Publications
List of Publications
Business Informatics Group, TU Wien
From Business Functions to Control Functions: Transforming REA to ISA-95
Alexandra Mazak, Christian Huemer
Keywords:
Abstract: In the context of smart factories, a seamless information exchange between information systems on the same layer (horizontal integration) and between information systems on different layers (vertical integration) is a key issue. For this purpose we aim for an integrated modeling framework spanning over production chains and value networks. In building this framework, we first concentrate on the layers realizing the business functions and the manufacturing control functions. Thereby, we build upon the Resource Event Agent (REA) business ontology (ISO/IEC 15944-4) to describe external activities requiring horizontal integration with business partners and internal activities serving as a hook for vertical integration within a manufacturing enterprise. Furthermore, we base our framework on the ISA-95 industry standard (ANSI/ISA-95, IEC 62264) to describe the vertical integration within an enterprise. In this paper, we demonstrate how information given in REA models is transformed to corresponding ISA-95 skeletons. In other words, we show how a model describing the main business functions of an enterprise is used to derive essential concepts relevant to the manufacturing execution system.
Mazak, A., & Huemer, C. (2015). From Business Functions to Control Functions: Transforming REA to ISA-95. In 2015 IEEE 17th Conference on Business Informatics. 17th IEEE Conference on Business Informatics, Lisbon, Portugal, EU. IEEE. https://doi.org/10.1109/cbi.2015.50
Global VoIP security threats - large scale validation based on independent honeynets
Markus Gruber, Dirk Hoffstadt, Adnan Aziz, Florian Fankhauser, Christian Schanes, Erwin Rathgeb, Thomas Grechenig
Keywords:
Abstract: Voice over IP (VoIP) is gaining more and more attractiveness among large companies as well as private users. Therefore, the risk increases that VoIP systems get attacked by hackers. In order to effectively protect VoIP users from misuse, researchers use, e.g., honeynets to capture and analyze VoIP attacks occurring on the Internet. Global VoIP security threats are analyzed by studying several millions of real-world attacks collected in independent VoIP honeynet solutions with different capture mechanisms over a long period of time. Due to the validation of results from several honeynet designs we have achieved a unique, much broader view on large scale attacks. The results show similar attacker behavior, confirm previous assumptions about attacks and present new insights into large scale VoIP attacks, e.g., for toll fraud.
Gruber, M., Hoffstadt, D., Aziz, A., Fankhauser, F., Schanes, C., Rathgeb, E., & Grechenig, T. (2015). Global VoIP security threats - large scale validation based on independent honeynets. In 2015 IFIP Networking Conference (IFIP Networking). IFIP Networking Conference (IFIP Networking 2015), Toulouse, France, EU. IEEE Conference Publications. https://doi.org/10.1109/ifipnetworking.2015.7145329
A Standards Framework for Value Networks in the Context of Industry 4.0
Alexandra Mazak, Christian Huemer
Keywords:
Abstract: The German initiative Industry 4.0 will involve amongst other issues networking and integration of several different parties (e.g., manufacturing companies, suppliers, customers, sub-contractors) through value networks. This initiative underpins that this collaborative partnership will only be feasible if standardization and open standards are available. For this purpose a reference architecture is needed to provide a technical description of these standards. In this context interoperability plays a major role for the seamless exchange of data and information among partners in these value networks. Interoperability involves the interaction of different systems and their users. Information modeling is a key concept for providing interoperability. In this paper, we present a standards framework that highlights how existing standards intertwine to establish value networks in an Industry 4.0 context.
Mazak, A., & Huemer, C. (2015). A Standards Framework for Value Networks in the Context of Industry 4.0. In Proceedings of the 2015 IEEE International Conference on Industrial Engineering and Engineering Management. 2015 IEEE International Conference on Industrial Engineering and Engineering Management (IEEM), Singapore, Non-EU. IEEE. http://hdl.handle.net/20.500.12708/56405
Java Transformation Library (jTL)
Keywords: Transformation, SiTra, Java 8, Legacy Code
Abstract: Although many different model transformation languages (MTLs) and model transformation frameworks (MTFs) exist, each of them requires a developer to learn an additional language. Moreover, since many of them follow a declarative approach, they are often less intuitive for programmers familiar with imperative languages. Therefore a Java based imperative library called jTL has been developed which enables the user to write the whole transformation process in pure Java. The resulting jTL is applicable to a wide range of transformation tasks that include classical graph based source models or especially source code translation, because transformation of legacy code is still an unsolved challenge in software migration. Since source code transformation is a quite complex and performance intensive task, the jTL represents an easy to use approach, which focuses on goals like maintainability, readability, reusability and performance improvements. To achieve these goals two similar existing approaches were examined to uncover weaknesses and deduce possible improvements for the resulting jTL. Moreover jTL further benefits from new Java 8 features like bulk operations, lambda expressions, functional interfaces and parallel stream processing. Although jTL has been kept as simple as possible, it is still a complete transformation approach, since it also supports further important features like tracing or reuse mechanisms like rule inheritance, which should be part of every state of the art transformation language. As an evaluation, two concrete transformation examples are given that make use of jTL. This should give an idea of how a transformation with jTL can be established and what differences and improvements come up with jTL in contrast to other Java based transformation solutions.
Eischer, B. (2015). Java Transformation Library (jTL) [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2015.26549
Prying open Pandora's box: KCI attacks against TLS
Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes
Keywords:
Abstract: Protection of Internet communication is becoming more common in many products, as the demand for privacy in an age of state-level adversaries and crime syndicates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multitude of key agreement and authentication options which provide various different security guarantees. Recent attacks showed that this plethora of cryptographic options in TLS (including long forgotten government backdoors, which have been cunningly inserted via export restriction laws) is a Pandora's box, waiting to be pried open by heinous computer whizzes. Novel attacks lay hidden in plain sight. Parts of TLS are so old that their foul smell of rot cannot be easily distinguished from the flowery smell of 'strong' cryptography and water-tight security mechanisms. With an arcane (but well-known among some theoretical cryptographers) tool, we put new cracks into Pandora's box, achieving a full break of TLS security. This time, the tool of choice is KCI, or Key Compromise Impersonation.
The TLS protocol includes a class of key agreement and authentication methods that are vulnerable to KCI attacks: non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication - both on elliptic curve groups, as well as on classical integer groups modulo a prime. We show that TLS clients that support these weak handshakes pose serious security concerns in modern systems, opening the supposedly securely encrypted communication to full-blown Man-in-the-Middle (MitM) attacks.
This paper discusses and analyzes KCI attacks in regard to the TLS protocol. We present an evaluation of the TLS software landscape regarding this threat, including a successful MitM attack against the Safari Web Browser on Mac OS X. We conclude that the insecure TLS options that enable KCI attacks should be immediately disabled in TLS clients and removed from future versions and implementations of the protocol: their utility is extremely limited, their raison d'être is practically nil, and the existence of these insecure key agreement options only adds to the arsenal of attack vectors against cryptographically secured communication on the Internet.
Hlauschek, C., Gruber, M., Fankhauser, F., & Schanes, C. (2015). Prying open Pandora’s box: KCI attacks against TLS. 9th USENIX Workshop on Offensive Technologies (WOOT 15), Washington D.C., Non-EU. http://hdl.handle.net/20.500.12708/86209
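The property the abstract relies on is easy to see once the key derivation is written out. The following is an added toy model, not code from the paper or from any TLS implementation: it omits certificates, cipher negotiation and TLS message formats, uses a constructed 61-bit prime group instead of a standardised one, and stands in for the server's signature-free authentication with an HMAC over the transcript. The assumed setting is the one the abstract names: both parties hold static DH keys, the server's public key is trusted from its certificate, and the attacker has obtained the client's static private key but not the server's.

```python
"""Key Compromise Impersonation (KCI) against static Diffie-Hellman.

Toy model, constructed for this example (no certificates, no TLS
message formats). Each party's long-term key is a static DH key pair
and the server authenticates by MAC-ing the transcript under a key
derived from the DH shared secret. If the attacker learns the CLIENT's
static private key, it can compute the same shared secret the client
will compute towards the genuine server public key, and therefore
impersonate the server to that client without knowing the server's key.
"""
import hashlib
import hmac
import secrets

# Toy group (constructed): a 61-bit Mersenne prime modulus. Real
# deployments use standardised groups (e.g. RFC 3526) or named curves.
P = 2**61 - 1
G = 3


def keygen():
    """Return a DH key pair (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(my_priv, peer_pub):
    """Traffic key = SHA-256(g^(my_priv * peer_priv) mod P)."""
    secret = pow(peer_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def finished(key, transcript):
    """Server's authentication tag over the handshake transcript."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def client_accepts(client_priv, server_pub_from_cert, transcript, tag):
    """Honest client behaviour: derive the key from its own private key
    and the server public key it trusts (from the certificate), then
    check the tag. Nothing here depends on the server proving knowledge
    of its private key beyond agreeing on the DH secret."""
    key = derive_key(client_priv, server_pub_from_cert)
    return hmac.compare_digest(finished(key, transcript), tag)


def honest_handshake(client, server):
    """Genuine server: computes the key from ITS private key and the
    client's static public key. Returns True if the client accepts."""
    client_priv, client_pub = client
    server_priv, server_pub = server
    transcript = b"client-hello|server-hello|" + client_pub.to_bytes(8, "big")
    key = derive_key(server_priv, client_pub)
    return client_accepts(client_priv, server_pub, transcript, finished(key, transcript))


def kci_impersonation(client, server_pub, leaked_client_priv):
    """Attacker knows the client's static private key (the compromise)
    but NOT the server's. It presents the real server's public key and
    computes the shared secret from the client's side of the equation:
    server_pub^client_priv == client_pub^server_priv."""
    client_priv, client_pub = client
    transcript = b"client-hello|server-hello|" + client_pub.to_bytes(8, "big")
    forged_key = derive_key(leaked_client_priv, server_pub)
    return client_accepts(client_priv, server_pub, transcript, finished(forged_key, transcript))


def kci_against_ephemeral_client(client, server_pub, leaked_client_priv):
    """Same attacker, but the client contributes a FRESH ephemeral key to
    the exchange. The attacker cannot compute g^(x*s) without either the
    ephemeral x or the server's s, so the forged tag is rejected."""
    eph_priv, eph_pub = keygen()
    transcript = b"client-hello|server-hello|" + eph_pub.to_bytes(8, "big")
    forged_key = derive_key(leaked_client_priv, server_pub)  # wrong secret
    return client_accepts(eph_priv, server_pub, transcript, finished(forged_key, transcript))


if __name__ == "__main__":
    client, server = keygen(), keygen()
    print("honest handshake accepted:", honest_handshake(client, server))
    print("KCI server impersonation accepted:", kci_impersonation(client, server[1], client[0]))
    print("KCI vs. ephemeral client accepted:", kci_against_ephemeral_client(client, server[1], client[0]))
```

The second function succeeds with only the client's key, which is what makes the option dangerous: a leaked or attacker-installed client key becomes a server-impersonation capability for every site that client talks to with static DH. The third function shows why ephemeral key exchange closes the hole: the traffic key then depends on a per-session secret the attacker never sees.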
KCI-based Man-in-the-Middle Attacks against TLS
Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes
Hlauschek, C., Gruber, M., Fankhauser, F., & Schanes, C. (2015). KCI-based Man-in-the-Middle Attacks against TLS. BSidesVienna 2015, Wien, Austria. http://hdl.handle.net/20.500.12708/86221
Schanes, C., Fankhauser, F., & Grechenig, T. (2015). Aktive Bewußtseinsbildung [Active awareness-raising]. Workshop Internationale Wirtschafts- und Industriespionage [Workshop on International Economic and Industrial Espionage], Wien, Austria. http://hdl.handle.net/20.500.12708/86225
Kappel, G. (2015). From Software Modeling to System Modeling - Transforming the Change. 8th International Conference on Graph Transformation (ICGT), L’Aquila, Italy, EU. http://hdl.handle.net/20.500.12708/86247
Kappel, G. (2015). From Software Modeling to System Modeling - Transforming the Change. Ruzena Bajcsy Lectures on Communications, TU Darmstadt, Darmstadt, Germany, EU. http://hdl.handle.net/20.500.12708/86248
Teaching JavaScript to expert Java developers
Keywords: Education, JavaScript, Java
Abstract: In recent years, Single Page Applications (SPAs) emerged as a de-facto standard for modern, user-friendly web sites. While their advantages are manifold, SPAs massively impact the distribution of code and responsibility among an application: Where before, the web front-end of a Java application was essentially an orchestration of servlets and JavaServer Pages - driven from, and developed as part of the server - it is now an independent application in its own right. As a result of these developments, more and more developers are required to implement features to run in the browser, written in JavaScript. For companies as well as for individuals, the shift towards browser-centred engineering raises issues of developer education. Despite their similar name and syntax, JavaScript and Java are highly different languages that require specific patterns and engineering practices. For a developer with many years of experience in Java or similar languages, learning JavaScript means more than just learning a new language: It requires a fundamental change in how to think about and approach programming problems - a so-called mind shift. The issue of knowledge transfer across programming paradigms and languages has been intensely researched in the field's transition from procedural to object-oriented programming, and diverse strategies have been proposed. The goal of this thesis is to show if, and how, existing strategies and experiences reflect in today's expert developer education, in the context of teaching JavaScript to expert Java developers. For this purpose, we conduct a qualitative content analysis of three real-world examples, each representing a popular format of education: (i) talks at developer-centred tech conferences, (ii) non-academic professional literature, and (iii) company-internal trainings. The present thesis provides a detailed discussion of the phenomenon of (skill) transfer, which serves as the theoretical framework of our work.
We present our research strategy based on Krippendorff's standard model for content analysis and discuss the results of our study on the level of individual cases as well as on an aggregate level.
Obweger, H. (2015). Teaching JavaScript to expert Java developers [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2015.28365