Andreas Happe

The field of software security testing, more specifically penetration testing, requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential use of
large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore two distinct use cases: high-level task planning for security testing assignments and low-
level vulnerability hunting within a vulnerable virtual machine.

For the latter,… Show more

The field of software security testing, more specifically penetration testing, requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential use of
large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore two distinct use cases: high-level task planning for security testing assignments and low-
level vulnerability hunting within a vulnerable virtual machine.

For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement,
and close deliberating on the ethics of AI sparring partners. Show less

Offensive security-tests are commonly employed to pro-actively discover potential vulnerabilities. They are performed by specialists, also known as penetration-testers or white-hat hackers. The chronic
lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve
this, researchers and tool builders need a solid understanding of how hackers… Show more

Offensive security-tests are commonly employed to pro-actively discover potential vulnerabilities. They are performed by specialists, also known as penetration-testers or white-hat hackers. The chronic
lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve
this, researchers and tool builders need a solid understanding of how hackers work, their assumptions, and pain points.

In this paper, we present a first data-driven exploratory qualitative study of twelve security professionals, their work and problems occurring therein. We perform a thematic analysis to gain insights into the execution of security assignments, hackers’ thought processes and encountered challenges. This analysis allows us to conclude with recommendations for researchers and tool builders, to increase the efficiency of their automation and identify novel areas
for research. Show less

Achieving cloud security is not a trivial problem and developing and enforcing good cloud security controls is a fundamental requirement if this is to succeed. The very nature of cloud computing can add additional problem layers for cloud security to an already complex problem area. We discuss why this is such an issue, consider what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals through the use of unikernel based… Show more

Achieving cloud security is not a trivial problem and developing and enforcing good cloud security controls is a fundamental requirement if this is to succeed. The very nature of cloud computing can add additional problem layers for cloud security to an already complex problem area. We discuss why this is such an issue, consider what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals through the use of unikernel based systems. The main thrust of this paper is to discuss the key issues which need to be addressed, noting which of those might be covered by our proposed approach. We discuss how our proposed approach may help better address the key security issues we have identified. Show less

Recent publications combine secret-sharing with byzantine fault-tolerant distribution schemes into safe and secure storage systems. To our knowledge current publications describe chosen algorithms and implementations but do not highlight areas of conflict between secret-sharing and BFT algorithms in a systematic fashing. This paper presents different concrete problem areas and suggests possible solutions.

In this paper, we present the quantum key distribution (QKD) network designed and implemented by the European project SEcure COmmunication based on Quantum Cryptography (SECOQC) (2004–2008), unifying the efforts of 41 research and industrial organizations. The paper summarizes the SECOQC approach to QKD networks with a focus on the trusted repeater paradigm. It discusses the architecture and functionality of the SECOQC trusted repeater prototype, which has been put into operation in Vienna in… Show more

In this paper, we present the quantum key distribution (QKD) network designed and implemented by the European project SEcure COmmunication based on Quantum Cryptography (SECOQC) (2004–2008), unifying the efforts of 41 research and industrial organizations. The paper summarizes the SECOQC approach to QKD networks with a focus on the trusted repeater paradigm. It discusses the architecture and functionality of the SECOQC trusted repeater prototype, which has been put into operation in Vienna in 2008 and publicly demonstrated in the framework of a SECOQC QKD conference held from October 8 to 10, 2008. Show less

Cloud based collaboration give rise to many new applications and business opportunities in both domains, business and private. However building such systems in a secure and robust manner is a challenging tasks. We present a new architecture and prototype implementation for secure data sharing called ARCHISTAR, which is based on distributed storage technology and avoids any single point of trust or failure. It protects user data for confidentiality, integrity and availability – even from cloud… Show more

Cloud based collaboration give rise to many new applications and business opportunities in both domains, business and private. However building such systems in a secure and robust manner is a challenging tasks. We present a new architecture and prototype implementation for secure data sharing called ARCHISTAR, which is based on distributed storage technology and avoids any single point of trust or failure. It protects user data for confidentiality, integrity and availability – even from cloud providers – and resist active attacks or failures in a resilient way.
Show less

Modern cryptography provides for new ways of solving old problems. This paper details how HMACs or AEAD can be employed as an alternative to a traditional server-side temporal session store. This cryptography-based approach reduces the server-side need for state. When applied to database-based user-management systems it removes all database alteration statements needed for confirmed user sign-up and greatly removes database alteration statements for typical ``forgot password'' use-cases. As… Show more

Modern cryptography provides for new ways of solving old problems. This paper details how HMACs or AEAD can be employed as an alternative to a traditional server-side temporal session store. This cryptography-based approach reduces the server-side need for state. When applied to database-based user-management systems it removes all database alteration statements needed for confirmed user sign-up and greatly removes database alteration statements for typical ``forgot password'' use-cases. As there is no temporary data stored within the server database system, there is no possibility of creating orphaned or abandoned data records. However, this new approach is not generic and can only be applied if implemented use-cases fulfill requirements. This requirements and implications are also detailed within this paper. All examples are based upon common ``user sign-up''- and ``password forgotten/reset''-functionalities. Show less

Quantum Key Distribution (QKD) involves in a first step a physical exchange of quantum signals between a pair of devices, which can be carried out in numerous different ways. Whatever the realization of this ”physical layer” of QKD is, it outputs a pair of strongly correlated bit strings. The latter have then to be distilled by a fundamentally universal classical, post-processing protocol to yield Information Theoretically Secure (ITS)
keys. Post-processing communication requires… Show more

Quantum Key Distribution (QKD) involves in a first step a physical exchange of quantum signals between a pair of devices, which can be carried out in numerous different ways. Whatever the realization of this ”physical layer” of QKD is, it outputs a pair of strongly correlated bit strings. The latter have then to be distilled by a fundamentally universal classical, post-processing protocol to yield Information Theoretically Secure (ITS)
keys. Post-processing communication requires communication channel authentication, itself using key material. Key management in well defined crypto contexts is therefore a must for ITS post processing operation. Moreover real world QKD systems need to be seamlessly integrated in standard communication and to inter-operate with higher level applications providing communication security. Show less