Fabian Schwarz

Fabian Schwarz

Dr.-Ing., Cybersecurity researcher with focus on TEE-based system and network security architectures

Posts by Collection

portfolio

SENG: Application-grained Firewall Policies using TEE-based Traffic-to-App Attribution

Published:



Gateway firewalls isolate internal and external networks by mediating all network traffic and enforcing filter rules. To distinguish between benign and malicious sender applications, firewalls rely on heuristics (e.g., port information) or client-side identifiers (e.g., the process ID). However, these traffic attribution methods are unreliable and can be easily bypassed by attackers. Therefore, we propose SENG, a gateway-located service that cooperates with client-side runtimes to enable secure traffic-to-app attribution. The SENG runtimes protect client applications in trusted execution environments (TEEs) and share hardware-attested app identifiers with the SENG service to expose them to the firewall. That way, SENG enables gateway firewalls to securely attribute traffic to trusted applications and enforce app-grained firewall policies, even if the client systems have been compromised.

TrustedGateway: TEE-protected Routing and Firewalling for Network Gateways

Published:



The routing and firewall services of gateways form the core of a network’s functionality and security. However, their ever-increasing number of utility services and reliance on huge commodity OSes (e.g., Linux) has led to serious remote code execution vulnerabilities, enabling attackers to gain full control of gateways and their network policies. To restore trust in the security of consumer and enterprise networks, TrustedGateway protects the network traffic and core services of gateway routers against on-device attackers based on a trusted execution environment (TEE). That way, TrustedGateway guarantees the enforcement of trusted routing and firewall policies, even if the gateway OS has been compromised.

FeIDo: Recoverable FIDO2 Web Credentials using eIDs and TEEs

Published:



The flaws of password-based web authentication are still putting users at risk. The FIDO2 protocol is the current standard for mitigating the shortcomings of passwords by providing a secure authenticator as a strong second factor for 2FA. However, while web service support for FIDO2 is increasing, user adoption is lacking due to the need for specific user hardware and the missing support for secure account recovery on a device loss. Therefore, FeIDo proposes attribute-based web credentials based on electronic IDs (e.g., ePassports) and a remotely attestable, pseudonimizing proxy service protected by a trusted execution environment (TEE). FeIDo’s credentials are compatible with FIDO2, can be adopted by users with no extra costs, and allow for easy account recovery.

00SEVen: Remote Inspection of TEE VMs using In-VM Agents

Published:



While the strong hardware-based isolation of TEE VMs (TVMs) protects sensitive client data against a compromised cloud platform, it also renders existing VM introspection (VMI) capabilities unfeasible. Therefore, customers lose the capability to securely monitor their TVMs for in-VM attacks or perform a post-mortem analysis. Out-of-VM accesses are blocked while in-VM agents are not isolated from attackers that have compromised the TVM. 00SEVen overcomes these challenges by enabling secure remote VMI for AMD-based TVMs using new hardware-protected, attestable in-VM agents.

publications

Security Analysis of Mobile Banking Apps

Submitted in 2015

This bachelor thesis performs a threat analysis of German mobile banking apps on Android.

Recommended citation: Schwarz, Fabian Frank, "Security Analysis of Mobile Banking Apps". Bachelor Thesis. Saarland University. 2015

Kernel-based Process Monitoring of Network Services

Submitted in 2017

This master thesis presents a dynamic eBPF-based function tracing architecture, and combines it with static call graph tracing to analyze the potential of seccomp filters for decreasing the attack surface of network services.

Recommended citation: Schwarz, Fabian Frank, "Kernel-based Process Monitoring of Network Services". Master Thesis. Saarland University. 2017

SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients

Published in 29th USENIX Security Symposium, 2020 (accept rate: 16.1%)
Fabian Schwarz has given a talk on this publication at the venue

This paper presents a firewall extension that enables gateway firewalls to enforce secure per-application policies. SENG combines client-side TEEs (Intel SGX) with a gateway-located server to perform attestation-based traffic-to-app attribution.

Recommended citation: Schwarz, F. and Rossow, C., "SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients". In: 29th USENIX Security Symposium. August 2020
Download Paper | Download Slides | Download Prototype

TrustedGateway: TEE-Assisted Routing and Firewall Enforcement using ARM TrustZone

Published in 25th International Symposium on Research in Attacks, Intrusions and Defenses, 2022 (accept rate: 25.2%)
Fabian Schwarz has given a talk on this publication at the venue

This paper presents a new design for standalone gateway routers that protects their network traffic and policy enforcement against system-level attackers using the Arm TrustZone system-level TEE.

Recommended citation: Schwarz, F., "TrustedGateway: TEE-Assisted Routing and Firewall Enforcement using ARM TrustZone". In: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses. ACM, October 2022.
Download Paper | Download Prototype

FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs

Published in 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022 (accept rate: 19.3%)
Fabian Schwarz has given a talk on this publication at the venue

This paper addresses the cost and recovery issues of FIDO2 web authentication by presenting a design that combines electronic IDs with an attestable, TEE-protected credential service to derive secure attribute-based FIDO2 credentials.

Recommended citation: Schwarz, F., Do, K., Heide, G., Hanzlik, L., and Rossow, C., "FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs". In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. November 2022
Download Paper | Download Prototype

FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs (Extended Version)

Published in Publication Database of CISPA Helmholtz Center for Information Security (research paper: ACM CCS 2022), 2023

This technical report is an extended version of our FeIDo research paper. FeIDo addresses the cost and recovery issues of FIDO2 web authentication by combining electronic IDs with an attestable, TEE-protected credential service to derive secure attribute-based FIDO2 credentials.

Recommended citation: Schwarz, F., Do, K., Heide, G., Hanzlik, L., and Rossow, C., "FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs". Technical Report. January 2023
Download Paper | Download Prototype

00SEVen – Re-enabling Virtual Machine Forensics: Introspecting Confidential VMs Using Privileged in-VM Agents

Published in 33rd USENIX Security Symposium, 2024 (accept rate: TBA)
Fabian Schwarz has given a talk on this publication at the venue

This paper enables secure remote inspection of confidential AMD SEV-SNP virtual machines (TEE VMs) by introducing attestable, VMPL0-protected in-VM agents and VMPL-aware network channels.

Recommended citation: Schwarz, F. and Rossow, C., "00SEVen -- Re-enabling Virtual Machine Forensics: Introspecting Confidential VMs Using Privileged in-VM Agents". In: 33rd USENIX Security Symposium. August 2024
Download Paper | Download Slides | Download Prototype

supervision

DroidSand - A modular dynamic analysis platform for Android

Bachelor Cybersecurity Project, Saarland University, CISPA Helmholtz Center for Information Security, 2017

Cybersecurity Bachelor project by Tobias Kirsch and Jannik Pfeifer. The goal was to design a dynamic analysis system to monitor the system calls and service calls (intents) of Android applications within an emulator. The motivation was to augment our dynamic malware analysis sandbox (Sandnet) with support for system behaviour traces of malicious Android apps.

VMI-based behaviour monitoring of malware

Student Assistant, Saarland University, CISPA Helmholtz Center for Information Security, 2018

Project by student assistant Patrick Schmelzeisen. The goals was to extend our dynamic malware analysis sandbox (Sandnet) with capabilities to identify and hook dynamic libraries of user space malware via virtual machine introspection (VMI) techniques. In particular, we aimed at using the Drakvuf project for the Xen hypervisor to hook SSL/TLS libraries used by malware in order to monitor their unencrypted network traffic.

App-grained Netfilter Policies (SENG-Netfilter)

Student Assistant, Saarland University, CISPA Helmholtz Center for Information Security, 2020

Project by student assistant Leon Trampert. The goal was to implement a Linux Netfilter extension for our SENG research project, which enables the specification and enforcement of per-application firewall policies.

Deploying and extending a RISC-V CPU

Bachelor Cybersecurity Project, Saarland University, 2021

Cybersecurity bachelor project by Leon Trampert. The goals were to explore existing open-source RISC-V CPU (and SoC) designs, their deployment requirements, and the possibility to implement own CPU extension. In particular, Leon has explored the Rocket Chip and lowRISC projects and successfully deployed them on a Nexys A7 FPGA development board. In addition, he explored how to extend a Rocket Core CPU with custom coprocessor instructions.

Security analysis of LoRaWAN in ‘The Things Network’ implementation with device virtualization

Bachelor Thesis, TU Dortmund University, CISPA Helmholtz Center for Information Security, 2022

Bachelor thesis by Marcel Leuering at TU Dortmund University. The goal of the project was a security analysis of the LoRaWAN protocol as implemented in ‘The Things Network’ (TTN). The student investigated the LoRaWAN protocol and TTN implementation to identify potential vulnerabilities, and implemented a virtual end device and gateway to test attack vectors in a private setup based on the ‘The Things Stack’. The thesis concludes with an analysis of potential attacks and recommendations for the adoption of mitigation strategies.

talks