging process.
Compared to prior work, Trace achieves a unique combination of properties: verifiable device attribution, strong privacy guarantees, backward compatibility, and formally analyzed security against malicious adversaries. The system has also been evaluated in a prototype implementation, demonstrating performance of over 10,000 authentications per second on a single core, indicating strong potential for deployment at scale in real-world services.
This contribution highlights an important step toward reconciling usability, security, and privacy in account protection mechanisms, and reflects the growing importance of user-centric security designs in modern web ecosystems.
Further reading: Trace: Complete Client-Side Account Access Logging
</description>
    </item>
    <item>
      <title>Presentation at EUROCRYPT 2026</title>
      <link>https://cysec.wien/news/2026-03-11_eurocrypt_2026/</link>
      <description>EUROCRYPT (the Annual International Conference on the Theory and Applications of Cryptographic Techniques) is one of the leading international conferences in the field of cryptography. The conference primarily focuses on theoretical and foundational aspects of cryptography, while also covering a broad range of topics in applied cryptography. Typical research areas include public-key cryptography, zero-knowledge proofs, secure multiparty computation, blockchain and distributed cryptography, cryptographic protocols, cryptographic hardness assumptions, and privacy-preserving technologies.
At EUROCRYPT 2026, which will take place in Rome, Italy, from 10 to 14 May 2026, researchers Paul Gerhart, Davide Li Calsi, Luigi Russo, and Dominique Schröder (all from the Privacy Enhancing Technologies Research Group, TU Wien Informatics) will present new work titled “Fully-Adaptive Two-Round Threshold Schnorr Signatures from DDH.”
Digital signatures are a fundamental technology used to secure online communication, financial transactions, and distributed systems such as blockchains. In many modern applications, it is important that signatures are not produced by a single individual but rather by a group of participants acting together. Threshold signature schemes address this need: any sufficiently large subset of the participants (a threshold) can jointly produce a single valid signature, while fewer participants cannot. In the threshold Schnorr setting studied here, the resulting signature is indistinguishable from an ordinary Schnorr signature, so existing verifiers accept it without modification.
The work to be presented at EUROCRYPT 2026 introduces a new approach that improves both the security and efficiency of such collaborative signature systems. In particular, the proposed scheme protects against adaptive corruptions, in which the adversary chooses which participants to compromise only after observing the protocol run, including during signing, rather than fixing the corrupted set in advance. Achieving strong protection against such adversaries while maintaining high efficiency has long been a challenge in cryptographic research.
The proposed protocol requires only two rounds of communication, helping ensure low latency and making it suitable for real-world distributed systems. To demonstrate practical feasibility, the researchers implemented a prototype and evaluated its performance on standard hardware. The results indicate that the scheme meets efficiency requirements highlighted in recent recommendations by the U.S. National Institute of Standards and Technology (NIST).
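The following Python sketch is an added illustration, not the protocol from the EUROCRYPT paper and not the group it would be deployed in. It shows why a threshold Schnorr signature needs no new verifier: a secret key is Shamir-shared among three parties, any two of them produce a signature in two simulated rounds, and the result passes the same verify function as an ordinary single-signer signature. The small Schnorr group (p = 2039, q = 1019, g = 4), the message and the textbook nonce-aggregation protocol are assumptions for the demo. Plain nonce aggregation without commitments or binding factors is known to be forgeable under concurrent signing sessions (the ROS-style attacks on early two-round schemes), and the sketch models no adaptive corruption at all, which is precisely what the presented scheme addresses.

```python
import hashlib
import secrets

# Toy Schnorr group for illustration only (assumption: p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup). Real deployments use a curve group
# such as secp256k1 or Ed25519; the algebra below is identical.
P = 2039
Q = 1019
G = 4


def challenge(r, pk, msg):
    """Fiat-Shamir challenge e = H(R, pk, m) reduced modulo the group order."""
    data = f"{r}|{pk}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Ordinary single-signer key pair (sk, pk = g^sk)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk, msg):
    """Ordinary Schnorr signature (R, s) with s = k + e*sk."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = challenge(r, pow(G, sk, P), msg)
    return r, (k + e * sk) % Q


def verify(pk, msg, sig):
    """Standard Schnorr verification g^s == R * pk^e; unchanged for threshold signatures."""
    r, s = sig
    e = challenge(r, pk, msg)
    return pow(G, s, P) == (r * pow(pk, e, P)) % P


def shamir_share(secret, t, n):
    """Split secret into n shares of a degree-(t-1) polynomial over Z_q; any t recover it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        value = 0
        for c in reversed(coeffs):        # Horner evaluation of f(i)
            value = (value * i + c) % Q
        shares[i] = value
    return shares


def lagrange_at_zero(i, ids):
    """Lagrange coefficient lambda_i so that sum(lambda_i * f(i)) == f(0) over ids."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q      # needs Python 3.8+ for the modular inverse


def threshold_sign(shares, pk, msg, signers):
    """Textbook two-round threshold Schnorr, both rounds simulated in one process.

    Round 1: each signer i picks a nonce k_i and broadcasts R_i = g^k_i.
    Round 2: each signer sends s_i = k_i + e * lambda_i * x_i.
    The aggregate (R, s) is a plain Schnorr signature on msg under pk.
    """
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}
    r = 1
    for i in signers:                     # R = product of R_i = g^(sum of k_i)
        r = r * pow(G, nonces[i], P) % P
    e = challenge(r, pk, msg)
    s = 0
    for i in signers:                     # sum of s_i = k + e * x, since sum of lambda_i x_i = x
        s = (s + nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]) % Q
    return r, s


def demo(t=2, n=3, signers=(1, 3), msg=b"constructed sample message"):
    """Returns (single_ok, threshold_ok): both signatures pass the same verifier."""
    sk, pk = keygen()
    single_ok = verify(pk, msg, sign(sk, msg))
    shares = shamir_share(sk, t, n)
    threshold_ok = verify(pk, msg, threshold_sign(shares, pk, msg, list(signers)))
    return single_ok, threshold_ok
```

Running demo() returns (True, True): the verifier never learns whether one party or a quorum produced the signature, which is the backward-compatibility property the paragraph above relies on.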
This research represents an important step toward secure and deployable collaborative signature systems, which are increasingly important for applications such as blockchain infrastructures, distributed financial services, and other systems that rely on shared cryptographic control.
</description>
    </item>
    <item>
      <title>Laura Kovács Secures FWF Emerging Fields Programme Grant</title>
      <link>https://cysec.wien/news/2026-03-09_fwf_grant_kovacs/</link>
      <description>FWF Emerging Fields is a funding programme of the Austrian Science Fund (FWF) designed to support large, collaborative basic-research projects that explore radically new scientific directions. The programme aims to enable research that has the potential to create new disciplines or fundamentally transform existing ones.
A new interdisciplinary research project titled UnAxiMa – Uncovering the Axioms of Mathematics will investigate one of the most fundamental questions in science: What should the rules of mathematics be? The project brings together leading researchers from TU Wien and the University of Vienna to explore the logical foundations of mathematics using contemporary computational methods.
The primary researchers of the project are Laura Kovács (TU Wien Informatics, CySec) together with Juan P. Aguilera, Sandra Müller, and Michael Pinsker from TU Wien’s faculty of Mathematics and Geoinformation. The team also includes Vera Fischer and Georg Schiemer as primary researchers from the University of Vienna.
The project has a total funding volume of €7 million, with about €4.7 million allocated to TU Wien, and will run for five years.
UnAxiMa integrates perspectives from mathematics, computer science, and philosophy to address the foundations of mathematical reasoning. The project revisits questions that were first systematically explored more than a century ago by the Vienna Circle, whose work on the logical structure of science ultimately led to one of the most influential discoveries in modern mathematics: Gödel’s Incompleteness Theorems. Kurt Gödel demonstrated that within any consistent formal system powerful enough to express basic arithmetic there exist true mathematical statements that cannot be proven within the system itself. Building on this intellectual legacy, the UnAxiMa project will examine the phenomenon of mathematical incompleteness from a modern perspective. By employing contemporary tools from computation and artificial intelligence, the researchers aim to identify and analyse the underlying axioms that structure mathematical reasoning.
Through this interdisciplinary approach, UnAxiMa seeks to deepen our understanding of the logical foundations of mathematics and to explore how modern computational methods can contribute to uncovering the basic principles on which the discipline ultimately rests.
© FWF, Johannes Zinner
</description>
    </item>
    <item>
      <title>CySec Presentation</title>
      <link>https://cysec.wien/news/2026-03-04_cysec_presentation/</link>
      <description> Date/Time: 2026-03-04 14:00 On 4 March, the Cybersecurity Center TU Wien hosted an event dedicated to presenting its recent achievements and the current portfolio of cybersecurity education offered at the university. The meeting brought together students, lecturers, and industry partners to review the Center’s progress and to introduce the wide range of courses available for those interested in cybersecurity. The event builds on the CySec Kick-Off held two years ago, which marked the official launch of the Center’s educational activities. Since then, the cybersecurity teaching portfolio at TU Wien has continued to expand, reflecting the rapidly growing importance of security and privacy in modern digital systems.
The event was opened by Matteo Maffei, Co-Director of the CySec Center and professor at TU Wien’s Faculty of Informatics, who briefly introduced the Center, its mission, and its role in strengthening cybersecurity research and education at TU Wien. Together with Tanja Zseby, Co-Director of CySec and professor at the Faculty of Electrical Engineering and Information Technology, he leads the Center’s interdisciplinary activities across the two faculties.
During the event, the CySec team presented key results achieved over the past two years, highlighting ongoing initiatives, collaborations, and developments in cybersecurity research and education at TU Wien.
A central part of the program focused on cybersecurity education at TU Wien. Students were introduced to the broad spectrum of security-related courses offered across bachelor’s and master’s programs. Several lecturers briefly presented their courses and provided insights into the topics and practical aspects covered in their teaching. Presentations were delivered by Daniel Arp, Ezio Bartocci, Georg Fuchsbauer, Matteo Maffei, Dominique Schröder, Mauro Tempesta, Tanja Zseby, Andrea Weninger (on behalf of Elena Andreeva), Matteo Maffei, and Marco Squarcina.
In addition, Marco Squarcina introduced Cyber Security Austria and the European Cyber Security Challenge (ECSC), encouraging students to engage with the broader cybersecurity community and participate in international competitions. The event also featured short presentations from CySec industry partners. Robert Wagenleitner (Raiffeisen Bank) and Christoph Kukovic (Verbund) provided insights into their organizations’ cybersecurity activities and discussed current challenges faced by industry, highlighting the importance of strong collaboration between academia and industry in developing future cybersecurity expertise.
Overall, the event provided students with a comprehensive overview of cybersecurity education at TU Wien and demonstrated the CySec Center’s continued commitment to developing a strong interdisciplinary ecosystem for cybersecurity research, teaching, and collaboration.
</description>
    </item>
    <item>
      <title>Austria Cyber Security Challenge 2026</title>
      <link>https://cysec.wien/news/2026-02-27_acsc_2026/</link>
      <description>The Austria Cyber Security Challenge (ACSC), Austria’s largest cybersecurity talent competition, has officially started. Following the successful kick-off event held in Vienna on February 27, the online qualification phase is now running and will continue until May 1, 2026.
Organized by Cyber Security Austria, the ACSC is a nationwide Capture The Flag (CTF) competition designed for young talents and cybersecurity enthusiasts. Participants work on realistic, hands-on security challenges, develop practical skills, and compete with peers from across Austria. High-ranking participants may qualify for the Austrian team participating in the European Cyber Security Challenge (ECSC).
The competition follows a single-player jeopardy-style format and runs entirely online. Challenges are released in two waves: the first wave became available on March 1, while the second wave will follow on April 1 at 18:00 CEST. All challenges can be solved and submitted at any time during the qualification period, meaning participants may continue working on earlier tasks right up until the final submission deadline on May 1, 2026 at 18:00 CEST. The challenge structure is organized in partial cooperation with German and Swiss counterparts.
Participants compete in three categories based on age and eligibility criteria: junior (14–20 years), senior (20–25 years), and an open category available to anyone interested in cybersecurity. Top-ranked participants in each category will be invited to the team-based finale, which will take place in Linz from September 14 to 17, 2026.
The ACSC welcomes both experienced players and newcomers. Specially marked beginner challenges help participants who are new to cybersecurity get started with approachable tasks and guided community discussion via dedicated Discord channels. Participants are reminded that discussion is allowed only for designated beginner challenges; sharing or discussing solutions for other tasks during the competition is strictly prohibited and may lead to disqualification.
Beyond the competition itself, the ACSC offers valuable opportunities to connect with the cybersecurity community, learn from experts, and gain practical experience in ethical hacking and security problem-solving. Whether you are studying IT security or simply enjoy coding, analysis, and technical challenges, the ACSC provides an excellent environment to expand your skills.
Registration is still open, and new participants can join the qualification at any time while it is running.
</description>
    </item>
    <item>
      <title>Network and Distributed System Security Symposium 2026</title>
      <link>https://cysec.wien/news/2026-02-26_ndss_2026/</link>
      <description>The Network and Distributed System Security (NDSS) Symposium is a leading venue for the exchange of ideas between researchers and practitioners in network and distributed system security. It places strong emphasis on practical security challenges, particularly the design and implementation of real-world systems. The symposium serves as a key platform for presenting and discussing the latest advances in Internet security, making it an essential forum for keeping up with developments at the forefront of the field.
At NDSS 2026, the study “Chasing Shadows: Pitfalls in LLM Security Research” was presented. Co-authored by an international team of researchers, including Philipp Normann and Daniel Arp (both at TU Wien), the work examines one of the fastest-growing areas in cybersecurity: the use of large language models (LLMs).
The study addresses a central challenge faced by the research community as LLMs become increasingly integrated into cybersecurity tasks such as vulnerability detection, secure code generation, and automated analysis. While these models offer powerful new capabilities, their complexity and unique behavior introduce risks that can undermine the validity and reliability of scientific results. To better understand these challenges, the authors identify nine recurring pitfalls that affect how LLM-based security research is conducted. These issues arise throughout the entire development process, including data collection, model training, prompting strategies, and evaluation. Some pitfalls are specific to LLMs, such as model collapse caused by training on synthetic data and unpredictable behavior due to prompt sensitivity. Others, including data leakage and spurious correlations, are well known from earlier machine learning research but become more severe and harder to detect in the context of large language models.
To assess how widespread these problems are, the researchers conducted a systematic analysis of 72 peer-reviewed papers published at leading conferences in security and software engineering between 2023 and 2024. The results reveal that every paper contains at least one of the identified pitfalls, and that only a small fraction of these issues are explicitly acknowledged. This suggests that many of the underlying risks remain unrecognized, even in high-quality research. The practical implications of these findings are demonstrated through a series of empirical case studies. The analysis shows that even minor methodological issues can significantly distort evaluation results, inflate reported performance, and reduce reproducibility. For example, data leakage (the same or near-identical samples appearing in both training and evaluation data) can artificially improve model metrics, while limitations in context size may remove essential information and bias evaluation outcomes. In addition, variations in model configuration can lead to inconsistent and difficult-to-reproduce results.
Taken together, these findings underline the need for stronger methodological rigor in LLM-based security research. As these models become more widely adopted, ensuring transparency, reproducibility, and robustness is critical to maintaining the credibility of the field. Without addressing these challenges, there is a risk that research may overestimate model capabilities or fail to capture important limitations. To support the community, the authors provide practical guidelines and recommendations aimed at improving research practices. These include clearer reporting of experimental setups, systematic validation of data, and more robust evaluation procedures.
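As an added example of the data-leakage pitfall and of the kind of systematic data validation the authors recommend, the Python below is not code from the paper: it fingerprints code samples after normalizing whitespace and comments, reports which evaluation samples already occur in the training split, and shows how a model that has merely memorized its training data scores far better on the leaky evaluation set than on the same set with the leaked samples removed. The snippets, their labels (1 = vulnerable, 0 = benign) and the memorizing stand-in model are constructed for the demo.

```python
import hashlib
import re

# Added illustration of a train/test leakage check. The samples further down
# are constructed toy snippets with made-up labels, not data from the paper.


def normalize(code):
    """Canonical form so that reformatted or re-commented copies collide."""
    code = re.sub(r"//[^\n]*", "", code)                # drop line comments
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)   # drop block comments
    code = re.sub(r"\s+", " ", code)                    # collapse whitespace runs
    code = re.sub(r" ?([^\w\s]) ?", r"\1", code)        # no spaces around punctuation
    return code.strip()


def fingerprint(code):
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def leaked_indices(train, test):
    """Indices of test samples whose normalized form also occurs in train."""
    seen = {fingerprint(code) for code, _ in train}
    return [i for i, (code, _) in enumerate(test) if fingerprint(code) in seen]


def dedup(train, test):
    """Evaluation set with every sample that leaks from train removed."""
    leaked = set(leaked_indices(train, test))
    return [sample for i, sample in enumerate(test) if i not in leaked]


class MemorizingModel:
    """Stand-in for a model that memorized its training data: it answers
    correctly on anything it has seen and falls back to 'benign' otherwise."""

    def fit(self, train):
        self.table = {fingerprint(code): label for code, label in train}
        return self

    def predict(self, code):
        return self.table.get(fingerprint(code), 0)


def accuracy(model, data):
    hits = sum(1 for code, label in data if model.predict(code) == label)
    return hits / len(data)


# Constructed samples (assumption): C-like one-liners labelled by hand.
TRAIN = [
    ("strcpy(dst, src);", 1),
    ("gets(line);", 1),
    ("strncpy(dst, src, sizeof dst - 1);", 0),
    ("fgets(line, sizeof line, stdin);", 0),
]

TEST = [
    ("strcpy(dst,   src);  // copy name", 1),               # reformatted copy of TRAIN[0]
    ("gets( line );", 1),                                   # whitespace variant of TRAIN[1]
    ("/* bounded */ fgets(line, sizeof line, stdin);", 0),  # comment added to TRAIN[3]
    ("sprintf(buf, \"%s\", name);", 1),                     # unseen
    ("memcpy(dst, src, len);", 1),                          # unseen
    ("snprintf(buf, sizeof buf, \"%s\", name);", 0),        # unseen
]


def evaluate():
    """Returns (leaked test positions, accuracy on the raw test set, accuracy after dedup)."""
    model = MemorizingModel().fit(TRAIN)
    return (leaked_indices(TRAIN, TEST),
            accuracy(model, TEST),
            accuracy(model, dedup(TRAIN, TEST)))
```

evaluate() reports positions 0, 1 and 2 as leaked, an accuracy of 4/6 on the raw test set and 1/3 once those three samples are removed; the gap is entirely memorization, not detection capability. Exact-match fingerprints only catch copies that survive normalization, so a real pipeline would also look for near-duplicates (for instance token-shingle similarity) before trusting a split.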
Paper: Chasing Shadows: Pitfalls in LLM Security Research
</description>
    </item>
    <item>
      <title>Regulating Consent and Dark Patterns: Bridging Law, Web Measurement, and HCI</title>
      <link>https://cysec.wien/news/2026-02-25_lecture_bielova/</link>
      <description>Talk by Nataliia Bielova
Location: TU Wien, FAV Hörsaal 3 Zemanek (Favoritenstraße 9-11, 1040 Wien) (HHEG01) Virtual location: https://live.video.tuwien.ac.at/watch?l=iwWhYq1fWmHBcESTpTboSa Date/Time: 2026-02-25 11:00 &amp;#x2012; 12:00 Abstract: Over the past decades, Web tracking technologies have enabled pervasive, large-scale surveillance of online activity for data extraction and targeted advertising. In response, European regulators have sought to safeguard users through the consent required by the General Data Protection Regulation (GDPR), operationalized in practice via cookie consent banners. Yet these interfaces frequently rely on “dark patterns” that manipulate user decision-making. Such manipulative design does not only affect end users, but can also distort interactions among other actors in the web ecosystem.
In this talk, I examine how cookie consent mechanisms and dark patterns can be regulated under existing and emerging EU legal frameworks, including the General Data Protection Regulation and the Digital Services Act (DSA). I argue that effective enforcement requires close collaboration between legal scholars, web measurement researchers, and the HCI community. By combining doctrinal legal analysis with web measurements and empirical user studies, regulators can be better equipped to make robust, evidence-based, legally binding decisions. I conclude by outlining the key opportunities and methodological challenges of this emerging transdisciplinary research agenda aimed at strengthening user protection online.
Bio: Dr. Nataliia Bielova is a Research Director in Computer Science at Inria (French Institute for Research in Computer Science and Automation). She is a privacy expert with a multidisciplinary background in computer science and regulation, investigating privacy and data protection on the Web. Dr. Bielova was a Senior Privacy Fellow at the French Data Protection Authority (CNIL) and an External Expert for the EU Commission for its implementation of the EU Digital Services Act (DSA). She received a Young Researcher Award from the French National Research Agency (ANR), the Rising Star award by Women at Privacy in 2023, the CNIL-Inria Privacy Award in 2025 and the Lovelace-Babbage Award from the French Science Academy and the French Computer Society in 2025.
</description>
    </item>
    <item>
      <title>ZKSC 2026 Workshop</title>
      <link>https://cysec.wien/news/2026-02-09_zksc_2026/</link>
      <description>ZKSC 2026 – the Workshop on Zero-Knowledge, Succinct Proofs and Symmetric Cryptography – successfully took place on February 9–11, 2026. Organized by Elena Andreeva and Georg Fuchsbauer, the event brought together researchers from zero-knowledge and symmetric cryptography, two communities whose interaction is becoming increasingly essential for modern privacy-preserving systems. The workshop formed part of the activities of the Cybersecurity Center TU Wien and the FWF-funded SPyCoDe project, with additional support provided by the Ethereum Foundation.
The workshop featured a diverse and high-level program of talks covering foundational advances, practical challenges, and emerging directions at the intersection of zero-knowledge and symmetric cryptography:
Christian Rechberger: On Zero-Knowledge Proofs and Symmetric Cryptography
Ivan Visconti: A Few Stops in the Zero-Knowledge Journey
Léo Perrin: When POlynomial System SOlving became a threat for symmetric primitives
Ziyi Guan: On the Security of Succinct Arguments from Probabilistic Proofs
Arnab Roy: When Polynomials Iterate: Structure and Security in Symmetric Cryptography
Abhishek Jain: IVC without Random Oracles
Dmitry Khovratovich: Succinct Proofs in the Core Ethereum Protocol
Stefano Trevisani: New Modes on the Block: Security and Efficiency of Novel AO Compression Modes
Lorenzo Grassi: Greek and Roman Gods in Symmetric-Key Crypto
Justin Thaler (remote talk): Lessons from Jolt: When Do We Need SNARK-Friendly Primitives?
Dmitry Khovratovich: Panel on Poseidon
Michele Orrù (remote talk): A Fiat–Shamir Transformation From Duplex Sponges
Markus Schofnegger: Implementation Characteristics of Hash Functions in Modern Proof Systems
Ngoc Khanh Nguyen: Recent Progress on Lattice-based Zero-Knowledge Proofs
Georg Fuchsbauer: Plonk Without Random Oracles
The program also included dedicated breakout sessions that encouraged focused discussions and in-depth exchanges on emerging research questions.
</description>
    </item>
    <item>
      <title>AI-Powered Victory at the A2RL 2026 Drone Championship</title>
      <link>https://cysec.wien/news/2026-01-21_a2rl_2026/</link>
      <description>A2RL (Abu Dhabi Autonomous Drone Race League) is a pioneering extreme racing series dedicated to advancing the frontiers of autonomous technology. Initiated by ASPIRE and realized through the collaborative efforts of engineers, scientists, and programmers, it functions both as a high-performance competition and as a global platform for innovation in AI-driven mobility. Each year, multidisciplinary teams from leading academic and technological institutions worldwide compete to design and deploy the fastest, most robust, and most capable autonomous racing systems.
Team FlyBy won the Silver Group at A2RL 2026. The core team consists of Joel Klimont (PhD student with Prof. Radu Grosu, Cyber-Physical Systems, TU Wien), Alexander Lampalzer (Master’s student, TU Wien), and Jakob Buchsteiner (Master’s student, TU Wien). They were supported by Konstantin Lampalzer (Master’s student, TU Wien), Thisas Ranhiru (Bachelor’s student, RIT Dubai), and Akos Papp (student at HTL Wiener Neustadt and member of the robotics club robo4you).
A2RL is known for its exceptionally strict and fair rules: each team is provided with exactly the same drone by the organizers, eliminating any hardware advantage. As a result, success depends entirely on software performance — specifically on how effectively perception, state estimation, and control algorithms interact under real-world racing conditions. The competition therefore serves as a rigorous benchmark for algorithmic excellence and system integration.
The FlyBy system is built on a highly efficient autonomous control architecture that relies solely on a single camera and motion sensors. With this minimal sensor configuration, the drone must estimate its position and velocity and detect race gates in real time while operating at high speeds. After months of development and refinement, the system achieved peak speeds of up to 20 meters per second.
Shortly before the January 2026 final, the team made a bold strategic decision: rather than relying exclusively on classical control methods, they integrated reinforcement learning into their control framework. This AI-driven approach enabled the drone to learn optimal racing strategies autonomously. The shift proved decisive — reinforcement learning delivered not only higher speeds but also increased stability, particularly in demanding multi-drone race scenarios.
The full competition video can be viewed on YouTube
</description>
    </item>
    <item>
      <title>Digital Euro and Beyond - CBDCs and Stablecoins in Europe</title>
      <link>https://cysec.wien/news/2026-01-28_lecture_niederlaender/</link>
      <description>Talk by Petia Niederländer
Location: TU Wien, EI 8 Pötzl HS (Gußhausstraße 27-29, 1040 Wien) (CDEG08) Date/Time: 2026-01-28 10:30 &amp;#x2012; 11:30 Bio: Petia Niederländer is the Director for Payments, Risk Monitoring and Financial Literacy of the Austrian National Bank (Oesterreichische Nationalbank) and a member of the ECB’s Market Infrastructure Board. Petia joined payments and banking more than 25 years ago. Prior to her role at the Austrian National Bank, she held several management positions at one of the largest retail banks in Austria and served on the board of EBA Clearing as well as on national and international payments bodies.
Background: What is the digital euro and why does it matter?
The digital euro is a project by the European Central Bank to create a public digital version of the euro. It is being developed in response to the rapid decline in cash use and the growing dominance of private digital payment systems across Europe. Today, most electronic payments rely on non-European providers, which has raised concerns about Europe’s financial independence and long-term control over its payment infrastructure.
Another driver behind the digital euro is the rise of stablecoins—privately issued digital currencies that are often linked to foreign currencies. Policymakers worry that widespread use of such instruments could further weaken the role of public money and increase dependence on private or foreign issuers.
Supporters argue that the digital euro could offer a public alternative to private payment solutions. It would be designed as a basic payment infrastructure, allowing banks and payment companies to build additional services on top of it. The European Central Bank has also highlighted stronger privacy protections and lower costs for consumers and merchants as potential advantages, as well as improved access to digital payments for people who are currently underserved.
However, experience from other countries suggests that public digital currencies are not automatically adopted. In regions with already efficient digital payment systems, people may see little reason to switch unless the new system offers clear benefits in terms of convenience, cost, or trust.
One of the most debated aspects of the digital euro is the proposed limit on how much individuals could hold. Current plans suggest relatively low caps, which critics say would prevent the digital euro from serving as a meaningful store of value. Unlike cash, bank deposits, or stablecoins, which have no formal holding limits, a capped digital euro may be less attractive to users.
The European Central Bank argues that limits are needed to protect financial stability, as an unlimited digital euro could make it easier for people to move money out of banks during a crisis. Critics counter that digital bank runs are already possible and that a public digital euro could be safer than private alternatives and easier for authorities to manage in times of stress.
More broadly, the debate over the digital euro has reopened questions about the structure of Europe’s banking system and the balance between public and private money in a digital economy. Whether the digital euro will succeed will largely depend on its final design and whether it offers enough value to persuade Europeans to use it in everyday life.
</description>
    </item>
    <item>
      <title>Automations for Zero-Day Vulnerability Discovery</title>
      <link>https://cysec.wien/news/2026-01-14_lecture_yamaguchi/</link>
      <description>Talk by Fabian Yamaguchi
Location: TU Wien, EI 11 Geodäsie HS (Gußhausstraße 27-29, 1040 Wien) (CD0304) Virtual location: https://tuwien.zoom.us/j/68970632137 Date/Time: 2026-01-14 14:00 &amp;#x2012; 16:00 Abstract: The discovery of zero-day vulnerabilities remains one of the most significant challenges in computer security, traditionally reliant on the manual expertise of seasoned security researchers. As software complexity scales exponentially, manual auditing alone can no longer keep pace with the vast attack surfaces of modern codebases. This lecture explores the evolution of automated vulnerability discovery, centering on the development and application of the Code Property Graph (CPG) — a unified program representation that has bridged the gap between academic static analysis and industrial-scale security auditing.
We will begin by examining the theoretical foundations of the CPG, which merges abstract syntax trees (ASTs), control flow graphs (CFGs), and program dependence graphs (PDGs) into a single, queryable data structure. This representation allows for the elegant modeling of complex vulnerability patterns — such as taint-style flaws and missing checks — using expressive graph traversals.
Moving from theory to practice, the session will detail the challenges and &amp;ldquo;street smarts&amp;rdquo; required to implement these concepts in a production environment. Drawing on experience from the open-source platform Joern and its commercial counterparts, we will discuss:
Scalability: How to perform deep data-flow tracking across millions of lines of code within modern CI/CD time constraints (e.g., &amp;lt; 10 minutes).
Abstraction Levels: Handling diverse instruction sets and programming languages through a language-agnostic intermediate representation.
Human-in-the-Loop Automation: Shifting the focus from &amp;ldquo;black-box&amp;rdquo; scanners to extensible &amp;ldquo;analyst workbench&amp;rdquo; tools that augment the auditor’s capabilities.
The lecture concludes with a look at the future of the field, including the integration of machine learning and large language models (LLMs) with graph-based analysis to further refine the precision of automated bug hunting.
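To make the abstract's central idea concrete, here is an added toy code property graph in Python. It is a constructed illustration and not Joern's schema or query language: one node set carries AST, CFG and reaching-definition edges, and a taint-style query walks the data-flow edges from a source call to a sink call and keeps only the flows that never pass through a sanitizer. The four-line sample program, the call names recv_input, sanitize and system, and the edge labels are assumptions for the demo.

```python
# Added toy code property graph plus a taint-style traversal; constructed for
# illustration only, not Joern's data model.


class CodePropertyGraph:
    """Nodes carry kind/code/line; edges are labelled AST, CFG or REACHING_DEF
    so that one structure answers syntax, control-flow and data-flow queries."""

    def __init__(self):
        self.nodes = {}
        self.edges = []

    def add_node(self, nid, kind, code, line):
        self.nodes[nid] = {"kind": kind, "code": code, "line": line}

    def add_edge(self, src, dst, label):
        self.edges.append((src, dst, label))

    def successors(self, nid, label):
        return [d for s, d, lab in self.edges if s == nid and lab == label]

    def calls_to(self, name):
        """CALL nodes invoking the given function (matched on the call text)."""
        return [n for n, d in self.nodes.items()
                if d["kind"] == "CALL" and d["code"].startswith(name + "(")]


def data_flows(cpg, src_id, sink_ids):
    """All simple REACHING_DEF paths from src_id to any sink (DFS; fine for small graphs)."""
    paths, stack = [], [(src_id, [src_id])]
    while stack:
        node, path = stack.pop()
        if node in sink_ids:
            paths.append(path)
            continue
        for nxt in cpg.successors(node, "REACHING_DEF"):
            if nxt not in path:               # avoid cycles
                stack.append((nxt, path + [nxt]))
    return paths


def taint_findings(cpg, source, sink, sanitizer):
    """Source-to-sink data flows that never pass through a sanitizer call.
    Returns one list of line numbers per unsanitized flow."""
    sinks = set(cpg.calls_to(sink))
    findings = []
    for src in cpg.calls_to(source):
        for path in data_flows(cpg, src, sinks):
            if not any(cpg.nodes[n]["code"].startswith(sanitizer + "(") for n in path):
                findings.append([cpg.nodes[n]["line"] for n in path])
    return findings


def build_sample():
    """Constructed sample program (assumption), one call per line:
        1  buf = recv_input();
        2  clean = sanitize(buf);
        3  system(clean);
        4  system(buf);
    """
    g = CodePropertyGraph()
    g.add_node("m", "METHOD", "handler", 0)
    g.add_node("n1", "CALL", "recv_input()", 1)
    g.add_node("n2", "CALL", "sanitize(buf)", 2)
    g.add_node("n3", "CALL", "system(clean)", 3)
    g.add_node("n4", "CALL", "system(buf)", 4)
    for n in ("n1", "n2", "n3", "n4"):
        g.add_edge("m", n, "AST")              # syntax: method contains the calls
    for a, b in (("n1", "n2"), ("n2", "n3"), ("n3", "n4")):
        g.add_edge(a, b, "CFG")                # control flow: straight-line code
    g.add_edge("n1", "n2", "REACHING_DEF")     # buf flows into sanitize
    g.add_edge("n1", "n4", "REACHING_DEF")     # buf flows unsanitized into system
    g.add_edge("n2", "n3", "REACHING_DEF")     # clean flows into system
    return g


def run_sample():
    """Returns the unsanitized flows in the sample: [[1, 4]]."""
    return taint_findings(build_sample(), "recv_input", "system", "sanitize")
```

run_sample() flags only the flow from line 1 to line 4; the flow through sanitize on line 2 into line 3 is dropped by the sanitizer filter. The same graph also answers control-flow questions (successors on CFG edges) and structural ones (AST edges), which is the point of merging the three representations: a "missing check" pattern would be a query over CFG edges on the same nodes rather than a separate tool.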
Bio: Prof. Dr. Fabian Yamaguchi is co-founder and CTO of Whirly Labs, Adjunct Professor for Computer Security at Stellenbosch University, and Chief Scientist Emeritus at Qwiet.ai (formerly ShiftLeft Inc.). He is a seasoned expert in cyber security with over 20 years of experience, both as an individual contributor and in leadership roles.
Most recently, he was a founding team member of ShiftLeft Inc where he built and led the R&amp;amp;D team that designed and implemented the technology for automated vulnerability discovery at the heart of the product offering — based on his 2015 award-winning PhD thesis “Pattern-Based Vulnerability Discovery”.
Throughout his career, he has identified previously unknown vulnerabilities in widely used software such as the Microsoft Windows and Linux kernels, the Squid proxy server, and the VLC media player. He has presented his findings and techniques at major industry conferences such as Black Hat USA, DEF CON, FIRST, and CCC, as well as at renowned academic security conferences such as ACSAC, IEEE Security and Privacy, and CCS.
He is the inventor of the code property graph and lead developer of the open-source code analysis platform Joern. Fabian holds a PhD in computer science from the University of Goettingen and a master’s degree in computer engineering from Technical University Berlin.
© Marco Squarcina
</description>
    </item>
    <item>
      <title>AI and Cybersecurity? Science is Needed</title>
      <link>https://cysec.wien/news/2025-12-19_kurier_interview_arp/</link>
      <description>Artificial intelligence and cybersecurity is one of the central topics in today’s digital world. While AI enhances threat detection and automation, it is also exploited by attackers, creating a rapidly evolving technological arms race.
In a guest commentary in Kurier, Daniel Arp highlights the limitations of artificial intelligence as a security solution and warns of an ongoing arms race with increasingly sophisticated attackers. According to Arp, despite rapid technological progress, human expertise and academic research remain indispensable.
Artificial intelligence is currently widely promoted as a universal solution across many domains, including cybersecurity. AI-based systems are often marketed as digital “wonder weapons” capable of automatically detecting threats such as malware or phishing emails. While this promise sounds appealing, Arp cautions that it represents only part of the reality.
“AI can indeed identify patterns that humans might overlook and significantly reduce the manual workload of security teams,” Arp explains. “However, believing that AI alone can solve all security problems ignores the fact that attackers are also using AI.” Malicious actors, for example, already rely on AI to generate flawless phishing emails in multiple languages.
Arp notes that modern AI systems can automatically search for vulnerabilities and adapt to defensive measures like “digital chameleons.” At the same time, AI has inherent weaknesses: its performance depends heavily on the quality of the data on which it is trained. These datasets are often incomplete, biased, or outdated, making AI-based detection systems vulnerable to targeted attacks. As a result, such systems may misclassify harmless code as malicious or miss real threats.
This is where scientific research plays a crucial role, Arp emphasizes. Researchers must develop more robust models, increase transparency, and ensure that AI systems are explainable and verifiable. Despite notable advances, he does not expect fully autonomous security systems to become viable in the near future.
“AI will support security teams, but it will not replace them,” Arp concludes. “Real progress emerges not from AI models alone, but from their interaction with rigorous research and human expertise.”
</description>
    </item>
    <item>
      <title>NEST Secures EUR 1 Million Grant from FFG</title>
      <link>https://cysec.wien/news/2025-12-18_ffg_project_bartocci/</link>
      <description>The FFG “AI Ecosystems 2025: AI for Tech &amp;amp; AI for Green” initiative is implemented by the Austrian Research Promotion Agency (FFG – Österreichische Forschungsförderungsgesellschaft), Austria’s central national funding organisation for applied research, technological development, and innovation. Acting on behalf of the Austrian federal ministries, FFG supports industry-driven R&amp;amp;D, strengthens cooperation between science and business, and facilitates the translation of research results into market-ready solutions. Within this framework, the AI Ecosystems 2025 call provides EUR 6.48 million in funding for projects in the field of artificial intelligence, with the objective of strengthening Austria’s AI innovation ecosystem through collaborative, application-oriented research.
One of the projects selected for funding under this call is NEST – Neuro-symbolic Ethical Safe Traffic, which will be implemented with the involvement of researchers from TU Wien and has been awarded a EUR 1 million research grant. Professor Ezio Bartocci will serve as project coordinator, leading a consortium of academic and industrial partners comprising TU Wien (Agata Ciabattoni, Martin Tappler, Ezio Bartocci), the Austrian Institute of Technology (AIT) (Dejan Nickovic, Alessio Gambi), and Kapsch TrafficCom AG – Intelligent Traffic &amp;amp; Toll Solutions. The consortium combines complementary expertise across the innovation value chain, bringing together strengths in formal methods and artificial intelligence with deployment-oriented validation and pilot use cases to ensure practical relevance and applicability in real-world settings.
The NEST project addresses a central challenge of modern urban mobility: how to design traffic control systems that are not only efficient, but also fair, ethical, and transparent for all road users, including pedestrians, cyclists, public transport, and vehicles. Existing traffic control solutions are largely based on static models and manual tuning, which limits their ability to respond to dynamic traffic conditions, adequately account for vulnerable users, and scale efficiently in real-world deployments.
NEST proposes a neuro-symbolic traffic control approach that integrates learning-based methods with symbolic normative reasoning. The project aims to develop traffic control systems that are adaptive and high-performing through reinforcement and imitation learning, ethically grounded through formal representations of norms and fairness constraints, and transparent and explainable through verifiable, human-interpretable models. By combining Hybrid AI, generative AI, and search-based software engineering, NEST will generate rich, norm-relevant urban traffic scenarios using the SUMO simulation framework and investigate large language model (LLM)-based methods for translating natural-language normative requirements into formal logic.
The expected outcomes of NEST include a neuro-symbolic toolchain for synthesising trustworthy and norm-compliant traffic controllers, a novel simulation environment for complex and ethically relevant urban traffic scenarios, and AI-assisted methods that support developers in both scenario generation and the formalisation of normative requirements.
NEST is strategically aligned with major national and European AI initiatives, including the FWF Cluster of Excellence Bilateral AI, AI Factories at AIT, and large-scale computational infrastructures such as the Vienna Scientific Cluster and the AIT AI Cluster, supporting scalability, reproducibility, and sustainable impact.
</description>
    </item>
    <item>
      <title>FREELY Project Awarded €1.2M FNR–FWF Funding</title>
      <link>https://cysec.wien/news/2025-12-16_fnr_fwf_project_bartocci/</link>
      <description>In cooperation with the Luxembourg National Research Fund (FNR), the Austrian Science Fund (FWF) supports closely integrated research collaborations between teams in Austria and Luxembourg through Weave, a bottom-up cross-European funding scheme designed to enable excellent collaborative projects. Weave streamlines international collaboration by allowing researchers from up to three participating European countries or regions to collaborate under simplified and harmonized funding procedures.
The international research project FREELY – FREquency-Enhanced Verification and VaLidation of Cyber-Physical Systems has been awarded more than €1.2 million in joint funding from the Luxembourg National Research Fund (FNR) and the Austrian Science Fund (FWF). The project marks a significant milestone for the Trustworthy Cyber-Physical Systems (TrustCPS) research group at TU Wien, led by Prof. Ezio Bartocci, with approximately €600,000 of the total budget allocated to his team. FREELY’s mission is to strengthen the trustworthiness of cyber-physical systems by developing frequency-aware verification and validation techniques that can uncover subtle faults and vulnerabilities arising from timing and performance effects, and by translating these advances into methods and tools that better reflect real-world operational conditions.
The project will address core research tasks such as:
designing new models and specifications that capture frequency- and timing-dependent behaviors of CPS,
developing verification and testing approaches that combine rigorous formal guarantees with practical validation workflows,
creating scalable analysis techniques for complex CPS stacks that span software, hardware, and networked components,
providing actionable artifacts—benchmarks, datasets, and prototypes—that can be reused by the broader research community.
FREELY represents a closely integrated collaboration between TU Wien and the Software Verification and Validation (SVV) research group at the Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg. On the Luxembourg side, the project is jointly led by Dr. Drishti Yadav — former PhD student of Prof. Bartocci and recent Runner-up for the Informatics Europe Best Dissertation Award — together with Prof. Domenico Bianculli, current head of the SVV research group and successor of Lionel Briand, and Dr. Claudio Mandrioli, Marie Curie Fellow. Their combined expertise forms the core leadership team for the Luxembourg partner, complementing TU Wien’s strengths in trustworthy CPS analysis with leading competence in software verification and validation.
Over the next three years, FREELY will build strong scientific synergies between the TrustCPS group at TU Wien and the SVV group at the University of Luxembourg, advancing state-of-the-art methods for the verification and validation of cyber-physical systems. The collaboration will include intensive joint research activities and researcher exchanges, further strengthening ties between the two institutions. Beyond scientific outputs, FREELY aims to deliver practitioner-relevant guidance for designing and assessing CPS with stronger assurance guarantees, supporting safer and more resilient deployments in domains where reliability and security are critical.
</description>
    </item>
    <item>
      <title>Cardinal Innitzer Prize</title>
      <link>https://cysec.wien/news/2025-12-02_cardinal_innitzer_prize_kugi/</link>
      <description>The Cardinal Innitzer Study Fund, established in 1962 and named after Cardinal Theodor Innitzer (1875–1955), supports scholarly excellence in Austria through annual awards. Initiated by the Archdiocese of Vienna, the Cardinal Innitzer Prize recognizes outstanding achievements across fields including theology, the humanities, social sciences, natural sciences/medicine, and journalism, and also includes promotion awards for early-career researchers. It is regarded as one of Austria’s most prestigious academic honors.
Prof. Andreas Kugi, Scientific Director of the Austrian Institute of Technology (AIT) and Professor of Complex Dynamic Systems at TU Wien, was awarded the 2025 Kardinal-Innitzer Würdigungspreis (Recognition Prize) in the Natural Sciences category. The award recognizes Kugi’s fundamental contributions to systems engineering and control engineering, with a particular focus on the mathematical modeling and optimization of complex industrial processes. His research spans energy and manufacturing systems, robotics and automation, autonomous systems, and machine learning, and is widely regarded as pioneering in its ability to connect theory, simulation, and industrial application.
With more than 350 scientific publications and 149 patents, and memberships in the Austrian Academy of Sciences (Österreichische Akademie der Wissenschaften, ÖAW) and acatech (Deutsche Akademie der Technikwissenschaften), Kugi has built a research portfolio that combines academic excellence with tangible technological impact.
</description>
    </item>
    <item>
      <title>Presentation at ASE 2025</title>
      <link>https://cysec.wien/news/2025-11-19_ase_2025/</link>
      <description>The IEEE/ACM International Conference on Automated Software Engineering (ASE) is a premier research forum that brings together researchers and practitioners from academia and industry to present and discuss foundations, methods, and tools for automating the analysis, design, implementation, testing, and maintenance of large software systems.
At ASE 2025 in Seoul, Republic of Korea, Jakob Bleier, Felix Kehrer, Jürgen Cito, and Martina Lindorfer presented their paper “Profile Coverage: Using Android Compilation Profiles to Evaluate Dynamic Testing.” Their work addresses a key challenge in Android security and reliability: as apps grow more complex, it becomes increasingly difficult to test them in a way that reflects how real users interact with them.
The team shows that Android’s compilation profiles — particularly Cloud Profiles from the Google Play Store — offer a valuable, previously underused view of real-world usage. They introduce profile coverage, a new metric that measures how well dynamic testing exercises the methods users actually trigger, and implement it with PROFTRACE, a lightweight tracer based on Linux kernel uprobes that runs without modifying apps or the Android system. Evaluations on popular apps demonstrate that profile coverage uncovers insights beyond traditional code coverage and opens up new opportunities for user-centric testing, app understanding, and future research on usage-informed analysis of Android software.
</description>
    </item>
    <item>
      <title>Netidee Call 20 Scholarship</title>
      <link>https://cysec.wien/news/2025-11-26_netidee_scholarship_tagliaro_2025/</link>
      <description>netidee is Austria’s major open-source internet funding initiative, organised and financed by the Internet Foundation, which supports projects and academic work related to the internet with a strong focus on open source, openness, and societal benefit. Each year, netidee awards scholarships for thesis projects at Austrian universities (approximately €6,000 for Master’s theses and €12,000 for PhD dissertations), enabling students to fully concentrate on their research.
In Call 20 (2025), netidee made €1.4 million available for innovative projects, scholarships, and research. From 138 submissions, the funding board selected 18 projects and 10 scholarship recipients, awarding around €1 million to support the development of the internet in Austria. Among the funded scholarship projects is “Analyzing and Understanding the Internet of Insecure Things” by Carlotta Tagliaro, a PreDoc researcher at the Research Unit Security and Privacy, supervised by Prof. Martina Lindorfer.
Internet of Things (IoT) devices are now common in homes, assisting with daily tasks while collecting large amounts of user and environmental data. As these devices often lack interfaces, mobile companion apps provide key functionality but also pose privacy and security risks. Carlotta’s research investigates how IoT devices, apps, backends, and protocols operate, whether safeguards exist, and where privacy may be compromised.
One study analyzes the HbbTV protocol used in smart TVs and shows that personal data is collected before user consent in several European countries. Another examines 3,000 companion apps, identifying sensitive data exposures, including default credentials that allow access to all users of a health bracelet. A further large-scale assessment of backend systems uncovers widespread misconfigurations, weak cryptography, and data leakage. Finally, the work explores the challenges of coordinated vulnerability disclosure, balancing public safety with the responsibilities of researchers and vendors.
</description>
    </item>
    <item>
      <title>Beyond Models</title>
      <link>https://cysec.wien/news/2025-11-18_tuw_interview_vazquez/</link>
      <description>The Communication Networks Group (CN-Group), led by Tanja Zseby at the TU Wien Institute of Telecommunications, develops data analysis and machine-learning methods for network security, focusing on scalable anomaly detection and traffic analysis under real-world constraints such as encryption, streaming data, and large-scale monitoring. It provides practical resources including Traffic Flow Mapping for visualization, lightweight network-feature research, algorithms such as One-class Decision Tree Fuzzyfier and Sparse Data Observers, and shared datasets and repositories such as the Network Traffic Analysis Database, Covert Timing Channel datasets, Multidimensional Data Cluster Generator, Geometrical Optimum Index indices, and Internet Background Radiation (“darkspace”) captures.
In an interview with the Center Research Data Management at TU Wien, Félix Iglesias Vázquez discussed data-centric research and reproducible science within the Communication Networks Group. With a background spanning electrical engineering, data analysis, and machine learning, he develops methodologies and versatile algorithms for detecting anomalies in complex real-world datasets, particularly in network traffic, where privacy, security, and anonymisation constraints often limit access to high-quality, well-documented data.
A central theme of Iglesias’ work is the close alignment of theoretical development with practical application. He notes that anomaly-detection methods frequently fail when transferred across domains because they are built on assumptions that do not reflect the structure of real data. In many cases, anomalies are not isolated outliers but appear as dense clusters, novelties, or context-dependent patterns. This insight has led his group to broaden the concept of anomalies and to prioritise dataset relevance, labelling quality, and rich, findable metadata over incremental algorithmic refinement on synthetic benchmarks.
To support reproducibility and open research, Iglesias advocates publishing code in forms that remain usable over time despite evolving software dependencies. He promotes Docker containerisation as a practical solution, enabling pinned libraries and well-defined execution environments that ensure infrastructure-independent and reproducible experiments. Alongside these practices, his group publishes robust and adaptable methods designed to operate across domains, including anomaly-detection systems such as Sparse Data Observers and Go-flows.
Looking ahead, Iglesias expresses cautious optimism about the use of artificial intelligence and large language models in data analysis, particularly as agents for testing and interpreting results in complex environments. At the same time, he cautions that the greatest risk lies not in occasional failures but in systematic, unnoticed errors that can propagate across interconnected systems. For this reason, he emphasises the need for transparency, continuous monitoring, and human oversight from diverse perspectives, with the aim of embedding critical thinking and responsible practice into both research and education.
</description>
    </item>
    <item>
      <title>Bitcoin Research Prize 2025</title>
      <link>https://cysec.wien/news/2025-11-11_bitcoin_research_prize_2025/</link>
      <description>The Bitcoin Research Prize honors breakthrough results that advance Bitcoin and the Lightning Network. Eligible work spans cryptography, theoretical computer science, network theory, economics, and adjacent fields. An independent committee of leading researchers selects the winners annually.
The Bitcoin Research Prize 2025 was awarded to the BitVM2 team for advancing a long-standing goal in blockchain infrastructure: a trust-minimized bridge between Bitcoin and its second layers or other chains. The project is a collaboration among Robin Linus (ZeroSync Association; Stanford University), Lukas Aumayr (University of Edinburgh; Common Prefix), Zeta Avarikioti (TU Wien; Common Prefix), Matteo Maffei (TU Wien), Andrea Pelosi (University of Pisa; University of Camerino; TU Wien), Orfeas Thyfronitis Litos (Imperial College London; Common Prefix), Christos Stefo (TU Wien), David Tse (Stanford University), and Alexei Zamyatin (BOB).
BitVM2 is the first protocol enabling arbitrary computations on Bitcoin, which the team leverages to design the first secure bridge to Layer-2. This work advances the vision of a trustless connection between Bitcoin and its scaling layers with the first light-client-based Bitcoin bridge. At its core, BitVM2-core introduces a paradigm for arbitrary program execution on Bitcoin, combining Turing-complete expressiveness with the security of Bitcoin consensus. BitVM2-bridge improves prior approaches by reducing the trust assumption from an honest majority (t-of-n) to existential honesty (1-of-n) during setup. Liveness holds with only one rational operator, and any user can act as a challenger, enabling permissionless verification. A production-level implementation of BitVM2 is available, and a full challenge verification has been executed on the Bitcoin mainnet.
</description>
    </item>
    <item>
      <title>Best Student Paper Award at MFCS</title>
      <link>https://cysec.wien/news/2025-08-29_mfcs_award_2025/</link>
      <description>The International Symposium on Mathematical Foundations of Computer Science (MFCS) is a long-running, high-quality venue for original research across the breadth of theoretical computer science. The 50th edition took place 25–29 August 2025 in Warsaw, Poland. The programme covered core areas of theoretical computer science and related topics: algorithms and data structures, computational complexity, automata and formal languages, logic, verification, cryptography and security, distributed and parallel computing, network algorithms, and quantum computing.
Anton Varonka, a PhD student in the Doctoral College “Logical Methods in Computer Science” at TU Wien Informatics (co-funded by the EU’s Marie Skłodowska-Curie Actions), supervised by Prof. Laura Kovács, won the Best Student Paper Award at MFCS 2025 for “On Piecewise Affine Reachability with Bellman Operators,” co-authored with Kazuki Watanabe (NII). The paper examines the reachability problem for piecewise affine maps. These maps can exhibit complex dynamics, and reachability is known to be undecidable even in two dimensions. The authors focus on the subclass of Bellman operators arising from Markov decision processes and establish new decidability results. In any dimension, reachability is decidable if (i) the target vector is not a fixed point of the operator or (ii) the source and target are comparable in the componentwise order. In two dimensions, reachability for Bellman operators is always decidable. These results refine the boundary between undecidability and decidability and link foundational theory to applications in AI and dynamic systems.
</description>
    </item>
    <item>
      <title>CSRankings</title>
      <link>https://cysec.wien/news/2025-11-08_cs_ranking_2025/</link>
      <description>CSRankings is a metrics-based, open-source ranking of top computer science institutions worldwide, built on publication records in leading conferences across key research areas. It highlights where faculty actively publish high-impact research, providing a transparent, data-driven view of institutional strength in computer science.
We are proud that the strong presence of TU Wien Informatics and CySec faculty at leading international conferences in computer security, cryptography, and logic &amp;amp; verification has resulted in TU Wien being ranked 5th in Europe and 19th worldwide in CSRankings 2024–2025. This success reflects the excellence of our faculty, the supportive environment of Technische Universität Wien, and the strength of the Austrian research funding ecosystem, including the Vienna Science and Technology Fund (WWTF), the Austrian Science Fund (FWF), the Austrian Research Promotion Agency (FFG), the City of Vienna, the Federal Ministry of Education, and the Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology.
For computer security, CSRankings considers the flagship conferences ACM SIGSAC CCS, the IEEE Symposium on Security and Privacy (“Oakland”), and the USENIX Security Symposium. At these venues, TU Wien is represented by publications from Matteo Maffei (3 papers), Martina Lindorfer (2), and Zeta Avarikioti and Laura Kovács (1 each). In logic and verification, the relevant venues include CAV and LICS (associated with ACM SIGLOG), with contributions from Ezio Bartocci (2 papers) and from Maria Christakis, Katalin Fazekas, Matteo Maffei, Georg Weissenbacher, and Laura Kovács (1 paper each). In cryptography, CSRankings is based primarily on the IACR flagship conferences CRYPTO and EUROCRYPT, where TU Wien is represented by Georg Fuchsbauer (3 papers) and by Dominique Schröder and Elena Andreeva (1 paper each).
</description>
    </item>
    <item>
      <title>EMSOFT Best Paper Award</title>
      <link>https://cysec.wien/news/2025-11-07_emsoft_best_paper_bartocci/</link>
      <description>The ACM SIGBED International Conference on Embedded Software (EMSOFT) is a leading forum for researchers and practitioners from academia, industry, and government working on the science and engineering of embedded software. Since 2001, it has showcased cutting-edge research on the design and analysis of software interacting with physical processes, with a strong focus on cyber-physical systems that integrate computation, communication, and physical dynamics.
Ezio Bartocci, together with Hongkai Chen (The Chinese University of Hong Kong, China), Zeyu Zhang (Stony Brook University, USA), Shouvik Roy (Illinois Institute of Technology, USA), and Scott Smolka, Scott Stoller, and Shan Lin (all Stony Brook University, USA), has been awarded the EMSOFT Best Paper Award at Embedded Systems Week 2025 for their work on “Cumulative-Time Signal Temporal Logic” (CT-STL).
The work addresses an important gap in specifying and verifying temporal requirements in cyber-physical systems such as microgrids and medical devices. While Signal Temporal Logic (STL) is widely used to express conditions like safety and response time, it cannot capture how long a property remains satisfied within a time interval. CT-STL extends STL with a new cumulative-time operator that compares the total duration for which a condition holds against a threshold.
The authors provide both qualitative and quantitative semantics for CT-STL, prove their soundness and completeness, and develop an efficient online monitoring algorithm. They demonstrate the practical impact of this approach in two case studies: enforcing cumulative safety requirements in a microgrid and monitoring glucose control in an artificial pancreas. The results offer a rigorous and implementable way to reason about “how long” critical properties hold, contributing to more reliable and trustworthy cyber-physical systems.
</description>
    </item>
    <item>
      <title>Space-Efficient Blockchains</title>
      <link>https://cysec.wien/news/2025-12-01_lecture_fuchsbauer/</link>
      <description>Talk by Georg Fuchsbauer
Virtual location: https://tuwien.zoom.us/j/63867281732?pwd=WEFYQ3pHdU1tK2JMSTlBSFlRWFpxZz09
Date/Time: 2025-12-01 17:00
Abstract: The move from “proof of work” to “proof of stake” has arguably overcome the problem of energy waste in blockchains. However, for public verifiability, most systems require all transactions to be stored forever, by every full node. In Bitcoin this data now amounts to over 600GB, while in Ethereum it is over 1TB. We will overview two approaches to space-efficient systems. “Mimblewimble” is a protocol where spent transactions can be erased from the blockchain while maintaining verifiability. “Mina” goes further and, using a heavy-weight cryptographic concept called zk-SNARK, reduces its blockchain size to 22kB, which will never grow.
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria.
</description>
    </item>
    <item>
      <title>Computer Errors: New Platform Aims to Prevent Total Outages</title>
      <link>https://cysec.wien/news/2025-10-18_die_presse_interview_kovacs/</link>
      <description>Prof. Laura Kovacs has been awarded an ERC Proof of Concept (PoC) Grant for the development of LEARN in January 2025. The aim of the grant is to validate the innovation and market potential of ERC-funded research results.
In an interview with Die Presse, Prof. Laura Kovács presents LEARN, a web platform that brings state-of-the-art bug finding and formal methods to a broad user base. Building on her team’s advances in automated reasoning, LEARN helps non-experts and developers detect errors early — before “small bugs” cascade into large-scale outages. “In software development it is extremely difficult to know whether a system is error-free; once a defect exists, finding and fixing it requires deep expertise in mathematics, logic, and computer science,” Kovács notes. With large language models such as ChatGPT, ethical questions also arise: how answers should be used, which outputs derive from which inputs, and which data can be trusted.
LEARN addresses these challenges through an interactive, web-based “sandbox” where developers can experiment, choose appropriate programming languages for a given task, write specifications, and check code. Traditional debugging tools often miss semantic or logic errors (code that compiles but is wrong), but LEARN is designed to detect exactly these kinds of failures. “Security is necessary but not sufficient; correctness matters,” Kovács emphasizes, pointing to the significant economic stakes.
Referencing the 19 July 2024 incident — when a faulty security-software update triggered global disruptions across hospitals and airports — Kovács explains that LEARN aims not only to prevent failures but also to triage incidents quickly, distinguishing cyberattacks from internal software faults so organisations can respond faster. She also highlights plans to embed these approaches in TU Wien’s curriculum, arguing that early, practical understanding of how computers work is vital for digital resilience.
</description>
    </item>
    <item>
      <title>DynAMiCs Workshop</title>
      <link>https://cysec.wien/news/2025-10-15_dynamics_workshop_2025_kovacs/</link>
      <description>The DynAMiCs workshop “Algebraic Methods in Dynamics and Particle Physics ”, organized by the Max Planck Institute for Software Systems (MPI-SWS) with support from the Max Planck Center for Particle Physics, Cosmology and Geometry and the Max Planck Center for Mathematics in the Sciences, brings together leading researchers in dynamics, algebra, and particle physics to explore themes at their intersection. Focus areas include the development of mathematical languages for describing physical phenomena across scales, as well as the algebraic and algorithmic foundations of discrete and continuous dynamical systems.
Prof. Laura Kovács delivered the lecture “Algebraic Methods in Dynamics and Particle Physics”.
Abstract: Despite the substantial progress in the computer-aided verification of computer systems, ensuring the correctness of programs implementing algebraic operations is still an open problem. This problem remains unsolved even when we restrict consideration to loops that are non-nested, without exit conditions, and/or only use limited (polynomial) arithmetic. Such programs naturally arise in compiler optimization, cryptography, cybersecurity, control theory, and probabilistic reasoning. This talk will present classes of computer systems for which we can automatically solve the challenge of proving programs error-free. Key to our setting is the combination of algebraic techniques with static code analysis, allowing us to turn even some unsolvable verification challenges into solvable ones.
</description>
    </item>
    <item>
      <title>Google PhD Fellowship</title>
      <link>https://cysec.wien/news/2025-10-24_google_fellowship_gerhart_2025/</link>
      <description>Google has announced the recipients of the 2025 Global Google PhD Fellowships. These fellowships recognize outstanding graduate students who are conducting exceptional and innovative research in computer science and related fields, specifically focusing on candidates who seek to influence the future of technology. The program provides vital direct financial support for their PhD pursuits and connects each Fellow with a dedicated Google Research Mentor, reinforcing our commitment to nurturing the academic community.
Among the 2025 Global Google PhD Fellowships, in the Privacy, Safety, and Security category, is Paul Gerhart. He is a doctoral student at TU Wien’s Privacy Enhancing Technologies research unit, supervised by Dominique Schröder. His work focuses on advanced cryptographic protocols — especially threshold signatures, partially-oblivious pseudorandom functions (PoPRFs), and password-based cryptography — with an emphasis on strong security guarantees and practical efficiency. He holds an M.Sc. in Computer Science from FAU Erlangen–Nürnberg (2022) and a B.Sc. in Mathematics from the University of Bonn (2020).
In 2025 he co-authored four papers presented at flagship conferences — ASIACRYPT 2025, CRYPTO 2025, and PoPETS 2025. At ASIACRYPT, “Password-Hardened Encryption Revisited,” co-authored with Ruben Baecker and Dominique Schröder, uncovers a practical weakness that enables offline password guessing in real systems, then proposes a faster, provably secure redesign with a realistic model including key rotation. Also at ASIACRYPT, “Universally Composable Password-Hardened Encryption,” by an international team of co-authors, identifies a proof error in prior work, introduces the first UC formalization for PHE/TPHE with key rotation, and presents a round-optimal, provably secure, and efficient protocol. At CRYPTO, “A Fully-Adaptive Threshold Partially-Oblivious PRF,” by Ruben Baecker, Paul Gerhart, Daniel Rausch, and Dominique Schröder, delivers a threshold PoPRF with proactive key refresh and composable security, addressing gaps in earlier models and proofs for privacy-preserving applications. At PoPETS, “SoK: Descriptive Statistics Under Local Differential Privacy,” by René Raab, Pascal Berrang, Paul Gerhart, and Dominique Schröder, systematizes LDP methods for means, variances, and frequencies, shows equivalences among common estimators, adds variance estimators, runs empirical comparisons, and offers practical recommendations and caveats for real deployments.
Together, these papers advance both theory and practice: they tighten the foundations of password-hardened encryption, introduce stronger and more usable cryptographic primitives for privacy-preserving systems, and provide evidence-based guidance for deploying local differential privacy. The result is more secure authentication, more robust building blocks for private computation, and clearer best practices for privacy analytics—impacting real-world systems as well as future research.
</description>
    </item>
    <item>
      <title>Kick-off of the Doctoral College on Automated Reasoning</title>
      <link>https://cysec.wien/news/2025-11-10_ar_dc_kickoff/</link>
      <description>Funded by the Austrian Science Fund (FWF), the new Doctoral College on Automated Reasoning launches on 10 November 2025 at TU Wien.
Location: TU Wien, Festsaal (Karlsplatz 13, 1040 Wien) (AA0148)
Date/Time: 2025-11-10 09:00
The FWF-funded doctoral program on Automated Reasoning is designed to educate the next generation of experts in this field. It targets foundational questions such as rigorously defining the notion of safety and security across domains and applications, the development of automated techniques and analyses to ensure safety and security of electronic systems, and explores synergies between the fields of security and artificial intelligence.
Program
09:00 Opening
TU Wien Rektor, Prof. Dr.-Ing. Jens Schneider
09:15 Presentation of the Doctoral College
Head of the Doctoral Program, Univ.Prof. Dipl.-Ing., D.Phil. Georg Weissenbacher
09:30 Talk
Neurosymbolic Artificial Intelligence at Amazon Web Services
Speaker: Prof. Dr. Byron Cook, Vice President and Distinguished Scientist at Amazon AWS
Video
Reference: Reasoning Engines: The Next Frontier in AI with Carina Hong &amp;amp; Byron Cook
Byron Cook is a vice president and distinguished scientist at Amazon, a program manager at DARPA, and a professor at University College London. He is well known for his work on automatic methods for proving program termination and for the Terminator termination prover, which showed that automatic termination proving, long regarded as impossible, is feasible in practice. He also contributed to Microsoft’s SLAM and the product Static Driver Verifier. He revived automatic program verification research in various ways and founded Amazon’s Automated Reasoning Group (ARG). Byron Cook has received multiple awards for his research contributions, notably the Roger Needham Award and the distinction of Fellow of the Royal Academy of Engineering.
Join us to meet the PIs and new PhD students and to celebrate a new phase of research at TU Wien at the intersection of Cyber-Physical Systems, Formal Methods in Systems Engineering, Machine Learning, Security &amp;amp; Privacy, and Software Engineering.
</description>
    </item>
    <item>
      <title>Sui Academic Research Award</title>
      <link>https://cysec.wien/news/2025-10-23_sui_award/</link>
<description>Sui is a Layer 1 blockchain from the Sui Foundation that uses the Move language and an object-centric design to execute many independent transactions in parallel, delivering high throughput and low latency. Live since May 2023, the SUI token powers gas, staking, and a storage-aware fee model designed for predictable, sustainable costs. Its mission is to support the advancement and adoption of technology and Web3. In line with that mission, the Sui Foundation together with the Walrus Foundation supports academics and researchers to advance the technology and accelerate real-world adoption across fields such as technology, finance, and economics.
The Sui Academic Research Awards program provides funding for research that addresses key challenges across the stack, including Systems &amp;amp; Security; Cryptography; Programming Languages, Developer Tooling, and Formal Verification; Economics, DeFi, and Mechanism Design; Frontier Technologies; and Walrus (data availability and storage).
Among the SARA 2025 awardees is “Lionfish: Securing Sui with Sparse Nodes,” a project by Prof. Matteo Maffei, Prof. Zeta Avarikioti, and PhD student Giulia Scaffino. As Sui’s high-performance blockchain scales, operating full nodes is becoming increasingly costly in storage, computation, and bandwidth. Lionfish proposes a sparse-node architecture in which nodes track and validate only targeted subsets of on-chain state. By distributing validation and storage across many sparse nodes while preserving full-node security guarantees, the approach lowers resource requirements, increases scalability beyond consensus and execution, and enables efficient validation, custom indexing, hotspot management, and fork detection. The result is a simpler path to node deployment and a more robust overall architecture.
Related work by Giulia Scaffino during her internship at Mysten Labs introduced Sunfish, a protocol that generalizes sparse-node operation across blockchains. High-throughput systems such as Sui, Aptos, and Solana can process thousands of transactions per second, which makes full nodes expensive for dApp teams, while light nodes, although cheaper, cannot ensure they observe all relevant transactions and may accept invalid ones under strong adversaries. Sparse nodes offer a middle ground: they prove completeness for all transactions that touch a selected substate and re-execute those transactions to verify validity. Consequently, resource usage scales with the chosen substate rather than with the entire chain. Sunfish formalizes this model, is compatible with most existing blockchains, and reduces computational and storage costs by orders of magnitude compared with full nodes while retaining meaningful security guarantees.
Read more: Sunfish: Reading Ledgers with Sparse Nodes
</description>
    </item>
    <item>
      <title>Ethereum Foundation Grant</title>
      <link>https://cysec.wien/news/2025-10-21_etherium_grant_christakis/</link>
      <description>Today, Ethereum stands as a cornerstone of the crypto ecosystem: a programmable base layer for general-purpose smart contracts across finance, gaming, identity, and supply-chain use cases; the source of de facto standards for tokens and NFTs; the anchor of the largest DeFi and stablecoin networks; and — via proof-of-stake — a neutral settlement layer that secures thousands of applications. Although no longer fragile, the Ethereum ecosystem is not yet mature and benefits from continued contributions. To that end, the Ethereum Foundation funds free and open-source projects, especially builder tools, core infrastructure, research, community resources, and other public goods. From 2021 to 2024, it funded 1,708 projects, totaling $162.4 million.
The 2025 Academic Grants Round of the Ethereum Foundation is sponsoring a new wave of awards to advance Ethereum-related research. Among the awardees is zkFuzz, a project by Prof. Maria Christakis, PhD student Christoph Hochrainer (TU Wien), and Valentin Wüstholz (ConsenSys Diligence). The project develops automated testing techniques to improve the reliability and security of zero-knowledge virtual machines (zkVMs) — a critical building block for blockchain scaling and privacy-preserving applications. A zkVM lets you prove a program ran correctly without revealing private inputs or requiring everyone else to re-run it, so others can verify results quickly and cheaply. Because this trust hinges on correct tooling, even subtle logic bugs in ZK pipelines can cause severe financial and security incidents. To mitigate this, zkFuzz pioneers metamorphic, fuzzing-based methods to uncover such bugs automatically, strengthening the foundations of next-generation decentralized technologies.
Related research from the team introduced Circuzz, the first systematic fuzzer for ZK circuit-processing pipelines, which uses metamorphic test oracles to detect critical logic bugs. Applied to four distinct pipelines, Circuzz uncovered 16 logic errors, 15 of which have already been fixed by maintainers. Further reading: Fuzzing Processing Pipelines for Zero-Knowledge Circuits — presented at ACM CCS 2025 in October by Christoph Hochrainer, Anastasia Isychev, Valentin Wüstholz, and Maria Christakis (TU Wien / ConsenSys).
</description>
    </item>
    <item>
      <title>CySec Researchers Present at ICFP/SPLASH</title>
      <link>https://cysec.wien/news/2025-10-16_oopsla_2025/</link>
      <description>ICFP/SPLASH are ACM SIGPLAN flagship conferences: ICFP spotlights advances in the design, implementation, theory, and applications of functional programming, while SPLASH spans systems, programming languages, and software engineering across the full lifecycle of software construction and delivery.
Ivana Bocevska presented at ICFP/SPLASH 2025 “Divide and Conquer: A Compositional Approach to Game-Theoretic Security,” coauthored with Anja Petković Komel, Laura Kovács, Sophie Rain, and Michael Rawson. They propose a compositional approach to combine and scale automated reasoning for the static analysis of decentralized systems such as blockchains. The method models protocols as games driven by economic incentives and proves that honest behavior is never disadvantageous, regardless of others’ actions. Instead of verifying one monolithic model that cannot scale to millions of interactions, the authors decompose the overall game into smaller subgames, analyze each, and then compose the results; when a component changes, only that part and its ancestors need to be rechecked. The approach is sound and complete, uncovers properties and bugs in large protocols, and makes rigorous, incentive-aware security proofs practical at real-world scale.
</description>
    </item>
    <item>
      <title>A String Diagrammatic Approach to Structural Verification</title>
      <link>https://cysec.wien/news/2025-11-18_lecture_watanabe/</link>
      <description>Talk by Kazuki Watanabe
Location: TU Wien, EI 8 Pötzl HS (Gußhausstraße 27-29, 1040 Wien) (CDEG08)
Date/Time: 2025-11-18 11:00 &amp;#x2012; 12:00
Abstract: We present a string diagrammatic approach to structural (modular or compositional) verification. In this talk, we focus on probabilistic model checking of Markov decision processes and we show compositional algorithms that leverage multi-objective optimization. Finally, we introduce our ongoing work that extends this approach. This talk is based on joint work with Kazuyuki Asada, Clovis Eberhart, Ichiro Hasuo, Sebastian Junges, Satoshi Kura, Jurriaan Rot, Hiroshi Unno, and Marck van der Vegt.
Related References:
Kazuki Watanabe, Clovis Eberhart, Kazuyuki Asada, and Ichiro Hasuo. “Compositional Probabilistic Model Checking with String Diagrams of MDPs.” CAV 2023.
Kazuki Watanabe*, Marck van der Vegt*, Ichiro Hasuo, Jurriaan Rot, and Sebastian Junges. “Pareto Curves for Compositionally Model Checking String Diagrams of MDPs.” TACAS 2024. *Equal contribution.
Kazuki Watanabe*, Marck van der Vegt*, Sebastian Junges, and Ichiro Hasuo. “Compositional Value Iteration with Pareto Caching.” CAV 2024. *Equal contribution.
Marck van der Vegt, Kazuki Watanabe, Ichiro Hasuo, and Sebastian Junges. “Compositional Verification of Almost-Sure Büchi Objectives in MDPs.” To appear in RP 2025.
Bio: Kazuki Watanabe is an Assistant Professor at the National Institute of Informatics (NII), Japan. He received his Ph.D. in Informatics from NII in March 2025 under the supervision of Professor Ichiro Hasuo. In 2023, he spent six months at Radboud University as a guest hosted by Professors Jurriaan Rot and Sebastian Junges. His research focuses on applied category theory and algorithms for formal verification.
</description>
    </item>
    <item>
      <title>Hedy Lamarr Prize</title>
      <link>https://cysec.wien/news/2025-10-16_hedy_lamarr_prize_avarikioti/</link>
<description>The Hedy Lamarr Prize is the City of Vienna’s annual award (since 2018) honoring outstanding women researchers in IT; it is presented in cooperation with DigitalCity.Wien and Urban Innovation Vienna and is endowed with €10,000. The prize is named after Vienna-born Hollywood star Hedy Lamarr, who ‒ together with composer George Antheil ‒ patented a wartime “secret communication system” based on frequency hopping, a forerunner of modern spread-spectrum techniques used in today’s wireless technologies. The award not only recognizes scientific excellence but also celebrates role-model impact.
Georgia Avarikioti, Assistant Professor at the Research Unit Security and Privacy, TU Wien Informatics, and head of the TU Wien Blockchain Hub, has been awarded the 2025 Hedy Lamarr Prize of the City of Vienna. “It is a great honor for me to receive the City of Vienna’s Hedy Lamarr Prize. But if we truly want to pay tribute to Hedy Lamarr, then the next generation of women should not have to fight for a seat at the table. The door should already be wide open,” Avarikioti said at the award ceremony.
Avarikioti’s research advances the foundations of secure, scalable, and interoperable blockchain systems. Her current projects ‒ Scalable, Private, and Interoperable Layer 2 (SCALE2) and Optimal Cross-Chain and Cross-Layer Protocols (CROSS) ‒ are funded by the Vienna Science and Technology Fund (WWTF) and target some of the field’s most pressing challenges: performance at scale, privacy guarantees, and seamless interaction across blockchain layers and networks.
Blockchain technology has become a key building block of today’s internet infrastructure. While best known for powering cryptocurrencies like Bitcoin, blockchains also support a growing range of sensitive applications ‒ from privacy-preserving digital payments to the management of complex supply chains. Avarikioti’s work takes a rigorous, systems-engineering approach to realize what the technology can reliably deliver: secure, censorship-resistant, and universally accessible platforms for exchanging information and value.
In her interview with #5QW, Georgia shares her vision: her team is designing financial and data systems from the ground up ‒ principled, transparent, privacy-preserving, secure, and efficient ‒ to return custody and control of money and data to users. Beyond finance, her group explores how decentralized architectures can support governance, auditing, and community decision-making ‒ core components of more democratic digital services.
Georgia Avarikioti’s journey ‒ from studying civil engineering in Athens to earning a PhD at ETH Zurich on blockchain scaling protocols, and pursuing research that bridges computer science and economics ‒ has shaped her interdisciplinary agenda and her commitment to inclusive excellence in STEM. Today, she mentors a growing team of early-career researchers and works not only to bring more women into technical fields, but also to change the culture so that women feel included, supported, and able to thrive.
Also read: Georgia’s interview with futurezone – “Blockchains werden sichere politische Wahlen ermöglichen.” (Blockchains will enable secure political elections.)
©DigitalCity.Wien/Clemens Schmiedbauer
</description>
    </item>
    <item>
      <title>CySec Researchers Present at ACM CCS 2025</title>
      <link>https://cysec.wien/news/2025-10-14_ccs_2025/</link>
      <description>The ACM Conference on Computer and Communications Security (ACM CCS) is the flagship conference of ACM’s Special Interest Group on Security, Audit and Control (SIGSAC) and a premier venue for breakthrough work in systems and network security, cryptography, privacy, security engineering, and real-world deployments. With a highly selective review process and a broad international audience, ACM CCS showcases state-of-the-art research, fosters cross-sector collaboration, and sets the agenda for the cybersecurity field. ACM CCS 2025 takes place October 13–17, 2025, in Taipei, Taiwan.
CYSEC researchers are presenting two papers at ACM CCS 2025.
“Wanilla: Sound Noninterference Analysis for WebAssembly,” by Markus Scherer, Jeppe Fredsgaard Blaabjerg (Aarhus University), Alexander Sjösten, and Matteo Maffei, appears in the Formal Methods and Programming Languages track. WebAssembly is increasingly used to distribute software components in security-critical settings, but because it is often generated from memory-unsafe languages, subtle memory corruption and data leaks can occur. Wanilla introduces the first automatic, sound, fully static noninterference analysis for Wasm. In simple terms, it checks — purely by analyzing code — that secret data never influences public outputs and that a module’s memory remains intact. The approach lifts existing reachability analyses to noninterference by tracking taints on values and using value-sensitive, relational reasoning to safely remove taints when justified. Experiments on synthetic and real-world benchmarks show strong precision and performance for verifying memory integrity and other noninterference properties.
The second paper, “Fuzzing Processing Pipelines for Zero-Knowledge Circuits,” by Christoph Hochrainer, Anastasia Isychev, Valentin Wüstholz (Consensys), and Maria Christakis, is featured in the Software Security track. Modern zero-knowledge (ZK) applications in authentication, online voting, and blockchain rely on complex pipelines that transform programs written in domain-specific languages such as Circom and Noir into circuits used by ZK protocols. Logic bugs in these pipelines can have severe consequences, including identity or asset theft. The authors present the first systematic fuzzing method for ZK pipelines, using metamorphic test oracles to reveal critical logic flaws even when the “correct” output is unknown. Their open-source tool, Circuzz, uncovered 16 logic bugs across four diverse ZK pipelines; developers have already fixed 15 of them, underscoring the practical impact of the technique.
</description>
    </item>
    <item>
      <title>MIP Engines are Saturation Engines Too</title>
      <link>https://cysec.wien/news/2025-10-22_lecture_pons/</link>
      <description>Talk by Diego Olivier Fernandez Pons
Location: TU Wien, FAV Hörsaal 3 Zemanek (Seminarraum Zemanek, Favoritenstraße 9-11, Erdgeschoß) (HHEG01)
Virtual location: https://live.video.tuwien.ac.at/watch?l=4ns5B5mJYMrWJb7n3W958g
Date/Time: 2025-10-22 15:00 &amp;#x2012; 16:00
Abstract: Saturation-based theorem provers use heuristics to create and delete formulas. Mixed integer programming (MIP) engines used in mathematical optimization, while based on DPLL, are also saturation-based theorem provers for systems of integer linear equations. The algorithm that guides and supports the formula generation is the LP relaxation, while the formulas themselves are generated by the cutting-plane heuristics in a process globally known as the separation problem. We will show the similarities and differences between saturation-based theorem provers and MIP engines, and try to identify research directions that could benefit both communities.
Bio: Diego Olivier Fernandez Pons started his career in ILOG R&amp;amp;D working on MIP and Constraint Programming engines. He then worked for IBM as an optimization consultant. He is the co-author of OptalCP, a constraint programming engine for scheduling problems. Today he works in the quantum group at Microsoft.
</description>
    </item>
    <item>
      <title>The Power of Written Words – Digital Transformation, A New Language?</title>
      <link>https://cysec.wien/news/2025-10-13_dig_humanismus_kovac/</link>
      <description>“Digitaler Humanismus. Transformation gestalten” (Digital Humanism. Shaping the Transformation) is a public event series in Vienna that brings researchers, artists, writers, policy-makers, and the wider public into conversation about how to steer digital technologies toward human-centered values. Hosted primarily by the Wienbibliothek im Rathaus in cooperation with TU Wien’s Center for Artificial Intelligence and Machine Learning (CAIML) and other Viennese institutions, the series features panel talks and lectures on topics such as language and AI, risks and opportunities of digitalization, and the governance of platform technologies. The aim is to clarify what Digital Humanism means in practice: aligning technology development and policy with human rights, democracy, inclusion, and diversity, and empowering society to actively shape digital transformation rather than passively accept it. In 2025, the City of Vienna highlighted the series with a dedicated “Month of Digital Humanism,” and related initiatives span a broader Vienna ecosystem that includes TU Wien’s long-running Digital Humanism initiative and conferences.
Prof. Laura Kovács took part in the panel discussion “Die Macht der geschriebenen Worte – Digitale Transformation, neue Sprache?” (The Power of Written Words – Digital Transformation, A New Language?) at the Lesesaal der Wienbibliothek im Rathaus, where she focused on the transformative and regulatory role of computer science in shaping language, culture, identity, and society at large. Speaking alongside writer Daniel Wisser and discourse scholar Ruth Wodak, Kovács connected advances in formal methods and automated reasoning with questions of how platforms, algorithms, and AI infrastructures govern what is written, what becomes visible, and what counts as credible knowledge. She emphasized that verifiability, transparency, and accountability—core principles in program analysis and theorem proving—are equally vital for safeguarding linguistic diversity, cultural expression, and civic trust in an increasingly digitized public sphere. The event was introduced by Stefan Woltran (TU Wien) and moderated by Anita Eichinger and Wolfgang Renner (Wienbibliothek).
A recording of the discussion is available on YouTube.
© Teresa Wagenhofer
</description>
    </item>
    <item>
      <title>LLMs for Software Vulnerability Detection: Holy Grail, Pandora&amp;rsquo;s Box, or just a Fad?</title>
      <link>https://cysec.wien/news/2025-11-11_lecture_stringhini/</link>
      <description>Talk by Gianluca Stringhini
Location: TU Wien, FAV Hörsaal 2 (Favoritenstraße 9-11, Erdgeschoß) (HEEG03)
Virtual location: https://tuwien.zoom.us/j/66595171033
Date/Time: 2025-11-11 11:00 &amp;#x2012; 12:00
Abstract: In this talk, I will discuss the results of our investigation on the ability of Large Language Models (LLMs) to detect software vulnerabilities. I will show that while LLMs show promise, they present several pitfalls like non-determinism in their outputs and unfaithful reasoning. I will then talk about how we can manage these pitfalls to create an agentic framework that is able to take CVEs of known vulnerabilities, set up a working environment with the vulnerable software, and produce a verifiable exploit against the vulnerability. This framework allows the research community to produce benchmarks of known vulnerabilities and their exploits, which are needed to test new defenses. Unfortunately, our framework also shows that automated generation of exploits using LLMs is a real threat that could be weaponized by attackers. I will finally conclude discussing the future challenges and opportunities of LLMs for vulnerability detection.
Bio: Gianluca Stringhini is an Associate Professor in the Electrical and Computer Engineering Department at Boston University, holding affiliate appointments in the Computer Science Department and in the Faculty of Computing and Data Sciences. In his research Gianluca applies a data-driven approach to better understand malicious activity on the Internet. Through the collection and analysis of large-scale datasets, he develops novel and robust mitigation techniques to make the Internet a safer place. Over the years, Gianluca has worked on understanding and mitigating malicious activities like malware, software vulnerabilities, online fraud, influence operations, and coordinated online harassment. He received multiple prizes including an NSF CAREER Award in 2020, and his research won multiple Best Paper Awards. Gianluca has published over 150 peer reviewed papers including several in top computer security conferences like IEEE Security and Privacy, CCS, NDSS, and USENIX Security, as well as top measurement, HCI, and Web conferences such as IMC, ICWSM, CHI, CSCW, and WWW.
</description>
    </item>
    <item>
      <title>Two CySec Papers Accepted for Presentation at ASIACRYPT 2025</title>
      <link>https://cysec.wien/news/2025-10-01_asiacrypt_2025/</link>
      <description>ASIACRYPT is one of the three flagship IACR conferences in cryptography. It is an annual, peer-reviewed venue showcasing top-tier research across theory, primitives, protocols, implementations, and attacks, with a single-track program and proceedings published in LNCS. Hosted in the Asia–Pacific region, ASIACRYPT serves as a premier forum for the global cryptography community.
International research teams including Dominique Schröder will present two papers at ASIACRYPT 2025, highlighting advances in password-hardened cryptography and its security foundations.
Password-Hardened Encryption Revisited by Ruben Baecker (Friedrich-Alexander-Universität Erlangen-Nürnberg), Paul Gerhart (TU Wien), and Dominique Schröder (CySec, TU Wien) re-examines password-hardened encryption in today’s password-centric landscape and identifies a critical weakness in the original design that enables offline brute-force attacks—the very threat this line of work seeks to prevent. The weakness arises from an idealized security model that overlooks real-world interactions, particularly key rotation. The authors demonstrate practical exploitability by recovering passwords in seconds from a commercially used, open-source implementation, and they introduce a new, efficient construction with a refined, realistic security model, prove security for the design, and report robust performance.
Universally Composable Password-Hardened Encryption by Behzad Abdolmaleki (University of Sheffield), Ruben Baecker (Friedrich-Alexander-Universität Erlangen-Nürnberg), Paul Gerhart (TU Wien), Mike Graf (University of Stuttgart), Mojtaba Khalili (Isfahan University of Technology), Daniel Rausch (University of Stuttgart), and Dominique Schröder (TU Wien, CySec) provides a rigorous basis for this approach and for a threshold, multi-party design in which several independent servers share the rate-limiting role. The work uncovers a flaw in a prior security proof, provides the first Universal Composability (UC) formalization with support for key rotation and related primitives such as updatable encryption, and presents a round-optimal, UC-secure protocol. An implementation and evaluation demonstrate practical efficiency that outperforms previous approaches under realistic network conditions.
</description>
    </item>
    <item>
      <title>CySec Gets 5 Grants from WWTF</title>
      <link>https://cysec.wien/news/2025-09-29_wwtf_projects/</link>
      <description>As part of the ICT25 Call, the Vienna Science and Technology Fund (WWTF) invited scientists to submit research proposals addressing fundamental questions in information and communication technologies (ICT). Funding per project ranged between €500,000 and €880,000. Out of 84 short proposals and 24 full proposals, 12 excellent projects were selected for funding, based on peer review and an international jury decision. The formal approval was made by the WWTF Board on 29 September 2025.
Five newly funded projects under the WWTF ICT25 Call involve CySec researchers at TU Wien, underlining the Center’s strength in cybersecurity, cryptography, distributed systems, and verification.
PROMT: Probably the Best Moment to Terminate
PI: Laura Kovacs (TU Wien, CySec)
Co-PIs: Ezio Bartocci (TU Wien, CySec), Krishnendu Chatterjee (ISTA)
Funding: €879,423
PROMT develops new algorithmic foundations and tools for analyzing probabilistic programs, which are increasingly used in AI, cybersecurity, and cyber-physical systems. The project addresses long-standing open questions in program termination, introducing automated reasoning techniques and the analyzer Polar to ensure reliability of software under uncertainty.
CROSS: Optimal Cross-Chain and Cross-Layer Protocols
PI: Georgia Avarikioti (TU Wien, CySec)
Co-PI: Matteo Maffei (TU Wien, CySec)
Funding: €799,910
CROSS pioneers scalable, secure blockchain interoperability. By combining optimal off-chain light clients, advanced bridge protocols, and a new compositional security framework, the project enables trust-minimized cross-chain communication. Its results aim to unlock decentralized finance and broader blockchain applications across heterogeneous ecosystems.
Cross-Domain Privacy-Preserving Protocols and Symmetric Cryptography
PI: Elena Andreeva (TU Wien, CySec)
Co-PIs: Arnab Roy (University of Innsbruck), Georg Fuchsbauer (TU Wien, CySec)
Funding: €797,739
This project addresses the gaps between lightweight symmetric cryptography for IoT and the computationally heavy cryptography used in multi-party computation (MPC) and zero-knowledge proofs (ZKP). By designing new symmetric-key primitives and adapting them for privacy-preserving protocols across domains, the project will deliver the first practical algorithms bridging IoT, cloud computing, and blockchain-based systems.
Verifying Without Loss of Generality
PI: Adrian Rebola Pardo (TU Wien)
Co-PI: Georg Weissenbacher (TU Wien, CySec)
Funding: €635,107
This project enhances hardware verification by enabling engineers to apply “without loss of generality” reasoning directly in hardware description languages. By bridging domain expertise with automated verification, the project promises more scalable, safe, and efficient verification workflows for chip and accelerator design.
Foundations and Applications of Resource-Restricted Cryptography
PI: Karen Azari (University of Vienna)
Co-PIs: Krzysztof Pietrzak (ISTA), Dominique Schröder (TU Wien, CySec)
Funding: €878,848
The project establishes theoretical foundations and practical applications for resource-restricted cryptography (RRC), a paradigm where security relies on significant but feasible resource costs. Beyond proof-of-work, RRC has untapped potential for privacy-preserving protocols. The project develops new primitives and applies RRC to enhance privacy and security in modern cryptography.
The success of these five projects highlights the prominent role of CySec researchers at TU Wien in shaping the future of trustworthy digital systems, advancing foundational theory while enabling practical breakthroughs in cryptography, verification, and blockchain security.
</description>
    </item>
    <item>
      <title>Security and Defence Research Day</title>
      <link>https://cysec.wien/news/2025-11-25_tuw_security_defense_research_day/</link>
      <description>TU Wien will host a Security &amp;amp; Defence Research Day bringing together researchers from across disciplines who work on security, defence, and disaster research. The event will provide space for networking, knowledge exchange, and collaboration. Focus areas include critical infrastructure protection, risk assessment and crisis management, cybersecurity, resilient systems and technologies, climate-related disasters, emergency response and mitigation, civil protection, defence-related technologies, and dual-use research.
Date: 2025-11-25
Program
08:45 Doors open – Networking Coffee
09:15 Opening Remarks
Vice Rector for Research, Innovation and International Affairs, Prof. Peter Ertl
09:30 Keynotes
Dr. Ralph Hammer (BMF) and DI Sabine Kremnitzer (FFG)
Brigadier Mag. Rudolf Zauner (BMLV)
09:55 Disaster Competence Network Austria (DCNA)
Introduction by Mag. (FH) Christian Resch (Managing Director)
Insights by Dr. Peter Kán &amp;amp; Dr. Diana Marin on the Project “Post-Disaster”
10:25 Presentation Cybersecurity Center
Prof. Matteo Maffei &amp;amp; Prof. Tanja Zseby
10:35 Coffee Break
10:50 Overview Funding Programs. Roadmap from KIRAS and FORTE to Horizon Europe and EDF
FFG National contact points: DI Jeannette Klonk (Cluster 3), DI Thomas Leithner (EDF)
11:20 Panel Discussion: Experiences with KIRAS and FORTE
Panellists: Prof. Friedrich Bleicher, Prof. Robert Sablatnig, Dr. Andreas Sinn
Moderator: Dr. Ralph Hammer (BMF)
12:10 Responsible Research Practices &amp;amp; Ethics
Dr. Marjo Rauhala
12:30 Open Networking Lunch and Exhibition
Prof. Matteo Maffei and Prof. Tanja Zseby will present the Cybersecurity Center at TU Wien, highlighting its mission to advance cutting-edge research and education in cybersecurity, privacy, and resilience. The presentation will introduce the Center’s interdisciplinary approach, which brings together expertise from computer science, electrical engineering, mathematics, and social sciences to address pressing security challenges. Key research areas such as secure systems design, cryptography, network security, trustworthy AI, and the protection of critical infrastructures will be outlined, along with initiatives to foster collaboration with industry, government, and international partners. The session will also showcase opportunities for researchers and students to engage with CySec through joint projects, seminars, and long-term academic programs, underlining the Center’s role as a hub for excellence in cybersecurity at TU Wien and beyond.
</description>
    </item>
    <item>
      <title>Alessandro Abate is a Guest Professor at TUW</title>
      <link>https://cysec.wien/news/2025-10-13_guest_professor_abate/</link>
      <description>A series of guest lectures on Advanced Topics in Verification and Synthesis for AI-Enabled Cyber-Physical Systems will be held at TU Wien from October 13 to 24.
Alessandro Abate is Professor of Verification and Control in the Department of Computer Science at the University of Oxford. He previously conducted research at Stanford University and SRI International, and served as an Assistant Professor at the Delft Center for Systems and Control, TU Delft. He holds a Laurea from the University of Padova and an MS/PhD from UC Berkeley. His research focuses on the analysis, verification, and optimal control of heterogeneous, complex dynamical systems — particularly stochastic hybrid systems — with applications to cyber-physical systems (smart energy, safety-critical autonomy) and to the life sciences (systems biology). He is especially interested in principled integrations of model-based mathematical methods with data-driven learning algorithms.
Prof. Alessandro Abate will deliver a series of guest lectures at TU Wien on advanced verification and synthesis for AI-enabled cyber-physical systems. The series will introduce probabilistic model checking and logics, cover advanced modelling for CPS, and present verification and synthesis techniques grounded in formal abstractions, proof rules, and certificates. Emphasis will be placed on both model-based and data-driven (sample-based) approaches, with applications drawn from modern safety-critical CPS. The lectures will also address uncertainty in models — especially when AI components are involved — and discuss how to interface model-based and data-driven methods for verification and control.
</description>
    </item>
    <item>
      <title>Non-Interactive Verifiable Aggregation (NIVA)</title>
      <link>https://cysec.wien/news/2025-10-10_lecture_yerukhimovich/</link>
      <description>Talk by Arkady Yerukhimovich
Location: TU Wien, FAV Hörsaal 3 Zemanek (Seminarraum Zemanek, Favoritenstraße 9-11, Erdgeschoß) (HHEG01)
Virtual location: https://live.video.tuwien.ac.at/watch?l=vjbu2jzbD2nBhHVaCEdEiZ
Date/Time: 2025-10-10 11:00 &amp;#x2012; 12:00
Abstract: Consider a weak analyst that wishes to outsource data collection and computation of aggregate statistics over a potentially large population of (also weak) clients to a powerful server. For flexibility and efficiency, we consider public-key and non-interactive protocols, meaning the clients know the analyst’s public key but do not share secrets, and each client sends at most one message. Furthermore, the final step should be silent, whereby the analyst simply downloads the (encrypted) result from the server when needed. To capture this setting, we define a new primitive we call Non-Interactive Verifiable Aggregation (NIVA). We require both privacy and robustness for a NIVA protocol to be deemed secure. Namely, our security notion for NIVA ensures that the clients’ data remains private to both the server and the analyst, while also ensuring that malicious clients cannot skew the results by providing faulty data.
We propose a secure NIVA protocol, called PEAR (for Private, Efficient, Accurate, Robust), which can validate inputs according to any NP validity rule. PEAR is based on a novel combination of functional encryption for inner-products (Abdalla et al., PKC 2015) and fully-linear probabilistically-checkable proofs (Boneh et al., Crypto 2019). We emphasize that PEAR is non-interactive, public-key, and makes black-box use of the underlying cryptographic primitives. Additionally, we implement PEAR and conduct a thorough performance evaluation showing improvement over prior work for practically-relevant validity rules.
Bio: Arkady Yerukhimovich is an associate professor of Computer Science at George Washington University. His research interests span theoretical and applied cryptography with a focus on building provably-secure protocols that enable people to communicate, search, and compute over their personal data while preserving their privacy. In particular, his recent research focuses on “large-scale” secure computation, i.e., secure computation with a large number of parties or on very large inputs. Prior to joining George Washington University, Professor Yerukhimovich received his PhD from the University of Maryland, where his research focused on black-box separations.
</description>
    </item>
    <item>
      <title>Static Analysis for Android GDPR Compliance Assurance</title>
      <link>https://cysec.wien/news/2025-10-30_lecture_khedkar/</link>
      <description>Talk by Mugdha Khedkar
Location: TU Wien, Seminarraum FAV 05 (Seminarraum 186, Favoritenstraße 9-11, Obergeschoß) (HA0503)
Virtual location: https://tuwien.zoom.us/j/63435768500
Date/Time: 2025-10-30 11:00 &amp;#x2012; 12:00
Abstract: Android applications collecting data from users must protect it according to the current legal frameworks. This need for data protection has become even more crucial with the introduction of the General Data Protection Act (GDPR) by the European Union. While many Android applications state a privacy policy, privacy assessments are manual and thus very costly and error-prone. A major challenge lies in bridging the gap between legal privacy statements (written in natural language) and the technical measures implemented within apps.
In this talk, I will discuss how static program analysis can help address key data protection challenges and support GDPR-compliant documentation. Our goal is to develop automated, static analysis-based approaches that improve understanding and enhance collaboration between app developers, privacy professionals, and legal experts, ultimately ensuring stronger data protection in Android applications.
Bio: Mugdha Khedkar is a final-year PhD student in the Secure Software Engineering Group at Paderborn University, Germany, where she works with Prof. Dr. Eric Bodden. Her research interests include an intersection of program analysis, data protection, and empirical software engineering. She earned her Master’s degree in Computer Science from the Chennai Mathematical Institute, India. Outside academia, she enjoys traveling and writing, and brings these interests together in her travel blog.
</description>
    </item>
    <item>
      <title>Nikolaj Bjorner is a Guest Professor at TUW</title>
      <link>https://cysec.wien/news/2025-10-13_guest_professor_bjorner/</link>
      <description>A series of guest lectures on SMT Internals will be held at TU Wien from October 13 to 24.
Dr. Nikolaj Bjorner is a Partner Researcher at Microsoft Research. His main line of work focuses on the development of the SMT constraint solver Z3, created together with Leonardo de Moura, Lev Nachmanson, and Christoph Wintersteiger. Z3 has become one of the most influential tools in automated reasoning, widely applied in program verification, test case generation, formal methods, and other domains that demand rigorous correctness guarantees. The work surrounding Z3 has received several awards. Beyond Z3, Bjorner and Karthick Jayaraman developed SecGuru, a tool used in Microsoft Azure to validate firewalls and routing configurations. In recognition of his contributions to automated reasoning and formal methods, Bjorner was named an ACM Fellow in 2021.
Dr. Nikolaj Bjorner, hosted by Prof. Laura Kovacs, will deliver guest lectures on SMT solving internals. His lectures will provide a comprehensive overview of the theoretical and practical foundations of Satisfiability Modulo Theories (SMT) solving. Topics include CDCL(T) and theory reasoning, quantifier handling, pre- and in-processing techniques, optimization modulo theories, and solving Constrained Horn Clauses. In addition to these conceptual foundations, the course will examine implementation aspects and the internal mechanisms of Z3. By combining theoretical background with practical insights, the course aims to equip participants with a solid understanding of SMT principles and hands-on knowledge of engineering high-performance reasoning tools.
</description>
    </item>
    <item>
      <title>SERICS Summer School on Secure Software Development</title>
      <link>https://cysec.wien/news/2025-09-08_serics_2025/</link>
      <description>The SERICS Summer School on Secure Software Development brought together leading experts and young researchers for an intensive five-day program dedicated to advancing knowledge in secure software engineering. Through a mix of lectures, hands-on training, and interactive discussions, participants explored the latest methods in threat modeling, secure coding, vulnerability analysis, and security testing — gaining practical skills essential for building robust and trustworthy software systems.
Prof. Matteo Maffei delivered a lecture “Foundations of Secure Blockchain Programming”, exploring the key principles, challenges, and best practices of writing secure blockchain software. He outlined major threats — including smart contract vulnerabilities, reentrancy attacks, front-running, and flawed consensus logic — and stressed that despite blockchain’s immutability and transparency, implementations remain prone to costly errors. He discussed secure coding practices such as formal verification, runtime checks, gas-cost awareness, and language choice, and compared programming frameworks in terms of safety and usability. He also highlighted essential tools like automated testing, fuzzing, static analysis, and code audits, as well as advanced techniques such as symbolic execution and model checking.
Through case studies of real incidents, Prof. Maffei showed how vulnerabilities could have been prevented by applying these principles. The lecture, attended by students, researchers, and practitioners, concluded with a lively discussion on scalability, privacy, and regulatory aspects. Prof. Maffei emphasized that combining theory (formal methods and secure design) with practice (auditing, testing, and tooling) is crucial for building robust blockchain applications.
Markus Scherer introduced Wanilla, a new tool designed to make WebAssembly (Wasm) programs more secure. Wasm is a modern technology used to run software across many platforms and is increasingly important in areas where security matters, such as web services and smart contracts. While Wasm was carefully designed, programs written in it can still have vulnerabilities, especially when translated from older, less secure programming languages. Wanilla helps address this by automatically checking whether information inside a program stays protected and whether different parts of the program interact safely. Built on the HoRSt analysis framework, Wanilla uses advanced methods to detect potential leaks or memory errors before the program runs. In tests with both synthetic examples and real-world smart contracts, Wanilla showed strong performance, often more effective than existing tools. Scherer’s talk highlighted how this innovation strengthens the reliability of WebAssembly and supports its safe use in critical applications.
Pedro Bernardo, in his talk, addressed how browsers implement client-side security features such as cookie settings and “mixed content” rules that prevent secure pages from loading insecure resources. These mechanisms are designed to keep users safe, but they are complex, and both their design and implementation can contain bugs. He presented a framework that leverages Web Platform Tests (WPT) — a large suite of tests across different browsers — to monitor actual browser behavior, collect “execution traces” (records of what happens internally), and verify them against formal rules called Web invariants, security properties that should always hold. Using this framework, the team tested nine security invariants and discovered violations in 104 WPT tests across Firefox, Chromium, and Safari. These violations have concrete security implications. The researchers reported their findings to browser vendors and standards bodies, and one issue was assigned a CVE in Safari.
The presentation demonstrated that automated, formal checking of browser behavior can uncover security flaws that might otherwise go unnoticed, ultimately contributing to a safer Web for all users.
</description>
    </item>
    <item>
      <title>10th IEEE European Symposium on Security and Privacy</title>
      <link>https://cysec.wien/news/2025-06-30_euro_sp_2025/</link>
      <description>EuroS&amp;amp;P, the IEEE European Symposium on Security and Privacy, is one of Europe’s premier academic conferences in cybersecurity, ranked at the top tier (CORE A) alongside its US counterpart, IEEE S&amp;amp;P (“Oakland”). The symposium brings together leading researchers to present cutting-edge work on cryptography, systems and network security, AI and machine learning security, privacy, and formal methods.
At EuroS&amp;amp;P 2025 in Venice, held from June 30 to July 4, Magdalena Steinböck presented the paper “SoK: Hardening Techniques in the Mobile Ecosystem – Are We There Yet?”, co-authored with Martina Lindorfer and researchers from Vrije Universiteit Amsterdam and the University of Twente. The work investigates the real-world adoption of mobile app hardening techniques — such as tamper prevention, jailbreak detection, and data leakage protection — recommended by the Mobile Application Security Verification Standard (MASVS).
To address the lack of systematic knowledge, the authors introduced HALY, a new framework that combines static and dynamic analysis to measure hardening adoption across platforms. Analyzing 2,646 popular Android and iOS apps, the study found that iOS apps surprisingly underperform, implementing only half as many recommended techniques as their Android counterparts — challenging the widespread perception of iOS as inherently “more secure.” The results also revealed inconsistencies, with many apps hardening only on one platform, and raised doubts about the effectiveness of single techniques that are easy to bypass.
Overall, the research highlights that while most apps employ some form of hardening, large gaps remain: 24.1% of Android apps and 85.0% of iOS apps implement fewer than half of the recommended protections, and only 4.7% of Android apps and 0.2% of iOS apps achieve full coverage. Reviewers praised HALY for providing the first large-scale comparative systematization of mobile hardening practices, positioning it as a valuable reference point for future research in app security.
Marco Squarcina and Pedro Bernardo served as members of the EuroS&amp;amp;P Program Committee, contributing their expertise to the review and selection of cutting-edge research in cybersecurity and privacy.
</description>
    </item>
    <item>
      <title>1st Workshop on Generic Attacks and Proofs in Symmetric Cryptography</title>
      <link>https://cysec.wien/news/2025-09-01_gapsworkshop_2025_andreeva/</link>
      <description>Generic Attacks and Proofs in Symmetric Cryptography (GAPS 2025) is a research workshop at NTU Singapore (September 1–5, 2025) bringing leading and early-career cryptographers together from the area of provable symmetric-key cryptography. Framed by the theme “Five Decades of Provable Security of Symmetric Ciphers: Challenges and Future Developments,” it featured invited talks and discussions on bridging proofs and attacks, foundational techniques, new notions for real-world threats, (post-)quantum security proof techniques, leakage resilience, and automated proof verification, among others.
Prof. Elena Andreeva gave a talk titled “Expanding the Scope, Security, and Efficiency of Classical Symmetric Primitives,” highlighting how expanding symmetric-key primitives — such as the ForkSkinny forkcipher and the Butterknife tweakable pseudorandom function — offer stronger security and higher efficiency than classical block ciphers and recent tweakable cipher symmetric primitives. She showed that across multiple application scenarios — including authenticated encryption (SAFE, r/PAEF, ZAFE), key-derivation functions (Skye) for protocols such as Signal, encryption for resource-constrained IoT devices and decryption in cloud environments (Eevee), and message authentication (Sonniku) — expanding primitives can surpass traditional security bounds (e.g., the birthday bound). They also provide robustness properties such as nonce-reuse resilience, resistance to release of unverified plaintext, and block-wise adaptive security. Another important feature is that expanding primitives offer significant performance improvements over classical symmetric-key algorithms (e.g., AES) and more recent tweakable block ciphers.
Prof. Andreeva concluded by emphasizing the inherent flexibility of expanding symmetric-key primitives and proposed several avenues for future research aligned with the workshop’s goals.
Supplementary References:
Andreeva, E., Bhati, A. S., Preneel, B., &amp;amp; Vizár, D. (2021). 1, 2, 3, Fork: Counter Mode Variants based on a Generalized Forkcipher
Bhati, A. S., Dufka, A., Andreeva, E., Roy, A., &amp;amp; Preneel, B. (2024). An Expanding PRF based Fast KDF and its Applications
</description>
    </item>
    <item>
      <title>Feedback-driven Autonomous Data Set Labeling for Denial-of-Service Attack Traffic</title>
      <link>https://cysec.wien/news/2025-09-16_lecture_kopmann/</link>
      <description>Talk by Samuel Kopmann
Location: TU Wien, Seminarraum 1 (Institute of Telecommunications, Entrance CF, Gußhausstrasse, 25-25a, Erdgeschoß) (CG 0118)
Date/Time: 2025-09-16 12:00 &amp;#x2012; 13:00
Abstract: Expert-driven labeling of network traffic for Denial of Service (DoS) detection is error-prone and prohibitively expensive in large-scale environments, such as Internet Service Provider (ISP) networks. However, supervised Machine Learning (ML)-based DoS detection approaches require high-quality and up-to-date training data sets. To ensure fast and high-quality data set creation for ML model training while facing evolving traffic patterns in both legitimate and attack traffic, there is a need for a labeling approach without an expert in the loop. This presentation outlines FeADable, a retrospective and fully autonomous labeling approach that leverages autoencoders to distinguish between legitimate and attack traffic based on reported feedback about attacks that have occurred. FeADable enables the scalable labeling of application layer DoS attacks and volumetric Distributed DoS (DDoS) attacks with near-perfect precision and false-positive feedback resilience, which ensures fast retraining of deployed detection models in response to successful attacks. The presentation covers evaluation results of FeADable with authentic, real-world data sets that are publicly available, i.e., from the Canadian Institute for Cybersecurity, and with network traffic of a tier-1 ISP. I will further outline FeADable’s compatibility with different monitoring approaches, i.e., micro-flows and traffic aggregates, to emphasize its labeling capability of DoS traffic independent of the traffic representation.
Bio: Samuel Kopmann has been working as a Research Assistant and Ph.D. candidate at the Institute of Telematics, Karlsruhe Institute of Technology since 2021. He is interested in the application of computer vision approaches to network traffic classification and developing novel approaches to overcome limited data availability for Machine Learning (ML) in networking. His research focuses on detecting and mitigating volumetric DDoS attacks with ML while maintaining fixed and predictable resource consumption, i.e., memory and CPU utilization.
</description>
    </item>
    <item>
      <title>Four CySec Papers Presented at Crypto 2025</title>
      <link>https://cysec.wien/news/2025-08-17_crypto_2025/</link>
      <description>Crypto is a flagship hybrid conference of the International Association for Cryptologic Research (IACR). It convenes the global cryptography community for the presentation of rigorously peer-reviewed papers, keynote addresses, and tutorials, offering both on-site and virtual participation to foster broad engagement across theory and practice. CySec researchers contributed to four papers presented at Crypto 2025, highlighting advances with direct implications for privacy, authentication, and data security in real systems.
Georg Fuchsbauer and Marek Sefranek, together with Adam O’Neill and Gavin Cho (both from the University of Massachusetts Amherst), in their work “Schnorr Signatures are Tightly Secure in the ROM under a Non-Interactive Assumption,” provide a tight security proof for Schnorr signatures, one of the most efficient and widely deployed digital signature schemes. A “tight” proof means that the theoretical security guarantee closely matches real-world parameters, minimizing the need for oversized keys or conservative settings. This result strengthens confidence in deployments ranging from cryptocurrencies and secure messaging to authentication tokens and embedded devices, helping standards bodies and engineers choose parameters that deliver both safety and performance.
Elena Andreeva and Amit Singh Bhati (COSIC, KU Leuven, Belgium, 3MI Labs), in “Breaking the IEEE Encryption Standard XCB-AES in Two Queries,” expose a fundamental flaw in XCB-AES, a tweakable enciphering mode standardized by IEEE 1619.2 for encrypting sector-based storage such as disks and file systems. They describe a highly efficient plaintext-recovery attack that succeeds with just one encryption and one decryption query, tracing the root cause to a separability property in the underlying polynomial hashing approach. Because XCB-style modes appear in storage and data-at-rest protection, the findings carry immediate practical significance: vendors and operators should reassess systems relying on XCB-AES or related designs, plan mitigations or migration paths, and update guidance to ensure that encrypted data on drives and appliances remains secure.
In “A Fully-Adaptive Threshold Partially-Oblivious PRF,” Paul Gerhart, Dominique Schröder, Ruben Baecker (FAU Erlangen-Nürnberg), and Daniel Rausch (University of Stuttgart) present the first threshold, partially oblivious pseudorandom function with fully adaptive and universally composable security, along with proactive key refresh. OPRFs are building blocks for privacy-preserving technologies such as private set intersection, oblivious keyword search, and modern password-based login protocols. By enabling multiple servers to jointly compute an OPRF without any one party learning sensitive inputs — and by supporting regular key rotation — the construction makes large-scale services more resilient to compromise while protecting user privacy. This advances practical deployments in areas like contact discovery, privacy-respecting analytics, and hardened credential systems used by consumer platforms and cloud providers.
In “Universally Composable SNARKs with Transparent Setup without Programmable Random Oracle,” Luigi Russo and co-authors introduce a new method for constructing succinct non-interactive proofs — commonly known as SNARKs — that require only a public hash function as setup, rather than a special “trusted” ceremony. This is significant because many emerging applications — from blockchain scalability and verifiable cloud computing to privacy-preserving digital identity — depend on small proofs that compose safely with other protocols. By demonstrating that universal composability can be achieved with a simple, non-programmable random-oracle setup and by delivering logarithmic-size proofs, the authors reduce trust assumptions, simplify deployments, and pave the way for more robust and widely usable proof systems in practice.
</description>
    </item>
    <item>
      <title>Five CySec Papers Presented at USENIX Security 2025</title>
      <link>https://cysec.wien/news/2025-08-11_usenix_2025/</link>
      <description>USENIX is not just a conference — it’s the world’s premier forum where cutting-edge security research meets real-world impact. Following last year’s strong showing with two presentations, our researchers have built on their success: at the 34th USENIX Security Symposium, held in Seattle, five papers from CySec and collaborators were presented, covering a diverse range of topics from blockchain technologies and payment channels to mobile security, video privacy, and advanced persistent threats.
In their work Let’s Move2EVM, Lorenzo Benetollo, Andreas Lackner, Matteo Maffei, and Markus Scherer tackled the challenge of preserving the strong safety guarantees of the Move programming language when contracts are executed outside of their native environment, specifically on the Ethereum Virtual Machine. By designing a novel compiler with an inlined reference monitor, they ensured that core rules such as linear semantics and borrow-checking can still be enforced at runtime. Their evaluation demonstrated that the security benefits come with only modest performance overhead, making the approach a practical way of securing smart contracts in adversarial environments.
© Marco Squarcina
Security on mobile devices was the focus of TapTrap: Animation-Driven Tapjacking on Android by Philipp Beer, Marco Squarcina, Martina Lindorfer, and Sebastian Roth (University of Bayreuth). Their research uncovered a new form of attack that exploits user interface animations to bypass Android’s permission system, a method that remains effective even on the latest Android version. A large-scale analysis of nearly 100,000 apps revealed that more than three-quarters are vulnerable to this threat. The impact of the discovery is underlined by the assignment of two CVEs, showing that the findings are not only theoretical but highly relevant to the security of millions of users worldwide.
More detail on TapTrap: Animation-Driven Tapjacking on Android.
The video demonstrates TapTrap in action, where a user playing a game is secretly redirected to a browser that tricks them into granting camera permissions to a malicious website.
The research received both international and national media coverage, with prominent publications including Forbes, Fox News, BleepingComputer, Der Standard (Austria), The Sun (UK), and Golem (Germany).
Another pressing problem in blockchain infrastructure was addressed by Zeta Avarikioti, Yuheng Wang, and Yuyi Wang (CRRC Zhuzhou Institute &amp;amp; Tengen Intelligence Institute) in their paper Thunderdome: Timelock-Free Rationally-Secure Virtual Channels. Current payment channel networks are prone to timelock and censoring attacks, creating risks for users. The authors introduced Thunderdome, the first timelock-free network that leverages rational, non-trusted wardens to ensure security even in adversarial settings. Their proof-of-concept deployment on Ethereum demonstrated not only feasibility but also low transaction costs, showing that secure and scalable payment channels can be achieved without timelocks.
The human and organizational side of cybersecurity came into focus with Expert Insights into Advanced Persistent Threats (APTs): Analysis, Attribution, and Challenges, authored by Aakanksha Saha and Martina Lindorfer in collaboration with James Mattei and Daniel Votipka (Tufts University), Jorge Blasco (Universidad Politécnica de Madrid), and Lorenzo Cavallaro (University College London). Through in-depth interviews with security professionals, the study uncovered how experts approach the attribution of highly sophisticated attacks. Instead of focusing on identifying the exact attacker, practitioners prioritize understanding tactics, techniques, and motivations. The study revealed major challenges in handling diverse data and collaborating effectively, and the authors put forward recommendations that bridge the gap between academic methods and the realities faced by practitioners.
Finally, the paper Seeing Through: Analyzing and Attacking Virtual Backgrounds in Video Calls by Daniel Arp, Felix Weissberg, Thorsten Eisenhofer, and Konrad Rieck (BIFOLD &amp;amp; TU Berlin), Jan Malte Hilgefort, Steve Grogorick, and Martin Eisemann (TU Braunschweig) exposed the privacy risks of widely used virtual backgrounds in video conferencing platforms such as Zoom and Google Meet. Their reconstruction attack was able to recover significantly more leaked information than previous methods, demonstrating that private environments of call participants remain vulnerable despite the intended protections. This finding calls into question the adequacy of current virtual background technologies in safeguarding user privacy.
Taken together, these five contributions highlight CySec’s strength in addressing security challenges from multiple angles: designing safer foundations for blockchain, uncovering new attack vectors on mobile devices, building more resilient financial infrastructures, understanding the realities of advanced threat attribution, and exposing privacy gaps in everyday communication tools. The results not only advance academic knowledge but also have tangible implications for the security of digital technologies used by millions worldwide.
</description>
    </item>
    <item>
      <title>Fragments of Hilbert&amp;rsquo;s Program</title>
      <link>https://cysec.wien/news/2025-08-27_lecture_ouaknine/</link>
      <description>Talk by Joël Ouaknine
Location: TU Wien, FAV Hörsaal 1 Helmut Veith - INF (Favoritenstraße 9-11, Erdgeschoß) (HEEG02)
Date/Time: 2025-08-27 11:00 &amp;#x2012; 12:00
Abstract: Hilbert&amp;rsquo;s dream of mechanising all of mathematics was dealt fatal blows by Gödel, Church, and Turing in the 1930s, almost a hundred years ago. Paradoxically, assisted and automated theorem proving have never been as popular as they are today! Motivated by algorithmic problems in discrete dynamics, non-linear arithmetic, and program analysis, we examine the decidability of various logical theories over the natural numbers, and discuss a range of open questions at the intersection of logic, automata theory, and number theory.
Bio: Joël Ouaknine is a Scientific Director at the Max Planck Institute for Software Systems in Saarbrücken, Germany, where he leads the Foundations of Algorithmic Verification group. He also holds secondary appointments as Professor of Computer Science at Saarland University and as Emmy Network Fellow at Keble College, Oxford University. His research interests straddle theoretical computer science and mathematics, and lie mainly at the confluence of dynamical systems and computation, making use of tools from number theory, Diophantine geometry, algebraic geometry, and mathematical logic. Other interests include the algorithmic analysis of real-time, probabilistic, and infinite-state systems (e.g. model-checking algorithms, synthesis problems, complexity), logic and applications to verification, automated software analysis, and concurrency.
Prior to joining MPI-SWS, Joël worked as an academic in the Computer Science Department at Oxford University from 2004 to 2016, becoming Full Professor in 2010. He earned a BSc and MSc in Mathematics from McGill University, and received his PhD in Computer Science from Oxford in 2001. He held postdoc positions at Tulane University and Carnegie Mellon University, and served twice as visiting professor at the Ecole Normale Supérieure de Cachan, France. In both 2007 and 2008 he received an Outstanding Teaching Award from Oxford University, and the following year he was awarded an EPSRC Leadership Fellowship, enabling him to focus (almost) exclusively on research for a period of five years. He is the recipient of the 2010 Roger Needham Award, given annually &amp;ldquo;for a distinguished research contribution in Computer Science by a UK-based researcher within ten years of his or her PhD&amp;rdquo;, and in 2015 was awarded an ERC Consolidator Grant to carry out research in dynamical systems. He was elected member of Academia Europaea in 2020, and the same year received the Arto Salomaa Prize (jointly with James Worrell), for &amp;ldquo;outstanding contributions to Theoretical Computer Science, in particular to the theory of timed automata and to the analysis of dynamical systems&amp;rdquo;. He was elected Fellow of the ACM in 2021 for &amp;ldquo;contributions to algorithmic analysis of dynamical systems&amp;rdquo;. In 2024, he was awarded an ERC Synergy Grant for the project &amp;ldquo;Dynamical and Arithmetical Model Checking&amp;rdquo; (DynAMiCs), jointly with Valérie Berthé and Florian Luca. This endeavour, lying at the interface of mathematics and theoretical computer science, aims to revolutionise the algorithmic theory of discrete linear dynamical systems and related formalisms, tackling longstanding open problems in the field.
</description>
    </item>
    <item>
      <title>The Austrian Hacking Team is Among the World’s Top 10</title>
      <link>https://cysec.wien/news/2025-08-12_def_con_ctf_2025/</link>
      <description>KuK Hofhackerei, a collective of top Austrian cybersecurity talents from leading universities, has achieved an impressive 9th place at the prestigious DEF CON CTF Finals in Las Vegas.
The team consists of around 30 members, most of whom are bachelor’s and master’s students from TU Wien, TU Graz, the University of Vienna, JKU Linz, and St. Pölten University of Applied Sciences. They are joined by several PhD students and experienced IT security professionals; the team captain is Marco Squarcina, Senior Scientist in the Research Unit Security and Privacy at TU Wien. KuK Hofhackerei meets regularly at TU Wien, SBA Research, and TU Graz to collaborate on security challenges and prepare for international competitions.
The DEF CON CTF competition consists of two stages: remote Qualifying Rounds, followed by the onsite Finals. Earlier this year, KuK Hofhackerei achieved an impressive 6th place in the annual DEF CON CTF Qualifiers, competing against more than a thousand elite teams worldwide. This outstanding performance earned them a place at the onsite Finals during DEF CON — the largest and most respected hacker conference in the world.
In the Finals, the best teams from around the world face off in high-pressure, real-time challenges — simultaneously attacking and defending computer systems. The tasks span a broad range of cybersecurity disciplines, pushing participants to the limits of their skills and showcasing cutting-edge security expertise. Unlike most CTF competitions, which are held entirely online, the DEF CON Finals take place onsite in Las Vegas. Preparations for the event are therefore intensive, requiring the development of custom tools, strategies, and workflows long before the competition begins.
At the 2025 DEF CON CTF Finals, KuK Hofhackerei delivered an outstanding performance, securing 9th place among the world’s top 12 teams. Facing the very best in the field, the team solved a wide range of complex challenges, demonstrating exceptional technical skill, teamwork, and resilience under intense time pressure. This achievement further cements Austria’s position on the global cybersecurity stage and highlights the exceptional talent emerging from the nation’s universities and research institutions.
KuK Hofhackerei is backed by a strong network of academic and industry partners that provide resources, expertise, and financial support, enabling the team to perform at the highest level. Platinum Sponsors Dynatrace, Erste Bank und Sparkasse played a key role in making participation possible. Academia has also shown remarkable commitment, with Technische Universität Wien, Technische Universität Graz, and SBA Research as Gold Sponsors, and FH St. Pölten – University of Applied Sciences and Johannes Kepler Universität Linz as Silver Sponsors. Thanks also go to Silver Sponsors Bosch and Siemens for their valuable contributions, and to CyberSecurityAustria (CSA) for their ongoing support.
</description>
    </item>
    <item>
      <title>Historic Victory at the World’s Premier Theorem Proving Competition</title>
      <link>https://cysec.wien/news/2025-07-28_casc_cav_2025_vampire/</link>
      <description>The CADE ATP System Competition (CASC) is the annual world championship for fully automatic, classical logic automated theorem proving (ATP) systems. It publicly evaluates and compares the capabilities of ATP systems, encourages research and development, and promotes robust, deployable tools for real-world applications. CASC also fosters interaction among ATP researchers and raises awareness of ATP technology beyond the research community. Systems are assessed by the number of problems they solve within defined time limits, the quality of their solutions, and their average solving time. The competition is chaired by an independent panel of expert researchers.
The Vampire theorem prover has made history at CASC-30 by winning all eight theorem‑proving divisions. This marks the first time in CASC history that a single prover has achieved a complete sweep. Even more impressively, Vampire solved more problems than all other competing systems combined.
Automated reasoning is now a cornerstone of verifying the correctness of modern software systems and services — from Boolean satisfiability (SAT) and satisfiability modulo theories (SMT) to automated theorem proving in first‑order and higher‑order logic. Vampire has evolved into one of the most advanced ATP systems available, excelling in saturation‑based theorem proving for practical applications such as software certification, security analysis, and the automation of mathematics.
A paper chronicling the improvements made to Vampire since the 2013 tutorial paper by Laura Kovács and Andrei Voronkov was presented at the flagship International Conference on Computer Aided Verification (CAV 2025), where the work was honored with the Distinguished Paper Award.
The paper’s authors are:
Filip Bártek (Czech Technical University in Prague), Ahmed Bhayat (University of Manchester), Robin Coutelier (TU Wien), Márton Hajdu (TU Wien), Matthias Hetzenberger (TU Wien), Petra Hozzová (Czech Technical University in Prague), Laura Kovács (TU Wien), Jakob Rath (TU Wien), Michael Rawson (University of Southampton), Giles Reger (University of Manchester), Martin Suda (Czech Technical University in Prague), Johannes Schoisswohl (TU Wien), Andrei Voronkov (University of Manchester / EasyChair).
The latest developments in Vampire include:
Advanced logical reasoning in polymorphic first‑order logic with theories, induction, and quantifiers.
Integration of SAT solving with first‑order theorem proving via the AVATAR framework.
Native quantified reasoning with mixed arithmetic, enhanced by superposition and quantifier elimination.
Second‑order induction schemata embedded as inference rules in proof search.
Full support for higher‑order logic, program synthesis, and counterexample generation.
These advances allow Vampire to outperform or complement state‑of‑the‑art reasoners, including leading SMT solvers and inductive theorem provers. Its unmatched performance at CASC‑J12 demonstrates its ability to consistently prove more problems than any other system across every competition division.
With a decade of continuous development, a new permissive license, and unprecedented reasoning power, Vampire stands as a key tool for advancing formal verification, logic program validation, system security, and the automation of complex mathematical reasoning.
© Daniela Jung © TPTP World
</description>
    </item>
    <item>
      <title>Everything We Do Is Being Monitored</title>
      <link>https://cysec.wien/news/2025-07-27_kronen_interview_kovacs_weissenbacher/</link>
      <description>In the latest episode of krone.tv’s science program Wiener Wissen (aired July 27, 2025), Laura Kovacs and Georg Weissenbacher warned that digital threats increasingly permeate everyday life and urged the public to be far more cautious with their data.
Laura Kovacs cautioned that many actors “exploit, hack, and attack our computer systems and carry out cyberattacks.” Georg Weissenbacher highlighted the trade‑off behind “free” online services: “If you’re not paying for the product, then you are the product. Everything we do is monitored by someone.” He argued that IT systems — servers, computers, mobile phones, etc. — are under constant threat, and that no system can ever be 100% secure. That is why it is important to keep the bar high, starting with system design (using rigorous, formal development methods).
But users also need to be careful: keep your systems up to date, use two‑factor authentication, and think twice about whether you really need an app or a service — and if it’s free, ask yourself why a company would offer it for free. TUW scientists noted that social‑engineering attacks occur by phone (vishing): seemingly harmless calls with “three or four questions” can be enough for people to divulge sensitive information.
Please access the video by visiting Kronen Zeitung
</description>
    </item>
    <item>
      <title>22nd Conference on Detection of Intrusions and Malware &amp;amp; Vulnerability Assessment</title>
      <link>https://cysec.wien/news/2025-07-11_dimva_2025_arp/</link>
      <description>The SIG SIDAR Conference on Intrusion Detection, Malware, and Vulnerability Assessment (DIMVA) brings together experts and researchers to discuss the latest advancements, challenges, and solutions in cybersecurity. The event focuses on detecting and mitigating intrusions, analyzing malware threats, and assessing system vulnerabilities to enhance digital defense strategies.
Daniel Arp delivered a keynote at DIMVA&#39;25, which was held in Graz from July 9 to 11, 2025.
Title: Lessons Learned in Mobile Malware Detection with Machine Learning
Abstract. Mobile malware continues to pose a serious threat to the security and privacy of mobile device users. In response, the research community has developed a wide range of machine learning-based detection approaches over the past decade, aiming to overcome the limitations of traditional signature-based techniques. While these learning-based methods have demonstrated strong potential, the field still faces a number of unresolved challenges—such as concept drift and evolving adversarial behaviors—that must be addressed to ensure sustained effectiveness in real-world environments. In this talk, we reflect on a decade of research in machine learning-based mobile malware detection, discuss key lessons learned, and highlight ongoing challenges that present opportunities for future work.
</description>
    </item>
    <item>
      <title>RobustifAI</title>
      <link>https://cysec.wien/news/2025-07-03_robustifai/</link>
      <description>RobustifAI is a Horizon Europe project aimed at creating a comprehensive design and deployment methodology for reliable, robust, and trustworthy Generative AI (GenAI). The project officially started on June 1, 2025, and will run for 36 months with a total budget of €9.3 million, of which the Austrian contribution is approximately €1.36 million. Securing this funding is a significant achievement for the RobustifAI consortium, as only three out of 131 submitted proposals were selected for funding.
TU Wien has joined the RobustifAI consortium, which brings together 18 partners from 12 countries — 17 from Europe and one from India. The consortium includes seven universities, two research and technology organizations, five SMEs, and four major companies: Collins Aerospace, Siemens, Thales, and Thales SIX GTS FRANCE.
TU Wien is represented by Prof. Ezio Bartocci, Professor of Formal Methods in Cyber-Physical Systems at the Faculty of Informatics. He contributes renowned expertise in the rigorous development and analysis of learning-enabled autonomous systems to the consortium. The AIT Austrian Institute of Technology brings its strengths in applied formal methods for AI-based systems and in shaping future AI policies.
The RobustifAI project aims to develop practical solutions to improve the robustness and trustworthiness of GenAI, particularly in safety-critical applications. GenAI, including foundation models, has significant potential to transform industries by learning patterns from data and generating new content. However, its current weaknesses — especially in technical, operational, and user-related robustness — can lead to misuse, safety risks, and barriers to broader adoption.
RobustifAI focuses on addressing these challenges in Human-Cyber-Physical Systems (HCPS)—complex environments where computers, networks, humans, and physical processes work together to monitor and control real-world systems. Such systems are widely used in areas like transportation, healthcare, energy, and manufacturing. They are particularly demanding for GenAI because they involve real-time operations, safety-critical decisions, physical impacts, and human interaction. These complexities make robustness essential.
By improving GenAI’s reliability in HCPS, RobustifAI aims to develop methods and tools that can be applied across different industries, unlocking the full potential of generative AI in a safe, trustworthy, and scalable way.
© AIT
</description>
    </item>
    <item>
      <title>TU Wien Scientists Make Uncertainty in AI Measurable</title>
      <link>https://cysec.wien/news/2025-07-03_measurable_ai/</link>
      <description>A team at TU Wien, composed of Dr. Andrey Kofnov, Dr. Daniel Kapla, Prof. Ezio Bartocci, and Prof. Efstathia Bura, has developed an innovative method to measure and control uncertainty in artificial intelligence (AI) systems. Their approach offers mathematical guarantees on how safely a neural network operates within defined input ranges, helping to prevent certain types of errors.
AI technologies are already deeply integrated into our daily lives—from smartphones to self-driving cars. However, even small changes in input data, such as slight image distortions or background noise, can sometimes lead to unexpected or unsafe decisions. This new method makes it possible to predict and precisely limit how much AI outputs can vary, even when inputs are uncertain.
The TUW researchers use a geometric approach, treating all possible inputs as a high-dimensional space. By systematically dividing this space, they can accurately calculate the range of outputs a neural network can produce and mathematically rule out certain errors. Although the method is not yet suitable for very large AI models, it already works effectively for smaller neural networks and represents an important step toward more trustworthy, explainable, and safer AI systems.
The research was conducted within TU Wien’s DC SecInt, which fosters interdisciplinary collaboration in the field of secure, reliable, and ethically responsible technology. The results will be presented at the 42nd International Conference on Machine Learning (ICML 2025), one of the world’s leading conferences on machine learning.
The original scientific publication is available here. A full article with commentary from the authors is available in both German and English.
</description>
    </item>
    <item>
      <title>Click, Reply, Lose: Understanding How Scammers Lure Users into Smishing Attacks</title>
      <link>https://cysec.wien/news/2025-07-04_lecture_agarwal/</link>
      <description>Talk by Sharad Agarwal
Location: TU Wien, FAV Hörsaal 3 Zemanek (Seminarraum Zemanek, Favoritenstraße 9-11, Erdgeschoß) (HEEG02)
Date/Time: 2025-07-04 11:00 &amp;#x2012; 12:00
Abstract: Recently, there has been a surge in SMS scams affecting users globally. Scammers send text messages impersonating well-known brands or individuals, luring victims into clicking malicious URLs, calling fraudulent phone numbers, or replying via text or email. In this talk, I present findings from my PhD research, which provides a comprehensive categorization of SMS scams and an in-depth analysis of two major types: the Hi Mum and Dad scam (a conversational scam) and delivery scams (URL-based smishing). While conversational scams often lead to Authorized Push Payment (APP) fraud, URL-based smishing scams typically result in unauthorized fraud, such as Card-Not-Present (CNP) fraud. The outcomes of these three research projects have been published or accepted at ACM IMC 2024, USENIX Security 2025, and NSPW 2025, respectively.
Bio: Sharad Agarwal is a final-year PhD candidate at University College London (UCL), where he specializes in combating online financial fraud. He studies cybercrime longitudinally using a data-driven approach. His research has been published at top academic venues like USENIX Security and Financial Cryptography and has been cited in major news outlets such as The Times. Alongside his Ph.D., he works as a Product Analyst at Stop Scams UK, helping translate research into real-world impact.
</description>
    </item>
    <item>
      <title>Vienna Ethical Hacking Bootcamp 2025</title>
      <link>https://cysec.wien/news/2025-07-04_ethical_hacking_bootcamp/</link>
      <description>From July 4–6, 2025, TU Wien will once again host the Vienna Ethical Hacking Bootcamp. This intensive, practice-oriented training program focuses on cybersecurity fundamentals, ethical hacking techniques, and real-world attack scenarios. Participants gain hands-on experience in areas such as penetration testing, vulnerability assessment, and defensive strategies, guided by industry professionals. The bootcamp is designed to develop practical skills for students, young professionals, and cybersecurity enthusiasts.
Around 150 participants are expected to attend the Vienna Ethical Hacking Bootcamp, including national hacking teams from Austria, Croatia, the Czech Republic, Hungary, Slovakia, Slovenia, Serbia, Germany, Switzerland, and Italy. The bootcamp is designed to offer hands-on training and networking opportunities, while also serving as preparation for international competitions such as the European Cyber Security Challenge 2025.
The event will also function as a training ground for Team Europe in the lead-up to the International Cyber Security Challenge 2025, scheduled to take place in Japan in November.
The bootcamp features a distinguished lineup of international trainers and expert sessions, including:
Thomas Weber – Hardware &amp;amp; Firmware Hacking
Jan Gocník – Reverse Engineering
Davide Maiorca – Digital Forensics
Philippe Dourassov – Web Security
Philipp Beer – Mobile Security
Gabriele Digregorio – Advanced Debugging
A highlight of the program will be Philipp Beer&amp;rsquo;s preview of recent mobile security research, which is scheduled to be presented at USENIX Security 2025 in August.
On the second day, a Capture The Flag (CTF) competition will take place, using challenges developed for the Austria Cyber Security Challenge 2025 finals. This will provide participants with an opportunity to test and demonstrate their skills in a high-pressure, real-world environment.
Update: On July 4, TU Wien Rector Jens Schneider and Dean of Informatics Gerti Kappel opened the event, underscoring the university&amp;rsquo;s dedication to cybersecurity education and the development of future talent.
</description>
    </item>
    <item>
      <title>Voices of Innovation: Women, Academia, and the Age of AI</title>
      <link>https://cysec.wien/news/2025-06-10_voices_innovation_kovac/</link>
      <description>TU Wien Informatics brought together leading female computer scientists to share their experiences, challenges, and insights as researchers in academia. The event reflected TU Wien’s ongoing commitment to diversity and innovation, reinforcing the university’s role in fostering creativity, advancing urban technologies, and driving responsible AI research.
Laura Kovács joined Monika Henzinger (Institute of Science and Technology Austria), Gabriele Kotsis (Johannes Kepler University Linz), Claudia Plant (University of Vienna), and Marta Sabou (Vienna University of Economics and Business) for a high-level discussion on advancing gender equity in computer science. The panel was moderated by TU Wien Informatics Dean Gerti Kappel, who emphasized the exceptional contributions of Austrian female computer scientists and the continued need to promote gender equality in science and research.
The discussion focused on key challenges and strategies throughout academic careers, including mentorship, dual-career dynamics, flexible career pathways, and early encouragement of girls&amp;rsquo; interest in STEM. Panelists highlighted critical career stages—particularly postdoctoral transitions and maternity leave—where many women encounter systemic obstacles. They advocated for structured mentoring programs, family-friendly institutional policies, and supportive frameworks such as tenure-track positions and improved childcare options.
A central theme was the “leaky pipeline” in academia, where talented women leave research due to structural barriers. The panel stressed the importance of proactive, inclusive measures to help women thrive and lead in academic and scientific environments.
Encouragingly, panelists observed a positive trajectory in gender equity, with increasing awareness and improved representation in committees, awards, and leadership roles. The conversation concluded on an optimistic note, envisioning a future in which AI and other transformative technologies are shaped by diverse voices and equitable participation. The importance of visible female role models was recognized as essential for inspiring future generations of scientists and driving lasting cultural change in research.
© Amélie Chapalain / TU Wien Informatics
</description>
    </item>
    <item>
      <title>Assume-Guarantee Contracts for Trustworthy Autonomous Cyber-Physical Systems</title>
      <link>https://cysec.wien/news/2025-06-11_lecture_nuzzo/</link>
      <description>Talk by Pierluigi Nuzzo
Location: TU Wien, EI 2 Pichelmayer HS (Gußhausstraße 25, Stiege 8, 2nd floor) (CF0235)
Date/Time: 2025-06-11 17:00 &amp;#x2012; 19:00
Abstract: Increasingly more sophisticated tasks that were previously allocated to humans are expected to be performed by software, including modern artificial intelligence (AI) methods, in a variety of mission-critical cyber-physical systems, for example, in avionics, automobiles, robotics, and manufacturing. One of the biggest challenges to trustworthy autonomy is arguably in showing that these software and AI-enabled autonomous functions, running on heterogeneous, interconnected sensing, computation, and actuation platforms, will still satisfy the stringent safety and dependability requirements of mission-critical systems in uncertain or unpredictable environments. In this talk, I will introduce our approach to design-time assurance for autonomous cyber-physical systems, leveraging the rich modeling and specification formalism of assume-guarantee contracts and their probabilistic extensions. I will present how contracts enable compositional, quantitative requirement analysis and system verification in the presence of uncertainty as well as correct-by-construction, logically constrained decision-making and learning under uncertainty. I will then discuss how contracts can provide the semantic foundation for the automated construction of assurance cases, structured arguments about system dependability, which can accelerate system certification and help transition from a process-driven to a property-driven and evidence-based certification approach. Finally, I’ll conclude with a vision, mediated by contracts, for continuous assurance of intelligent autonomous systems.
Bio: Pierluigi Nuzzo is an Associate Professor in the Department of Electrical Engineering and Computer Sciences at UC Berkeley. Before joining UC Berkeley, he was the Kenneth C. Dahlberg Chair and an Associate Professor of Electrical and Computer Engineering and Computer Science at the University of Southern California. He received a PhD degree from UC Berkeley, and BS and MS degrees from the University of Pisa and the Sant’Anna School of Advanced Studies in Pisa. He also held research positions at the University of Pisa and IMEC, Leuven, Belgium, working on mixed-signal integrated circuit design. His research revolves around high-assurance design of cyber-physical systems and systems-on-chip, spanning the whole spectrum from the mathematical foundations to design tools and applications, with emphasis on compositional methods for system design and requirement engineering. His research interests include methodologies and tools for the design, verification, and certification of artificial intelligence and autonomous systems, and the analysis and design of secure and trustworthy hardware platforms. His awards include the IEEE Council on Electronic Design Automation (CEDA) Ernest S. Kuh Early Career Award, the Okawa Research Grant, the IEEE Technical Committee on Cyber-Physical Systems Early-Career Award, the DARPA Young Faculty Award, the NSF CAREER Award, the UC Berkeley EECS David J. Sakrison Memorial Prize, and several best paper and design competition awards.
This lecture is part of the Current Trends in Computer Science Lecture Series by the TU Wien Informatics Doctoral School.
</description>
    </item>
    <item>
      <title>Open Science Day at TU Wien</title>
      <link>https://cysec.wien/news/2025-06-03_tuw_opensci_huber_kovac/</link>
      <description>The first Open Science Day at TU Wien, organized by the TU Wien Library with the support of the Vice-Rector for Digitalization and Infrastructure, offers a dynamic platform for exchange, learning, and networking for researchers, academics, and students—whether you publish Open Access, manage research data, work with Open Source code, or engage in Citizen Science.
In the second session of the event, titled &amp;ldquo;Research Practices – From Open Access to AI,&amp;rdquo; two presentations by CySec faculty members were scheduled.
Marcus Huber from the Faculty of Physics delivered a talk on “Community-led publishing: Opportunities, challenges and pitfalls using the example of Quantum,” where he explored innovative models of scholarly communication that prioritize openness, collaboration, and community governance. This presentation addressed the potential benefits and drawbacks of such publishing frameworks in advancing scientific dissemination.
Following this, Laura Kovacs from the Faculty of Informatics presented on “Automated Reasoning,” providing insights into the latest advances in AI-driven methods for formal verification and logic. Her talk highlighted how automated reasoning techniques are transforming research practices by enabling more efficient and reliable verification of complex systems, thus contributing to enhanced rigor in computational science and cybersecurity. Together, these talks illustrated the dynamic intersection of open access initiatives and artificial intelligence in shaping the future of research methodologies.
© UNESCO CC BY SA
</description>
    </item>
    <item>
      <title>SMART Automation Austria</title>
      <link>https://cysec.wien/news/2025-05-22_smart_fabini_2025/</link>
      <description>SMART Automation AUSTRIA is Austria’s leading trade fair for industrial automation. It brings together technology providers, manufacturers, researchers, and decision-makers to showcase innovations in automation, digitization, and smart production. The event serves as a key platform for networking, knowledge exchange, and exploring the future of industrial transformation.
At SMART Automation AUSTRIA 2025, Austria’s premier industrial automation trade fair, held on May 22, 2025 in Linz, Joachim Fabini participated as a research representative in a high-level panel discussion on “Cybersecurity in Industry – Is Europe Becoming a Digital Colony?”.
Hosted in the Kongresssaal of the Design Center Linz, the session featured lightning talks and a panel discussion with leading figures from industry and academia. Dr. Fabini contributed insights on Europe’s digital dependence, the challenges of securing industrial environments, and the role of cyber resilience in maintaining digital sovereignty across European manufacturing and critical infrastructure.
The panel tackled strategic questions regarding:
Reducing reliance on non-European technologies
Strengthening cybersecurity in interconnected production systems
Aligning IT and OT security practices
Building the capabilities needed to remain competitive and sovereign in a digital future
The event highlighted that cybersecurity is no longer a back-office issue but a boardroom priority, vital for ensuring Europe&amp;rsquo;s long-term industrial competitiveness.
</description>
    </item>
    <item>
      <title>European Joint Conferences on Theory and Practice of Software</title>
      <link>https://cysec.wien/news/2025-05-19_etaps_kovacs/</link>
      <description>International Joint Conferences on Theory and Practice of Software (ETAPS) is a premier annual event uniting four major software science conferences — Programming Languages and Implementation (ESOP), Foundations of Software Engineering (FASE), Theoretical Foundations of Software Science (FoSSaCS), and Tools and Algorithms for System Analysis (TACAS) — along with satellite workshops. Since 1998, it has provided a collaborative platform for academic and industry researchers to exchange ideas across diverse software disciplines. With close to a thousand rigorously reviewed paper submissions each year, ETAPS fosters high-quality research and vibrant international collaboration.
Prof. Laura Kovács has been appointed President and Chair of the Steering Committee of ETAPS, recognizing her outstanding contributions and leadership in software theory and practice. In this role, she will guide the strategic direction and oversee the organization of ETAPS, ensuring the continued excellence and impact of this premier international forum for software research.
</description>
    </item>
    <item>
      <title>Austrian Computer Science Day 2025</title>
      <link>https://cysec.wien/news/2025-06-06_acsd_2025_arp/</link>
      <description>Austrian Computer Science Day is an annual event that brings together researchers, educators, and practitioners from across Austria’s computing and technology sectors. It fosters collaboration, showcases innovative research, and highlights both emerging and established talent in the field.
Daniel Arp will deliver a research talk at ACSD, scheduled for June 6, 2025, in the Aula of the University of Innsbruck.
Title: Lessons Learned in Mobile Malware Detection with Machine Learning
Abstract. Mobile malware continues to pose a serious threat to the security and privacy of mobile device users. In response, the research community has developed a wide range of machine learning-based detection approaches over the past decade, aiming to overcome the limitations of traditional signature-based techniques. While these learning-based methods have demonstrated strong potential, the field still faces a number of unresolved challenges—such as concept drift and evolving adversarial behaviors—that must be addressed to ensure sustained effectiveness in real-world environments. In this talk, we reflect on a decade of research in machine learning-based mobile malware detection, discuss key lessons learned, and highlight ongoing challenges that present opportunities for future work.
</description>
    </item>
    <item>
      <title>On the Misuse Of Generative AI and What We Can Do About It</title>
      <link>https://cysec.wien/news/2025-06-02_lecture_quiring/</link>
      <description>Talk by Erwin Quiring
Location: TU Wien, FAV Hörsaal 3 Zemanek (Seminarraum Zemanek, Favoritenstraße 9-11, Erdgeschoß) (HEEG02)
Virtual location: https://live.video.tuwien.ac.at/watch?l=wUSYcGK83g1TCxLqRtEuF
Date/Time: 2025-06-02 17:00 &amp;#x2012; 18:00
Abstract: The emergence of generative artificial intelligence (AI) has revolutionized content creation, enabling us to produce highly authentic digital media such as images, videos, texts, and music that is hard to distinguish from real media. Despite many positive applications, this also leads to considerable concerns about the misuse potential, as recent incidents in elections or recent phishing attempts have effectively demonstrated.
In my talk, we revisit how AI is misused and how it might be misused in the future. Then, we dive into possible countermeasures to mitigate this misuse, including passive detection approaches and recent watermarking trends.
Bio: Erwin Quiring is a researcher at the Ruhr University Bochum, Germany. He received a Ph.D. in computer science from TU Braunschweig and worked as a postdoctoral researcher at ICSI @ UC Berkeley from 2023 to 2024. His research vision is to foster the trustworthiness of AI. In particular, he works on the reliability, efficiency, and security of AI. One of his main research areas is the detection of AI-generated content. Contact him at erwin.quiring@rub.de
</description>
    </item>
    <item>
      <title>The TPTP World - Infrastructure for Automated Reasoning</title>
      <link>https://cysec.wien/news/2025-06-23_lecture_sutcliffe/</link>
      <description>Talk by Geoff Sutcliffe
Location: TU Wien, EI 2 Pichelmayer HS (Gußhausstraße 25-25a, 1040 Wien) (CF0235) Date/Time: 2025-06-23 13:00 &amp;#x2012; 14:00 Abstract: The TPTP World is the established infrastructure used by the Automated Theorem Proving (ATP) community for research, development, and deployment of ATP systems. The data, standards, and services provided by the TPTP World have made it easy to develop, evaluate, and deploy ATP technology. This talk and tutorial reviews the core features of the TPTP World, describes key services of the TPTP World, and presents some successful applications. The use of ATP as the reliable substrate to subsymbolic AI systems (e.g., LLMs), to form neurosymbolic AI systems, is reviewed.
More details at The TPTP World - Infrastructure for Automated Reasoning
Bio: Geoff Sutcliffe is a Professor in the Department of Computer Science at the University of Miami. He received a BSc(Hons) and MSc from the University of Natal, and a PhD in Computer Science from the University of Western Australia. His research is in the area of Automated Theorem Proving (ATP), particularly in the evaluation and effective use of ATP systems. His most prominent achievements are the development and ongoing maintenance of the TPTP World, and the development and ongoing organization of the CADE ATP System Competition. He is one of the leaders of the StarExec project. His research has produced over 160 refereed journal, conference, and workshop papers.
</description>
    </item>
    <item>
      <title>Summer School on Artificial Intelligence and Cybersecurity</title>
      <link>https://cysec.wien/news/2025-09-22_aisec_summerschool_2025/</link>
      <description>The first Summer School on AI and Cybersecurity will take place from 22 to 26 September 2025 at TU Wien. This premier, week-long event stands at the intersection of cutting-edge research and practical application, bringing together leading experts, researchers, and students from around the world to explore the transformative impact of artificial intelligence on modern cybersecurity.
Participants will dive into key topics such as explainable AI, threat detection, adversarial machine learning, and secure system design through a dynamic mix of hands-on workshops, inspiring lectures, and collaborative projects. Whether you&amp;rsquo;re a student looking to deepen your knowledge, a practitioner seeking new tools, or a researcher exploring emerging trends, the Summer School offers a unique opportunity to engage with a vibrant international community and experience TU Wien’s innovative academic environment.
Featured Speakers
Lorenzo Cavallaro, University College London, UK
Rachel Cummings, Columbia University, USA
Kathrin Grosse, IBM Research, Switzerland
Xiaowei Huang, University of Liverpool, UK
Maura Pintor, Università di Cagliari, Italy
Christian Wressnegger, Karlsruhe Institute of Technology, Germany
This event is supported by:
Austrian Science Fund (FWF) SFB SPyCoDe
Austrian Institute of Technology (AIT)
Center for Artificial Intelligence and Machine Learning (AIML)
Organizing Committee
Daniel Arp, TU Wien, Austria
Ezio Bartocci, TU Wien, Austria
Matteo Maffei, TU Wien, Austria
Stefan Neumann, TU Wien, Austria
Andreas Steininger, TU Wien, Austria
</description>
    </item>
    <item>
      <title>Sustainable Cybersecurity</title>
      <link>https://cysec.wien/news/2025-05-07_lecture_buchmann/</link>
      <description>Talk by Johannes Buchmann
Location: TU Wien, Campus Karlsplatz, Hörsaal 7 Schütte-Lihotzky (1040 Vienna, Karlsplatz 13, Erdgeschoss) (AHEG07) Date/Time: 2025-05-07 15:00 &amp;#x2012; 17:00 Abstract: Information technology plays a crucial role in all areas of society, the economy, and science. Therefore, cybersecurity is of utmost importance. But it is not enough to ask whether security is guaranteed at present. Instead, we must also consider whether cybersecurity is ensured in a sustainable manner—for example, whether protection mechanisms remain effective over the long term. In this talk, we outline the key protection goals that cybersecurity technologies must achieve. We discuss what sustainability means in the context of these goals and examine the extent to which current technologies can meet these requirements. Finally, we explore the scientific challenges that need to be addressed in order to ensure sustainable cybersecurity and privacy in the future.
Bio: Johannes Buchmann is a computer scientist and mathematician. He developed algorithmic algebraic number theory for cryptographic applications, and gained worldwide recognition through his research in the field of cryptography. Johannes Buchmann developed cryptographic methods, such as encryption and electronic signatures, and his work also focuses on issues of data protection and privacy. Johannes Buchmann attaches great importance to the development of crypto procedures that can also withstand attacks by quantum computers (post-quantum crypto procedures). Researchers assume that there will be quantum computers in the future that can override many of today’s cryptological security procedures (RSA, ECC). In their work, Johannes Buchmann and his team are addressing issues of long-term security – in particular the long-term storage of confidential data, and the long-term archiving of signed documents. Johannes Buchmann co-founded the Center for Advanced Security Research Darmstadt and FlexSecure GmbH in cooperation with the company T-Systems and the German Center for Artificial Intelligence (DZKI).
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria.
</description>
    </item>
    <item>
      <title>Artificial Intelligence in Research and Innovation</title>
      <link>https://cysec.wien/news/2025-04-24_assai_maffei/</link>
      <description>The Association for Scientific Exchanges between Austria and Italy (Associazione per gli Scambi Scientifici Austria Italia, ASSAI) brings together Italian academics and researchers residing and working in Austria. Its primary goal is to promote inter-university cooperation and scientific exchange between Italy and Austria. It achieves this by operating as a think-tank platform, which facilitates the transfer of experiences and best practices from its members to the scientific communities of both nations. Austria presents a particularly interesting ecosystem for Italian researchers, with its community of Italian scientists being the second largest after the German community, and the largest in any German-speaking country.
The first session of &amp;ldquo;In Dialogo con ASSAI,&amp;rdquo; held on April 24th, kicked off a promising series of events centered on &amp;ldquo;Artificial Intelligence in Research and Innovation.&amp;rdquo; This event gathered experts from various fields, including physics, cybersecurity, linguistics, and sociology, to delve into the practical impacts of AI.
Professor Matteo Maffei and other leading researchers, during a session moderated by Caterina Vizzardelli, President of ASSAI, shared deep insights on how AI is being integrated into cybersecurity. Their discussions explored how these technological advancements are shaping current and future security protocols, demonstrating the vast applications and implications of artificial intelligence.
The session fostered an open and multidisciplinary dialogue, providing a vibrant platform for attendees to discuss the intersections of AI with various scientific and cultural realms. The dynamic exchange of questions and ideas from the participants highlighted the session&amp;rsquo;s success and set the stage for further discussions in this evolving field.
This first meeting showcased the profound influence of AI on diverse sectors and set a robust foundation for subsequent dialogues focused on specific applications of AI in research and innovation.
</description>
    </item>
    <item>
      <title>Digital Humanism Conference</title>
      <link>https://cysec.wien/news/2025-05-27_dighum_2025/</link>
      <description>The first Digital Humanism Conference will take place from May 26 to 28, 2025, in Vienna, focusing on the theme &amp;ldquo;Shaping our digital future.&amp;rdquo; The event will gather global thinkers, innovators, and policymakers to discuss the potential of Digital Humanism and its impact on society. It aims to address the profound transformation of societies through information technology, particularly artificial intelligence, and to explore ways to advance democracy, human rights, diversity, and environmental sustainability in the digital age. The conference will serve as a key international forum under the patronage of Federal President Alexander Van der Bellen, fostering discussions on integrating digital developments with democratic values and the common good.
Martina Lindorfer and Matteo Maffei will participate in the panel &amp;ldquo;Cybersecurity in New Times&amp;rdquo;, scheduled for May 27. At the presentation of the conference, Martina underscored the critical role of technical expertise in addressing today’s socio-political challenges. Issues like IT security, data protection, and algorithmic fairness are no longer niche topics — they influence nearly every aspect of daily life, from education and elections to communication and healthcare. This conference serves as a platform to bring together the expertise needed to shape informed, responsible, and sustainable solutions for the digital era.
</description>
    </item>
    <item>
      <title>Larger Decentralized Platforms Don&amp;rsquo;t Necessarily Offer Better Security</title>
      <link>https://cysec.wien/news/2025-05-30_lecture_karame/</link>
      <description>Talk by Ghassan Karame
Location: TU Wien, FAV Hörsaal 1 Helmut Veith - INF (Favoritenstraße 9-11, Erdgeschoß) (HEEG02) Virtual location: https://live.video.tuwien.ac.at/watch?l=beJAN1gHpvaihUhG2habKP Date/Time: 2025-05-30 10:00 &amp;#x2012; 11:00 Abstract: Decentralized platforms support transparency and enable open access and participation. It is expected that decentralization will stimulate innovation and will positively impact the digital experience of many enterprises around the globe, e.g., in applications for payments, machine learning, social networks, etc.
Unfortunately, the precise relationship between &amp;ldquo;decentralization&amp;rdquo; and platform security remains unclear. It is commonly believed that greater decentralization improves security by distributing power across more nodes. Yet, in some applications, an increasing number of nodes also leads to higher network delays, and the extent to which these delays impact security is not well understood. In this talk, I will explore how decentralization influences the security of two prominent emerging decentralized applications: Nakamoto-style blockchains and Decentralized Machine Learning.
Bio: Since November 2021, Ghassan Karame has been a full Professor of Computer Science at the Ruhr-University Bochum (RUB), leading the Chair for Information Security. Ghassan is a Principal Investigator (PI) in the Cluster of Excellence CASA (Cyber Security in the Age of Large-Scale Adversaries) and, since October 2023, the Director (and a PI) at the Horst Goertz Institute for IT Security (HGI). He is also involved as a (part-time) Chief Scientific Advisor at NEC Laboratories Europe. Before joining RUB, he was working as an NEC Fellow and was leading the Security research group at NEC Labs in Germany. Prior to joining NEC Labs, he was working as a postdoctoral researcher in the Institute of Information Security of ETH Zurich, Switzerland. He has held a PhD degree in Computer Science from ETH Zurich since 2011. Ghassan is interested in all aspects of security and privacy with a focus on decentralized security and platform security.
</description>
    </item>
    <item>
      <title>Qualification for DEF CON 2025</title>
      <link>https://cysec.wien/news/2025-04-20_def_con_2025/</link>
      <description>DEF CON CTF is one of the most well-known and highly regarded annual hacking competitions held during the DEF CON conference, one of the largest hacker conventions globally. The event features two main stages: the Qualifying Rounds, where teams compete remotely to solve cybersecurity challenges, and the Finals, which are held onsite at the conference. During the finals, top qualifying teams engage in a live competition, simultaneously attacking and defending systems in real-time. DEF CON CTF challenges participants with tasks that span various cybersecurity skills, pushing the boundaries of the field and highlighting cutting-edge security expertise.
Team KuK Hofhackerei, comprising members from Austria&amp;rsquo;s CTF (Capture-The-Flag) community, represents a collaborative force in cybersecurity. The team includes participants from several notable groups:
WE_0WN_Y0U, a joint team from TU Wien, the University of Vienna, and SBA Research
LosFuzzys from TU Graz
Sigflag from Johannes Kepler University Linz
Team Austria, which brings together the nation&amp;rsquo;s top talents
After competing intensely for 48 hours in the qualification round, KuK Hofhackerei earned a remarkable 6th place out of more than 1300 teams, securing their spot in the DEF CON CTF Final in Las Vegas this year. This achievement highlights their years of dedication and the strong teamwork ethos prevalent in Austria&amp;rsquo;s CTF scene.
This synergy among team members and support from educational and research institutions underscores the robust framework that advances Austria in the international cybersecurity arena. DEF CON CTF is not only a competition but also a showcase of the highest level of cybersecurity expertise, where participants often have to solve challenges that are yet to become known or widespread in the wider security community. The event helps push the boundaries of what is understood and possible within the field of cybersecurity.
</description>
    </item>
    <item>
      <title>Safety First in Cybersecurity</title>
      <link>https://cysec.wien/news/2025-04-15_kurier_interview_maffei/</link>
      <description>The Austrian Science Fund (FWF) is the national central funding organization for fundamental research. Through a rigorous international peer review process, the FWF supports thousands of outstanding researchers and their innovative ideas at universities and other research institutions. By fostering scientific excellence across all disciplines, the FWF contributes to the advancement of knowledge, strengthens Austria’s research ecosystem, and enhances the country’s international competitiveness in science and innovation. Among the projects funded by the FWF is SPyCoDe, coordinated by TU Wien, which brings together five research institutions across Austria.
In a recent interview with FWF, Prof. Matteo Maffei shared insights into his research on securing digital technologies that are used daily by billions of people worldwide. The discussion focuses on how blockchain technologies, web browsers, and mobile applications can be designed to resist misuse and criminal activities while preserving user privacy.
Maffei explains how his team develops innovative cybersecurity solutions that protect both end users and software developers from cyberattacks. By combining formal methods, program analysis, and secure system design, the research aims to create security mechanisms that are not only theoretically sound but also practical and scalable.
A central theme of the interview is usability. Maffei highlights the importance of what he calls “one-button solutions” — approaches that hide complex security processes behind simple, intuitive interfaces. Such solutions are crucial for ensuring that strong security guarantees can be widely adopted without increasing complexity for users or developers.
The interview also underscores the broader impact of this research. Maffei’s work has contributed significantly to Vienna’s international reputation as a leading hub for cybersecurity and privacy research, demonstrating how fundamental computer science can translate into real-world security and societal benefit.
Watch the video on YouTube to learn more
</description>
    </item>
    <item>
      <title>Maximizing Branch Coverage with Constrained Horn Clauses</title>
      <link>https://cysec.wien/news/2025-04-03_lecture_fedyukovich/</link>
      <description>Talk by Grigory Fedyukovich
Location: TU Wien, EI 4 Reithoffer HS (Haupttrakt, Gußhausstraße 25-25a, 2. Stock) (CF0245) Date/Time: 2025-04-03 15:00 &amp;#x2012; 16:00 Abstract: State-of-the-art solvers for constrained Horn clauses (CHC) are successfully used to generate reachability facts for software using its symbolic encoding. In this talk, I will present a new application of CHCs to test-case generation, the problem of finding a set of tuples of input values to a program under which the program visits as many branches as possible. The key insight to achieve maximality is to identify and skip blocks of code that are provably unreachable. The new approach to test-case generation, called HORNTINUUM, uses CHCs to construct different program unrollings incrementally and to extract test cases from models of satisfiable formulas. At the same time, a CHC solver keeps track of CHCs that represent unreachable blocks of code, making the unrolling process more efficient. In practice, this lets HORNTINUUM terminate early while guaranteeing maximal coverage. HORNTINUUM exhibits promising performance: it generates high coverage in most cases and takes less time on average than state-of-the-art approaches based on bounded model checking, concolic execution, and/or fuzzing.
Bio: Grigory Fedyukovich is an Assistant Professor at Florida State University. He completed his Ph.D. at the University of Lugano under the supervision of Prof Natasha Sharygina, a postdoc at the University of Washington with Prof Rastislav Bodik, and a postdoc at Princeton University with Prof Aarti Gupta. His main research interests are in the fields of automated reasoning, software verification, and synthesis.
</description>
    </item>
    <item>
      <title>10 PhD positions on Automated Reasoning</title>
      <link>https://cysec.wien/news/2025-03-27_ar_dc_hiring/</link>
      <description>The newly established Doctoral College &amp;ldquo;Automated Reasoning,&amp;rdquo; funded by the Austrian Science Fund (FWF), is designed to educate the next generation of experts in automated reasoning. The program addresses foundational questions such as how to rigorously define safety and security across various domains and applications. It also focuses on developing automated techniques and analyses to ensure the safety and security of electronic systems and explores synergies between the fields of security and artificial intelligence (see our list of potential research topics).
Doctoral College &amp;ldquo;Automated Reasoning&amp;rdquo; offers ten PhD positions. Successful applicants will work on exciting projects at the intersection of security and artificial intelligence with Automated Reasoning at the core. The positions are expected to start in October 2025, each for an expected period of 4 years.
All research projects are expected to span several sub-disciplines (such as formal methods and artificial intelligence) and each doctoral student will be supervised by at least two professors (see our list of faculty members of the doctoral college) with complementary research experience.
Tasks:
Perform independent research on the respective research topic
Present research results at international conferences and other scientific events
Successful completion of milestones and curriculum of the doctoral college
Participation in scientific events and other outreach activities organized by the doctoral college and the Doctoral School of TU Wien
Write a dissertation and publications
Participation in organizational and administrative tasks of the doctoral college
Your profile:
A diploma or master university degree in computer science, computer engineering, or mathematics
Experience in relevant research fields of the selected project(s) is an advantage
Excellent communication and writing skills in English
Active participation in scientific collaboration
Team competences and problem-solving skills
Positive attitude and contribution to the work environment
Striving for continuous personal development
We offer:
Diverse and exciting research projects on cutting-edge topics
Continuing personal development and professional education
High-quality supervision by renowned scientists
Ample possibilities for building an international research network, completing secondments, and establishing research collaborations
Courses on transferable skills
Competitive salary
Social benefits (e.g., health insurance)
Administrative support in study and organizational questions
Central location with excellent accessibility in a city regularly ranked first worldwide for best quality of life
Diverse and exciting tasks
More details and application information can be found here.
</description>
    </item>
    <item>
      <title>Sub Auspiciis Promotion</title>
      <link>https://cysec.wien/news/2025-03-14_sub_auspiciis_moosbrugger/</link>
      <description>Marcel Moosbrugger received his doctorate sub auspiciis, a recognition for exceptional academic achievements, under the auspices of the Federal President of the Republic of Austria and the rectorate of TU Wien. Federal President Dr. Alexander Van der Bellen awarded Marcel Moosbrugger the Ring of Honor of the Republic of Austria in Hofburg on March 14. Marcel Moosbrugger’s Doctoral Thesis “Automated Analysis of Probabilistic Loops” was supervised by Laura Kovács and co-supervised by Ezio Bartocci.
Marcel Moosbrugger graduated as a Bachelor with Honors from TU Wien Informatics in 2019, and he was a Distinguished Young Alumn Award winner in 2020. He received his Master’s Degree in 2020, and he won the Diploma Thesis Award of the City of Vienna in 2021. He was also nominated for the Austrian Master Thesis Prize and the Christiana Hörbiger Prize. During his studies, he supported eduLAB’s “Abenteuer Informatik” project, and he is currently working as an External Research Engineer at Huawei.
Dr. Moosbrugger’s Doctoral Thesis advanced the automated analysis of probabilistic loops by developing new theoretical and computational methods. It introduced a fully automated approach for computing higher moments of program variables using linear recurrences with constant coefficients, suitable for a broad class of probabilistic loops. This method was part of a new framework called the theory of moment-computable loops, which proved complete for programs incorporating branching, polynomial arithmetic, and varied probability distributions.
Additionally, a novel technique for automatic sensitivity analysis was developed to cater to probabilistic systems with unknown parameters, extending its application to non-moment-computable loops. The thesis also addressed the computational challenges in deriving polynomial invariants for probabilistic loops, identifying these problems as Skolem-hard. Despite these challenges, practical methods were proposed for computing bounded polynomial invariants and approximating polynomial loops with linearizable ones. The thesis presented Polar, a tool that implemented these techniques, demonstrating superior performance on complex benchmarks. It also introduced Amber, the first tool to certify both probabilistic termination and non-termination, highlighting significant theoretical and practical contributions to probabilistic program analysis.
</description>
    </item>
    <item>
      <title>Austria&amp;rsquo;s largest education fair BeSt</title>
      <link>https://cysec.wien/news/2025-03-06_best/</link>
      <description>From March 6 to March 9, 2025, BeSt, Austria&amp;rsquo;s largest education fair for careers, studies, and further education took place. Numerous exhibitors presented their educational offerings, and this time, they even competed in a contest. The highest goal of the fair is to provide students and all those interested in further education with an optimum amount of information under one roof — and that with free admission. For the first time, a panel of experts evaluated the innovation, creativity, and advisory expertise of the exhibition stands and determined a &amp;ldquo;Best-of BeSt.&amp;rdquo; In the &amp;ldquo;Universities&amp;rdquo; category, TU Wien, FH Joanneum, and the University of Vienna emerged as winners.
Ezio Bartocci and Martina Lindorfer joined the TU Wien team at BeSt, the prominent education fair, where they showcased the university&amp;rsquo;s diverse degree programs. A highlight of the event was the demonstration of Scuderia Segfault’s autonomous racing car, a prime example of cyber-physical systems in action. Alongside team members Mónika Farsang, Felix Resch, and Andreas Brandstätter, CySec faculty members represented the Faculty of Computer Science. They engaged with attendees, answering questions and providing a hands-on look at what studying Computer Engineering at TU Wien involves, as well as ongoing research in security and privacy.
</description>
    </item>
    <item>
      <title>Workshop on Measurements, Attacks, and Defenses for the Web</title>
      <link>https://cysec.wien/news/2025-02-28_madweb__2025/</link>
      <description>The Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) focuses on the convergence of browser evolution and web security, aiming to foster discussions on all aspects of web security and privacy. Since merging with the SecWeb workshop in 2025, MADWeb has expanded its agenda to include innovative security mechanisms, enhanced browser interfaces, and secure web application development frameworks. The workshop encourages submissions that rethink web security from the ground up and is particularly welcoming of works in progress and presentations from junior researchers exploring new ideas.
At MADWeb 2025, which was co-located with the Network and Distributed System Security (NDSS) Symposium, Marco Squarcina served as a Program Committee Co-Chair, playing a crucial role in shaping the conference agenda and steering the peer review process. MADWeb focuses on key issues in web security and privacy, such as browser security, web authentication, security of emerging technologies, and privacy-enhancing technologies. The workshop also explores advanced topics like machine learning applications for web security, DNS privacy, and the detection of malicious web activities.
The program features a mix of keynote talks, technical sessions, and discussions. Highlights include a keynote on web security through the lens of content integrity and sessions that blend network security with web technologies, such as leveraging IP geolocation for VPN detection and exploring the state of HTTPS adoption. The event also addresses new challenges in browser security, digital forensics, and the evolving landscape of Web3 security, illustrating the breadth of topics covered and the impact of technological advancements on web security.
During his visit to the University of California, San Diego, Marco participated in the Mozilla Security Research Summit 2025, which was hosted in San Diego as part of Mozilla&amp;rsquo;s Security Engineering University Relationship Framework (SURF) initiative. This initiative aims to enhance collaboration between Mozilla and the academic community by leveraging academic talent to tackle Mozilla-specific security and privacy engineering research challenges and to strengthen Mozilla&amp;rsquo;s connections with academia. The summit attracted a diverse audience, including Mozilla engineers, academics, and PhD students. It was structured to encourage Mozilla engineers to present research challenges to the academic community, fostering potential collaborations. The engineers and researchers delivered talks on a variety of topics, including tracking protection, language-based security, cryptography, web measurement, and machine learning.
</description>
    </item>
    <item>
      <title>Network and Distributed System Security Symposium 2025</title>
      <link>https://cysec.wien/news/2025-02-26_ndss_2025/</link>
      <description>The Network and Distributed System Security (NDSS) Symposium is a premier forum that promotes the exchange of information among researchers and practitioners in the field of network and distributed system security. This symposium emphasizes the practical aspects of security, particularly focusing on the design and implementation of actual systems. It provides a platform for discussing the latest research and developments in Internet security, making it a vital event for staying updated on cutting-edge advances in the field.
At NDSS 2025, held from 24 to 28 February 2025 in San Diego, California, Giulia Scaffino presented work titled &amp;ldquo;Alba: The Dawn of Scalable Bridges for Blockchains,&amp;rdquo; coauthored with Lukas Aumayr (TU Wien), Mahsa Bastankhah (Princeton University), Zeta Avarikioti (TU Wien), and Matteo Maffei (TU Wien).
Over the past decade, the emergence of cryptocurrencies has significantly engaged both academic and industrial sectors, fostering a robust and varied blockchain ecosystem with innovative applications. A key development in this area has been the creation of blockchain &amp;ldquo;bridges.&amp;rdquo; These bridges are designed to improve interoperability between different blockchains, each with unique attributes, facilitating asset transfers crucial for maximizing the potential of Decentralized Finance (DeFi) systems. Despite their increasing popularity, existing trustless bridge protocols face challenges. Some, like light-client-based bridges, transmit too much information, while others, such as those using zero-knowledge proofs, require extensive computational resources. These inefficiencies often arise from the need to securely prove the inclusion of a transaction on one blockchain to another, a process that is sometimes redundant due to the capabilities of off-chain solutions like payment and state channels to handle transactions securely without on-chain publication. However, traditional bridges do not yet support the verification of these off-chain payments, highlighting a significant gap in current blockchain interoperability solutions.
Giulia&amp;rsquo;s presentation introduced the innovative concept of &amp;ldquo;Pay2Chain&amp;rdquo; bridges, which harness the benefits of off-chain solutions to circumvent the limitations of existing bridges. The proposed Pay2Chain bridge, named Alba, is designed to enable the efficient, secure, and trustless execution of conditional payments or smart contracts on a target blockchain, triggered by off-chain events. Alba not only offers technical benefits but also significantly enhances the ecosystem of the source blockchain by supporting DeFi applications, multi-asset payment channels, and optimistic stateful off-chain computation.
The team formalized the security of Alba against Byzantine adversaries within the Universal Composability (UC) framework and further enriched the analysis with game-theoretic insights. They also introduced formal scalability metrics to validate Alba&amp;rsquo;s efficiency. Empirical evaluations have confirmed that Alba&amp;rsquo;s communication complexity and on-chain costs are highly efficient, with its optimistic case incurring only twice the cost of a standard Ethereum transaction for token ownership transfer. This presentation underscored Alba&amp;rsquo;s potential to significantly advance blockchain interoperability and efficiency.
© Wes Hardaker
</description>
    </item>
    <item>
      <title>Security Strategies for a Connected Future</title>
      <link>https://cysec.wien/news/2025-02-26_tuw_alumni_magazin/</link>
<description>The TU Wien alumni club serves as a platform for exchange, offering information on current developments at the university and fostering networking among its members. Through its activities and resources, the association promotes a lifelong connection between TU Wien and its alumni, in line with the graduation pledge to “remain connected to TU Wien.”
The March 2025 issue (No. 58) of the TU Wien Alumni Magazine is dedicated to the theme “Security Strategies for a Connected Future.” In this thematic edition, members of the Cybersecurity Center (CySec) contribute five articles that showcase TU Wien’s strengths in cybersecurity research, education, and societal impact.
In the article “CySec – Cybersecurity at the Center,” Olha Denisova presents CySec as TU Wien’s interdisciplinary response to the rapidly escalating threats of cybercrime, data breaches, fraud, and system manipulation, whose global costs are projected to reach USD 10 trillion annually by 2026. Founded in 2023 under the leadership of Matteo Maffei and Tanja Zseby, CySec brings together 23 faculty members and around 150 researchers from computer science, electrical engineering, physics, statistics, architecture, and law. The article highlights CySec’s core research outputs in secure communication protocols, software verification, and vulnerability analysis, as well as its strong international visibility through leading conferences, public events, and collaborations with top universities and technology companies. Beyond research excellence, CySec’s societal impact lies in educating the next generation of cybersecurity experts and actively promoting diversity and inclusion in the field.
Marco Squarcina examines Capture the Flag (CTF) competitions as a powerful training ground for cybersecurity professionals and a cornerstone of CySec’s educational mission. The article traces TU Wien’s more than 20-year engagement in ethical hacking, beginning with the founding of the CTF team We_0wn_Y0u (W0Y) and extending to major initiatives such as the Austria Cyber Security Challenge and the European Cyber Security Challenge. It demonstrates how hands-on, gamified learning equips students with technical expertise, creativity, and teamwork skills essential for modern cyber defense, while contributing to national and European cybersecurity talent pipelines.
The article, authored by Georgia Avarikioti from the TU Wien Blockchain Hub, addresses two key challenges limiting the widespread adoption of blockchain technologies: scalability and interoperability. It explains how CySec-affiliated researchers develop layer-2 protocols and cross-chain solutions that enable secure and efficient transactions without compromising decentralization or trust. These innovations support applications ranging from decentralized finance to secure digital contracts and Web3 infrastructures, highlighting the broader societal impact of building fairer and more trustworthy digital economic systems.
Elena Andreeva analyzes how cryptographic standards shape real-world security, privacy, and trust, and why flawed standardization decisions can have far-reaching consequences. Led by Andreeva, the Symmetric Cryptography Group at TU Wien contributes both to the design of novel cryptographic algorithms and to the critical evaluation of existing standards. The article discusses successful standards such as AES, problematic cases marked by insufficient transparency, and standards rendered obsolete by advances in cryptanalysis, underscoring CySec’s role in advancing robust, future-proof security technologies.
The final contribution, “Lost Between Reality and Fiction: Authenticity and Privacy in the Age of AI,” by Dominique Schröder, addresses one of the most pressing challenges of the digital era: distinguishing authentic information from manipulated or AI-generated content. Against the backdrop of deepfakes, automated text generation, and large-scale disinformation, the article explores how modern IT security techniques — such as digital signatures, cryptographic authentication, and fully homomorphic encryption — can ensure authenticity while preserving privacy. By presenting practical scenarios from media verification to encrypted data processing in healthcare and business, the article highlights concrete technological approaches to counter disinformation and strengthen trust in digital media and democratic processes.
</description>
    </item>
    <item>
      <title>Digital Defense: How Does the Net Stay Secure?</title>
      <link>https://cysec.wien/news/2024-12-19_kurier_interview_lindorfer/</link>
      <description>Martina Lindorfer joined the recent episode of KURIER-TV&amp;rsquo;s &amp;ldquo;Spontan gefragt&amp;rdquo; as an IT security expert and computer scientist. Along with IT and business consultant Georg Krause, she discussed the complex world of cybercrime, shedding light on the sophisticated nature of modern hacking operations and explored various aspects of digital threats and defensive strategies.
During the discussion, Martina emphasized the evolution of hacking from covert operations to highly professional and often state-funded activities. She highlighted the common use of phishing attacks, which deceive users into revealing sensitive information through seemingly harmless communications like SMS or emails. Lindorfer detailed how these attacks mimic legitimate platforms to lure individuals into providing their credentials, directly benefiting criminals.
Lindorfer also spoke on the issue of ransomware, where criminals paralyze company operations by encrypting data and demanding ransoms for decryption. She noted that while some victims might regain access to their data upon paying the ransom, others may find themselves caught in ongoing extortion schemes.
Addressing the broader implications of these threats, Lindorfer stressed the importance of enhancing digital literacy to fortify society against such vulnerabilities. She advocated for comprehensive digital education in schools, viewing it as crucial to equipping future generations with the skills necessary to navigate and secure the digital landscape effectively.
Lindorfer&amp;rsquo;s insights underscored a critical message: &amp;ldquo;The weakest link is still the human.&amp;rdquo; This assertion calls for a concerted effort to bolster human defenses alongside technological ones, ensuring that digital security becomes a fundamental aspect of education and daily practice.
Please access the article and accompanying video by visiting futurezone.at
</description>
    </item>
    <item>
      <title>Round-Optimal Fully Secure Distributed Key Generation</title>
      <link>https://cysec.wien/news/2025-03-04_lecture_katz/</link>
      <description>Talk by Jonathan Katz
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstraße 9-11, Erdgeschoß) (HEEG02) Date/Time: 2025-03-04 09:30 &amp;#x2012; 10:30 Abstract: Protocols for distributed (threshold) key generation (DKG) in the discrete-logarithm setting have received a tremendous amount of attention in the past few years. Several synchronous DKG protocols have been proposed, but most such protocols are not fully secure: they either allow corrupted parties to bias the key, or are not robust and allow malicious parties to prevent successful generation of a key.
We explore the round complexity of fully secure DKG in the honest-majority setting where it is feasible. We show the impossibility of one-round, unbiased DKG protocols (even satisfying weaker notions of security), regardless of any prior setup. On the positive side, we show various round-optimal protocols for fully secure DKG offering tradeoffs in terms of their efficiency, necessary setup, and required assumptions.
Slides, Video, Paper
Bio: Jonathan Katz recently joined Google as a Senior Staff Research Scientist, after more than 20 years as a professor at the University of Maryland where he also served as director of the Maryland Cybersecurity Center. He is a co-author of the widely used textbook “Introduction to Modern Cryptography” (now in its third edition) and also offers a free online course on cryptography through Coursera. Katz has received an Alexander von Humboldt Research Award, a UMD Distinguished Scholar-Teacher Award, and an ACM SIGSAC Outstanding Contribution Award. He is a fellow of the IACR and the ACM.
</description>
    </item>
    <item>
      <title>Austrian Cybersecurity Challenge 2025</title>
      <link>https://cysec.wien/news/2025-03-01_acsc_2025/</link>
      <description>CySec is actively collaborating with Cyber Security Austria to organize and host the yearly Austria Cyber Security Challenge. This event is a Capture The Flag (CTF) competition aimed at identifying and nurturing young talents in the field of cybersecurity. The challenge is designed to engage participants in solving security-related puzzles and tasks, offering them a platform to showcase their skills and potential in cybersecurity under a competitive setting. This initiative, organized by Cyber Security Austria, not only helps in discovering emerging talents but also in fostering a stronger cybersecurity community.
ACSC 2025 Program Overview
The Austria Cyber Security Challenge 2025 will commence with an engaging kick-off event in Vienna. Participants will have the opportunity to meet the organizers and other competitors in person. For those unable to attend, the event will also be streamed online.
Kick-off Event
Date &amp;amp; Time: February 21, from 17:00 to 18:00
Main Location: TU Wien - FAV Hörsaal 1, Favoritenstraße 11, 1040 Wien
Online Access: Available via Discord
Language: English (Questions in German are welcome)
Alternative Locations: FH St. Pölten, JKU Linz, LosFuzzys Graz
This initial event is an entry-level gathering designed to explain the competition format. Attendance is not mandatory but is encouraged for newcomers.
You can solve all challenges at any time during the qualification period (01.03.-01.05.; e.g. the first challenge to be released can still be solved in the very last minutes before submission closes).
Qualification Rounds
The qualification stage is a single-player jeopardy competition spanning two months, with challenges released in two waves. This phase involves cooperation with German and Swiss counterparts.
1st Qualifying Wave
Date &amp;amp; Time: March 1st, 18:00 CEST
Format: Online
2nd Qualifying Wave
Date &amp;amp; Time: April 1st, 18:00 CEST
Format: Online
Challenges can be solved at any time from March 1st to May 1st. Even challenges released early in the qualification can be addressed up until the final submission deadline - May 1st, 18:00 CEST
Finals
Competitors who achieve a top ranking in their qualification category will be invited to the team-based finals, which promise a dynamic mix of collaboration and competition.
Dates: June 24th - 26th
Location: Dornbirn
Events Include: Team-building (junior &amp;amp; senior categories), Competition, Award Ceremony
</description>
    </item>
    <item>
      <title>Austrian Cybersecurity Challenge Finals 2025</title>
      <link>https://cysec.wien/news/2025-06-24_acsc_2025_finals/</link>
      <description>Organized by Cybersecurity Center TU Wien and Cyber Security Austria, the Austria Cyber Security Challenge (ACSC) 2025 is one of the country’s leading platforms to discover and support emerging cybersecurity talent. By combining competition, education, and collaboration, the challenge not only showcases individual skill but also promotes Austria&amp;rsquo;s strategic cybersecurity capabilities.
The highly anticipated finals of the ACSC 2025 will take place in Dornbirn from June 24th to 26th, bringing together Austria’s most promising cybersecurity talents for an exciting and competitive event.
After two months of intense online qualification rounds, the top 20 participants in each category—junior, senior, and open—have secured their spots in the finals. The event will feature a dynamic Capture The Flag (CTF) competition, complemented by various team-building activities that foster both technical skills and community engagement.
This year’s qualification phase demonstrated strong engagement and skill among participants:
870 registered participants,
37 unique challenges,
2945 valid solutions submitted.
Finalists are now preparing for the concluding stage of the challenge, which includes:
Team-based CTF competitions
Team-building sessions (especially for junior and senior categories)
Award ceremony honoring the ACSC 2025 champions
Update: We would like to congratulate all participants on their achievements and the winners on their well-deserved victory:
Junior (14 – 20 years):
Hannah Fluch
Mátyás Zsombor
Roman Ortner
Christopher Haindl
Aurel Schauer
Senior (20 to 25 years):
Lea Holter
Jonas Heschl
George Raul Michael Dunca
Felix Mayer
Christoph Tantscher
Open (open to all):
Jonas Konrad
Stephan Stöger
Luke Finn Zamponi
All results are available here: Scoreboard
Our sincere thanks go to the entire organizing team for their great work and dedication.
The ORF report on the final is available here: https://on.orf.at/video/14281673/15904841/finale-der-austria-cyber-security-challenge-vorarlberg-heute-vom-26062025.
</description>
    </item>
    <item>
      <title>AI &amp;amp; Security Competence Forum</title>
      <link>https://cysec.wien/news/2025-02-17_competenzforum_maffei/</link>
      <description>This week marked the kickoff for the new AI &amp;amp; Security Competence Forum, initiated by Thomas Stubbings, CEO at CTS (Cyber Trust Services), and Alexander Janda, Secretary General of KSÖ (Competence Center for Secure Austria). The event brought together leading minds in technology to address the most pressing cyber challenges since the internet&amp;rsquo;s inception.
Prof. Matteo Maffei participated in a panel discussion with Ralf Schneider, Head of AI Security &amp;amp; Security Consulting at Deutsche Telekom Security, and Johann Schlaghuber, Head of Cybersecurity at Siemens Aktiengesellschaft Österreich. Together, they explored complex topics ranging from data and identity theft to ethical concerns in digital security. The discussion encompassed specific threats and broader ethical issues. Participants at the forum reached a consensus on the need for Europe to intensify its efforts in managing AI and cybersecurity issues responsibly and effectively. The AI &amp;amp; Security Competence Forum is poised to become a crucial platform for ongoing discussions, with further sessions highly anticipated.
</description>
    </item>
    <item>
      <title>Wasm Research Day 2025</title>
      <link>https://cysec.wien/news/2025-02-11_wasm_2025/</link>
      <description>Carnegie Mellon University&amp;rsquo;s WebAssembly Research Center (WRC) hosts the WebAssembly (Wasm) Research Days, gathering a diverse group of researchers from academia, industry, and the W3C Community Group responsible for WebAssembly standards. WRC&amp;rsquo;s partners, such as Woven by Toyota, Shopify, Siemens, and DFINITY, along with representatives from major tech firms like Google, Mozilla, Apple, and others, participate in the event to foster collaboration across various sectors and explore current and future applications of WebAssembly. The Research Days provide a platform for in-depth discussions, sharing insights, and integrating theoretical research with practical applications, thereby enhancing the understanding and impact of WebAssembly in the technology landscape.
At Wasm 2025, held on February 11, Markus Scherer presented &amp;ldquo;Wappler and Beyond: Reachability and Noninterference Analysis for WebAssembly,&amp;rdquo; joint work with Jeppe Fredsgaard Blaabjerg (Aarhus University, Denmark), Alexander Sjösten, Magdalena Solitro, Matteo Maffei (TU Wien).
The presentation explored the ongoing research on the static analysis of WebAssembly by the research group, highlighting Wappler as the first sound and automated technique in this domain. Wappler&amp;rsquo;s core method involves encoding WebAssembly&amp;rsquo;s semantics into Horn clauses, making it compatible with automated theorem provers like z3. The discussion then advanced to current research efforts that extend Wappler’s capabilities to noninterference analysis. This hyperproperty, crucial for security, aids in evaluating potential threats, particularly how an attacker might compromise system integrity and confidentiality. Given WebAssembly&amp;rsquo;s critical role as a conduit linking various system components, understanding this aspect is particularly significant.
Video
Wappler: Sound Reachability Analysis for WebAssembly (Previous Talk)
</description>
    </item>
    <item>
      <title>Radical Software: Women, Art &amp;amp; Computing 1960–1991</title>
      <link>https://cysec.wien/news/2025-02-28_symposium_radical_software/</link>
      <description>The symposium &amp;ldquo;Radical Software: Women, Art &amp;amp; Computing 1960–1991&amp;rdquo; is organized by TU Wien Informatics, Kunsthalle Wien, and the Wolfgang Pauli Institute (WPI) as part of an exhibition examining the history of digital art through a feminist lens. Keynote speeches and panel discussions will underscore and delve into the pivotal roles women have played in advancing computer technology and digital art. The event is supported by: Austrian Science Fund (FWF), Let’s empower Austria (LeA), Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design (SPyCoDe).
Location: TU Wien, Prechtl-Saal (AAEG18) Date/Time: 2025-02-28 09:00 &amp;#x2012; 17:15 Registration: Participation in the event is free of charge, but registration is required.
Program
09:00–09:30	- Opening, registration, and coffee
09:30–10:00	- Welcome Address by Michelle Cotton (Artistic Director, KHW), the Rectorate of TU Wien, and Laura Kovács (TU Wien Informatics &amp;amp; WPI)
10:00–10:30	- Keynote by Margit Rosen (KHW)
10:30–11:30	- Session 1: “Zeros and Ones, Computing before Microprocessing” by Ina Wagner (TU Wien), Zsofi Valyi-Nagy (KHW)
11:30–12:00	- Q&amp;amp;A moderated by Philipp Steger (TU Wien)
12:00–13:15	- Lunch break
13:15–13:45	- Keynote by Gerti Kappel (Dean, TU Wien Informatics)
13:45–15:15	- Session 2 by Anne-Mie Van Kerckhoven (KHW), Nadia Thalmann (MIRALab, University of Geneva), Tamiko Thiel (KHW)
15:15–15:45	- Q&amp;amp;A moderated by Tamiko Thiel (KHW)
15:45–16:15	- Coffee break
16:15–17:15	- Closing Remarks chaired by Michelle Cotton with Gudrun Bielz, Inge Borchardt, Anna Bella Geiger, Dominique Gonzalez-Foerster, Liliane Lijn, Sylvia Roubaud, Ruth Schnell, Nina Sobell, Tamiko Thiel, Anne-Mie Van Kerckhoven
From 17:15 - Drinks and Exchange with speakers, panelists, and guests
© Amélie Chapalain
</description>
    </item>
    <item>
      <title>Algebraic Aspects in the Design and Cryptanalysis of Modern Symmetric Cryptography</title>
      <link>https://cysec.wien/news/2025-01-28_alpsy_2025/</link>
      <description>The research workshop &amp;ldquo;Algebraic Aspects in the Design and Cryptanalysis of Modern Symmetric Cryptography&amp;rdquo; (ALPSY) is designed to provide a platform for joint scientific discussions, initiate research collaborations, and showcase and explore research findings and challenges within the field.
At ALPSY 2025, which took place from January 25 to 29, 2025, at the Obergurgl Center of the University of Innsbruck, two presentations were given by CySec members.
Stefano Trevisani&amp;rsquo;s presentation, titled &amp;ldquo;Flexible Modes for Arithmetization-Oriented Compression Functions: Verifiable Computation and ZK-SNARKs,&amp;rdquo; delved into the complex relationship between hash functions and ZK-SNARKs, with a focus on arithmetization-oriented hash functions and compositional paradigms. He introduced two new families of modes, PGV-ELC and ELC-P, which are designed to enhance the flexibility and security of cryptographic systems. The presentation highlighted the security features of these modes, particularly their indifferentiability, a crucial attribute for the robustness of cryptographic schemes. Trevisani provided a detailed comparison of the security aspects of these modes, along with benchmarking results from Groth16 and Plonky2 to evaluate their performance under real-world conditions. Additionally, the discussion on Merkle Tree arity benchmarks showcased the efficiency of these modes in various configurations and their alignment with targeted design strategies in cryptography.
Presentation
Marek Sefranek delivered a comprehensive presentation on hash functions within the context of PIOP-based SNARKs, emphasizing their role in zero-knowledge proofs and zk-SNARKs. These technologies enable proving truths such as age verification or GDPR compliance without revealing underlying data, thus enhancing privacy and security across systems like blockchains and anonymous cryptocurrencies like Zcash. His discussion highlighted the applications of zero-knowledge proofs in enforcing protocols in multi-party computations, verifiable computation, and establishing trust in decentralized systems. Sefranek also explored the broader SNARK landscape, including recursive SNARKs and Polynomial Interactive Oracle Proofs (PIOPs), discussing their integration into cryptographic systems.
Sefranek also raised several open questions that continue to challenge the field, such as proving the security of the Fiat-Shamir transformation outside the Random Oracle Model (ROM) and identifying the necessary properties of hash functions that go beyond collision resistance and pseudorandomness to achieve correlation intractability. These questions underscore the ongoing need for theoretical and practical advancements in constructing hash functions that can meet the stringent requirements of advanced cryptographic systems.
Presentation
</description>
    </item>
    <item>
      <title>Vienna Innovation Conference</title>
      <link>https://cysec.wien/news/2025-01-30_vienna_inn_conf_2025/</link>
      <description>The 10th Vienna Innovation Conference will address key challenges and opportunities in Vienna&amp;rsquo;s role as an economic and innovation hub. Discussions will focus on how to enhance competitiveness, leverage new technologies like quantum computing and AI, and efficiently use resources to drive economic growth and environmental sustainability. The conference will also explore strategies for navigating the energy transition and labor market challenges, building on the WIEN 2030 innovation strategy. Key topics include healthcare prevention, cyber-security, and the economic potential of the evolving food sector.
Martina Lindorfer, a CySec Faculty member, Associate Professor at TU Wien, and Key Researcher at SBA Research, will participate in the panel &amp;ldquo;@Risk: Are Our Data Safe?&amp;rdquo; The discussion will explore the evolution of data security, the impact of artificial intelligence, and Vienna&amp;rsquo;s standing in the global cybersecurity landscape. Other panelists include Joe Pichlmayr (IKARUS and CSA CyberSecurityAustria), Ronke Babajide (Fortinet), Silvie Schmidt (FH Campus Wien), Stephanie Jakoubi (SBA Research), and Dominik Meisinger (brutkasten).
</description>
    </item>
    <item>
      <title>CySec gets one more ERC grant</title>
      <link>https://cysec.wien/news/2025-01-23_erc_kovacs/</link>
      <description>Prof. Laura Kovacs has been awarded a Proof of Concept Grant from the European Research Council (ERC) for the development of LEARN — an interface designed to streamline the use and application of existing logic tools within the software industry. These tools go beyond mathematical assertions to include comprehensive software analysis, ensuring error-free operation and consistent delivery of correct outcomes under all logical conditions.
ERC grants are among the most prestigious in the European research landscape, and receiving one is a significant honor that recognizes exceptional scientific achievements. Laura Kovacs exemplifies this with her receipt of four ERC grants: an ERC Starting Grant in 2014, her first Proof of Concept Grant, an ERC Consolidator Grant in 2020, and now, another Proof of Concept Grant. These grants are specifically aimed at translating the scientific results of successfully completed ERC projects into practical applications, such as developing commercially viable products.
LEARN is designed to significantly reduce costs associated with rectifying software update errors. It enables software developers to master logical modeling through an intuitive, interactive interface while also generating autonomous proof strategies that ensure system security. Laura Kovacs&amp;rsquo; team, which has previously developed software tools for these purposes, is now ready to move to the next phase of the project: crafting LEARN. This interface will facilitate easy access to sophisticated methods, making them straightforward to learn and implement.
The grant provides €150,000 over 1.5 years and positions LEARN for industrial use. Major companies like Amazon, Certora, and Microsoft are lined up as early adopters. Additionally, the tool will enhance academic learning, allowing hundreds of students at TU Wien to improve their skills in logic and software analysis.
Also read: TUW Informatics announcement
</description>
    </item>
    <item>
      <title>Erwin Schrödinger Fellowship</title>
      <link>https://cysec.wien/news/2024-12-24_erwin_schr%C3%B6dinger_program_tairi/</link>
      <description>The Erwin Schrödinger program is designed to support highly qualified early-stage postdoctoral researchers from all disciplines by offering them the chance to advance their careers through stays at top international research institutions. The program not only facilitates these career-enhancing opportunities but also supports the participants upon their return to Austria. Its primary goals are to foster independent research projects, enhance international experience, and introduce new research methods and approaches. Ultimately, the program aims to enrich the Austrian research landscape through significant knowledge transfer and to bolster the global experience of its researchers.
Erkan Tairi completed his Ph.D. in 2024 at the Security &amp;amp; Privacy Research Unit of TU Wien under the supervision of Matteo Maffei and Daniel Slamanig. His thesis, &amp;ldquo;Foundations of Adaptor Signatures for Distributed Ledger Protocols,&amp;rdquo; explores cryptographic protocols to boost scalability and interoperability across cryptocurrencies like Bitcoin and Ethereum, focusing on payment channels and atomic swaps using adaptor signatures. Despite their reliance on proven cryptographic principles, these protocols are not secure against quantum threats and lack modular security analysis. Erkan&amp;rsquo;s research introduces a post-quantum adaptor signature scheme, establishes its security in a quantum setting, and integrates it into a modular framework for enhanced security. He also developed LedgerLocks, a system for creating secure blockchain applications, demonstrating its effectiveness in securing payment channels and privacy-preserving hubs.
Erkan has been awarded the Erwin Schrödinger Fellowship by the FWF and will pursue postdoctoral research, focusing on advanced public-key encryption using lattice-based cryptography for cloud computing and other areas vulnerable to quantum computing. His project aims to develop encryption schemes that support privacy-preserving computations and provide fine-grained data access, enhancing post-quantum security. He will explore new lattice-based functional encryption schemes and evaluate the limits of current assumptions and techniques, creating new models to address these challenges. The project includes two years at UC Berkeley hosted by Prof. Sanjam Garg and a subsequent year at IST Austria with Prof. Krzysztof Pietrzak.
</description>
    </item>
    <item>
      <title>Annual Computer Security Applications Conference (ACSAC)</title>
      <link>https://cysec.wien/news/2024-12-09_acsac_2024/</link>
      <description>The Annual Computer Security Applications Conference (ACSAC) serves as a platform for leading researchers, practitioners, and security professionals from academia, industry, and government to present and discuss the latest advancements in cybersecurity. With its peer-reviewed technical papers, invited talks, panels, national interest discussions, and workshops, ACSAC remains committed to its mission of exploring practical solutions for computer and network security technologies. Since 2017, ACSAC has actively promoted the publication of software and data artifacts associated with academic research papers presented at the conference. This initiative underscores the importance of publishing artifacts to enhance research reproducibility and support the real-world adoption of innovative and reliable security solutions. To further this goal, ACSAC launched the Artifacts Competition in 2022, encouraging submissions of cybersecurity artifacts previously published in peer-reviewed venues across academia and industry.
Martina Lindorfer has achieved a significant milestone by being named a Senior Fellow at the Applied Computer Security Associates (ACSA). This prestigious recognition follows her outstanding contributions, including two years as Program Committee Chair and two prior years as Artifact Evaluation Chair.
During the Opening Remarks at ACSAC 2024, the ACSAC Program Chairs emphasized the extensive effort involved in organizing the conference. The event attracted a record number of 381 submissions, which were reviewed in two rounds by 171 Program Committee Members. Ultimately, 83 submissions were accepted, reflecting an acceptance rate of 21.8%.
Since security research is often criticized for the poor reproducibility of its results, the Program Chairs introduced Reproduction and Replication (R&#43;R) Papers this year. This track solicited studies that confirm, question, or clarify the results of previous research. Authors followed this call and out of 50 submissions in this track, 7 papers made it into the final program. This new track further strengthens ACSAC&amp;rsquo;s commitment to reproducibility since the introduction of the Artifact Evaluation in 2017 as the first security conference to do so.
Artifact Evaluation is a crucial part of the review process, ensuring that published papers are supported by high-quality artifacts, such as software, hardware, and datasets, which can be reused and built upon by others. Reviewers play a central role in this effort by assessing artifacts for their consistency with the paper, completeness, quality of documentation, and ease of reuse for future research. Beyond evaluation, reviewers collaborate closely with authors to refine artifacts that may not initially meet the required standards. Through actionable and interactive feedback, they guide authors in revising their work to align with the necessary criteria, fostering a process of continuous improvement and ensuring high-quality outcomes. This year, Carlotta Tagliaro, a PreDoc Researcher in the Security and Privacy Research Unit, made significant contributions as an Artifact Reviewer. In recognition of her exceptional efforts, she was honored with the Distinguished Artifact Reviewer Award at ACSAC 2024.
The Artifacts Competition is another significant initiative by ACSA, designed to recognize exceptional cybersecurity artifacts that have made a meaningful and lasting impact on the security and privacy research communities. Daniel Arp, as part of an international team of researchers, has been named a finalist in the competition for TESSERACT. TESSERACT is an open-source framework designed to provide unbiased, realistic, and time-aware evaluations of machine learning-based malware classification. Originally introduced alongside a research paper published at the USENIX Security Symposium 2019, the framework showcased methods to eliminate experimental bias in malware classification research.
Since its release, TESSERACT has been widely recognized, featured in keynotes and seminars, and adopted by academics and practitioners globally. It has played a pivotal role in shaping research questions and advancing experimental designs in ML-based malware detection, amassing 415 Google Scholar citations as of September 2024.
</description>
    </item>
    <item>
      <title>New DC on Automated Reasoning</title>
      <link>https://cysec.wien/news/2024-12-09_ar_dc_founded/</link>
      <description>The new Doctoral College &amp;ldquo;Automated Reasoning,&amp;rdquo; funded with nearly €2.5 million by the Austrian Science Fund (FWF), is set to offer thirteen PhD positions. Led by Professor Georg Weissenbacher, the college represents a collaborative effort among the Research Units of Cyber-Physical Systems, Formal Methods in Systems Engineering, Machine Learning, Security and Privacy, and Software Engineering at TU Wien Informatics.
Security and Machine Learning have a massive societal impact: the safety of self-driving cars and the accuracy of judicial or medical decisions made by artificial intelligence hinge on the reliability of the underlying software and algorithms.
How can we safeguard electronic systems against catastrophic malfunctions? Automated reasoning and formal verification are increasingly deployed as a countermeasure to these threats. Automated reasoners nowadays routinely perform millions of security checks in cloud computing, analyze millions of lines of code, and are increasingly used to ensure the robustness and fairness of neural networks. These advances are driven by foundational research as well as applications, within a remarkably close collaboration of industrial research labs and academia.
Consequently, there is a large demand for experts in these fields. The solution to this shortage lies in the education of future leaders at the intersection of security and machine learning with a strong background in automated reasoning.
The doctoral program on Automated Reasoning is designed to educate these experts. On a scientific level, it targets foundational questions such as rigorously defining the notion of safety and security across domains and applications, developing automated techniques and analyses to ensure the safety and security of electronic systems, and exploring synergies between the fields of security and artificial intelligence. The scientific excellence of the program is warranted by a faculty of seven outstanding researchers (and recipients of competitive awards) with close ties to industry.
Doctoral students receive solid foundations spanning several of the sub-disciplines that make up the program (through area courses). The interdisciplinarity of their research is ensured via close co-supervision by faculty members with complementary expertise and frequent exchange and collaboration with their colleagues (in retreats, seminars, and social events). Moreover, the program provides the opportunity of international secondments or internships with our research partners in industry and academia, exposing the students to novel ideas, different working cultures, and opening up new career perspectives. Throughout the program, students are offered mentoring and support for career planning, and workshops on innovation and entrepreneurship. Moreover, a strong focus on ethics early in the program prepares the students for difficult ethical questions they are going to face in their careers.
The new Doctoral College has seven Principal Investigators (PIs):
Ezio Bartocci, Professor of Cyber-Physical Systems
Maria Christakis, Professor and Head of the Research Unit Software Engineering
Katalin Fazekas, Assistant Professor of Formal Methods in Systems Engineering
Thomas Gärtner, Professor and Head of the Research Unit Machine Learning
Laura Kovacs, Professor and Head of the Research Unit Formal Methods in Systems Engineering
Matteo Maffei, Professor and Head of the Research Unit Security and Privacy </description>
    </item>
    <item>
      <title>TU Wien Informatics Awards 2024</title>
      <link>https://cysec.wien/news/2024-12-02_informatics_award_2024/</link>
<description>The TU Wien Informatics Awards recognize the most outstanding students from the faculty across all academic levels - Bachelor’s, Master’s, and Doctoral - and various research areas. This accolade highlights exceptional achievements and academic excellence within the TU Wien community, spotlighting the diverse and innovative work being conducted by its students. As an annual acknowledgment of the high standards of scholarship and research at the university, the awards serve as a platform to showcase the cutting-edge projects and theses that are shaping the future of informatics.
This year, the Best Dissertation Award at TU Wien Informatics was presented to Lukas Aumayr for his thesis titled “Foundations of Bitcoin-Compatible Scalability Protocols,” supervised by Matteo Maffei, Professor and Head of the Research Unit Security and Privacy. Andreas Steininger, Director of the Doctoral School, emphasized the rigorous selection process and the significant contributions to the scientific community made by all nominated theses. Six students were nominated for the Best Dissertation Award; however, Lukas Aumayr’s dissertation particularly stood out.
Lukas Aumayr’s work addresses scalability issues in permissionless blockchains, which enable decentralized money transfers among mutually untrusted users. The thesis evaluates existing Payment Channel Networks (PCN) protocols across security, privacy, efficiency, and functionality, highlighting their limitations. It introduces novel Bitcoin-compatible protocols such as Sleepy Channels for offline security, Blitz for faster multi-channel payments, and Thora for secure non-linear updates, among others. These novel protocols leverage Bitcoin’s scripting limitations to ensure broad compatibility with various cryptocurrencies, thereby enhancing scalability and broadening blockchain applications.
Ivana Bocevska, currently a bachelor’s student at our faculty, was honored with the Siemens Award of Excellence for her outstanding achievements as she begins her master’s studies under the supervision of Prof. Laura Kovács. Sponsored by Siemens AG Österreich and endowed with €1,000, the Siemens Award of Excellence is granted annually by the faculty to celebrate top-performing female students at both the bachelor’s and master’s levels.
© Amélie Chapalain
</description>
    </item>
    <item>
      <title>Automating Game Reasoning in Blockchain Security</title>
      <link>https://cysec.wien/news/2024-11-25_lecture_kovacs/</link>
      <description>Talk by Laura Kovacs
Date/Time: 2024-11-25 17:00 &amp;#x2012; 18:00 Abstract: We advocate a game-theoretic approach for the security analysis of blockchain protocols. Doing so, we model protocols as games to precisely capture security properties and apply automated reasoning techniques to determine whether a game-theoretic protocol model is game-theoretically secure. Security analysis becomes a satisfiability checking problem in first-order real arithmetic, which we solve within our CheckMate verifier. Our method has been successfully applied to decentralized protocols, board games, and game-theoretic examples.
This is a joint work with Ivana Bocevska, Lea Brugger, Anja Petkovic Komel, Sophie Rain and Michael Rawson.
The talk is a part of the seminar series &amp;ldquo;Women in Logic Online&amp;rdquo;. Video
Bio: Laura Kovács is a full professor of computer science at the TU Wien, leading the automated program reasoning (APRe) group of the Formal Methods in Systems Engineering division. Her research focuses on the design and development of new theories, technologies, and tools for program analysis, with a particular focus on automated assertion generation, symbolic summation, computer algebra, and automated theorem proving. She is the co-developer of the Vampire theorem prover and a Wallenberg Academy Fellow of Sweden. Her research has also been awarded with an ERC Starting Grant 2014, an ERC Proof of Concept Grant 2018, an ERC Consolidator Grant 2020, and two Amazon Research Awards (2020 and 2023). Recently, she received financial support from LEA Frauenfonds to disseminate unplugged computer science to elementary schools, while organizing computer science workshops with school children at the TU Wien.
</description>
    </item>
    <item>
      <title>European Symposium on Security and Artificial Intelligence</title>
      <link>https://cysec.wien/news/2024-11-20_essai_2024/</link>
      <description>The European Symposium on Security and AI (ESSAI) was held for the first time during the European Cyber Week (ECW) on November 20 and 21, 2024. This event focuses on the security of artificial intelligence systems, covering topics such as data integrity and privacy, the use of artificial intelligence to enhance cybersecurity, and the malicious use of generative artificial intelligence. Speakers at the event presented work that has been recognized at leading conferences in artificial intelligence and security.
Daniel Arp presented his work titled &amp;ldquo;Dos and Don&amp;rsquo;ts of Machine Learning in Computer Security,&amp;rdquo; which was previously featured at the USENIX Security Symposium 2022. Alongside his co-authors, Arp delves into the critical intersection of machine learning and computer security. As computing systems grow more powerful and massive datasets become increasingly accessible, machine learning algorithms have catalyzed significant breakthroughs across various fields. These developments have significantly impacted computer security, leading to innovative work on learning-based systems for malware detection, vulnerability discovery, and binary code analysis.
However, despite their potential, these learning-based security systems are susceptible to subtle pitfalls that can severely impair their performance and make them unreliable for security tasks and practical deployment. In his paper, Arp critically examines these issues. He identifies common design, implementation, and evaluation pitfalls in learning-based security systems by reviewing 30 papers from top-tier security conferences over the past decade. His study confirms that such pitfalls are prevalent in current security research.
Through empirical analysis, Arp demonstrates how these pitfalls can skew results, leading to unrealistic performance assessments and misinterpretations that obscure the true nature of security challenges. To combat these issues, he offers actionable recommendations to help researchers avoid or mitigate these pitfalls and highlights unresolved problems in applying machine learning to security. Arp&amp;rsquo;s presentation also outlines directions for future research, aiming to refine the application of machine learning in enhancing computer security.
</description>
    </item>
    <item>
      <title>Idealized Models in Cryptography: What, Why, and Where to Now?</title>
      <link>https://cysec.wien/news/2024-11-26_lecture_oneill/</link>
      <description>Talk by Adam O&amp;rsquo;Neill
Location: TU Wien, FAV Hörsaal 2 (Favoritenstraße 9-11, Erdgeschoß) (HEEG03) Date/Time: 2024-11-26 15:00 &amp;#x2012; 16:00 Abstract: Provable security is the science of building cryptographic protocols out of building blocks in a sound way. Namely, one proves the only way to break a protocol is to break one of the building blocks. But does every secure protocol have such a proof? What if we can&amp;rsquo;t find one? This talk will introduce the concept of &amp;ldquo;idealized models,&amp;rdquo; which are artificial models of computation created by cryptographers to address this issue. We will describe what idealized models are and why they are used. Then, we will describe our on-going line of research aimed at better analyses in such models, as well as ultimately transitioning the proofs to do without idealized models. This gives greater assurance in the security of many widely used cryptographic protocols. The talk will be high-level and not assume previous knowledge of cryptography.
Bio: Adam O&amp;rsquo;Neill is an Assistant Professor in the Manning College of Information and Computer Sciences at the University of Massachusetts, Amherst. Previously, he was an Assistant Professor of Computer Science at Georgetown University. He received his Ph.D. in Computer Science at the Georgia Institute of Technology and held postdoctoral appointments at the University of Texas at Austin and Boston University. Recently, he received the CRYPTO 2022 Test-of-Time Award.
</description>
    </item>
    <item>
      <title>FinTechWeek Vienna 2024</title>
      <link>https://cysec.wien/news/2024-11-18_fintech_week_maffei/</link>
      <description>FinTechWeek Vienna stands as an essential communication hub, designed to bridge the gap between innovative FinTech startups, established banking institutions, and regulatory bodies. This collaboration is dedicated to fostering a deep, mutual understanding across sectors. Each year, FinTechWeek features a rich variety of engaging events, from high-caliber panel discussions to insightful presentations and compelling keynote speeches. The program covers a broad spectrum of topics, including financial literacy, the future of payments, cybersecurity updates, and the latest developments in FinTech, PropTech, blockchain, and securities. The 2024 opening session, themed &amp;lsquo;Cybersecurity in the Age of AI,&amp;rsquo; highlighted Prof. Matteo Maffei as a keynote speaker, emphasizing his expertise in addressing critical issues within the industry.
In his presentation &amp;ldquo;Cybersecurity and AI: The Good, the Bad, and the Ugly,&amp;rdquo; Prof. Maffei discussed the interaction between AI and cybersecurity, pointing out both its strengths and weaknesses. He referenced ongoing research under CySec, explaining how machine learning is applied in cybersecurity and highlighted key challenges such as sampling bias, inaccuracies in labeling, and data snooping which introduce hidden biases. Maffei explained that these issues could lead to models forming false connections and biases if influenced by the test data. He also noted the lack of robust baseline methods and appropriate measures for evaluating systems in scenarios with imbalanced data or where low false-positive rates are critical. He mentioned that often, the real-world use and possible security risks are not fully considered when these systems are evaluated, which can leave them open to vulnerabilities.
Maffei emphasized the urgent need for thorough and realistic development and evaluation methods, which are key focuses of CySec&amp;rsquo;s team&amp;rsquo;s current and future research. Their work includes advancing blockchain technologies, creating smart contract verifiers, theorem provers, and enhancing web and mobile security. Collaboration with the industry, comprehensive training for the new generation, and outreach initiatives that reach everyone from children to the youth demonstrate their commitment to widespread and significant impact.
</description>
    </item>
    <item>
      <title>8th Annual Conference on Robot Learning</title>
      <link>https://cysec.wien/news/2024-11-08_corl_2024/</link>
      <description>The Conference on Robot Learning (CoRL) is a scientific conference dedicated to sharing and exploring cutting-edge research and innovation at the intersection of robotics and machine learning. The conference attracts a global audience of researchers, practitioners, and industry experts who are eager to present their findings, discuss challenges, and shape the future of robot learning.
At CoRL 2024, held from November 6 to 9, 2024, in Munich, Germany, Thies Oelerich introduced &amp;ldquo;Language-guided Manipulator Motion Planning with Bounded Task Space,&amp;rdquo; co-authored with Christian Hartl-Nesic and Andreas Kugi. Their work advocates for the use of language-based robot control, a method that leverages large language models (LLMs) to interpret environmental contexts for robot manipulator guidance. Despite the versatility of LLMs, safety and performance issues often arise, typically manifesting as jerky robot movements. To address this, the team developed a novel modular framework for zero-shot motion planning in manipulation tasks, which does not rely on motion-planning-specific training. This framework integrates an LLM with a vision model to generate Python code that collaborates with a new path planner. This planner constructs a piecewise linear reference path with safety bounds, ensuring secure navigation. Additionally, an optimization-based planner within the BoundMPC framework executes optimal, safe, and collision-free trajectories along this path. The effectiveness of this innovative approach is demonstrated through various everyday manipulation tasks in both simulated and experimental settings.
Poster, Video
</description>
    </item>
    <item>
      <title>Meeting with US Embassy Representatives</title>
      <link>https://cysec.wien/news/2024-11-14_meeting_usa_dcio/</link>
      <description>CySec hosted a productive and engaging meeting between young scientists from TU Wien and affiliated initiatives and representatives from the US Embassy in Vienna. The event focused on advancements in cybersecurity, digital innovation, and diversity in technology, bringing together experts to exchange ideas, showcase initiatives, and foster international collaboration.
Marco Squarcina, Senior Scientist at TU Wien, opened the session by presenting the university’s cutting-edge research in cybersecurity. He introduced the &amp;ldquo;Shecurity&amp;rdquo; initiative, a program designed to empower women in technology and promote gender diversity in the cybersecurity field.
Following this, Carrie Cowan, Head of the Digital Innovation School at the Complexity Science Hub Vienna (CSH), provided an insightful overview of CSH&amp;rsquo;s activities, emphasizing their contributions to digital transformation and innovation.
Markus Schweiger, Head of the International Office at TU Wien, introduced key representatives from the US Embassy, including Deputy Chief Information Officer (DCIO) for Enterprise Services Laura Williams, DT Information Management Chief Christina Bergen, and DT Customer Engagement Chief Susan Danewitz. Schweiger invited them to share their experiences as women in the tech field, offering valuable perspectives on overcoming challenges and seizing opportunities in the industry.
Laura Williams, a career member of the Senior Foreign Service, captivated the audience with her extensive experience managing global information technology platforms that keep US diplomats connected worldwide. Throughout her career, she has safeguarded sensitive data, advocated for innovative knowledge management practices, and harnessed cutting-edge technologies to advance public diplomacy.
© Marco Squarcina
The meeting concluded with a dynamic Q&amp;amp;A session, where attendees posed insightful questions to the panelists. Discussions spanned topics such as navigating global cybersecurity challenges, offering career advice for aspiring professionals in the U.S. cybersecurity field, examining the impact of politics on cybersecurity roles, and exploring the evolving influence of artificial intelligence as both a threat and a defense mechanism. Panelists also shared reflections on their most challenging experiences and outlined future goals for addressing pressing cybersecurity issues.
The thoughtful responses and open dialogue underscored the importance of collaboration and mutual learning in tackling global challenges in cybersecurity and innovation.
This meeting highlighted TU Wien’s commitment to fostering international partnerships and addressing critical issues at the intersection of technology, diversity, and innovation. It provided a platform for meaningful dialogue, offering inspiration and practical insights for the next generation of cybersecurity professionals.
© Marco Squarcina
</description>
    </item>
    <item>
      <title>19th International Conference on Integrated Formal Methods</title>
      <link>https://cysec.wien/news/2024-11-13_ifm_kovacs_2024/</link>
      <description>The International Conference on Integrated Formal Methods (iFM) is a premier academic event focused on exploring topics such as model checking, theorem proving, and formal verification. It aims to develop new techniques that integrate multiple formal methods and bridge the gap between theory and practical application. iFM significantly impacts fields like software engineering, system design, security, and verification by addressing the complexities of modern systems and enhancing system verification and design processes. This approach promotes safer, more reliable, and efficient computational systems.
Prof. Laura Kovács, a prominent member of the CySec Faculty and Head of the Formal Methods in Systems Engineering Research Unit (FORSYTE), served as the PC Chair at iFM 2024. Alongside her, Daniela Kaufmann, a research fellow in the Automated Program Reasoning (APRe) group, played a significant role as a Program Committee member and co-chair of Artifact Evaluation. Thomas Hader, a PreDoc Researcher at FORSYTE and a student at DC SecInt, contributed as a member of the Artifact Evaluation Program Committee.
The conference, renowned for its extensive program, featured keynote speeches from industry leaders, peer-reviewed academic papers, and insightful discussions. This diverse format provided a dynamic platform that significantly enhanced networking opportunities and fostered collaboration among attendees from various disciplines, enriching both the academic and professional experiences of all participants. The contributions of the FORSYTE group, led by Prof. Kovács, underscored the event&amp;rsquo;s emphasis on cutting-edge research in formal methods in systems engineering.
</description>
    </item>
    <item>
      <title>Keynote at KTH Royal Institute of Technology</title>
      <link>https://cysec.wien/news/2025-11-09_kth_keynote_maffei/</link>
      <description>Prof. Matteo Maffei delivered a lecture titled “Verification of Global Safety Properties in Deep Neural Networks with Confidence” at the Center for Cyber Defence and Information Security (CDIS).
Prof. Matteo Maffei’s keynote addressed how to make modern AI systems trustworthy when they are deployed in safety- and security-critical domains such as autonomous driving, finance, and cyber-physical systems. He showed that widely used notions like robustness and fairness can be expressed as global 2-safety properties, which relate pairs of neural network executions rather than individual inputs. The talk introduced a confidence-aware notion of global robustness, where only high-confidence classifications must remain stable under small input perturbations, and proposed a verification approach based on self-composition and a piecewise-linear abstraction of the softmax function. This allows these rich properties to be checked using existing neural network verification tools such as Marabou. Experimental results on standard robustness benchmarks and fairness-sensitive datasets (e.g. German Credit, COMPAS) demonstrate that the method can certify meaningful confidence thresholds and explore trade-offs between accuracy, robustness, and fairness. Prof. Maffei concluded with an outlook on scaling the technique to larger models and integrating it into the broader TU Wien Cybersecurity Center agenda on trustworthy AI.
Reference: Presentation
</description>
    </item>
    <item>
      <title>CSAW Competition 2024</title>
      <link>https://cysec.wien/news/2024-11-08_csaw_2024/</link>
      <description>CSAW, established in 2003 and now the world&amp;rsquo;s most comprehensive student-run cybersecurity event, is celebrating its 21st year. It offers a robust platform for experiential learning and aims to motivate students to engage with and build careers in cybersecurity. Hosted by five global academic centers, CSAW presents a series of evolving cyber competitions designed to adapt to the rapidly changing threat landscape influenced by advancements in technologies like additive manufacturing, machine learning, and cloud-based AI. As the largest event of its kind, CSAW attracts the brightest minds from high school to doctoral levels, challenging them with diverse cybersecurity tasks and contributing significantly to the development of awareness, proficiency, and innovation in the cybersecurity field. CSAW&#39;24 marks the 8th anniversary of CSAW Europe organized by Grenoble INP - Esisar in Valence, France.
Lea Salome Brugger, a former master&amp;rsquo;s student at TU Wien and now a PhD student at ETH Zürich, won 3rd place at the CSAW Applied Research Competition in cybersecurity. She presented the paper &amp;ldquo;CheckMate: Automated Game-Theoretic Security Reasoning,&amp;rdquo; co-authored with Laura Kovács, Anja Petković Komel, Sophie Rain, and Michael Rawson. CheckMate is an innovative framework designed to fully automate the analysis of game-theoretic security, particularly for blockchain technologies. It examines security protocols by modeling them as games to ensure incentive compatibility and resistance to Byzantine faults. This system not only suggests defensive strategies to secure protocols but also identifies potential vulnerabilities. In cases where protocols are not initially secure, CheckMate can determine the conditions needed to achieve security. It employs a rigorous method of game-theoretic security encoding in first-order linear real arithmetic, simplifying complex security analysis into solvable problems. Additionally, CheckMate efficiently manages the division of cases based on arithmetic terms. Testing has shown that CheckMate can scale up to handle extremely complex games, analyzing trillions of strategies, including those used in Bitcoin’s Lightning Network.
Earlier this year, Sophie Rain received the Best Presentation Award at LPAR-25 (Logic for Programming, Artificial Intelligence, and Reasoning conference) for advanced work in scaling CheckMate.
</description>
    </item>
    <item>
      <title>Digital Competencies - Algorithms, AI &amp;amp; Ethics</title>
      <link>https://cysec.wien/news/2024-11-11_lecture_vienna_kovacs/</link>
      <description>On November 11th and 13th, 2024, the Directorate-General of the Vienna Health Network (Wiener Gesundheitsverbund) hosted a compelling lecture series titled “Digitale Kompetenzen - Algorithmen, KI &amp;amp; Ethik.” The series explored how artificial intelligence and algorithms are transforming professional life in the healthcare sector and public administration, providing valuable insights into their applications and ethical considerations.
Laura Kovács joined a panel of top-class experts from TUW and the Medical University of Vienna, delivering an insightful talk on Computational Thinking. She reflected on the relation between computational thinking and automated reasoning and described use cases of computational thinking in real world applications (event planning, puzzle solving, software safety and cybersecurity). Her presentation emphasized the limitations of AI systems and the importance of having computational thinking integrated in school education.
</description>
    </item>
    <item>
      <title>OSCE CBM 14 Event on Cyber/ICT Security Confidence-Building Measures</title>
      <link>https://cysec.wien/news/2024-11-04_osce_talk_squarcina/</link>
      <description>Confidence and security-building measures (CBMs or CSBMs) — aimed at reducing the fear of attack among parties in a conflict situation — have been a fundamental part of arms control under the auspices of the Organization for Security and Cooperation in Europe (OSCE) since the early 1970s. Today, cybersecurity and resilience are key components of these measures, with the OSCE recognizing cooperation and information exchange between businesses, the scientific community, and public administrations as crucial factors. Austria, along with Belgium, Estonia, Italy, Sweden, and Finland, has co-adopted CBM 14 and initiated a series of events that highlight the pivotal role of public-private partnerships (PPP) in Austria’s national cyber strategy and ecosystem. Representatives from competent authorities and the private sector will share insights and discuss practical applications of these strategies. The inaugural event took place on November 4, 2024, in Vienna. Marco Squarcina delivered a key presentation on the challenges and ongoing activities conducted by him and other members of the Cybersecurity Center at TU Wien, along with our partners.
Marco Squarcina&amp;rsquo;s presentation offers a comprehensive overview of his extensive involvement in cybersecurity, highlighting his role as a Senior Scientist at TU Wien and his pivotal contributions to various cybersecurity initiatives and competitions. Marco co-organizes the Austria Cyber Security Challenge (ACSC), serves as a head coach for Team Austria, and actively supports the European Cybersecurity Challenge (ECSC). He also co-organizes the Shecurity initiative, aiming to foster inclusivity in cybersecurity.
In his presentation, Marco focuses on the ethical hacking landscape through the lens of Capture The Flag (CTF) competitions. He elaborates on these competitions where participants engage with vulnerable applications to uncover secret &amp;ldquo;flags,&amp;rdquo; simulating real-world cybersecurity threats across categories such as cryptography, web security, binary exploitation, and more.
Marco provides an in-depth look at the Austria Cyber Security Challenge, emphasizing its development as Austria&amp;rsquo;s foremost cybersecurity training initiative since its establishment in 2012. The ACSC has seen significant growth, attracting over 6,000 participants directly involved in the competitions, with more than 18,000 attempting the entry-level challenges. These challenges are designed to be accessible, providing a practical and engaging way to introduce cybersecurity to newcomers. Marco details the successes stemming from the ACSC, including the creation of six innovative startups by participants who were inspired and empowered through their engagement with the challenge. This entrepreneurial spirit is fostered by the realistic and immersive nature of the competition scenarios, which provide not only skills but also insights into potential cybersecurity business opportunities.
The media coverage of the ACSC has been substantial, with 681 reports highlighting the achievements and developments within the challenge, underscoring its importance as a national center of excellence in cybersecurity training. Marco points out that each year, the challenge culminates in the selection of new finalists who join the ranks of Team Austria, contributing fresh ideas and perspectives.
On the European stage, Marco speaks about the ECSC, spearheaded by Austria under ENISA&amp;rsquo;s guidance, designed to combat the shortage of skilled professionals in the field. He also introduces the openECSC, an inclusive event that extends beyond traditional constraints to invite global participation.
Internationally, Marco discusses the International Cyber Security Challenge (ICC), an ENISA initiative to broaden the reach of cybersecurity competitions worldwide. He proudly highlights Austria&amp;rsquo;s contributions to the ICC, including its role in training and mentoring upcoming cybersecurity talents through various international bootcamps.
Marco&amp;rsquo;s presentation not only underscores his leadership and expertise but also emphasizes the collaborative efforts across nations to strengthen global cybersecurity defenses.
</description>
    </item>
    <item>
      <title>Reproducible and Ethical Web Security Measurements</title>
      <link>https://cysec.wien/news/2024-11-15_lecture_stock/</link>
      <description>Talk by Ben Stock
Location: TU Wien, FAV Hörsaal 2 (Favoritenstraße 9-11, Erdgeschoß) (HEEG03)
Virtual location: https://tuwien.zoom.us/j/69604596408
Date/Time: 2024-11-15 09:00 &amp;#x2012; 10:00
Abstract: The Web is a great place to measure many things: client-side headers, JavaScript functionality, or insecure server-side code. In this talk, I will share insights into Web measurements from two angles: first, can we make Web measurement reproducible by design such that others can confirm or refute our findings? Second, where are the red lines when considering server-side security checks such as looking for SQL injections?
Bio: Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web and network security, with a recent focus in particular on (un)usability of security mechanisms. His group regularly publishes at all major security conferences and Ben serves on the PC and in chair roles for various security conferences. Beyond the focus on academic output, together with his students, he regularly aims to bridge the gap between scientists and practitioners through talks at non-academic conferences like OWASP AppSec or Ruhrsec.
</description>
    </item>
    <item>
      <title>Automated Reasoning for Reliable IT Systems</title>
      <link>https://cysec.wien/news/2025-10-22_wem_lecture_kovacs/</link>
      <description>The Wilhelm Exner Medaillen Stiftung is an Austrian foundation that awards the Wilhelm Exner Medal to outstanding scientists and innovators whose achievements have had a significant impact on the economy and society. Established by the Austrian Trade Association, the foundation promotes the link between science, research, and industry by recognizing excellence in applied scientific work. In connection with the medal, the foundation organizes the Exner Lectures, a distinguished lecture series that brings together leading international experts to present and discuss cutting-edge research and its societal and technological implications.
Laura Kovacs delivered one of the Exner Lectures 2025, dedicated to Sepp Hochreiter, a pioneering figure in artificial intelligence whose groundbreaking work has shaped the field. In her talk, “Automated Reasoning for Reliable IT Systems,” she examined the increasing reliance of everyday activities such as online banking, mobile communication, air traffic management, and prompt engineering on highly complex computer systems. As these systems continue to grow in scale and functionality, so do the risks of software errors and security vulnerabilities, underscoring the need for rigorous methods to ensure their reliability.
The lecture highlighted formal automated reasoning as a foundational area of AI and a key technological investment for ensuring system reliability and security. Kovacs presented recent advances in automated reasoning and demonstrated their applications in planning, code safety, and cybersecurity.
The research underpinning this work has been supported by major competitive funding, including an ERC Starting Grant (2020), a WWTF ICT Grant (2022), an Amazon Research Award (2023), and an ERC Proof of Concept Grant (2024).
In her interview, Laura also presents a practical and forward-looking approach centered on the certification of trustworthy AI systems. She points out that one of the main challenges is explaining AI hallucinations in language that is clear and accessible to non-technical audiences. To make this phenomenon more tangible, she and her team often use a simple game to illustrate how such errors can occur.
© Stefan Radel, Stephan Blahut
</description>
    </item>
    <item>
      <title>Space-efficient blockchains</title>
      <link>https://cysec.wien/news/2025-01-27_lecture_fuchsbauer/</link>
      <description>Talk by Georg Fuchsbauer
Virtual location: https://tuwien.zoom.us/j/63867281732?pwd=WEFYQ3pHdU1tK2JMSTlBSFlRWFpxZz09
Date/Time: 2025-01-27 17:00 &amp;#x2012; 18:00
Abstract: The move from “proof of work” to “proof of stake” has arguably overcome the problem of energy waste in blockchains. However, for public verifiability, most systems require all transactions to be stored forever, by every full node. In Bitcoin this data now amounts to over 600GB, while in Ethereum it is over 1TB. We will overview two approaches to space-efficient systems. “Mimblewimble” is a protocol where spent transactions can be erased from the blockchain while maintaining verifiability. “Mina” goes further and, using a heavy-weight cryptographic concept called zk-SNARK, reduces its blockchain size to 22kB, which will never grow.
Video
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria.
</description>
    </item>
    <item>
      <title>Dancing the Algorithm: How to Teach Children Computer Science</title>
      <link>https://cysec.wien/news/2024-10-19_der_standard_adventure_informatics/</link>
      <description>In the recent article “Tanzen im Algorithmus: Wie man Kindern Informatik beibringt” (“Dancing the Algorithm: How to Teach Children Computer Science”), Der Standard spotlights the pioneering work of Prof. Laura Kovacs and the eduLAB team at TU Wien in making computer science engaging and accessible for young learners — all without the use of computers.
The article features a visit to one of the hands-on, unplugged workshops held at TU Wien’s Faculty of Informatics. In these sessions, primary school children explore fundamental computer science concepts such as algorithms, logic, and problem-solving through interactive activities, movement, and games. These workshops are part of the Adventure Informatics initiative, led by Prof. Kovacs and developed by eduLAB.
“We want to show that you don’t need to code to understand computer science,” says Laura Kovacs in the article. “Even solving a Sudoku puzzle is informatics.” She emphasizes the importance of introducing digital literacy at the primary school level to nurture logical thinking and spark curiosity — especially among girls, who are still underrepresented in the field.
Supported by TU Wien, the Vienna Science and Technology Fund (WWTF), and the Let’s Empower Austria initiative, the program reaches around 3,000 schoolchildren annually. Workshop topics range from basic algorithmic thinking to an unplugged introduction to artificial intelligence — all designed to be inclusive, intuitive, and fun.
With growing demand, Kovacs and her team are working to expand the initiative and create dedicated workshop spaces. As Der Standard notes, the impact is already visible: many children leave the workshops inspired — and excited to return to TU Wien one day as university students.
© Amélie Chapalain
</description>
    </item>
    <item>
      <title>Towards a Secure and Privacy-Respecting Web</title>
      <link>https://cysec.wien/news/2024-12-20_lecture_kerschbaumer/</link>
      <description>Talk by Christoph Kerschbaumer
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstraße 9-11, Erdgeschoß) (HEEG02)
Date/Time: 2024-12-20 11:00 &amp;#x2012; 12:00
Abstract: The Hypertext Transfer Protocol, generally displayed as http in a browser's address bar, is the fundamental protocol through which web browsers and websites communicate. However, data transferred by the regular http protocol is unprotected and transferred in cleartext, such that attackers are able to view, steal, or even tamper with the transmitted data. Carrying http over the Transport Layer Security (TLS) protocol, generally displayed as https in the address bar of a browser, fixes this security shortcoming by creating a secure and encrypted connection between the browser and the website.
Over the past few years we have witnessed tremendous progress towards migrating the web to rely on https instead of the outdated and insecure http protocol. Within this talk we will highlight initiatives from browser vendors as well as community efforts to accelerate the migration from http to https and explore additional privacy mechanisms within a web browser which eventually will provide a browsing experience we want: secure and privacy-respecting!
Bio: Dr. Christoph Kerschbaumer has over two decades of experience in software engineering and computer security. His work ranges from designing secure systems with fail-safe defaults to fighting cross-site scripting to preventing man-in-the-middle attacks. Currently he is managing the Firefox Security Engineering team at Mozilla and is mentoring software engineers around the world to reach their full potential.
He received his PhD in Computer Science from the University of California, Irvine, where he focused his research on information flow tracking techniques within web browsers. Prior to being a graduate research scholar, he received a M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.
</description>
    </item>
    <item>
      <title>Sustainable Blockchains</title>
      <link>https://cysec.wien/news/2024-11-25_lecture_pietrzak/</link>
      <description>Talk by Krzysztof Pietrzak
Date/Time: 2024-11-25 17:00 &amp;#x2012; 18:00 Zoom
Abstract: The Bitcoin blockchain achieves consensus in an open setting, i.e., where everyone can participate. This was believed to be impossible; the key idea that made it possible was to use computing power rather than some kind of identities for voting, through “proofs of work”. Unfortunately, this approach is not sustainable: the Bitcoin blockchain burns roughly as much electricity as a country like Austria. We will outline sustainable alternatives for achieving a Bitcoin-like blockchain, with a focus on using disk space instead of computation and how this is realized in the Chia Network blockchain.
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria.
Bio: Krzysztof Pietrzak is a Professor at the Institute of Science and Technology Austria (IST Austria) and leads the cryptography group. He earned his PhD in computer science from ETH Zurich in 2005. Before joining IST, he spent five years as a postdoc at Centrum Wiskunde &amp;amp; Informatica (CWI) in Amsterdam, and prior to that, one year as a postdoc at the École Normale Supérieure in Paris. His current research interests include leakage and tamper-resilient cryptography, key derivation, and pseudoentropy.
</description>
    </item>
    <item>
      <title>Sustainable Security</title>
      <link>https://cysec.wien/news/2024-10-21_lecture_gruss/</link>
      <description>Talk by Daniel Gruss
Location: online
Date/Time: 2024-10-21 17:00 ‒ 18:00
Abstract: Global ICT electricity consumption is already beyond 11 percent of the worldwide electricity production and still increasing. By 2030 it may reach around 25 percent. Previous approaches to improve efficiency and performance have often sacrificed security, leading to disastrous security issues like Meltdown and Spectre. Patching just these two vulnerabilities increases power consumption on affected computers by a seemingly harmless 5 percent. By 2030, this may be more than 1 percent of the global electricity production, caused by just a single one of thousands of patches. This development is not sustainable, and in this talk, we will discuss both the problem and potential revolutionary solutions.
The talk is a part of the Public Lecture Series ‘Sustainability in Computer Science’ under the auspices of Informatik Austria.
Video
Bio: Daniel Gruss is a professor in Information Security at the Graz University of Technology, Institute of Applied Information Processing and Communications. He finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel&amp;rsquo;s research focuses on software-based attacks and defenses on microarchitectural layers in hardware and software. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&amp;amp;P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018 and designed the software patch (KAISER) against Meltdown which is now integrated in every operating system.
</description>
    </item>
    <item>
      <title>Breaking the Web’s Invisible Walls: Studying Emerging Client-Side Vulnerabilities at Scale</title>
      <link>https://cysec.wien/news/2024-10-18_talk_khodayari/</link>
      <description>Talk by Soheil Khodayari
Location: TU Wien, HA0102
Date/Time: 2024-10-18 11:00 &amp;#x2012; 12:00
Abstract: The recent rapid evolution of client-side technologies has introduced new variants of traditional security issues that now manifest exclusively in client-side JavaScript programs. We have little-to-no knowledge of these new emerging threats, and exploratory security evaluations of JavaScript-based web applications are impeded by the scarcity of reliable and scalable testing techniques. In this work, we address these challenges by presenting JAW, an open-source, static-dynamic framework to study client-side vulnerabilities at scale, focusing particularly on client-side request forgery and DOM Clobbering vulnerabilities, where we investigate their patterns, prevalence, and impact in the wild. We instantiate JAW on over half a million pages of the top 10K sites, processing over 56B lines of code in total, showing that these new variants are ubiquitous on the Web. We demonstrate the impact of these vulnerabilities by constructing proof-of-concept exploits, making it possible to mount arbitrary code execution, information leakage, open redirections and CSRF also against popular websites that were not reachable through the traditional attack vectors. Finally, we review and evaluate the adoption and efficacy of existing countermeasures against these attacks, including input validation and browser-based solutions.
Bio: Soheil Khodayari is a PhD student in the research group of Giancarlo Pellegrino at the CISPA Helmholtz Center for Information Security.
</description>
    </item>
    <item>
      <title>Anonymity, Consent, and Other Noble Lies: An Empirical Study of the Data Economy</title>
      <link>https://cysec.wien/news/2024-10-28_lecture_reardon/</link>
      <description>Talk by Joel Reardon
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstraße 9-11, Erdgeschoß) (HEEG02)
Date/Time: 2024-10-28 16:15 &amp;#x2012; 17:15
Abstract: While legal scholars have cited decades of computer science research that demonstrates why anonymity is a hard problem (and that datasets should not be labelled as &amp;ldquo;anonymous&amp;rdquo; cavalierly), industry and legal practitioners have not heeded those warnings: many organizations trafficking in consumer data continue to make assertions that, for example, hashed email addresses are anonymous and cannot reveal the original email address, and that device-based identifiers, such as advertising IDs, only identify devices and not people.
We acquired datasets from multiple data brokers to empirically demonstrate why these assertions are false. Using publicly available email addresses found in data breaches posted on the Internet, we show that one can reidentify 88% of the hashed email addresses that we obtained. Reidentifying hashed email addresses need not rely on illicit data: by constructing rainbow tables, we reidentified a majority of the hashed email addresses. In all cases, the hashed email addresses were linked to other device-based identifiers (e.g., mobile data advertising IDs, IPs, etc.), demonstrating why device-based identifiers have long been considered personally identifiable information.
Relatedly, organizations trafficking in this data make another assertion, that this data was collected from consumers with their consent. To evaluate this claim, we performed a survey (n = 369), in which we emailed the reidentified individuals in our datasets to recruit them to participate in a survey. This survey asked participants about their recollections of having provided consent and whether they would prefer that the data brokers delete their data.
Bio: Joel Reardon is an associate professor at the University of Calgary who researches mobile security and privacy issues and the data collection done through those devices. He has also co-founded the privacy analytics company AppCensus. He received his Bachelor&amp;rsquo;s and Master&amp;rsquo;s at the University of Waterloo and his Doctor of Sciences at ETH Zurich. His research has been covered by the CBC, the BBC, the Washington Post, and the Wall Street Journal, among other places. His research has received the Emilio Aced Research and Personal Data Protection Award, the CNIL - Inria Data Protection Award, and the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies. He likes bicycling and snowboarding and is currently trying to improve his French.
</description>
    </item>
    <item>
      <title>Empowering Innovation: Unlocking the Potential of Privacy-Enhancing Technologies</title>
      <link>https://cysec.wien/news/2024-10-15_lecture_schr%C3%B6der/</link>
      <description>Inaugural lecture by Dominique Schröder
Location: TU Wien, EI 9 Hlawka-Hörsaal (Gußhausstraße 27-29, Stiege 1, Erdgeschoß, Raum CAEG17)
Date &amp;amp; Time: 2024-10-15; 17:00 - 19:00
Abstract: Data collection is growing rapidly due to the increasing number of connected devices, from smartphones to smart home systems, and advances in artificial intelligence that make data processing more efficient. Businesses and governments are collecting data to enhance decision-making, improve services, and create personalized experiences. For example, smart healthcare can monitor patients remotely, connected devices can optimize energy use, and smart cities can reduce traffic congestion. However, this data collection raises privacy concerns, such as the risk of sensitive health data being exposed, devices recording conversations without consent, and personal data being shared with third parties. Privacy is often seen as a problem or unnecessary because of common prejudices. One is the belief that “I have nothing to hide,” which leads people to dismiss privacy concerns as irrelevant to them personally. Another misconception is that privacy hinders technological progress, with some seeing it as an obstacle to innovation in areas such as AI, smart devices, or personalized services. In this talk, I will address both misconceptions. First, I will show how even small pieces of information can uniquely track and identify individuals, proving that privacy concerns affect everyone, not just those with “something to hide”. Second, I will show how privacy-enhancing technologies enable modern advances without violating individual privacy. From encrypted communications to differential privacy in data analysis, these tools allow us to innovate while protecting personal information at the same time, proving that privacy and technological progress can coexist.
Slides
</description>
    </item>
    <item>
      <title>Semantic Models for Trustworthy Systems: A Hybrid Intelligence Augmentation Program</title>
      <link>https://cysec.wien/news/2024-10-16_lecture_guizzardi/</link>
      <description>Talk by Giancarlo Guizzardi
Location: TU Wien, HS 14A Günther Feuerstein (Karlsplatz 13, Stiege 3, 3. Stock) (AB0306)
Date/Time: 2024-10-16 11:15 &amp;#x2012; 12:30
Abstract: Cyber-human systems are formed by the coordinated interaction of human and computational components. In this talk, I will argue that these systems can only be designed as trustworthy systems if the interoperation between their components is meaning preserving. For that, we need to take the challenge of semantic interoperability between these components very seriously. I will discuss a notion of trustworthy semantic models and defend its essential role in addressing this challenge. Finally, I will advocate that engineering and evolving these semantic models as well as the languages in which they are produced require a hybrid intelligence augmentation program resting on a combination of techniques including formal ontology, logical representation and reasoning, crowd-sourced validation, and automated approaches to mining and learning.
Bio: Prof. Dr. Giancarlo Guizzardi is a Full Professor at the University of Twente. Before joining Twente, he was a Full Professor at the Free University of Bozen-Bolzano, in the Italian Alps, where he led the Conceptual and Cognitive Modelling Research Group (CORE). Prior to that, he co-founded and co-directed the Ontology and Conceptual Modelling Research Group (NEMO) in Brazil for 10 years. He is highly active in the fields of Formal and Applied Ontology, Conceptual Modelling, Information Systems Engineering, and Enterprise Computing/Business Informatics. His research follows a multidisciplinary approach, integrating insights from Philosophy, Logics, Linguistics, and Cognitive Science to address a variety of complex challenges in these areas. He is also a Guest Professor at Stockholm University, Sweden, where he collaborates on scientific research in the fields of Value-Based Modelling, Formal and Applied Ontology in Cyber-Social Systems, and Ethical Requirements for Information Systems.
Prof. Guizzardi has published approximately 400 papers and has taken on key leadership roles in major conferences within his fields, such as ER, FOIS, IEEE CBI, and EDOC. He has served as Program Committee Chair, General Chair, Steering Committee Member, and Keynote Speaker at prominent events including ER, BPM, CAiSE, and IEEE ICSC. Currently, he is an Associate Editor for the journals Applied Ontology, Data &amp;amp; Knowledge Engineering, and Enterprise Modelling and Information Systems Architectures. He also serves on the Advisory Board of the International Association for Ontologies and its Applications (IAOA). In addition to his academic work, Prof. Guizzardi has led numerous technology transfer projects in areas such as Telecommunications, Risk Management, e-Government, Digital Journalism, Complex Media Management, Distributed Software Development, and Energy, among others.
</description>
    </item>
    <item>
      <title>European Cybersecurity Championship 2024</title>
      <link>https://cysec.wien/news/2024-10-11_ecsc_final_2024/</link>
      <description>From October 8th to 11th, the European Cybersecurity Challenge (ECSC) took place in Turin, Italy. This annual competition brings together teams of 10 participants, aged 14 to 24, from European countries and select non-European invitees. Over two days, the teams competed in intense Capture The Flag (CTF) cybersecurity challenges to determine the European champion. Supported by ENISA, the European Union Agency for Cybersecurity, the ECSC aims to cultivate cybersecurity talent and raise awareness across Europe.
This year, Team Austria secured 5th place in the European Cybersecurity Challenge, where 37 teams demonstrated their IT security skills. The winner, Germany, scored 5823.83 points, while Austria earned 3776.46. In Stage 1, the teams tackled various tasks in the Jeopardy-style competition, inspired by real-world IT security challenges, and Austria even took the lead at times during this phase. In Stage 2, the classic Attack/Defense scenario was played out, where teams had to secure their own systems while attacking others. This stage was more challenging for Austria, leaving them ranked 29th initially. However, after a strong comeback, Team Austria climbed to second place in the live standings.
In an outstanding individual performance, Matthias Pleschinger from Team Austria not only won all three preliminary rounds of the openECSC competition but also the final. Competing against over 4,000 players from more than 140 nations, he was the only participant to solve all the challenges, earning a standing ovation at the award ceremony.
Despite these impressive achievements, the team is already looking ahead to next year’s European Championship, determined to break into the top 3. The experience gained from both national and European competitions will play a key role in their future preparations.
</description>
    </item>
    <item>
      <title>Happiness is endless in research</title>
      <link>https://cysec.wien/news/2024-10-07_noileg_interview_kovacs/</link>
      <description>While every researcher&amp;rsquo;s career path is unique, it&amp;rsquo;s important for young scientists at the beginning of their journey to understand that the challenges they encounter can be overcome. This is why sharing successful experiences is so crucial. Graduating from the University of Timisoara, earning a master&amp;rsquo;s degree from the Johannes Kepler University in Linz, followed by postdoctoral scholarships in Lausanne and Zurich, a professorship in Gothenburg, Sweden, and a current position as a university lecturer at the Vienna University of Technology — Laura Kovacs&amp;rsquo;s professional journey has been marked by numerous transitions. Yet, her passion for research and deep love for mathematics and logic have remained constant throughout. She shares her experience in an interview with the Romanian Nőileg Magazine.
Laura Kovács earned her Ph.D. in Computer Science with the highest distinction from the Research Institute for Symbolic Computation (RISC-Linz) at Johannes Kepler University in 2007, and her Habilitation in Computer Science from the Vienna University of Technology (TU Wien) in 2012. Her research focuses on developing mathematical methods in IT to ensure the correctness of software systems. She has contributed to numerous research projects, including recent ones such as ForSmart: Effective Formal Methods for Smart-Contract Certification, Abenteuer Informatik für Volksschulen, and SpyCoDe: Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design. She has been recognized with numerous awards, including the Amazon Research Award (2024), the ERC Consolidator Grant (2020), the ERC Proof of Concept Grant (2018), and the ERC Starting Grant (2014). She is currently a Full Professor and Head of the Research Unit for Formal Methods in Systems Engineering.
The academic environment and her father’s love for mathematics greatly influenced Laura&amp;rsquo;s future interests. She was fortunate to enter the first mathematics and informatics program of Western University of Timisoara. Her curiosity and wide-ranging interests matched perfectly with this interdisciplinary program. However, it wasn’t just luck that paved her way to success—it was her outstanding academic results and her openness to working anywhere in the world, adapting to different demands, and meeting the highest standards.
Prof. Kovacs emphasizes how important it is for researchers to stay on the move, to embrace change, and to apply themselves. &amp;lsquo;There are always new opportunities out there, and you have to be open to them,&amp;rsquo; she says. Addressing early-career researchers, she encourages them not to fear the challenges that come with creating something new, but to be fascinated by research. One of her secrets to success, she reveals, is finding joy in your work—whether it’s teaching, mentoring students, creating new things, or achieving meaningful results. &amp;lsquo;There is quite a lot of competition in IT, but when you come up with something new and it works, it&amp;rsquo;s great.&amp;rsquo;
Laura&amp;rsquo;s words of support are especially important for female researchers, who still face many challenges: &amp;lsquo;There are more and more opportunities, and it&amp;rsquo;s worth looking for them and taking advantage of them! It’s about what we feel like doing, what we are motivated to do, what we are interested in, and what makes us curious.&amp;rsquo;
</description>
    </item>
    <item>
      <title>The Best Teacher Award 2024</title>
      <link>https://cysec.wien/news/2024-10-04_teaching_award_2024/</link>
      <description>The &amp;ldquo;Best Teacher Award&amp;rdquo; was established to recognize the exceptional dedication of motivated and inspiring lecturers who teach in over 2,000 courses at TU Wien each semester. The award is divided into three categories: Best Teacher, Best Lecturer, and Best Gender-Sensitive Teaching. The Best Teacher Award celebrates lecturers who demonstrate outstanding commitment, deliver exceptional teaching, and create a supportive learning environment for their students. This year, the Best Teacher Award at TU Wien is proudly presented to Dr. Astrid Weiss from the Research Unit for Human-Computer Interaction. The course &amp;ldquo;Introduction to Security&amp;rdquo; by Mauro Tempesta, Matteo Maffei, Marco Squarcina, and Sebastian Roth was nominated for the Best Lecture Award.
Dr. Astrid Weiss is an Assistant Professor at TU Wien and a member of the Human-Computer Interaction Group at the Institute of Visual Computing and Human-Centered Technology. Her passion lies in exploring how people interact with adaptive technologies in their daily lives and understanding the factors that influence their acceptance or rejection. She is widely regarded as a pioneer in combining empirical social research with robotics.
Throughout her career, Weiss has received several prestigious awards, including the Hertha Firnberg Award (2012) and the Elise Richter Grant (2017) from the FWF Science Fund, both aimed at supporting the academic careers of young female researchers. In 2013, she was recognized as one of the &amp;ldquo;25 Women You Need to Know in Robotics&amp;rdquo; by RoboHub, and in 2017, she was a speaker at TEDx TU Wien. In 2018, she was elected as a member of the Young Academy of the Austrian Academy of Sciences.
Before joining TU Wien, Astrid worked with the Vision4Robotics Group at the Automation and Control Institute (ACIN). Prior to that, she was a senior researcher leading an interdisciplinary team at the ICT&amp;amp;S Center at the University of Salzburg, where she focused on &amp;ldquo;Adaptive Systems.&amp;rdquo;
Astrid holds a PhD in Sociology and Human-Computer Interaction and a Master’s degree in Sociology, both from the University of Salzburg. In 2022, she achieved another significant milestone by successfully defending her habilitation, earning the venia docendi for Human-Computer Interaction.
Award Ceremony Video
</description>
    </item>
    <item>
      <title>Shecurity Wins eAward 2024</title>
      <link>https://cysec.wien/news/2024-10-03_eaward_2024/</link>
      <description>The eAward, presented by Report magazine, has been recognizing outstanding digitalization projects in Austria since 2005. This year, the &amp;ldquo;Shecurity&amp;rdquo; hacker training course for women received the award in the &amp;ldquo;Education and Social Issues&amp;rdquo; category. Unique in Europe, this program is the result of a collaboration between SBA Research, CSA Cybersecurity Austria, and TU Wien. Its goal is to boost women&amp;rsquo;s participation in the male-dominated field of cybersecurity and is open to participants without any prerequisites.
Through monthly evening and hybrid sessions, girls, women, and FINTA individuals can access a free, university-level introduction to cybersecurity. The program’s goal is to spark interest, build peer support networks, and foster professional growth. In just six months, the course has attracted 170 participants aged 15 to 65, with varying levels of experience.
The award highlights the growing recognition that cybersecurity urgently needs skilled women professionals and acknowledges the valuable contributions they can bring to the field&amp;rsquo;s advancement.
Foto: Milena Krobath
</description>
    </item>
    <item>
      <title>Humanistic AI in Vienna. AI and Me: The Citizens&amp;rsquo; Perspective</title>
      <link>https://cysec.wien/news/2024-10-23_digitalcitywien_kovacs/</link>
      <description>Prof. Laura Kovacs is a participant in the Panel Discussion on the Impacts and Benefits of AI for Citizens at Vienna Digital Days 2024.
Location: Technisches Museum Wien, Festsaal
Date &amp;amp; Time: 2024-10-23; 16:30-17:30
The panel discussion will focus on the application perspective, exploring the impacts and potential benefits of AI in citizens&amp;rsquo; daily lives. Key areas of focus will include technology assessment and security. The discussion will revolve around three primary topics: the labor market and education, data security, and health, with a particular emphasis on its effects on perception and medicine.
Speakers on the panel:
Daniela Berndl-Schwerdtner, Head of Jobs PLUS Education, waff
Dr. Gerald Bader, Head of AI &amp;amp; Analytics, Eviden
Michael Mürling, Head of Marketing &amp;amp; Communications, AIT Center for Digital Safety &amp;amp; Security
Univ. Prof. Siegfried Meryn, Founder &amp;amp; CEO, Future Health Lab
Univ. Prof. Laura Kovacs, TU Wien </description>
    </item>
    <item>
      <title>CySec members contribute to RAID 2024</title>
      <link>https://cysec.wien/news/2024-09-30_raid_2024/</link>
      <description>The International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) brings together leading researchers and practitioners from academia, government, and industry to discuss cutting-edge research in computer and information security. RAID 2024 took place in Padua, Italy, from September 30 to October 2, 2024. Martina Lindorfer, Aakanksha Saha, Carlotta Tagliaro, and Martina Komsic contributed to two presentations at the event.
Aakanksha Saha presented her research, &amp;ldquo;ADAPT it! Automating APT Campaign and Group Attribution by Leveraging and Linking Heterogeneous Files,&amp;rdquo; co-authored with Jorge Blasco, Lorenzo Cavallaro, and Martina Lindorfer. The study addresses the growing complexity of Advanced Persistent Threats (APTs), which have increasingly challenged cybersecurity efforts across industries, governments, and democratic institutions. The rise in the number of actors and the sophistication of their campaigns has made tracking and attributing APTs more difficult. Traditional methods relying on threat intelligence often lead to fragmented information, delays in connecting campaigns with specific threat groups, and misattribution.
In response to these challenges, Saha introduced ADAPT, a machine learning-based approach that automates APT attribution at two levels: the campaign level, to identify samples with similar objectives, and the group level, to identify samples operated by the same entity. ADAPT supports various heterogeneous file types, including executables and documents, and links them through shared features to find connections. Evaluated on datasets from MITRE and 6,134 APT samples from 92 threat groups, ADAPT proved highly effective in clustering and attribution, significantly improving the ability to track APTs. Through real-world case studies, ADAPT demonstrated its capability to effectively identify clusters representing threat campaigns and associate them with their respective groups, marking a major advancement in automating APT attribution.
Carlotta Tagliaro presented a study on &amp;ldquo;Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols.&amp;rdquo; The research was conducted with Martina Komsic, Andrea Continella, Kevin Borgolte, and Martina Lindorfer. The team performed a large-scale analysis of three widely-used IoT protocols — MQTT, CoAP, and XMPP. They compiled a dataset of over 337,000 backend deployments, augmented with geographical and provider data, and carried out non-invasive active measurements to assess three major security threats: information leakage, weak authentication, and denial-of-service attacks.
The study revealed significant immaturity in IoT backend security. Among the key insights, the researchers discovered that 9.44% of backends expose sensitive information, 30.38% of CoAP-speaking backends are vulnerable to denial-of-service attacks, and an alarming 99.84% of MQTT and XMPP backends use insecure transport protocols, with only 0.16% adopting TLS (of which 70.93% implement a vulnerable version).
</description>
    </item>
    <item>
      <title>Workshop on Scalability &amp;amp; Interoperability of Blockchains</title>
      <link>https://cysec.wien/news/2024-09-26_sib_2024/</link>
      <description>SIB is a workshop dedicated to exploring the scalability and interoperability of blockchains. It seeks to bridge theoretical and practical perspectives by gathering experts from security, cryptography, distributed systems, economics, and policy-making. Scalability focuses on sustaining a blockchain&amp;rsquo;s performance — specifically throughput and latency — as its network expands. Interoperability involves linking multiple blockchains to enhance protocol functionalities. The objective of SIB is to explore cutting-edge solutions in scalability and interoperability, evaluate their benefits, and examine the potential drawbacks.
At SIB 2024, held on September 26, 2024, at the Austrian National Bank (OeNB) in Vienna, Austria, Zeta Avarikioti served as the Chair of the Organizing Committee, while Lukas Aumayr, Matteo Maffei, and Giulia Scaffino contributed as members of the Program Committee for the workshop.
Giulia Scaffino chaired Session 1: Consensus Layer and presented &amp;ldquo;Blink: An Optimal Proof of Proof-of-Work,&amp;rdquo; her joint study with Lukas Aumayr, Zeta Avarikioti, Dionysis Zindros, and Matteo Maffei, during Session 3 on Interoperability. Blink is the first provably secure O(1) PoW light client that operates without a trusted setup. It can be used for various applications, from payment verification to bootstrapping and supporting blockchain bridges. This innovation marks a significant departure from traditional methods, where light clients like the Simplified Payment Verification (SPV), initially described by Nakamoto in the Bitcoin whitepaper, required resources that increased linearly over time. The team has proven that Blink is secure within the Bitcoin Backbone model and has evaluated its proof size, demonstrating that, as of this writing, Blink can secure a commitment to the current state of Bitcoin by downloading only 1.6KB. This is in stark contrast to the 67.3MB and 197KB required for SPV and zk-based clients, respectively.
Lukas Aumayr chaired Session 3: Interoperability and also took the stage at Session 2: Payment Channels, unveiling groundbreaking research titled &amp;ldquo;Securing Lightning Channels against Rational Miners.&amp;rdquo; Conducted with collaborators Zeta Avarikioti, Matteo Maffei, and Subhra Mazumdar, the study provided the first evidence that Lightning channels could withstand timelock bribing attacks under rational behavior conditions. This assumes channel parties continuously monitor the transaction pool (mempool) and prevent draining the channel funds in one direction. This research underscores the importance of maintaining a coin reserve within each channel, a strategy already implemented in the Lightning Network for different reasons.
The team introduced &amp;ldquo;CRAB,&amp;rdquo; the first Lightning-compatible construction that ensures security against both Byzantine parties and rational miners without constant mempool monitoring. Furthermore, they showcased &amp;ldquo;Sleepy CRAB,&amp;rdquo; an innovative construction allowing participants to remain offline indefinitely, challenging the traditional need for constant online connectivity in payment channels. This breakthrough, backed by a proof-of-concept and an analysis of its Bitcoin cost implications, marks a significant advancement in blockchain technology, enhancing security and operational efficiency.
</description>
    </item>
    <item>
      <title>CySec members contribute to SCN 2024</title>
      <link>https://cysec.wien/news/2024-09-10_scn_2024/</link>
      <description>The 14th International Conference on Security and Cryptography for Networks (SCN 2024), held in Amalfi, Italy, from September 11-13, brought together researchers, practitioners, and developers in cryptography and information security. The conference fostered collaboration and exchange of techniques, tools, and ideas, driving innovation and strengthening connections in these vital fields. Among the original, high-quality research presented, two papers from TUW researchers, Marek Sefranek and Elena Andreeva, stood out for their theoretical and practical contributions.
Marek Sefranek presented the latest findings from the COnFIDE project. His talk &amp;ldquo;How (Not) to Simulate PLONK&amp;rdquo; focused on PLONK, a zk-SNARK system designed by Gabizon, Williamson, and Ciobotaru. While PLONK had been deployed in various applications, its zero-knowledge property was only informally argued. Marek identified and fixed a vulnerability in the original specification, which led to an update in PLONK&amp;rsquo;s eprint version. He also provided a proof that the updated version achieves statistical zero-knowledge and demonstrated a flaw in the previous version.
Marek Sefranek discusses critical PLONK zero-knowledge proof developments with o1Labs engineers: Youtube, Slides of the talk.
Prof. Elena Andreeva co-authored the paper &amp;ldquo;OAE-RUP: A Strong Online AEAD Security Notion and Its Application to SAEF&amp;rdquo;, introducing a new security concept for online Authenticated Encryption with Associated Data (AEAD) schemes, particularly addressing the Release of Unverified Plaintexts (RUP), a significant concern for lightweight devices. The research demonstrates that SAEF, optimized for short message encryption, meets OAE-RUP security standards without modifications. SAEF effectively resists nonce misuse and plaintext leakage, offering enhanced security in encryption and decryption. Using the coefficient H technique, the team proved that SAEF achieves OAE-RUP security up to the birthday bound, making it highly resistant to attacks. This work offers a significant contribution to strengthening the security of online AE schemes, particularly in real-world applications where systems have limited memory and processing power. It ensures that even in cases of plaintext leakage before verification, both integrity and confidentiality remain protected, addressing a critical gap in existing AEAD schemes.
</description>
    </item>
    <item>
      <title>Austrian Cybersecurity Challenge 2024</title>
      <link>https://cysec.wien/news/2024-09-18_acsc_2024/</link>
<description>The final of the Austrian Cybersecurity Challenge (ACSC) 2024, a major event in Austria’s cybersecurity community, took place in Vienna, co-hosted with the IKT Security Conference. Students from across Austria showcased their skills in two age groups (14-20 and 21-25) and an open category.
The TU Wien Cybersecurity Center, in collaboration with Cyber Security Austria and with support from the Federal Chancellery, the Ministry of Internal Affairs, and the Austrian Armed Forces, organizes the ACSC with the goal of promoting ethical hacking, attracting young talent, and developing the next generation of highly skilled cybersecurity professionals. The final, held on September 18, marked the culmination of several rounds of competition.
This year’s event brought together 15 teams to tackle 18 Capture-The-Flag (CTF) challenges. Among the participants were Team Austria, who will represent the country at the upcoming European Cybersecurity Challenge in Turin, and members of Shecurity, an initiative dedicated to promoting the involvement of women and girls in cybersecurity. While these teams took part in the competition, they did not compete for ranking positions.
We extend our heartfelt congratulations to the winners of the ACSC 2024:
Juniors: Michael Gangl, Bastian Uhlig, Ulrich Barnstedt, Christoph Tantscher, Julian Burger
Seniors: Maximilian Seidler, Andreas Himmler, Jonas Konrad, Sebastian Felix, Philipp Remplbauer
Open Class: Roland Wallner, Günter Ebermann, Paul Panosch
Our deepest thanks go out to all the organizers and supporters of the ACSC for their dedication and hard work:
Patrick Pirker, Pentest @ Syslifters
Manuel Reinsperger, Pentest @ A1Digital and TU Wien student
Marcel Schnideritsch, HTBLA Kaindorf and BearingPoint
Marco Squarcina, Senior Scientist @ TU Wien
Team Austria members Johannes Berndorfer and Georg Felber
Daniel Marth @ RISE
The ACSC is a shining example of successful collaboration between Austrian universities, companies, and the public sector. We are confident that our joint efforts will nurture young talent in cybersecurity and help strengthen the security of our digital society.
</description>
    </item>
    <item>
      <title>Proofs as Polynomials</title>
      <link>https://cysec.wien/news/2024-09-27_lecture_piskac/</link>
      <description>Talk by Ruzica Piskac
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstr. 11, Room HEEG02)
Date &amp;amp; Time: 2024-09-27; 9:00 - 10:00
Abstract: Zero-knowledge (ZK) protocols are well-known cryptographic primitives that allow one party to prove to another party a statement without revealing anything beyond the statement. A ZK protocol consists of two parties: a &amp;ldquo;prover&amp;rdquo; and a &amp;ldquo;verifier&amp;rdquo;. In our work, the prover holds a secret formula and its proof of validity and needs to convince the verifier of the correctness of the proof. The verifier validates the prover&amp;rsquo;s claims by checking every step of the proof. To be able to do that without revealing any details about the formula, we use so-called commitment schemes. Commitment schemes are a fundamental part of zero-knowledge protocols as they allow a prover to commit to a value while keeping it hidden, ensuring the value cannot be altered later. A polynomial commitment scheme can be used to commit to polynomials and prove properties of the polynomials. Our work encodes proofs as polynomials and thereby transforms checking the proof steps into checking relations between polynomials. By doing this, we are able to verify the proof without revealing the formulae (or the proof itself).
In this talk, we focus on proofs for formulas produced in the verification process and we explain how to encode them as polynomials. Initially, we developed a protocol for validating the unsatisfiability of Boolean formulas in privacy-preserving settings. We use the resolution calculus to produce a proof of unsatisfiability: we encoded each clause appearing in the proof as a polynomial and we reduced checking the correctness of the resolution rule to checking the divisibility of two polynomials.
A natural extension of this technique is to consider more expressive logics, such as those supported by SMT (Satisfiability Modulo Theories) solvers. To this end, we extended our initial work and developed a virtual machine for validating general unsatisfiability proofs. This virtual machine can support the majority of popular theories when proving program safety while being complete and sound. To demonstrate this, we use theories of equality and linear integer arithmetic as examples. These theories require non-trivial checking procedures and we proposed optimized arithmetizations based on multiset interpretation and polynomial encodings.
Finally, we will conclude the talk by outlining how this approach benefits and empowers the verification process: we can now obtain privacy while preserving correctness.
This talk is based on the following papers:
[1] Ning Luo, Timos Antonopoulos, William Harris, Ruzica Piskac, Eran Tromer, Xiao Wang: Proving UNSAT in Zero Knowledge, CCS 2022
[2] Daniel Luick, John C. Kolesar, Timos Antonopoulos, William R. Harris, James Parker, Ruzica Piskac, Eran Tromer, Xiao Wang, Ning Luo: ZKSMT: A VM for Proving SMT Theorems in Zero Knowledge, USENIX Security 2024
Bio: Ruzica Piskac is a Professor of Computer Science at Yale University, where she leads the Rigorous Software Engineering (ROSE) group. Her research interests span the areas of software verification, security and applied cryptography, automated reasoning, and code synthesis. Much of her research has focused on using formal techniques to improve software reliability and trustworthiness. Piskac joined Yale’s Department of Computer Science in 2013. She was previously an Independent Research Group Leader at the Max Planck Institute for Software Systems in Germany. Her research has received a range of professional honors, including multiple Amazon Research Awards, Yale University’s Ackerman Award for Teaching and Mentoring, the Facebook Communications and Networking Award, and the Microsoft Research Award for the Software Engineering Innovation Foundation (SEIF). In 2019, Yale named Piskac the Donna L. Dubinsky Associate Professor of Computer Science. Piskac holds a Ph.D. from the Swiss Federal Institute of Technology (EPFL), where her dissertation won the Patrick Denantes Prize. Her current and recent professional activities include service as Program Chair of the 37th International Conference on Computer Aided Verification and on the Steering Committee of the Formal Methods in Computer-Aided Design conference. Piskac has graduated five PhD students, four of whom currently hold positions as assistant professors of computer science.
</description>
    </item>
    <item>
      <title>BitMLx: Cross-chain Smart Contracts for Bitcoin-style Cryptocurrencies</title>
      <link>https://cysec.wien/news/2024-08-28_talk_badaloni/</link>
      <description>Talk by Federico Badaloni
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11, ground floor, Room HEEG03)
Date &amp;amp; Time: 2024-08-28; 10:00 - 11:00
Abstract: The limited scripting capabilities in Bitcoin-like cryptocurrencies have forced implementations of smart contracts as multi-party cryptographic protocols. To streamline this process, the BitML language allows for defining simple smart contracts and automatically translates them into protocols over transactions in the respective currency. However, BitML is limited to contracts operating upon the same cryptocurrency whereas many interesting financial applications involve assets on different blockchains, inducing more complicated cryptographic protocols for enforcing synchronous execution across these systems. In this talk, we introduce BitMLx, an extension of BitML that provides a high-level programming language to implement smart contracts executing synchronously on any two Bitcoin-like cryptocurrencies. We show a compiler from BitMLx to two BitML contracts and discuss how we can guarantee that participants executing the latter contracts end up at least as good as in the corresponding execution of the former BitMLx contract.
Bio: Federico Badaloni is a PhD student at the Max Planck Institute for Security and Privacy, where he has been a part of the Heinz Nixdorf Research Group for Cryptocurrencies and Smart Contracts since March 2023. He completed his degree in Computer Science (“Licenciatura en Ciencias de la Computación”) at the National University of Rosario in Argentina in February 2022. His thesis focused on game theory, specifically studying the Fictitious Play algorithm for finding Nash equilibria. His current research focuses on the expressivity of programming languages for smart contracts on non-Turing-complete platforms. He is actively working on extensions and portability for the BitML language. In addition to this, he has a strong interest in applying smart contracts to the administration of collective commons, cooperatives, planned economies, and other tools that promote solidarity and horizontal collaboration without intermediaries.
</description>
    </item>
    <item>
      <title>TUW Researchers contribute to the 33rd USENIX Security Symposium</title>
      <link>https://cysec.wien/news/2024-08-14_usenix_2024/</link>
      <description>The USENIX Security Symposium is a prestigious conference in the field of computer security and privacy, drawing researchers, practitioners, system administrators, developers, and security experts from around the world. It provides a vital platform for exploring the latest breakthroughs and innovations in system and network security. This year, researchers from TUW made significant contributions to the symposium with two presentations, highlighting cutting-edge advancements in these critical areas of cybersecurity.
Dr.-Ing. Sebastian Roth presented &amp;ldquo;Trust Me If You Can – How Usable Is Trusted Types in Practice?&amp;rdquo;, sharing findings from his research with Lea Gröber, Philipp Baus, Katharina Krombholz, and Ben Stock. He highlighted issues related to a novel web security mechanism called Trusted Types. By conducting semi-structured interviews and a live coding task with 13 real-world Web developers, they uncovered roadblocks that occur during deployment of the security mechanism, as well as strategies developers use to work around those problems. Their work also identifies key weaknesses in the design and documentation of Trusted Types that the standardization body should address before Trusted Types becomes a standard.
Slides of the talk
Artifact for Trust Me If You Can – How Usable Is Trusted Types In Practice?
Pedro Bernardo presented a practical framework for formally and automatically detecting security flaws in client-side security mechanisms. The research was conducted by a team including Lorenzo Veronese, Valentino Dalla Valle, Stefano Calzavara, Marco Squarcina, Pedro Adão, and Matteo Maffei. The team leveraged Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants—intended security properties of web mechanisms expressed in first-order logic. Their approach demonstrated effectiveness by validating 9 invariants against the WPT test suite, uncovering violations with clear security implications in 104 tests across Firefox, Chromium, and Safari. The root causes of these violations were disclosed to browser vendors and standardization bodies, resulting in 8 individual reports and one CVE for Safari.
&amp;ldquo;Web Platform Threats: Automated Detection of Web Security Issues With WPT&amp;rdquo;
Slides of the talk
Sebastian Roth’s interview on the CISPA Podcast TL;DR, where he shares his views on an academic career, the role of developers in ensuring Internet security, and the critical importance of security standards for the web, can be heard in the episode titled &amp;lsquo;#CISPA@USENIX – Human Factors in Web Security with Sebastian Roth&amp;rsquo;
</description>
    </item>
    <item>
      <title>Research on Neural Network Verification</title>
      <link>https://cysec.wien/news/2024-07-27_cav_2024/</link>
      <description>The 36th International Conference on Computer Aided Verification (CAV) took place from July 22-27, 2024, at Concordia University in Montreal, Canada. As a leading global event, CAV provides a platform for cutting-edge research on the application of formal methods across various systems, including hardware, software, and communication protocols, while covering a wide range of models. The conference brings together both theoretical research and industrial case studies, all with a focus on leveraging automation to help designers create more reliable systems.
At CAV 2024, SecInt student Anagha Athavale presented the latest findings from the TU Wien team on neural network verification. Her talk, titled “Verifying Global Two-Safety Properties in Neural Networks with Confidence,” was based on her co-authored paper with Ezio Bartocci, Maria Christakis, Matteo Maffei, Dejan Nickovic, and Georg Weissenbacher. This work introduced the first automated technique for verifying confidence-based 2-safety properties, such as global robustness and global fairness, in deep neural networks (DNNs). Despite the widespread use of DNNs in various applications, the formal verification of these safety properties has remained a significant challenge.
Anagha’s approach combines self-composition with existing reachability analysis techniques and introduces a novel abstraction of the softmax function, making it suitable for automated verification. She also characterized and proved the soundness of this static analysis technique. This work addresses critical gaps in verifying the safety properties of DNNs, representing a significant advancement in ensuring their reliability.
Slides of the talk
</description>
    </item>
    <item>
      <title>CySec members contribute to CSF 2024</title>
      <link>https://cysec.wien/news/2024-07-08_csf_2024/</link>
      <description>The Computer Security Foundations Symposium (CSF) is an annual conference for researchers to explore security theories, formal models, and verification techniques in computer security. Key topics include access control, information flow, cryptographic protocols, database security, language-based security, authorization, trust, verification, integrity, availability, and the role of formal methods in security research. At the 37th IEEE Computer Security Foundations Symposium (CSF 2024), held in Enschede, The Netherlands, from July 8-12, two research teams from CySec presented their findings on the intersection of theoretical computer science and computer security.
Markus Scherer presented an innovative approach developed as part of the CDL-BOT project, titled &amp;ldquo;Wappler: Sound Reachability Analysis for WebAssembly,&amp;rdquo; co-authored with Jeppe Fredsgaard Blaabjerg, Alexander Sjösten, Magdalena Solitro, and Matteo Maffei. The presentation focused on enhancing the security and performance of WebAssembly (Wasm), a low-level language increasingly used in critical areas like web browsers, smart contracts, and edge computing.
Given the critical need to identify and eliminate bugs and security vulnerabilities in these domains, Scherer introduced Wappler, the first fully sound and automated static analysis technique for WebAssembly. The team tackled several challenges due to the inherent complexity of Wasm&amp;rsquo;s formal semantics, its embedding in potentially malicious contexts, and its low-level nature, which complicates memory management and other core features. The Wappler approach works by encoding Wasm semantics into Horn clauses, making it accessible to automated theorem provers like z3. This innovative technique required addressing Wasm’s unsuitability for automated security proofs by introducing annotations for a precise and sound encoding. Scherer and his team also developed a formalism to specify embedder behavior and created a sound yet precise memory abstraction to handle the complexities of Wasm environments.
The team demonstrated the flexibility of their logical formalism by encoding various general and Wasm-specific security properties. Additionally, their experimental evaluation on the official Wasm test suite showcased Wappler&amp;rsquo;s performance and effectiveness, making it a significant contribution to the field of WebAssembly security.
Slides of the talk
Stefano Trevisani presented the paper On Efficient and Secure Compression Functions for Arithmetization-Oriented Hashing. In collaboration with Elena Andreeva, Rishiraj Bhattacharyya, and Arnab Roy, he introduced PGV-LC compression modes to construct efficient and secure algebraic hash functions for Verifiable Computation, privacy-preserving Blockchains, and Zero-Knowledge SNARKs/STARKs. The researchers presented advancements in ZK-SNARKs, crucial for privacy-oriented payment systems, identity protocols, and anonymous voting systems, with a focus on improving the efficiency of Merkle Tree (MT) opening proofs, commonly verified through SNARK systems.
Traditional hash functions like SHA-2 are inefficient in SNARK frameworks, leading the team to explore Arithmetization-Oriented (AO) cryptographic designs as a promising alternative. They introduced two new AO blockcipher-based compression modes, PGV-LC and PGV-ELC, extending the classical PGV approach. The Poseidon-DM hash function, instantiated using PGV-LC, offers up to a 3x speed-up for native x86 execution and a 50% speed-up in the Groth16 SNARK framework compared to Poseidon. The work also demonstrates how wide arities can drastically improve the efficiency of Merkle Tree (MT) accumulators: an optimal choice of arity allows Poseidon-DM to be up to 9x faster natively and up to 2.5x faster in Groth16, compared to Poseidon over binary trees.
Slides of the talk
</description>
    </item>
    <item>
      <title>Asynchronous Hyperproperties: from Theory to Practice</title>
      <link>https://cysec.wien/news/2024-07-06_workshop_ahytpra_2024/</link>
<description>Co-organized by ISTA, TU Wien, and WPI, and partially financed by FWF, this workshop aimed to bridge the gap between practitioners from various disciplines and theorists at the forefront of developing frameworks for specifying hyperproperties.
The workshop highlighted the crucial role of these frameworks in the industrial detection of critical vulnerabilities, such as Spectre and Meltdown. Participants explored both the theoretical base and practical applications of diagnosability and fault detection, employing sophisticated formalisms like epistemic temporal logic, and expanded these discussions to include asynchronous system operations. Additional topics covered included advanced methods for symbolic bug finding, bounded model checking in asynchronous contexts, and the application of modal and temporal logics for a rigorous definition and analysis of security properties. The event also introduced new logical frameworks and formalisms intended to enhance the expressive power and practical utility of hyperproperties in analyzing complex systems like recursive programs and probabilistic models.
This comprehensive review not only revisited the historical challenges associated with hyperproperties but also charted future directions for their application in diverse and rapidly evolving technological landscapes. The workshop format emphasized interactivity, promoting open discussions and exchanges of ideas across different fields. This collaborative setting aimed to cultivate deeper insights and foster advancements in the field through interdisciplinary efforts. Notable keynote speakers included Boris Köpf, Musard Balliu, and Ashutosh Trivedi, whose expertise contributed significantly to the richness of the discussions.
Keynote speaker - Boris Köpf (Azure Research)
Topic: 20 Years of &amp;ldquo;20 Years of Covert Channel Modeling and Analysis&amp;rdquo;
Date: 6.07.2024
Time: 9:40
Abstract - Research on hyperproperties, and in particular on information-flow properties, has had a long and active history. However, around the year 2000 the community critically noticed that their results have not had the desired impact in practice. Several authors tried to identify reasons for this lack of success, among them Jon Millen in his remarkable paper &amp;ldquo;20 Years of Covert Channel Modeling and Analysis&amp;rdquo;. Now, another 20 years later, we will re-evaluate this situation: I will first give an example of a successful industrial application of hyperproperties for the automatic detection of microarchitectural vulnerabilities such as Spectre and Meltdown. I will then use this example to revisit the blockers identified 20 years ago and illustrate how they can be avoided now and in the future.
Keynote speaker - Musard Balliu (KTH, Sweden)
Topic: Security Properties through the Lens of Modal Logic
Date: 6.07.2024
Time: 14:00
Abstract - We introduce a framework for reasoning about the security of computer systems using modal logic. This framework is sufficiently expressive to capture a variety of known security properties, while also being intuitive and independent of syntactic details and enforcement mechanisms. We show how to use our formalism to represent various progress- and termination-(in)sensitive variants of confidentiality, integrity, robust declassification and transparent endorsement. In the second part of the talk, we focus on a specific modal logic, epistemic temporal logic, and show how to verify a range of properties by means of epistemic model checking and SMT solving.
Video of the talk
Keynote speaker - Ashutosh Trivedi (CU Boulder, USA)
Topic: Expanding Horizons: Hyperproperties in CPS, Fairness, and Legal Compliance Requirements
Date: 7.07.2024
Time: 9:30
Abstract - In recent years, the study of hyperproperties has provided profound insights into complex system behaviors, yet many practical fields remain unexplored territories for these concepts. This talk aims to highlight the connection between hyperproperty research and real-world applications, drawing from my work in related domains such as cyber-physical systems (CPS), software fairness, legal compliance, and metamorphic testing. I will illustrate how concepts developed for hyperproperties can be effectively applied to ensure system confidentiality, equitable outcomes, regulatory adherence, and robust software testing. By exploring these practical settings, I hope to invite hyperproperty researchers to venture into new areas, offering fresh challenges and groundbreaking possibilities for the application of their innovative research. Join me as we discuss these diverse fields, uncovering the potential for hyperproperties to revolutionize approaches and solutions across various disciplines.
Video of the talk
</description>
    </item>
    <item>
      <title>Security in a World of Software Supply-Chain Vulnerabilities</title>
      <link>https://cysec.wien/news/2024-08-14_lecture_vasilakis/</link>
      <description>Talk by Nikos Vasilakis
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11, Erdgeschoß, Room HEEG03)
Date &amp;amp; Time: 2024-08-14; 11:00 - 12:00
Abstract: Modern software incorporates thousands of third-party components. Bugs or security vulnerabilities in these components can seriously compromise the integrity of incorporating applications. Because of their widespread use, and the difficulty of vetting the enormous number of integrated components for vulnerabilities, they comprise a compelling target for attackers, who purposefully insert vulnerabilities into widely used components with the goal of compromising the integrity of entire software ecosystems. I will present a series of systems that leverage component boundaries to offer automated solutions to vulnerabilities that appear in the software component supply chain. These solutions leverage system- and language-level containment techniques to prevent different classes of attacks from affecting these applications and the broader system in which they execute. Combined, they provide a holistic and in-depth transformation-based approach to securing software ecosystems.
Bio: Nikos Vasilakis is an Assistant Professor of Computer Science at Brown University. His research encompasses systems, programming languages, and security — and has been recognized by several distinguished paper awards. His current focus is on automatically transforming systems to add new capabilities such as parallelism, distribution, and security — against a variety of threat models. Nikos is also the chair of the Technical Steering Committee behind PaSh, a shell-script optimization system hosted by the Linux Foundation.
</description>
    </item>
    <item>
      <title>Dominique Schröder Joins CySec</title>
      <link>https://cysec.wien/news/2024-07-01_dominique_schr%C3%B6der/</link>
      <description>We are very happy to welcome Dominique Schröder at CySec!
Dominique Schröder is joining the TUW as a new professor and will head the Privacy Enhancing Technologies research group as of September.
Previously, he held the position of Full Professor of Applied Cryptography at Friedrich-Alexander University in Erlangen-Nürnberg. Before that, he was a tenured professor at Saarland University. Dominique completed his postdoctoral research at the University of Maryland, USA, under the guidance of Jonathan Katz. He earned his Ph.D. at the Technical University of Darmstadt, supervised by Marc Fischlin, and received his Diploma (equivalent to a Master&amp;rsquo;s degree) from the Technical University of Braunschweig.
Dominique Schröder is deeply engaged in the field of cryptography, focusing on the development of privacy-preserving technologies that enhance security and privacy in practical applications. His research centers on integrating modern cryptographic methods, such as homomorphic cryptography and secure multiparty computation, with differential privacy techniques to maintain functionality in new applications without compromising individual privacy. Schröder is particularly interested in practical, decentralized cryptographic systems that do not depend on trusted parties. This interest extends to privacy-preserving cryptocurrencies and improving the efficiency of distributed systems.
Schröder&amp;rsquo;s work also involves exploring advanced cryptographic primitives that boost privacy, including advanced signature schemes and functional commitments. He contributes significantly to the development and understanding of these primitives, adapting them for practical use while considering the reality of cryptographic systems that often rely on less-than-ideal conditions, such as low entropy sources or weak randomness.
His research not only tests the boundaries of cryptographic theory and practice by using weak sources of secrets and randomness, but also investigates the reliance of many practical cryptographic schemes on idealized models like the random oracle model. This approach helps bridge the gap between theoretical security and real-world applications, providing insights into both the challenges of realizing cryptographic tasks and the reliability of schemes used in practice.
Check out the interview with Dominique Schröder in the #5QW series.
</description>
    </item>
    <item>
      <title>EuroS&amp;amp;P 2024 and WoRMA</title>
      <link>https://cysec.wien/news/2024-07-08_euro_sp_2024/</link>
      <description>The 9th IEEE European Symposium on Security and Privacy (EuroS&amp;amp;P) will take place from July 8-12, 2024, at the University of Vienna.
EuroS&amp;amp;P stands as one of Europe’s premier conferences in computer security and electronic privacy. Organized this year by SBA Research in collaboration with the University of Vienna and TU Wien, the event aims to highlight cutting-edge advancements in the field and promote invaluable networking opportunities among researchers and industry practitioners. The 2024 edition of EuroS&amp;amp;P is expected to draw an impressive gathering of over 200 renowned researchers and professionals from more than 30 countries, reflecting its global influence and importance. Matteo Maffei has taken on the role of General Chair, alongside Edgar Weippl (University of Vienna). They are tasked with ensuring the seamless organization and successful execution of the conference. Additionally, Marco Squarcina is involved as a member of the Program Committee. The conference not only serves as a platform for presenting research and sharing insights but also fosters collaborations that drive innovation and address key challenges in the realms of cybersecurity and privacy.
At the 3rd Workshop on Rethinking Malware Analysis (WoRMA), co-located with IEEE EuroS&amp;amp;P 2024, Aakanksha Saha presented the paper titled &amp;lsquo;Exploring the Malicious Document Threat Landscape: Towards a Systematic Approach to Detection and Analysis,&amp;rsquo; co-authored with Jorge Blasco and Martina Lindorfer. They performed a measurement study that leveraged existing tools and techniques to detect, extract, and analyze malicious Office documents. They collected a substantial dataset of 9,086 malicious samples and revealed a critical gap in the understanding of how attackers utilized these documents. Their in-depth analysis highlighted emerging tactics used in both targeted and large-scale cyberattacks while identifying weaknesses in common document analysis methods. Through a combination of analysis techniques, they gained crucial insights valuable for forensic analysts to assess suspicious files, pinpoint infection origins, and ultimately contribute to the development of more robust detection models. The team made their dataset and source code available to the academic community to foster further research in this area.
Aakanksha Saha also participated in a panel on &amp;lsquo;Rethinking Malware Analysis.&amp;rsquo;
</description>
    </item>
    <item>
      <title>Access Control in Mobile Software Stacks: Can we do fundamentally better?</title>
      <link>https://cysec.wien/news/2024-07-05_lecture_bugiel/</link>
      <description>Talk by Sven Bugiel
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstr. 9-11, Erdgeschoß, Room HEEG02)
Date &amp;amp; Time: 2024-07-05; 10:00 - 11:00
Abstract: A cornerstone of mobile privacy and security is the permission system that enables users to selectively grant or revoke apps&amp;rsquo; access to data. This pivotal role of permissions has earned them a lot of attention over the last 15 years from the research community, who identified its shortcomings and suggested improvements to it. In this talk, we briefly recap the access control model of the permission system &amp;ldquo;under the hood&amp;rdquo; and then take a step back to question whether we can do fundamentally better at the system design level. Central to this question is the existence of an ambient authority as the root of many problems and how we can get rid of it. To give food for thought, we base this discussion on a recent research work that proposes object capabilities as an alternative access control model for Android and on looking at Google Fuchsia, Google&amp;rsquo;s latest operating system that is capability-based. We present some early results that show that even Fuchsia&amp;rsquo;s design is still not a sufficient solution and what the challenges are for such a paradigm shift in access control for (mobile) software stacks.
Bio: Sven Bugiel is a security researcher focusing on (mobile) operating system security and trusted computing. In the past, he was particularly looking into mandatory access control systems for the Android OS and integrating hardware security building blocks into mobile operating systems. This interest has extended to object-capability systems and developing new confidential computing solutions. More recently, he has also worked on the intersection of those topics with human-centered studies, authentication, and data science. Sven has been a tenured faculty member at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany, since the end of 2021.
</description>
    </item>
    <item>
      <title>Open Forum on the Digital Euro and Payment Transactions</title>
      <link>https://cysec.wien/news/2024-06-25_oenb_panel_maffei/</link>
      <description>CBDC, or Central Bank Digital Currency, is a type of digital currency issued and regulated by a country&amp;rsquo;s central bank. Without replacing existing payment methods, CBDC opens new possibilities for improving payment systems. Numerous countries are actively developing similar projects. The Digital Euro project was initiated by the European Central Bank (ECB) in July 2021. On June 24, 2024, the ECB released its first report on the initial phase of the project, which began in November 2023.
As a complex, multifaceted initiative, CBDC has garnered substantial support from various stakeholders who see it as a way to modernize the economy, improve transaction efficiency, and enhance the security of the monetary system. At the same time, it has raised notable concerns regarding privacy, the centralization of financial power, and the potential exclusion of vulnerable populations who may not have access to digital platforms. For this reason, the development and implementation of CBDCs require a collaborative approach, drawing on expertise from multiple fields.
The Austrian National Bank (OeNB) held a high-profile technical event on &amp;lsquo;Digital Euro and Payment Transactions&amp;rsquo; to discuss the ECB&amp;rsquo;s ongoing developments. Representatives from the Austrian banking sector, academia, commerce, and consumer advocacy groups participated. Together with OeNB and ECB experts, they explored the digital Euro&amp;rsquo;s potential, perspectives, and requirements.
One of the crucial challenges in implementing the digital euro is ensuring the security of transactions and the protection of data. During the discussion, Matteo Maffei mentioned that the research community, including the CySec team, has developed a range of cryptographic protocols designed to secure privacy and meet regulatory guidelines for both cryptocurrencies and digital central bank currencies.
</description>
    </item>
    <item>
      <title>Invited talk at the CIBE&#39;24 workshop</title>
      <link>https://cysec.wien/news/2024-06-23_lecture_cibe_fuchsbauer/</link>
      <description>At the workshop titled &amp;ldquo;Cryptography in the Blockchain Era,&amp;rdquo; Prof. Georg Fuchsbauer delivered a talk that highlighted the latest advancements in cryptographic techniques within the rapidly evolving landscape of blockchain technology. His presentation covered fundamental challenges and emerging solutions for enhancing privacy, security, and scalability in decentralized networks. The workshop provided a platform for discussing critical advancements in cryptography, underscoring its importance in the blockchain era.
Prof. Fuchsbauer explored the Mimblewimble protocol, a breakthrough in blockchain design that promises to improve both privacy and scalability. However, Mimblewimble has faced challenges in widespread adoption, particularly due to the absence of non-interactive transactions, where only the sender needs to be online. The talk included a detailed analysis of how non-interactive transactions and stealth addresses can be integrated into Mimblewimble. Prof. Fuchsbauer also discussed his recent work, which builds on prior research by Yu and Burkett, offering a revised scheme with a formal security analysis, a variant of which is now implemented by Litecoin in its Mimblewimble Extension Blocks (MWEB).
The talk was well-received by the audience, consisting of cryptography experts and blockchain researchers, who were keen to explore the future of secure and efficient cryptocurrency technologies.
References:
Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble: Paper, Slides
Non-interactive Mimblewimble transactions, revisited: Paper, Slides, Video
</description>
    </item>
    <item>
      <title>Chat control is a security risk for all of Europe</title>
      <link>https://cysec.wien/news/2024-06-19_der_standard_maffei/</link>
      <description>On May 11, 2022, the European Commission proposed a law to prevent and combat child sexual abuse (CSA Regulation), mandating that social media platforms, email and chat providers, and other digital services monitor all user communications, both public and private. This regulation was subsequently extended on April 29, 2024, to remain in effect until April 3, 2026. Despite the critical need to address CSA, these measures have drawn considerable criticism.
Prof. Matteo Maffei and leading cybersecurity researchers from Austria discussed with DER STANDARD the broad potential impacts on all EU citizens. They expressed concerns that scanning messages for illegal content before sending could undermine secure communications and potentially lead to mass surveillance. Beyond the implications for Europe’s messaging service market, experts also highlighted technological challenges and the unreliability of such a system. Matteo Maffei emphasized the profound impact on fundamental rights, comparing the scanning process to an invasive system where every letter is read, verified, and resealed before delivery. Researchers concurred on the importance of enhancing system security rather than compromising it, emphasizing that secure communication is a crucial, well-understood cornerstone of IT security that must be preserved.
</description>
    </item>
    <item>
      <title>Interactive Machine Learning with Graph-Structured Data</title>
      <link>https://cysec.wien/news/2024-06-14_acsd_gaertner/</link>
      <description>The Austrian Computer Science Day (ACSD) is an annual event that brings together computer scientists from across Austria and beyond to enhance the visibility of the field and promote collaboration. The program features scientific presentations from both established and early-career researchers. The 2024 edition focuses on the theme “Networks in Artificial Intelligence.”
Prof. Thomas Gärtner delivered a lecture titled &amp;ldquo;Interactive Machine Learning with Graph-Structured Data.&amp;rdquo;
Abstract: In this talk I will give an overview of our contributions to what I call interactive machine learning. Often, interaction in Computer Science is interpreted as the interaction of humans with the computer but I intend a broader meaning of the interaction of machine learning algorithms with the real world, including but not restricted to humans. Interactions with humans span a broad range, where they can be intentional and guided by the human or they can be guided by the computer such that the human is oblivious of being guided. Another example of an interaction with the real world is the use of machine learning algorithms in cyclic discovery processes such as drug design. Important properties of interactive machine learning algorithms include efficiency, effectiveness, responsiveness, and robustness. In the talk I will show how these can be achieved in a variety of interactive contexts, focussing on graph-structured data.
Petra Hozzová, PhD student in the Automated Program Reasoning group, participated in the Special Session &amp;ldquo;Young Experts – Minute Madness&amp;rdquo; with her presentation “Inductive Reasoning in Superposition.” In this session, outstanding doctoral students in computer science from Austrian universities delivered 1-minute overview talks showcasing their research, followed by an interactive poster session.
</description>
    </item>
    <item>
      <title>CySec gets one more ERC grant</title>
      <link>https://cysec.wien/news/2024-06-10_erc_maffei/</link>
      <description>Prof. Matteo Maffei has received his second ERC grant for his research into the security aspects of blockchain technologies.
Prof. Matteo Maffei and his team at the Security &amp;amp; Privacy Research Unit of the Institute of Logic and Computation are exploring the complex security issues of blockchain technologies. Following his ERC Consolidator Grant Foundations and Tools for Client-Side Web Security in 2018, Prof. Maffei has recently been awarded the prestigious ERC Advanced Grant, which provides approximately two and a half million euros over five years for his project &amp;ldquo;BlockSec.&amp;rdquo;
Blockchain technology enables transactions and agreements without a centralized authority, using &amp;lsquo;smart contracts&amp;rsquo;—self-executing code that facilitates processes akin to a notarial supervisor. These contracts operate under a consensus code that, once initiated, runs automatically and cannot be altered, posing significant security concerns.
Prof. Maffei emphasizes the necessity for mathematical reliability in blockchain systems, particularly given the substantial sums involved, with around $66.6 billion processed within the Ethereum ecosystem alone. His team applies methods from software verification, traditionally used in safety-critical domains like aviation software, to ensure the correctness and security of blockchain technologies. These methods mathematically verify that the software is error-free.
Additionally, the project integrates game theory and cryptography to assess and enhance blockchain security. By considering interest-oriented behavior models from game theory, the team aims to ascertain that users cannot manipulate the system to others&amp;rsquo; detriment. The project combines these theoretical approaches with practical cryptography and software engineering techniques to bolster the security of smart contracts and ensure the overall safety of blockchain applications.
</description>
    </item>
    <item>
      <title>eduLAB educational breakfast</title>
      <link>https://cysec.wien/news/2024-06-07_edulab_kovacs_2024/</link>
      <description>On June 7th, decision-makers, teachers, students, and experts gathered for the eduLAB educational breakfast. eduLAB is a dynamic outreach initiative from the TUW Faculty of Informatics designed to introduce students from the 2nd grade onwards to the exciting world of computer science in a way that is both engaging and suitable for their age group. The project receives funding from TU Wien and additional support through grants from the Vienna Science, Research, and Technology Fund (WWTF) and Let’s Empower Austria (LEA). In 2023, eduLAB successfully engaged over 3000 students across Austria with its various educational programs, making significant strides in promoting computer science education among young learners.
After the welcome speeches by Rector Jens Schneider, Federal Minister Martin Polaschek, Dean Gerti Kappel, and Professor Gerald Futschek, a brief introduction was given to the latest eduLAB AI initiative, which includes a new program for computer science education in schools. Prof. Laura Kovacs, the project leader, presented &amp;ldquo;Adventures of Computer Science for Elementary School&amp;rdquo; (Abenteuer Informatik für Volksschulen), an interactive exhibition designed for elementary schools. The exhibition introduces children to fundamental computer science concepts through age-appropriate, realistic, and playful tasks that spark curiosity and engagement. At the core of the initiative is a hands-on experience that brings key ideas of computer science to life. Visitors can experiment with puzzles, optical illusions, logic challenges, and problem-solving exercises that make learning both fun and intuitive. The program is designed to appeal to a broad audience, including school groups, beginners interested in computer science, as well as experienced students and professionals seeking a fresh perspective on fundamental concepts.
Following the introduction, students and teachers from Feldgasse Gymnasium had the opportunity to get acquainted with the new eduLAB AI school workshops and actively try them out. Two workshops were available:
&amp;ldquo;The Nursery&amp;rdquo;: In this workshop, participants plant a tree and save the world from an impending alien invasion. They explore the world of Machine Learning by helping decision trees grow. First, they create a tree that can recognize fruits. Then, they use a formula that allows a tree to grow &amp;ldquo;on its own&amp;rdquo; to differentiate friendly from dangerous aliens.
&amp;ldquo;Seven Little Neurons&amp;rdquo;: In this workshop, participants become part of an artificial neural network. This network is then trained until it can play a game. Artificial neural networks are the foundation of many of today&amp;rsquo;s successful AI systems. However, how exactly a neural network &amp;ldquo;learns&amp;rdquo; often seems too complicated to understand. Participants experience firsthand that learning for a single neuron is not magic, and the system&amp;rsquo;s intelligence arises from the connection of many inconspicuous parts.
eduLAB aims to demonstrate the excitement of computer science, highlight the real-life impact of AI, and prepare students to tackle future challenges. It not only introduces them to the field but also equips them with the skills to overcome these challenges.
© Amélie Chapalain
</description>
    </item>
    <item>
      <title>International Ethical Hacking Bootcamp 2024</title>
      <link>https://cysec.wien/news/2024-06-06_ethical_hacking_trainingscamp_2024/</link>
      <description>From June 6-9, 2024, TU Wien will host the 2nd International Ethical Hacking Bootcamp. This event is organized by the TUW Cyber Security Center in collaboration with Cyber Security Austria and ViSP.
The bootcamp will welcome approximately 130 participants from Team Europe and national teams across 10 countries, including Austria, Croatia, Czechia, Hungary, Slovakia, Slovenia, Serbia, Germany, Switzerland, and Italy. The comprehensive program is set to feature a blend of training sessions and competitive events, under the guidance of an international team of trainers: Lena Csomor (Switzerland), Jannik Hartung (Germany), Mario Polino (Italy), Yohann Roiron (France), and Johannes Kadak (Estonia).
Goals of the Bootcamp:
Engage with advanced security topics that extend beyond the scope of regular Capture The Flag (CTF) competitions.
Enhance skills through learning and applying new concepts and techniques.
Facilitate networking and peer interactions among participants from diverse national backgrounds.
Promote team building in preparation for the European Cyber Security Challenge (ECSC) Finale in Torino, Italy.
Provide an enjoyable and stimulating environment for participants who share a keen interest in cybersecurity.
Establish a standardized preparatory training module for European national teams in anticipation of the ECSC finals.
Update: A detailed report on the event is accessible here.
ENISA highly values the contribution of 50 volunteers, including Marco Squarcina, for their outstanding support as trainers during the bootcamps. The agency expressed its sincere gratitude to all volunteers for their dedication and efforts in supporting the younger generation of cybersecurity talent — delivering valuable trainings, creating high-quality challenges, and contributing to the development of Team Europe.
</description>
    </item>
    <item>
      <title>IT-S NOW - Where Research Meets Society</title>
      <link>https://cysec.wien/news/2024-06-05_itsnow_saha_2024/</link>
      <description>&amp;ldquo;IT-S NOW - Where Research Meets Society&amp;rdquo; (IT-S NOW) is a conference designed for both researchers and consumers to explore current topics in IT security for the Internet of Things (IoT). The event focuses on the latest security research in the IoT field and is aimed at anyone interested in learning more about IT security in daily life while exchanging knowledge with industry professionals.
On the second day of IT-S NOW 2024, Aakanksha Saha delivered a talk on the challenges of attributing Advanced Persistent Threats (APTs), which pose significant risks to industries, governments, and democratic institutions. She highlighted the difficulties in attribution—identifying APT attackers—using case studies to show how APT groups adapt, share tools, and exploit various platforms to achieve their goals. This adaptability complicates attribution, often causing delays or inaccuracies. Saha emphasized the importance of building comprehensive datasets, standardizing APT group names, and recognizing common evasion techniques. She also explored the potential for automating attribution to address the growing complexity of APT campaigns.
Video of the talk, Slides
</description>
    </item>
    <item>
      <title>Advancements in Cryptographic Protocols</title>
      <link>https://cysec.wien/news/2024-05-26_eurocrypt_2024/</link>
      <description>Eurocrypt 2024, the 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, was held in Zurich, Switzerland, from May 26 to 30, 2024. The conference is organized by the International Association for Cryptologic Research (IACR) and coveres all aspects of cryptology.
At Eurocrypt 2024, Georg Fuchsbauer delivered a presentation on his work with Mathias Wolf titled &amp;ldquo;Concurrently Secure Blind Schnorr Signatures.&amp;rdquo; Their research addresses a critical need for blind signatures in various applications, particularly within blockchain systems, where compatibility with existing signature schemes is essential. The team developed a concurrently secure blind-signing protocol for Schnorr signatures, which are becoming standardized and widely supported by major cryptocurrencies. Their protocol thwarts denial-of-service attacks by leveraging standard cryptographic primitives such as Non-Interactive Zero-Knowledge proofs (NIZK) and Public Key Encryption (PKE), assuming the unforgeability of Schnorr signatures.
This protocol is the first to maintain compatibility with standard Schnorr implementations over 256-bit elliptic curves, a significant advancement for blockchain and cryptocurrency systems. Fuchsbauer and Wolf also introduced the novel concept of predicate blind signatures, allowing signers to define conditions that the blindly signed messages must meet. The researchers provided practical implementations and benchmarks for various use cases, including the example of blindly signing Bitcoin transactions only when they satisfy specific conditions defined by the signer, showcasing the real-world potential of their protocol.
References: Paper, Slides of the talk, Video
Georg Fuchsbauer also contributed to the research on &amp;ldquo;Updatable Public Key Encryption, Revisited,&amp;rdquo; co-authored with Joël Alwen and Marta Mularczyk. The team revisited the concept of Updatable Public Key Encryption (UPKE), originally introduced as a practical solution for building forward-secure cryptographic protocols. They observed that existing UPKE notions lack the syntactical flexibility and security required for many of the multi-party protocols that initially motivated UPKE&amp;rsquo;s development. In response, they provided a comprehensive taxonomy of UPKE properties—some of which had been overlooked in previous work—and offered a thorough overview of known UPKE constructions.
The presentation also introduced a new formal definition for UPKE, capturing the key properties necessary for secure multi-party protocols. The team proposed a practical pairing-based UPKE construction that offers improved efficiency and security under a standard assumption in the random oracle and algebraic group models. This new construction significantly outperforms existing UPKE schemes, offering enhanced flexibility and stronger security guarantees. Notably, when applied to the Messaging Layer Security protocol (RFC 9420), the new UPKE construction requires less than 2% of the bandwidth of the next-most efficient UPKE implementation, making it a standout advancement in the field.
This work demonstrates the importance of improving UPKE to meet the growing demands of secure multi-party cryptographic protocols.
References: Paper, Slides of the talk
</description>
    </item>
    <item>
      <title>Presentations at LPAR-25</title>
      <link>https://cysec.wien/news/2024-05-26_lpar_2024/</link>
      <description>The International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR) is an academic event dedicated to exploring the latest advancements in automated reasoning, computational logic, programming languages, and their practical applications. This year, SecInt student Sophie Rain received the Best Presentation Award at LPAR-25 for her talk, &amp;ldquo;Scaling CheckMate for Game-Theoretic Security.&amp;rdquo;
The research, conducted by Sophie Rain in collaboration with Lea Salome Brugger, Anja Petković Komel, Laura Kovács, and Michael Rawson, introduces CheckMate, a tool for automating the verification of game-theoretic security properties, with a particular focus on blockchain protocols. By utilizing automated reasoning techniques, CheckMate evaluates whether a game-theoretic protocol model is secure, ensuring Byzantine fault tolerance and incentive compatibility. The presentation detailed CheckMate’s input format, components, modes, and outputs. The tool was benchmarked using 15 different models, including decentralized protocols, board games, and game-theoretic examples.
SecInt student Marton Hajdu presented rewriting techniques based on reduction orderings that generate “just enough” consequences to maintain first-order completeness. This research, co-authored with Laura Kovács and Michael Rawson, focuses on enhancing superposition-based first-order theorem proving by using reduction orderings to generate just enough consequences to preserve first-order completeness. However, gaps were identified when applying this approach to inductive reasoning. As a result, the authors extended the superposition calculus with new rewriting-based techniques that generate the consequences needed to automate induction in saturation, which is crucial for improving reasoning processes.
Marton also contributed to the research &amp;ldquo;Saturating Sorting without Sorts&amp;rdquo;, which addresses the functional correctness of programs using recursive data structures, with a specific focus on sorting algorithms. This work introduces a novel reasoning framework using many-sorted first-order logic to formalize the semantics of recursive programs, incorporating sortedness and permutation properties directly into the first-order formalization. Pamina Georgiou, Marton Hajdu, and Laura Kovács demonstrate the applicability of their framework on recursive sorting algorithms, including Mergesort and Quicksort.
</description>
    </item>
    <item>
      <title>CySec members contribute to S&amp;amp;P 2024</title>
      <link>https://cysec.wien/news/2024-05-21_sp_2024/</link>
      <description>The 45th IEEE Symposium on Security and Privacy (S&amp;amp;P) was held in San Francisco from May 20-22, 2024. Established in 1980, it remains the leading forum for showcasing advancements in computer security and electronic privacy. This year, members of CySec contributed to three presentations at this prestigious event.
Philipp Beer presented &amp;ldquo;Tabbed Out: Subverting the Android Custom Tab Security Model&amp;rdquo;, a paper co-authored with Marco Squarcina, Lorenzo Veronese, and Martina Lindorfer. This pioneering study represents the first systematic security evaluation of Android&amp;rsquo;s Custom Tab component — a widely used component for displaying web content within apps. Their research uncovered significant flaws in the security design of Custom Tabs, posing severe threats to user security and privacy. These flaws could enable malicious applications to extract sensitive browsing data, violate web session integrity, and facilitate phishing attacks. The impact of their findings extends beyond theoretical concerns: following responsible disclosure, Google implemented several mitigations to address the discovered attack vectors. In recognition of their contributions, the researchers received a $10,000 bug bounty. Additionally, their ongoing collaboration with Google has resulted in significant updates to the Chrome Custom Tabs Security FAQ, enhancing clarifications to its security model.
SecInt and SPyCoDe student Simon Jeanteur presented &amp;ldquo;CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model,&amp;rdquo; based on the corresponding published paper. This joint work with other TU Wien researchers, Laura Kovács, Matteo Maffei, and Michael Rawson, introduces the new home-brewed tool, CryptoVampire. This tool breaks new ground in protocol verification by enabling the first fully automated proofs using the innovative Computationally Complete Symbolic Attacker (CCSA) model. This advancement allows for the automatic verification of protocols in a stronger model than was previously possible.
Sebastian Roth contributed to the study &amp;ldquo;Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research,&amp;rdquo; alongside Florian Hantke, Rafael Mrowczynski, Christine Utz, and Ben Stock from CISPA Helmholtz Center for Information Security. This study focuses on server-side scanning (3S) on the Web, a crucial but under-researched area for understanding security and privacy risks online. The research team tackled the complexities and ethical dilemmas associated with large-scale server-side vulnerability investigations that can potentially harm servers, disrupt services, and cause financial and reputational damage.
Roth and his colleagues developed five typical scenarios for 3S and conducted extensive qualitative analysis by interviewing 23 legal experts, members of Research Ethics Committees, and website and server operators, primarily using German law as the framework for their study. The team aimed to identify which types of server-side scans are considered acceptable and which actions might cross ethical &amp;lsquo;red lines.&amp;rsquo; Furthermore, the team proposes best practices for future 3S research and a pre-registration process to address challenges related to the absence of judicial decisions and clear ethical guidelines. This approach aims to establish a more reliable and transparent environment for server-side scanning research, reducing uncertainty for both researchers and operators and fostering a safer web ecosystem.
</description>
    </item>
    <item>
      <title>On Challenges in Defending Against Code Stylometry</title>
      <link>https://cysec.wien/news/2024-06-24_lecture_rieck/</link>
      <description>Talk by Konrad Rieck
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstr. 9-11, Erdgeschoß, Room HEEG02)
Date &amp;amp; Time: 2024-06-24; 16:00 - 17:00
Abstract: Source code often contains subtle stylistic patterns that can be used to identify its developer, an approach known as code stylometry. While a series of research studies has shown that code stylometry can recognize one programmer among hundreds of others, defenses against this approach have received little attention so far. In this talk, we address this research gap from two perspectives. First, we introduce a method for automatically imitating programming styles through semantic-preserving transformations. This method allows us to mislead correct identification and protect developers’ privacy. Second, however, we prove that true anonymity cannot be achieved in this way and that stylistic patterns remain in source code under realistic conditions. Our results thus underscore the need for raising awareness and further research into protecting developers’ privacy.
Bio: Konrad Rieck is a Professor of Computer Science at TU Berlin, where he heads the Chair of Machine Learning and Security within the Berlin Institute for the Foundations of Learning and Data. Additionally, he is a Guest Professor at TU Wien. Previously, Konrad worked at TU Braunschweig, the University of Göttingen, and the Fraunhofer Institute FIRST. His research interests revolve around computer security and machine learning. His group is developing novel methods for detecting computer attacks, analyzing malicious software and discovering security vulnerabilities. Moreover, the group explores the security and privacy of learning algorithms. Konrad is also interested in efficient algorithms for analyzing structured data, such as strings, trees, and graphs. His Erdős number is 3 (Müller → Jagota → Erdős) and his Bacon number is ∞. He is a very distant academic relative of Carl Friedrich Gauß (see here), although this doesn’t help when solving math problems.
</description>
    </item>
    <item>
      <title>TUW secures two Amazon Research Awards</title>
      <link>https://cysec.wien/news/2024-04-26_ara_awards/</link>
<description>The Amazon Research Awards (ARA) offer unrestricted funds and AWS Promotional Credits to academic researchers exploring a range of topics across multiple disciplines. The program aims to fund research that is not only of high scientific quality but also has the potential to make significant contributions to both the research community and wider society. In 2024, 98 recipients from 51 universities in 15 countries were announced as award winners.
Maria Christakis has received an award for her research, &amp;ldquo;Testing Dafny for Unsoundness and Brittleness Bugs,&amp;rdquo; and Laura Kovacs has been recognized for her study, &amp;ldquo;QuAT: Quantifiers with Arithmetic Theories are Friends with Benefits&amp;rdquo;. Both have been honored in the category of Automated Reasoning.
</description>
    </item>
    <item>
      <title>CASA Distinguished Lecture</title>
      <link>https://cysec.wien/news/2024-04-23_lecture_casa_lindorfer/</link>
      <description>The Cluster of Excellence CASA - Cyber Security in the Age of Large-Scale Adversaries is a leading center for pioneering IT security research at Ruhr University Bochum. CASA pursues the clear goal of ensuring that the digital world is sustainably more secure. Prof. Martina Lindorfer delivered a talk titled &amp;ldquo;Shedding Light on Data Collection and Security Issues in Modern Apps&amp;rdquo;.
In her talk, Martina Lindorfer discussed the integral role of mobile phones in our daily lives, emphasizing how we rely on a wide array of apps for everything from communication to shopping, banking, and controlling smart home devices. She highlighted how, in the pursuit of maximizing user experience, apps collect and process an increasing amount of private information. With the rise of IoT devices, users have been surrendering even more private information about their daily lives and habits for the sake of convenience.
Lindorfer pointed out that this private information has become a valuable commodity, with tech monopolies and shadow brokers collecting and aggregating data, not just to provide tailored content, but also for market research and targeted advertising. However, this process remains far from transparent, and our data is not always handled by trustworthy or secure entities. Even well-intentioned developers face challenges when dealing with supply chain issues, such as integrating libraries, external tools, and services.
While existing legislation like the GDPR and CCPA, along with upcoming initiatives like the Cyber Resilience Act, aim to protect consumers from privacy invasions and insecure products, Lindorfer noted that the necessary techniques for automated technical analyses to enforce these laws remain an ongoing challenge.
During her presentation, she shared her team&amp;rsquo;s ongoing research on developing scalable static and dynamic program analysis techniques for modern mobile and web-based apps, including their integration with IoT devices. These efforts enable large-scale measurements to promote transparency and accountability in how apps process and share private information. Lindorfer also addressed recent privacy measures by Apple and Google, which have increased transparency but still lack effective enforcement and accountability in how apps handle data. Finally, she touched on how new app programming paradigms undermine expected security and privacy guarantees.
Video: CASA Distinguished Lecture with Martina Lindorfer
</description>
    </item>
    <item>
      <title>CySec Kick-Off</title>
      <link>https://cysec.wien/news/2024-04-18_kick_off/</link>
      <description> Location: TU Wien, TUtheSky (BA11B09) Date/Time: 2024-04-18 15:00 On April 18, 2024, TU Wien inaugurated its Cybersecurity Center (CySec) with a high-profile event, marking a significant milestone in the field of cybersecurity. The launch attracted a diverse group of influential figures from various university faculties, leading industry representatives, and prominent government agencies. Notable participants included the Federal Chancellery of Austria; the Austrian Federal Ministry of Education, Science and Research (BMBWF); the Ministry of the Interior (BMI); as well as major corporations such as Amazon, Microsoft Research, UniCredit Bank Austria, and TÜV Austria. The event also gathered experts from the National Coordination Center for Cybersecurity, Cyber Security Austria, Competence Center Safe Austria (KSÖ), the Vienna City Administration, the Vienna Science and Technology Fund (WWTF), the Austrian Research Promotion Agency (FFG), the Vienna Business Agency, SBA Research, and the Austrian Institute of Technology. This diverse assembly of researchers, practitioners, and decision-makers shared a common goal: to forge strong collaborations and exchange knowledge to tackle cybersecurity challenges at both the local and global levels.
Co-Director of the Cybersecurity Center, Univ. Prof.in Dipl.-Ing.in Dr.-Ing.in Tanja Zseby
The event was opened by Co-Director of CySec Prof. Tanja Zseby, who highlighted the diversity of stakeholders and expressed optimism about the potential for synergies among these groups to enhance cybersecurity efforts across Austria. She underscored the importance of interdisciplinary collaboration among fields such as electrical engineering, mathematics, informatics, and physics, which she noted as vital for addressing complex cybersecurity challenges. Speaking on behalf of the Dean of the Faculty of Electrical Engineering and Information Technology, Prof. Zseby emphasized the importance of a research focus on network security, particularly on detecting and controlling malware spread and hiding within network traffic. She praised the resilience and dedication of practitioners working under constrained resources and called for increased collaboration between academia and industry to enhance security measures.
Vice Rectorate Digitalisation and Infrastructure, Univ. Prof. Dipl.-Ing. Dr.techn. Wolfgang Kastner
Prof. Wolfgang Kastner, Vice Rector for Digitalisation and Infrastructure, welcomed the participants on behalf of the Rectorate and emphasized the alignment of the CySec launch with TU Wien&amp;rsquo;s strategic goals. He outlined three primary objectives for the center: enhancing interdisciplinary exchanges within academia and industry, strengthening educational pathways to address the shortage of cybersecurity experts, and increasing societal awareness about cybersecurity through outreach activities. Prof. Kastner also highlighted the importance of integrating TU Wien’s IT security staff into innovative practices to align the administration with the center&amp;rsquo;s objectives. He stressed the collective responsibility of advancing cybersecurity initiatives at the university.
Dean of the Faculty of Informatics, O. Univ. Prof.in Dipl.-Ing.in Mag.a Dr.in techn. Gerti Kappel
Dean of the Faculty of Informatics at TU Wien, Prof. Gerti Kappel, highlighted the significant impact of cybersecurity across economic, political, and private spheres, emphasizing its role in protecting liberal democratic values through data protection, privacy, data sovereignty, and transparency. She outlined the critical contribution of the Faculty of Informatics to major research areas, including artificial intelligence and cybersecurity, and called for increased interdisciplinary collaboration and resources to enhance the university&amp;rsquo;s response to the dynamic challenges in information security. Prof. Kappel also stressed the need for comprehensive security measures across hardware, software, and systems, and advocated for ongoing expansion in areas like risk management and quantum cryptography to foster continual innovation and adaptation in cybersecurity practices.
Co-Director of the Cybersecurity Center, Univ. Prof. Dr. Matteo Maffei
At the presentation of the TUW Cybersecurity Center, Co-Director Prof. Matteo Maffei introduced the center, emphasizing its role as an inter-faculty hub designed to address complex challenges in today’s digital society through interdisciplinary research. Established in June 2023, the center unites expertise from various faculties including informatics, electrical engineering, physics, statistics, and architecture. It comprises 22 faculty members and about 150 researchers, including PhD students and postdocs. The center’s mission is to enhance and leverage the existing capabilities at TU Wien to establish it as a global leader in cybersecurity research, education, and societal outreach. CySec has already achieved significant milestones, notably in addressing the global shortage of IT and cybersecurity professionals. TU Wien has established a comprehensive educational pipeline from bachelor to PhD levels, designed to attract students worldwide who are interested in specializing in cybersecurity.
Additionally, CySec is engaged in educational initiatives at school levels, aiming not only to raise cybersecurity awareness among children but also to equip teachers with the necessary resources to effectively educate students about security.
TU Wien measures its research excellence not just by prestigious grants and academic publications but also by the societal impact of its research. Currently, the center manages around 16 million euros in funding, primarily used to support the salaries of its students and postdocs, thus significantly contributing to the local economy. CySec&amp;rsquo;s research has led to substantial real-world applications, improving the security of daily transactions involving major cryptocurrencies and decentralized finance systems. For instance, the center has developed protocols that strengthen the security of smart contracts and web security standards, which are implemented globally across millions of contracts and numerous web platforms. Other prominent research focuses on fortifying the infrastructure against cyber threats, thereby safeguarding mobile and IoT devices.
Prof. Dr. Byron Cook, Vice President and Distinguished Scientist at Amazon AWS
Prof. Dr. Nikolaj Bjorner, Partner Researcher at Microsoft Research
In the keynote &amp;ldquo;The Business of Proof,&amp;rdquo; Prof. Byron Cook of Amazon AWS explored how formal methods enhance system reliability and security, emphasizing their commercial value. Following him, Prof. Nikolaj Bjorner from Microsoft Research discussed in &amp;ldquo;Formal Methods at Microsoft: Secure and Reliable Programs for Everyone, Everywhere&amp;rdquo; how these methods help develop secure, reliable software globally. Both presentations highlighted the critical role of formal methods in improving software standards at major tech companies like Amazon and Microsoft.
Participants in the panel discussion explored various existing collaborations with TUW CySec and discussed ways to further bridge the gap between the scientific community and the business sector.
Stephanie Jakoubi, Managing Board at SBA Research, and Andreas Köberl, Managing Director of TÜV TRUST IT TÜV AUSTRIA GmbH
Stephanie Jakoubi from SBA Research detailed how CySec is actively collaborating with SBA Research and Women for Cyber to organize events, mentoring workshops, and training sessions, with a specific emphasis on developing female cybersecurity specialists. Andreas Köberl from TÜV Austria highlighted a successful partnership with TUW, which led to the creation of the S3 Safety Security Systems Lab. He noted this lab facilitates close cooperation with the scientific community from various industries and supports students, particularly PhD candidates.
Joe Pichlmayr, CEO IKARUS, Managing Director of CSA
Joe Pichlmayr (IKARUS Security Software) spoke about the benefits of long-term collaborations and expressed hope for establishing more sustainable initiatives that could significantly impact society in Austria, across Europe, and globally. He emphasized a common focus on developing a capacity-building program to inspire and train young people, educators, and trainers in cybersecurity. CySec and Cyber Security Austria are already working in this direction and are jointly organizing the Austrian Cyber Security Challenge, a leading IT security competition for students, and leading the Austrian team in the European Cyber Security Challenges.
Daniele Sangion, CISO/CSO at UniCredit Bank Austria
Daniele Sangion from UniCredit Bank Austria, in his speech, focused particularly on the significance of the threats we are facing and the global risks. The expected losses due to cybercrime are projected to incur a global cost of 10.5 trillion dollars.
Amidst escalating misinformation, particularly related to AI, cybersecurity vulnerabilities, technological risks, and increasing losses due to cybercrime, coupled with a shortage of security experts, he underlined the urgent need for a collective effort and international collaboration to comprehensively tackle cybersecurity challenges. Hanna Wilhelmer from the Federal Chancellery of Austria outlined key challenges in cybersecurity from a policy angle during her presentation. She discussed the importance of raising awareness, defining Europe&amp;rsquo;s role in cybersecurity development, capacity building, and enhancing community and expert engagement. Wilhelmer detailed the function of the National Coordination Centre for Cybersecurity (NCC) and emphasized the need for an integrated approach and robust public-private partnerships, particularly involving the European Cybersecurity Competence Center. Wilhelmer concluded her speech by highlighting forthcoming opportunities in the Horizon Europe program, specifically mentioning significant research funding available for areas like post-quantum cryptography and tracking cryptocurrency transactions linked to criminal activities. She encouraged the audience, especially PhD students and researchers, to use the resources provided by the Austrian Research and Promotion Agency to craft project proposals and establish collaborations for European funding programs, with the ultimate aim of strengthening Europe’s cybersecurity framework.
Hanna Wilhelmer, Project Lead at the Federal Chancellery of Austria
In a compelling discussion, speakers underscored the crucial role of universities in imparting cybersecurity knowledge to a broader audience spanning industry and the public sector. They called for heightened cybersecurity awareness among top executives across various domains, including government and private sectors, labeling it a critical step toward wider cybersecurity integration. The dialogue further delved into the necessity for progressive educational strategies to address the rapidly evolving challenges posed by new technologies and emerging threats. Participants stressed the value of critical thinking and the adoption of a zero-trust security model, advocating for a departure from traditional methods in favor of more creative solutions. Additionally, the discussion acknowledged that cybersecurity involves more than just technical skills—it also demands effective communication and stringent risk management. The consensus among the speakers highlighted the significance of CySec’s interdisciplinary strategy, which not only concentrates on advanced research but also endeavors to close gaps in the comprehension and practical application of cybersecurity. This strategy is designed to ensure that all involved parties fully grasp the need for thorough cybersecurity practices, ultimately boosting the resilience of both societal structures and business ecosystems against cyber threats.
</description>
    </item>
    <item>
      <title>How evil is Google really?</title>
      <link>https://cysec.wien/news/2024-04-22_wz_interview_lindorfer/</link>
      <description>The article &amp;ldquo;Wie böse ist Google wirklich?&amp;rdquo; (How evil is Google really?) in &amp;ldquo;Wiener Zeitung&amp;rdquo; by Mathias Ziegler explores the dominance of Google in the search engine market over the past 25 years, highlighting its significant market share and the challenges this poses for competition. Since its beta phase ended in 1999, Google quickly became a global leader in search technology, significantly influencing how we access information online.
Prof. Martina Lindorfer and Prof. Stefan Neumann commend Google&amp;rsquo;s effectiveness in delivering accurate search results and its superior mapping service. Martina acknowledges, &amp;lsquo;Google delivers the best results because of its market dominance,&amp;rsquo; yet she expresses a personal conflict between using Google for its efficiency and opting for privacy-focused, open-source alternatives like DuckDuckGo. Lindorfer criticizes Google for displaying boxes in search results that contain content it does not own, which deters users from visiting the original websites, thus adversely affecting those sites’ revenues, particularly media outlets.
The article discusses Google&amp;rsquo;s dominance in the tech industry, which is attributed to its ability to absorb competition and integrate various technologies into its ecosystem. The EU&amp;rsquo;s initiative to establish a European search index as an alternative to Google underscores the significant financial investment required. Google&amp;rsquo;s investments in education and non-profits, although beneficial, are partly strategic, aimed at cultivating a workforce that benefits its operations. Concerns are raised about Google&amp;rsquo;s potential influence on academic research, suggesting that its funding could compromise the integrity of scientific studies. Martina emphasizes that this contrasts with public universities’ goal of serving the public interest, highlighting a fundamental difference in objectives between corporate and academic research.
The European Union has introduced regulations like the Digital Services Act and the Digital Markets Act to foster competition, particularly on mobile devices, but deeply rooted power structures make significant changes uncertain. Google’s strategy includes substantial financial investments to remain the default search engine across various platforms, further solidifying its market position.
Data privacy concerns are also discussed, with Google’s collection of user data, even in private browsing modes, highlighted as problematic. The integration of commercial and non-commercial search results and the influence of Google’s advertising business on search outcomes are critiqued.
</description>
    </item>
    <item>
      <title>CySec supports Bebras Challenge</title>
      <link>https://cysec.wien/news/2024-04-08_ethical_hacking_workshop/</link>
      <description>Since 2007, the TU Wien Informatics eduLAB, in collaboration with the Austrian Computer Society, has been hosting the Bebras Challenge (&amp;ldquo;Biber der Informatik&amp;rdquo;) for all Austrian school students from grades 3 to 12. The Bebras initiative is a global effort dedicated to fostering interest in Informatics and developing computational thinking skills of school students. These skills involve employing problem-solving strategies and techniques similar to those used by software engineers in programming and app development.
This week, TUW CySec experts Carlotta Tagliaro and Marco Squarcina lent their support to this initiative, bringing their passion and expertise in Capture The Flag (CTF) competitions to the forefront. They guided the students through a series of practical challenges, demonstrating how to think like a hacker. Students of varying ages gained insights into how TU Wien is preparing the next generation of IT security professionals and had the opportunity to have all their questions answered. We are optimistic that such enlightening workshops will become a regular feature of our educational offerings.
You can access the slides via this link
</description>
    </item>
    <item>
      <title>Context-aware Trace Contracts</title>
      <link>https://cysec.wien/news/2024-03-26_lecture_h%C3%A4hnle/</link>
      <description>Talk by Reiner Hähnle
Location: TU Wien, FAV Hörsaal 1 Helmut Veith (Favoritenstr. 9-11, Erdgeschoß, Room HEEG02)
Date &amp;amp; Time: 2024-03-26; 13:00 - 14:00
Abstract: The behavior of concurrent, asynchronous procedures depends in general on the call context, because of the global protocols that govern scheduling. This context cannot be specified with the state-based Hoare-style contracts common in deductive verification. Recent work generalized state-based to trace contracts, which permit specifying the internal behavior of a procedure, such as calls or state changes, but not its call context. In this talk we discuss a program logic of context-aware trace contracts for specifying global behavior of asynchronous programs. We also provide a sound proof system that addresses two challenges: First, to observe the program state not merely at the end points of a procedure, we introduce the novel concept of an observation event. Second, to combat combinatorial explosion of possible call sequences of procedures, we adapt Liskov’s principle of behavioral subtyping to the analysis of asynchronous calls.
This is a joint work with Eduard Kamburjan (U Oslo) and Marco Scaletta (TU Darmstadt).
Bio: Reiner Hähnle is Professor in Software Engineering at the Computer Science Department of TU Darmstadt. He has wide-ranging interests in the formal foundations of software design, of programming languages, and of quality assurance by verification. He is co-initiator of the KeY project that maintains the well-known, eponymous Java verification tool and he is co-designer of the active object language ABS. He is co-founder of the Tableaux and IJCAR conference series and currently SC Chair of FASE. Notably, he was the first ever Wine Chair of an international Computer Science conference at ECOOP 2014.
</description>
    </item>
    <item>
      <title>Austria Cyber Security Challenge 2024</title>
      <link>https://cysec.wien/news/2024-03-18_acsc_2024/</link>
<description>The qualifying rounds for this year&amp;rsquo;s Austria Cyber Security Challenge (ACSC) will start in a few days. A kickoff event is scheduled for March 16th from 2 p.m. to 4 p.m. at TUW and on Discord, aimed at providing participants with crucial insights into the competition&amp;rsquo;s rules and conditions, ensuring they are well-prepared for the challenges ahead.
ACSC 2024 introduces a new modus operandi. Starting from March 18th, pupils, apprentices, and students can qualify for the final of ACSC 2024 in two age-graded categories. Anyone over 25 who is interested has the chance to compete for the Austrian national championship in the open class. The ACSC 2024 qualification will be structured into three distinct rounds, each lasting roughly a week:
Round 1: March 18th to 24th
Round 2: April 22nd to 28th
Round 3: May 13th to 19th
Participants can register at: https://verbotengut.at/anmeldung/
As in previous years, we will maintain a dedicated Discord channel for real-time queries about the qualification process and specific tasks.
This year, the qualification challenges are drawn from the openECSC2024 competition, which sees concurrent participation from across Europe. These challenges are designed to cater to a broad spectrum of participants, from newcomers to highly skilled competitors, and will vary in difficulty. Expect the complexity of tasks to incrementally increase with each round, starting from relatively simpler challenges in Round 1 to more demanding ones in the final round.
The top 20 school pupils, 20 students, and 21 open class competitors will secure a place in the mid-September ACSC finals in Vienna. Additionally, those who excel at a European level will earn an invitation to join Team Austria for the ECSC2024 finals in Turin, Italy, showcasing their qualifying prowess.
In an enlightening conversation with &amp;ldquo;futurezone&amp;rdquo;, Marco Squarcina, the coach of Team Austria for the European Cyber Security Challenge (ECSC), shared his insights on the invaluable learning opportunities presented by the ACSC. He highlighted the diversity of skills that participants are required to master, ranging from web security, binary exploitation, cryptography, to reverse engineering. Marco emphasized the unique learning experience that encourages participants to concentrate on the vital components of systems or applications, to embrace the unknown, withstand pressure, and think on their feet. In his opinion, the competencies participants develop are not only pivotal within the cybersecurity industry but are also in high demand from companies. Moreover, he pointed out that the event serves as &amp;ldquo;an exceptional platform to connect with like-minded individuals and possibly forge new friendships.&amp;rdquo;
Read the full interview with Marco Squarcina and Manuel Reinsperger on futurezone at “ACSC 2024: Diese Tipps geben Profis den Nachwuchs-Hackern”
</description>
    </item>
    <item>
      <title>ORF DOK1 Experiment on Hypothetical Internet Outage</title>
      <link>https://cysec.wien/news/2024-02-21_orf_interview_fabini/</link>
      <description>ORF DOK1 conducted a thought experiment to investigate, with tangible examples, the extent to which the Internet and various digital applications are woven into the fabric of our daily lives, and how a large-scale Internet outage could impact us. Hanno Settele and his team delved into this inquiry by examining scenarios involving the Vienna rescue team, the A1 Telekom data center, and REWE&amp;rsquo;s essential food supply chain. The investigation highlighted global consequences, such as how the digital breakdown of a port operator in Australia impacted its partner company, Cargo Partners, halfway across the globe in Fischamend. Another case study examined how a cyberattack immobilized the Austrian crane manufacturing company Palfinger, affecting all its international production sites for days.
TUW Senior Scientist Joachim Fabini, along with other experts, shared insights on the benefits and hazards associated with our digital society. He pointed out the inherent complexity of the systems—both hardware and software in use—underscoring the inevitability of errors. Considering the omnipresent risk of failures, society must prepare for possible outcomes, with experts diligently working to mitigate such incidents.
The film is available on the ORF website.
</description>
    </item>
    <item>
      <title>Collaboration with Women4Cyber</title>
      <link>https://cysec.wien/news/2023-12-15_women4cyber/</link>
      <description>The Cybersecurity Center has joined the Women4Cyber Foundation initiative to promote, encourage, and support the active involvement of women in the field of cybersecurity. As part of our commitment to increasing female participation in cyber challenges and exercises, providing assistance to female students and academics pursuing technical studies, and supporting career planning in academia and business, we have collaborated with Women4Cyber Austria, SBA Research, and Cybersecurity Austria (CSA) to organize a series of seminars.
On December 15, 2023, Marco Squarcina led the inaugural training session titled &amp;ldquo;Web Security Basics: A Glimpse Behind the Scenes of Websites.&amp;rdquo; The seminar covered topics such as the cursed web, the anatomy of web infrastructures, threat modeling, server-side security (command injection, SQL injection), client-side security (XSS, CSRF, session fixation), and provided resources and takeaways for all participants. Magdalena Solitro, a PhD student at TUW and a member of the SpyCoDe project, complemented the lecture with live demonstrations of SQL injection. Together with Sarah Nöbauer and Xenia Indra, who shared their experiences of entering the field of cybersecurity and of competing in the European Cybersecurity Challenge as part of Austria&amp;rsquo;s team, they served as role models for successful women in IT security.
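As an added illustration of the SQL injection demonstration mentioned above (example code written for this page, not the seminar's own material), the following Python snippet builds an in-memory SQLite database with constructed sample users, shows a login query assembled by string formatting that an attacker can bypass with a quote and a comment marker, and the parameterised query that fixes it. Passwords are stored in clear text only to keep the injection visible; a real application stores salted password hashes.

```python
import sqlite3


def setup_db():
    """Constructed sample data for the demo; not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Assembles the query by string formatting.

    User input becomes part of the SQL text, so quotes and comment markers in
    the username are interpreted as syntax rather than as data.
    """
    query = (
        "SELECT role FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the input as parameters; SQLite never parses it as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both versions against the classic comment-out payload."""
    conn = setup_db()
    payload = "alice' --"   # closes the string literal, comments out the password check
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # 'admin': check bypassed
        "safe": login_safe(conn, payload, "wrong"),               # None: no such user
    }
```

The payload turns the WHERE clause into `username = 'alice' --' AND password = 'wrong'`, so the password comparison is commented away and the attacker is logged in as the admin user. With bound parameters the same string is looked up literally as a username, matches nothing, and the login fails.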
Read also: “If They Got into Cybersecurity – So Can You!”
</description>
    </item>
    <item>
      <title>Post-Quantum Security</title>
      <link>https://cysec.wien/news/2023-12-13_lecture_leymann/</link>
      <description>Talk by Frank Leymann
Location: TU Wien, FAV Hörsaal 1 (Favoritenstr. 9-11, Erdgeschoß, Room HEEG02)
Date &amp;amp; Time: 2023-12-13; 13:00 - 15:00
Abstract: We recall the underpinnings of classical encryption, factorization and elliptic curves, and their relation to discrete logarithms. After very briefly sketching the key resources of quantum computing, Shor’s algorithm is revealed to solve the discrete logarithm problem. Thus, quantum computing is jeopardizing today’s cryptographic infrastructure.
Lattice-based cryptography is introduced, and a brief overview on Dilithium and Kyber is given. These two algorithms are believed to be quantum safe, i.e. they promise to resist attacks by quantum (as well as classical) algorithms. While Dilithium and Kyber are already being standardized, a broad understanding of the above security threats is missing in industry. A sketch of activities of major industry players closes the talk.
Bio: Frank Leymann is the first Kurt Gödel Visiting Professor and an honorary professor at TU Wien. He studied Mathematics, Physics, and Astronomy at the University of Bochum, Germany. After receiving his master&amp;rsquo;s degree in 1982, he obtained his PhD in Mathematics in 1984. Afterwards, he joined IBM Research and Development and worked for two decades for the IBM Software Group.
In 2004, Frank Leymann was appointed as a full professor of computer science at the University of Stuttgart, where he founded the Institute of Architecture of Application Systems and serves as its director. His research interests encompass middleware in general, pattern languages, and cloud computing, with a current strong focus on quantum computing.
Frank is an elected member of the Academy of Europe (Academia Europaea). He has published numerous papers in journals and proceedings, co-authored four textbooks, and holds more than 70 patents, especially in the area of workflow management and transaction processing. He has served on steering, program and organization committees of many international conferences, and is associate editor of several journals.
From 2006 to 2011, he was a member of the scientific directorate of Schloss Dagstuhl (Leibniz Center of Computer Science). In 2019, he was appointed as a Fellow at the Center of Integrated Quantum Science and Technology (IQST), and in 2020 he was appointed as Member of the Expert Council for Quantum Computing of the German Government.
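As an added example (written for this page, not material from the talk or from the Kyber or Dilithium specifications), the following Python code implements the textbook LWE public-key scheme that lattice-based cryptography builds on: the public key is a set of noisy linear equations in a secret vector, and the small noise is what prevents recovering the secret with linear algebra. Kyber uses a structured module-LWE variant with carefully chosen parameters; the parameters here are toy values picked only so that decryption always succeeds, and they offer no security.

```python
import random

# Toy parameters: secret dimension, number of public samples, modulus.
# Chosen so that the accumulated noise (at most M) stays below Q/4 and
# decryption is always correct; they are far too small to resist any attack.
N, M, Q = 8, 32, 257


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def keygen(rng):
    """Secret s; public key (A, b) with b = A*s + e mod Q, noise e in {-1, 0, 1}."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(dot(row, s) + err) % Q for row, err in zip(A, e)]
    return s, (A, b)


def encrypt(pk, bit, rng):
    """Sum a random subset of the public samples; hide the bit in the high half of Q."""
    A, b = pk
    subset = [i for i in range(M) if rng.randrange(2) == 1]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v


def decrypt(s, ct):
    """v - dot(u, s) equals (sum of subset noise) + bit*Q/2 mod Q.

    With at most M noise terms of magnitude 1 and M below Q/4, the value lies
    near 0 for bit 0 and near Q/2 for bit 1; rounding to the nearest multiple
    of Q/2 recovers the bit.
    """
    u, v = ct
    d = (v - dot(u, s)) % Q
    return round(2 * d / Q) % 2


def roundtrip(seed=1, trials=50):
    """Encrypt and decrypt both bit values repeatedly; True if every result agrees."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return all(decrypt(s, encrypt(pk, bit, rng)) == bit
               for _ in range(trials) for bit in (0, 1))


def decrypt_with_wrong_key(seed=1, trials=50):
    """Without s the ciphertext is just another noisy equation: an unrelated key
    decrypts to the right bit about half the time, i.e. no better than guessing.
    Returns the fraction of correct decryptions."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    s_wrong, _ = keygen(rng)
    hits = sum(decrypt(s_wrong, encrypt(pk, bit, rng)) == bit
               for _ in range(trials) for bit in (0, 1))
    return hits / (2 * trials)
```

The construction shows where the hardness lives: an attacker who sees (A, b) must solve a system of linear equations that is correct only up to small errors, which is the LWE problem, and neither Shor's algorithm nor any other known quantum algorithm gives a polynomial-time solution for it.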
</description>
    </item>
    <item>
      <title>Elastic SNARKs for Diverse Environments</title>
      <link>https://cysec.wien/news/2023-12-01_lecture_orru/</link>
      <description>Talk by Michele Orrù
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11)
Or join online: Zoom
Date &amp;amp; Time: 2023-12-01; 14:00 - 15:00
Abstract: We introduce and study elastic SNARKs, a class of proofs where the prover can select different time and memory tradeoffs, depending on the execution environment and the proved statement. The output proof is independent of the chosen configuration. We construct an elastic SNARK for rank-1 constraint satisfiability (R1CS). In a time-efficient configuration, the prover uses a linear number of cryptographic operations and a linear amount of memory. In a space-efficient configuration, the prover uses streaming algorithms and a quasilinear number of cryptographic operations with a logarithmic amount of memory. A key component of our construction is an elastic probabilistic proof. Along the way, we also formulate a streaming framework for R1CS that we deem of independent interest. We additionally contribute Gemini, a Rust implementation of our protocol. Our benchmarks show that Gemini, on a single machine, supports R1CS instances with tens of billions of constraints.
Bio: Michele Orrù is a CNRS research scientist at Sorbonne Université. Previously, he was at UC Berkeley as a research scholar. He obtained his PhD from École Normale Supérieure, and his MSc in mathematics from the University of Trento. His research focuses on building authentication mechanisms that preserve user anonymity. He works on improving the efficiency and security of zero-knowledge proofs, lightweight anonymous credential systems, and confidential transactions. In the past, Michele has contributed to Python, Debian, and Tor. He co-designed GlobaLeaks, an open-source whistleblowing platform now translated into more than 90 languages and used by more than 300 organizations. Additionally, he co-authored the cryptography behind Google&amp;rsquo;s Trust Tokens. Currently, he is actively involved in maintaining the arkworks.rs algebra crate.
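To make the R1CS statement form from the abstract concrete, here is an added example (written for this page; it is not code from Gemini or arkworks). A rank-1 constraint system is three matrices A, B, C over a prime field, and a vector z satisfies it when, for every row i, (A_i·z)·(B_i·z) = C_i·z. The constructed instance below encodes the statement "I know x such that x^3 + x + 5 = out" in three constraints, with the prover's extended witness holding the intermediate products. The field modulus P = 101 is a toy choice; a real SNARK uses a cryptographically large prime.

```python
P = 101   # toy prime field; real systems use a prime of roughly 256 bits


def dot(row, z, p=P):
    return sum(a * b for a, b in zip(row, z)) % p


def r1cs_violations(A, B, C, z, p=P):
    """Indices of constraints i where (A_i*z)*(B_i*z) != C_i*z over F_p.
    An empty list means z satisfies the system."""
    return [i for i, (a, b, c) in enumerate(zip(A, B, C))
            if dot(a, z, p) * dot(b, z, p) % p != dot(c, z, p)]


# Constructed instance: "I know x with x^3 + x + 5 = out".
# Variable vector z = [1, x, out, v1, v2] with v1 = x*x and v2 = v1*x.
# Row 0:  x  * x  = v1
# Row 1:  v1 * x  = v2
# Row 2: (v2 + x + 5) * 1 = out
A = [[0, 1, 0, 0, 0],
     [0, 0, 0, 1, 0],
     [5, 1, 0, 0, 1]]
B = [[0, 1, 0, 0, 0],
     [0, 1, 0, 0, 0],
     [1, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0],
     [0, 0, 0, 0, 1],
     [0, 0, 1, 0, 0]]


def witness(x, p=P):
    """The prover's extended witness for secret input x: the public output plus
    the intermediate values that make every constraint rank-1."""
    v1 = x * x % p
    v2 = v1 * x % p
    out = (v2 + x + 5) % p
    return [1, x, out, v1, v2]


def check(x):
    """Returns (out, violations) for the witness derived from x."""
    z = witness(x)
    return z[2], r1cs_violations(A, B, C, z)
```

A SNARK prover convinces a verifier that such a z exists without revealing it; the elastic prover in the talk changes how much time and memory that proof costs to produce, not what it proves. Tampering with a single intermediate value breaks every constraint that reads it, which is what `r1cs_violations` reports.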
</description>
    </item>
    <item>
      <title>Researchers from TUW contribute to ACM CCS 2023</title>
      <link>https://cysec.wien/news/2023-11-29_ccs_2023/</link>
      <description>TUW researches actively contributed to the ACM Conference on Computer and Communications Security (CCS) held in Copenhagen, Denmark, from November 26 to 30, 2023. This conference serves as the annual flagship event of the Special Interest Group on Security, Audit, and Control (SIGSAC) within the Association for Computing Machinery (ACM), attracting information security researchers, practitioners, developers, and users worldwide to explore cutting-edge ideas and results.
During November 27-29, the conference featured the presentation of the following research contributions:
CheckMate: Automated Game-Theoretic Security Reasoning authored by Lea Salome Brugger, Laura Kovács, Anja Petković Komel, Sophie Rain, and Michael Rawson, all from TUW, presented in the track &amp;ldquo;Formal Methods and Programming Languages.&amp;rdquo; CheckMate is a framework designed for automated game-theoretic security analysis, with a specific emphasis on blockchain technologies. The framework proves protocol security through defense strategies or identifies all possible attack vectors. In cases where protocols are deemed insecure, CheckMate provides the weakest preconditions for achieving security, if possible. CheckMate implements a sound and complete encoding of game-theoretic security in first-order linear real arithmetic, thereby reducing security analysis to satisfiability solving. Additionally, it automates the efficient handling of case splitting on arithmetic terms.
Let’s Go Eevee! A Friendly and Suitable Family of AEAD Modes for IoT-to-Cloud Secure Computation by Amit Singh Bhati (KU Leuven, Belgium), Erik Pohle (KU Leuven, Belgium), Aysajan Abidin (KU Leuven, Belgium), Elena Andreeva (TUW), Bart Preneel (KU Leuven, Belgium) in the track: “Applied Cryptography”. Eevee, a novel and provably secure family of lightweight modes designed for authenticated encryption with associated data, was presented. The Eevee family boasts fully parallel decryption, making it well-suited for multi-party computation (MPC) protocols in which the round complexity depends on the function they compute. Moreover, the modes leverage the lightweight forkcipher primitive, characterized by fixed-length output expansion and a compact yet parallelizable internal structure. All Eevee members exhibit substantial improvements over the limited selection of state-of-the-art MPC-friendly modes and other standard solutions.
IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis by David Schmidt (TUW), Carlotta Tagliaro (TUW), Kevin Borgolte (Ruhr University Bochum, Germany) and Martina Lindorfer (TUW) in the track “Network Security”. IoTFlow is introduced as a novel static analysis approach for IoT devices, utilizing their mobile companion apps to tackle challenges related to diversity and scalability. It combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it.
</description>
    </item>
    <item>
      <title>Individualized cybersecurity research mentoring</title>
      <link>https://cysec.wien/news/2023-11-26_imentor_2023/</link>
      <description>Martina Lindorfer, an associate professor at TU Wien and a key researcher at SBA Research, joined as a speaker for the iMentor Workshop.
The iMentor Workshop is dedicated to attracting, mentoring, and providing career guidance to early-stage graduate students from underrepresented communities who aspire to pursue a career in computer security. Attendees also have the opportunity to participate in the main ACM CCS conference, which serves as a premier platform for the rapid and extensive dissemination of groundbreaking research outcomes in the fields of computer and communications security.
Martina gave a talk titled &amp;ldquo;IoTFlow the Making-Of: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis.&amp;rdquo; Using the preparation of her article presented at ACM CCS 2023 as an example, she shared with the iMentor cohort the behind-the-scenes journey of the IoTFlow paper — from its initial conception to the different iterations and revisions it underwent.
Abstract: The number of “smart” devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as other software and hardware. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques or developing new approaches that are sufficiently general is challenging though. Contrary to other platforms, the IoT ecosystem features various software and hardware architectures.
We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. We analyzed 9,889 manually verified companion apps with IoTFlow to understand and characterize the current state of security and privacy in the IoT ecosystem. We discovered various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.
</description>
    </item>
    <item>
      <title>Do You Trust Your Wallet? Analyzing the Privacy Risks of Web3 Wallets.</title>
      <link>https://cysec.wien/news/2023-11-24_lecture_torres/</link>
      <description>Talk by Christof Ferreira Torres
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11)
Date &amp;amp; Time: 2023-11-24; 14:00 - 15:00
Abstract: Blockchains are complex decentralised systems that can be divided into different layers such as peer-to-peer networking, consensus protocols, smart contracts, wallets, etc. In this talk, I will focus on the privacy aspects of Web3 wallets. With the recent hype around the Metaverse and NFTs, Web3 is getting more and more popular. The goal of Web3 is to decentralize the web via decentralized applications. Wallets play a crucial role as they act as an interface between these applications and the user. Wallets such as MetaMask are being used by millions of users nowadays. Unfortunately, Web3 is often advertised as more secure and private. However, decentralized applications as well as wallets are based on traditional technologies, which are not designed with privacy of users in mind. In this talk, we will analyze the privacy implications that Web3 technologies such as decentralized applications and wallets have on users. To this end, I will present a framework that measures exposure of wallet information. Using this framework, we studied whether information about installed wallets is being used to track users online. First, we analyzed the top 100K websites and found evidence of 1,325 websites running scripts that probe whether users have wallets installed in their browser. Second, we measured whether decentralized applications and wallets leak the user’s unique wallet address to third-parties. We intercepted the traffic of 616 decentralized applications and 100 wallets and found over 2000 leaks across 211 applications and more than 300 leaks across 13 wallets. Our study shows that Web3 poses a threat to users’ privacy and that we require new designs towards more privacy-aware wallet architectures.
Bio: Christof Ferreira Torres is a postdoctoral researcher at ETH Zurich. He is part of the Secure &amp;amp; Trustworthy Systems Group led by Prof. Dr. Shweta Shinde. His research focuses on analyzing the security and privacy of distributed ledgers. He obtained a joint Ph.D. in computer science from the University of Luxembourg and the Technical University of Munich. His Ph.D. thesis focuses on the automated security assessment of smart contracts. He received the Excellent Doctoral Thesis award from the University of Luxembourg and Ripple’s Impact award for his research on the security of smart contracts. Prior to his Ph.D., he worked as a security researcher at the Fraunhofer Institute for Applied and Integrated Security (AISEC) near Munich, Germany.
</description>
    </item>
    <item>
      <title>Austrian team at European Cyber Security Challenge 2023</title>
      <link>https://cysec.wien/news/2023-10-24_european_cyber_security_challenge_2023/</link>
      <description>Marco Squarcina, a Senior Scientist at TU Wien Informatics&amp;rsquo; Security and Privacy Research Unit, is coaching the Austrian team for the European Cyber Security Challenge (ECSC) 2023.
This year&amp;rsquo;s ECSC is scheduled from October 24 to 27 in Hamar, Norway, with 28 European countries participating and 7 international guests, including Canada, Singapore, and the US. This annual event is hosted by the European Union Agency for Cybersecurity (ENISA).
With 14 years of experience in cybersecurity competitions, Marco believes they are an excellent way for participants to learn, develop, and network. He previously coordinated the ECSC in Vienna and is currently preparing the Austrian team for the 2023 Challenge. The European competition is the culmination of a rigorous selection process. Team members are chosen from participants in the Austrian Cyber Security Challenge (ACSC), a national competition open to all Austrian residents aged 14 to 25. Consequently, the Austrian team comprises 10 players selected based on their skills, motivation, and dedication. Notably, four team members, Matthias Monschein, Georg Felber, Lea Holter, and Manuel Reinsperger, are currently students at TU Wien Informatics.
Marco is a strong advocate for using CTF-like competitions as an educational tool at TU Wien Informatics. This concept is now integrated into the new cybersecurity bachelor specialization, where students are not only encouraged to participate in ethical hacking competitions but also tasked with organizing their own Capture The Flag events. Moreover, TU Wien plays a pivotal role in coordinating the Austrian Cyber Security Challenge (ACSC) and is dedicated to establishing Vienna as a prominent European hub for students seeking to launch their careers in IT security. The university provides a range of educational programs at all levels of higher education, including bachelor&amp;rsquo;s, master&amp;rsquo;s, and PhD, featuring an extensive selection of specialized courses. Lastly, the local CTF team, WE_0WN_Y0U, is a collaborative effort between individuals from TU Wien, SBA Research, and Uni Wien, continuing activities initiated in their lectures.
For the full interview with Marco Squarcina, visit the TUW Informatics website.
</description>
    </item>
    <item>
      <title>TUW Team Explores Web Security</title>
      <link>https://cysec.wien/news/2023-08-09_usenix_blackhat_itsp_molecon_2023/</link>
      <description>Marco Squarcina from TU Wien&amp;rsquo;s Institute for Logic and Computation shared findings on Internet security at the 32nd USENIX Security Symposium (August 9–11, 2023, Anaheim, CA, USA) and BlackHat USA 2023 (August 5-10, 2023, Mandalay Bay / Las Vegas). The research highlighted significant security gaps related to the challenges of maintaining backward compatibility and the complexities of multiple components and parties involved in web development, delivery, and operations.
The study focused on weaknesses in HTTP cookies, revealing long-standing issues with their confidentiality and integrity. The growing complexity of code, the use of frameworks, and the intricate interaction between browsers and server-side applications were identified as sources of new vulnerabilities.
The investigation covered real-world implications, demonstrating how supposedly robust security measures could be circumvented, leaving web applications exposed to session-integrity threats such as session fixation and cross-origin request forgery. Following the authors&amp;rsquo; responsible disclosure and proposed practical mitigations, the most significant gaps around the discovered problems have since been closed. However, Marco Squarcina emphasized in his interview that certain risks persist. This is one of the topics Marco will cover at m0leCon 2023.
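As an added illustration of the session-fixation class mentioned above (example code written for this page; it is not code from the paper or the talk), the following Python model shows why a server that authenticates the user into whatever session identifier the browser already presents can be hijacked by an attacker who planted that identifier earlier, and how issuing a fresh identifier at login closes the hole. `SessionStore` and the two login functions are hypothetical stand-ins for a framework's session layer; how the attacker gets the cookie into the victim's browser (for example from a sibling subdomain that can set cookies for the parent domain) is outside this snippet.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table: session id maps to attributes."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_of(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_fixable(store, presented_sid, user):
    """Vulnerable: keeps the id the browser presented and marks it authenticated.

    Whoever else knows that id (an attacker who planted it) now owns a logged-in
    session for `user`.
    """
    if presented_sid not in store.sessions:
        presented_sid = store.new()
    store.sessions[presented_sid]["user"] = user
    return presented_sid


def login_safe(store, presented_sid, user):
    """Hardened: drop the pre-authentication session and issue a fresh id.

    The attacker's planted id is invalidated, so knowing it is worthless.
    """
    store.sessions.pop(presented_sid, None)
    fresh_sid = store.new()
    store.sessions[fresh_sid]["user"] = user
    return fresh_sid


def fixation_attack(login):
    """Simulate: the attacker obtains a valid unauthenticated id, plants it in the
    victim's browser, the victim logs in, and the attacker checks whether the
    planted id is now authenticated as the victim.  Returns (hijacked, id_rotated)."""
    store = SessionStore()
    planted = store.new()                          # attacker's own pre-auth session
    victim_sid = login(store, planted, "victim")   # victim's browser sends `planted`
    hijacked = store.user_of(planted) == "victim"
    return hijacked, victim_sid != planted
```

The point of the model is that the server's trust in an attacker-controlled cookie value is the bug, not the strength of the identifier: `secrets.token_urlsafe` makes the id unguessable, and the vulnerable variant is still hijacked because the attacker never had to guess it.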
In a related discussion on the Redefining CyberSecurity Podcast (released on August 2, 2023), Marco Squarcina and Pedro Adão from Instituto Superior Técnico, Universidade de Lisboa, conversed with ITSPmagazine&amp;rsquo;s Co-Founders, Sean Martin and Marco Ciappelli. The podcast explored broader web security issues, the importance of ongoing research, reporting vulnerabilities, and solutions to enhance overall web application security. The conversation also touched on the role of companies and the development community, as well as the impact of legislation in this domain.
</description>
    </item>
    <item>
      <title>Build it Super Simple: Fast consensus on a DAG</title>
      <link>https://cysec.wien/news/2023-10-12_lecture_stathakopoulou/</link>
      <description>Talk by Chrysoula Stathakopoulou
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11)
Date &amp;amp; Time: 2023-10-12; 11:00 - 12:00
Abstract: After carefully breaking down the consensus problem, designing a protocol that allows high throughput and low latency becomes easier than ever, if one finds the right abstraction that is both powerful and simple. This talk introduces BBCA (Byzantine Broadcast with Complete-Adopt), a novel broadcast primitive that builds on top of Consistent Broadcast an interactive Complete-Adopt API, which allows nodes to probe its internal state. We discuss how to leverage BBCA to build high-throughput and low-latency consensus on a DAG and show how this design evolves from state-of-the-art DAG-based protocols.
Bio: Chrysoula Stathakopoulou is a blockchain and distributed systems researcher at Chainlink Labs, passionate about decentralizing computation and trust with highly performant systems. Before joining Chainlink Labs, she worked at the blockchain group in IBM research focusing on consensus protocols. Her academic journey culminated in the successful completion of a PhD program at ETH Zurich.
</description>
    </item>
    <item>
      <title>Why Data Protection Is Important and How It Succeeds</title>
      <link>https://cysec.wien/news/2023-10-01_humanitiesfestival_lindorfer_2023/</link>
      <description>The Vienna Humanities Festival brings together leading innovative thinkers from around the globe to explore and discuss the political, ecological, technological, economic, artistic, and philosophical challenges that can often seem daunting to individuals and communities. Through their insights, attendees will begin to delineate the changing landscapes of our new realities, gaining the necessary tools to navigate these terrains—whether local or global, virtual or tangible, revolutionary or reactionary—with enhanced confidence and a clearer sense of direction.
Martina Lindorfer discussed in an interview how data protection, privacy, and IT security are increasingly critical issues. She highlighted the often overlooked security of private data, where many users, under the mistaken belief that they have nothing to hide, fail to recognize the serious threats they face. Additionally, she pointed out that cyberspace has become a crucial geopolitical arena. Cyber espionage is common among governments and NGOs, though rarely addressed, and the risk of sabotage through cyberattacks on infrastructure is a growing concern.
Video
</description>
    </item>
    <item>
      <title>Data, AI and Cybersecurity - a possible cocktail?</title>
      <link>https://cysec.wien/news/2023-09-15_lecture_mellia/</link>
      <description>Talk by Marco Mellia
Location: TU Wien, Lecture hall EI 4 - Reithoffer Hörsaal (Gußhausstraße 25 – 29)
Date &amp;amp; Time: 2023-09-15; 14:00
Abstract: Modern Artificial Intelligence technologies, led by Deep Learning, have gained unprecedented momentum over the past decade. Following this wave of “AI summer”, the network research community has also embraced AI/ML algorithms to address many problems related to network operations, management and cybersecurity.
This talk will give an overview of some of the recent results in applying AI-based solutions to automatically process traffic traces and detect novel attacks, prevent cybersquatting attacks, support forensic investigations, and open new opportunities to protect users from possible abuses.
Bio: Marco Mellia is a full professor at Politecnico di Torino, Italy, where he is the coordinator of the SmartData@PoliTO center on Big Data, Machine Learning and Data Science. His research interests are in the area of Internet monitoring, users’ characterisation, cyber security, and big data analytics applied to different areas. He has co-authored over 250 papers published in international journals and presented in leading conferences. He won the IRTF ANR Prize at IETF-88, and best paper award at IEEE P2P’12, ACM CoNEXT’13, IEEE ICDCS’15. He is Fellow of IEEE and Editor in Chief of the Proceedings of the ACM on Networking.
</description>
    </item>
    <item>
      <title>Documentary &amp;ldquo;Attack from the Internet&amp;rdquo;</title>
      <link>https://cysec.wien/news/2023-09-14_documentary_featuring_elena_andreeva/</link>
      <description>On September 14th, TU Wien cryptography expert Prof. Elena Andreeva was featured in the Puls4 documentary «Attack from within the Internet». Prof. Andreeva opens the doors to her research space and group at TU Wien and explains the role of cryptography in today’s digital world. She also discusses how everyday devices like mobile phones can be vulnerable to cyber attacks.
The documentary shines a light on the importance of cyber attacks prevention given their ubiquitous growth nowadays, both worldwide and more concretely, in Austria. As the attackers range from criminals to state-run organizations, the targets vary from public administration, states, critical infrastructure, and not least, to private individuals. The documentary presents a number of cyber attacks and discusses some directions towards prevention.
</description>
    </item>
    <item>
      <title>The Science of Blockchain Conference 2023</title>
      <link>https://cysec.wien/news/2023-08-28_sbc_2023/</link>
      <description>The Science of Blockchain Conference 2023 (SBC&#39;23) was jointly organized by the Stanford Center for Blockchain Research (CBR), IC3, and Berkeley RDI. It took place at the Arrillaga Alumni Center, Stanford University from August 28 to 30. This event highlighted significant technical advancements in the blockchain ecosystem and brought together leading researchers and practitioners. It featured in-depth discussions on the application of cryptography, decentralized protocols, formal methods, and empirical analysis — all aimed at boosting the security and scalability of blockchain technologies. The conference was designed to foster collaboration and cross-disciplinary exchange among experts specializing in blockchain protocol development, cryptography, distributed systems, secure computing, crypto-economics, and economic risk analysis, further enriching this dynamic field.
Lukas Aumayr presented &amp;ldquo;Sleepy Channels,&amp;rdquo; a new solution to cryptocurrency scalability issues, developed in collaboration with Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Pedro Moreno-Sanchez, and Matteo Maffei. This Bitcoin-compatible bi-directional payment channel protocol operates without the need for watchtowers — third parties traditionally employed to monitor blockchain transactions to prevent fraud during periods when users are offline.
Conventional payment channels face a significant challenge: both parties involved must continuously monitor the blockchain to detect and react to any outdated transactions posted by the other party. This requirement for constant vigilance can be exploited by malicious actors during disruptions like power outages. Watchtowers were introduced as a mitigation strategy, tasked with monitoring the blockchain on behalf of offline users. However, this solution has drawbacks, either requiring a trust-dependent model or the impractical locking up of large sums as collateral.
&amp;ldquo;Sleepy Channels&amp;rdquo; eliminates the need for watchtowers by confining the time during which payment channel updates must be validated to a specific, short window. This approach incentivizes participants to remain online during this window by requiring them to lock in collateral, which is returned more quickly if they comply. Compatible with blockchains that can verify digital signatures, such as Bitcoin, this protocol has been shown through experimental results to manage communication and computation overhead comparably to existing protocols while eliminating the need for costly watchtower services.
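As an added example of the monitoring problem described above (a simplified model written for this page; it is not the Sleepy Channels protocol or its code), the following Python simulation models a generic penalty-based payment channel: both parties hold every signed state, publishing an outdated state is a cheat, and the counterparty can claim the whole channel balance if it notices within the dispute window. The block numbers, balances and window length are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class Channel:
    """Penalty-based channel between parties A and B (generic model, constructed values).

    states holds every signed (seq, bal_a, bal_b); the latest one is the only
    state either party may honestly publish, all earlier ones are revoked.
    """
    window: int                                   # blocks allowed to dispute a close
    states: list = field(default_factory=list)

    def update(self, bal_a, bal_b):
        self.states.append((len(self.states), bal_a, bal_b))


def unilateral_close(ch, published_seq, publisher, victim_checks_chain_at):
    """Settle a close where `publisher` puts state `published_seq` on chain at
    block 0 and the other party next looks at the chain at block
    `victim_checks_chain_at`.  Returns the final balances."""
    seq, bal_a, bal_b = ch.states[published_seq]
    victim = "B" if publisher == "A" else "A"
    if seq == ch.states[-1][0]:
        return {"A": bal_a, "B": bal_b}           # latest state: honest close
    # Revoked state published.  If the victim reacts inside the window it
    # presents the revocation and takes everything; otherwise the cheat settles.
    if victim_checks_chain_at in range(ch.window + 1):
        return {publisher: 0, victim: bal_a + bal_b}
    return {"A": bal_a, "B": bal_b}


def scenarios():
    """A opens with 10 coins, pays B 6, then tries to publish the stale 10/0 state."""
    ch = Channel(window=144)          # constructed: roughly one day of Bitcoin blocks
    ch.update(10, 0)
    ch.update(4, 6)
    return {
        "honest": unilateral_close(ch, 1, "A", 500),
        "cheat_victim_online": unilateral_close(ch, 0, "A", 3),
        "cheat_victim_offline": unilateral_close(ch, 0, "A", 200),
        "cheat_with_watchtower": unilateral_close(ch, 0, "A", 0),
    }
```

The "offline" scenario is the attack the passage describes: the victim's funds depend on being back online before the window closes. A watchtower is simply a third party that checks the chain at every block on the victim's behalf, which is why it must either be trusted or bonded with collateral; the approach described above instead bounds when such a response can be required and ties collateral to being online during that bounded window.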
References: Paper, Video
</description>
    </item>
    <item>
      <title>Cryptography in the Wild</title>
      <link>https://cysec.wien/news/2023-06-28_lecture_paterson/</link>
      <description> Abstract: In this talk I&amp;rsquo;ll discuss a research theme that has emerged in the last few years, namely the analysis of deployed cryptographic systems. There is a small but dedicated group of researchers who do this kind of work. I’ll reflect on how we conduct this kind of research, why we do it, and what we can learn from it about how developers use (and abuse) cryptography.
Bio: Kenneth Paterson is a Professor of Computer Science at ETH Zurich, where he leads the Applied Cryptography Group and is currently the head of department. He was Program Chair for Eurocrypt 2011 and Editor-in-Chief of the Journal of Cryptology from 2017 to 2020. He co-founded the Real World Cryptography series of conferences. His research has won best paper awards at conferences including ACM CCS 2016, 2022, IEEE S&amp;amp;P 2022, 2023, NDSS 2012, CHES 2018, and IMC 2018. He was made a Fellow of the IACR in 2017. In 2022, he was winner of the Golden Owl best teaching award for the Department of Computer Science at ETH.
</description>
    </item>
    <item>
      <title>Consensus in blockchains: Overview and recent results</title>
      <link>https://cysec.wien/news/2023-06-21_lecture_cachin/</link>
      <description>Talk by Christian Cachin
Location: TU Wien, FAV Hörsaal 3 (Favoritenstr. 9-11)
Date &amp;amp; Time: 2023-06-21; 16:00
Abstract: Reaching consensus despite faulty or corrupted nodes is a central question in distributed computing; it has received renewed attention over the last years because of its importance for cryptocurrencies and blockchain networks. Modern consensus protocols in this space have relied on a number of different methods for the nodes to influence protocol decisions. Such assumptions include (1) traditional voting, where each node has one vote, (2) weighted voting, where voting power is proportional to stake in an underlying asset, and (3) proof-of-X, which demonstrates a cryptographically verifiable investment of a resource X, such as storage space, time waited, or computational work. This talk will give an overview of blockchain consensus methods and then highlight recent work on constructing new consensus protocols and analyzing existing ones.
Bio: Christian Cachin is a professor of computer science at the University of Bern, where he has been leading the Cryptology and Data Security Research Group since 2019. Prior to that he worked for IBM Research - Zurich for more than 20 years. He has held visiting positions at MIT and at EPFL and has taught at several universities during his career in industrial research. He graduated with a Ph.D. in Computer Science from ETH Zurich in 1997. He is an IACR Fellow, ACM Fellow, IEEE Fellow, recipient of multiple IBM Outstanding Technical Achievement Awards, and served as the President of the International Association for Cryptologic Research (IACR) from 2014 to 2019. With a background in cryptography, he is interested in all aspects of security in distributed systems and especially in cryptographic protocols, consistency, consensus, blockchains, and cloud-computing security. He is known for developing cryptographic protocols, particularly for achieving consensus and for executing distributed cryptographic operations over the Internet. In the area of cloud computing, he has contributed to standards in storage security and developed protocols for key management. He has co-authored a textbook on distributed computing titled Introduction to Reliable and Secure Distributed Programming. While at IBM Research he made essential contributions to the development of Hyperledger Fabric, a blockchain platform aimed at business use.
</description>
    </item>
    <item>
      <title>International Ethical Hacking Bootcamp in Vienna</title>
      <link>https://cysec.wien/news/2023-06-15_ethical_hacking_bootcamp/</link>
<description>From June 6-8, 2023, more than 70 exceptional trainees from Austria, Croatia, Czech Republic, Hungary, Serbia, Slovakia, and Slovenia joined the International Ethical Hacking Bootcamp, organized by Cyber Security Austria and the TU Wien Cybersecurity Center. Since last year, when Europe’s hacker championship ECSC 2022 put Vienna in the spotlight, the city has been on its way to becoming one of Europe’s leading capitals for cybersecurity, with tailored education, training and research.
For three days, the teams delved into specific security terrains to prepare for the ECSC 2023 in Norway – including Windows Security (Patrick Pirker), Web Security (Marco Squarcina), AV/EDR Security (Benni Král), Crypto (Nastja Cepak), and Hardware Hacking (Thomas Weber). But no boot camp would be complete without a fight: the teams were mixed to compete in a challenging Capture the Flag (CTF) competition.
“With these initiatives, we want to get students interested in ethical hacking and cybersecurity at an early age,” says Joe Pichlmayr, Chair of Cyber Security Austria, “not only to address the acute shortage of skilled experts in this field but to make Vienna the cybersecurity training capital of Europe.”
Marco Squarcina, Senior Scientist at the Security and Privacy Research Unit, is excited about the new initiative: “We are proud to connect talents across Europe and use our latest research findings to create innovative educational challenges for them!”
</description>
    </item>
    <item>
      <title>Cybersecurity center founded at TU Wien</title>
      <link>https://cysec.wien/news/2023-06-12_csc_founded/</link>
<description>On June 12, 2023 the rectorate of TU Wien unanimously decided to found and finance the Cybersecurity Center, which brings together scientists from different faculties to foster collaboration in the interdisciplinary field of cybersecurity.
Cybersecurity encompasses security, privacy, safety, accountability, trust, fairness and other civil rights, which are cornerstones of the digital society. The societal and industrial relevance of cybersecurity is witnessed, among others, by
the new European General Data Protection Regulation (GDPR), which mandates the principle of security and privacy by design, i.e., the state of the art in security and privacy is to be integrated from the early design phase of digital technologies;
the societal, political, and economic impact of hacks and cyberattacks in times of peace and war;
the demand for solutions to protect critical infrastructures and cyber-physical systems, which is amplified by global conflicts, the energy crisis and climate challenges;
the growing role of cryptocurrencies in the international economy;
the importance of fairness and robustness in AI-driven systems;
the lack of experts in the field.
Cybersecurity is an inherently interdisciplinary field, which cuts across all disciplines in computer science and additionally spans other fields, such as electrical engineering (networks, hardware, robots), physics (quantum computing and cryptography), mathematics (statistics and data science), and law.
TU Wien has strong expertise in this domain, as witnessed by the number of prestigious grants (e.g., 6 ERC grants and 2 WWTF research groups for young investigators), large-scale projects (e.g., 3 Christian Doppler labs and 1 FWF Special Research Program), as well as dedicated bachelor, master, and doctoral programs.
The goal of the TU Wien Cybersecurity Center is to consolidate and expand the interfaculty expertise and initiatives in place, establishing TU Wien as an internationally leading center of excellence for research, teaching, and societal outreach in cybersecurity.
</description>
    </item>
    <item>
      <title>Automatic On-Device Mitigation for Crypto API Misuse</title>
      <link>https://cysec.wien/news/2024-06-11_talk_draschbacher/</link>
      <description>Talk by Florian Draschbacher
Location: TU Wien, FAV Hörsaal 2 (Favoritenstr. 9-11)
Date &amp;amp; Time: 2024-06-11; 14:00 - 15:00
Abstract: Misuse of cryptographic APIs remains one of the most common flaws in Android applications. The complexity of cryptographic APIs frequently overwhelms developers. This can lead to mistakes that leak sensitive user data to trivial attacks. Despite herculean efforts by platform provider Google, the countermeasures introduced so far have not been successful in preventing these flaws. Users remain at risk until an effective systemic mitigation has been found.
We propose a practical solution that mitigates crypto API misuse in compiled Android applications. It enables users to protect themselves against misuse exploitation until the research community has identified an effective long-term solution. CryptoShield consists of generic mitigation procedures for the most critical crypto API misuse scenarios and an implementation that autonomously extends protection onto all applications on an unrooted Android device. Our on-device CryptoShield Agent injects an instrumentation module into application packages, where it can intercept crypto API calls for detecting misuse and applying mitigations. Our solution was designed for real-world applicability. It retains the update flow through Google Play and can be integrated into existing MDM infrastructure.
As a demonstration of CryptoShield’s efficiency and efficacy, we conduct automated (1604 apps) and manual (99 apps) analyses on the most popular applications from Google Play, as well as measurements on synthetic benchmarks. Our solution mitigates crypto API misuse in 96 % of all vulnerable apps, while retaining full functionality for 92 % of all apps. On-device instrumentation takes roughly 11 seconds per application package on average, with minimal impact on package size (5 %) and negligible runtime overhead (571 ms on average for app launches, 101 ms worst-case mitigation overhead per crypto API call).
Bio: Florian Draschbacher is a PhD student and university assistant at the Institute of Applied Information Processing and Communications. Besides his main research focus on detecting and mitigating security vulnerabilities in mobile applications, he avidly follows any new developments revolving around mobile computing. This fascination has also led him to participate in the mGov4EU project between 2021 and 2022 and to teach IAIK&amp;rsquo;s Mobile Security course since 2021.
</description>
    </item>
  </channel>
</rss>
