Former Staff

Former Team Members

Former Academic Staff

Sebastian Surminski, M.Sc.

Email:: sebastian.surminski (at) uni-due.de

Bio
Curriculum Vitae
Honours and Awards
Projects
Publications

Bio:

Sebastian Surminski is a research assistant in the working group for Secure Software Systems at the University of Duisburg-Essen.

Curriculum Vitae:

since 02/2018: Research Assistant at the chair for Secure Software Systems (Syssec) ath the University of Duisburg-Essen
4/2017 - 02/2018: Research Assistant at the chair for Modelling of Adaptive Systems (MAS) ath the University of Duisburg-Essen
4/2014 - 04/2017: Master's studies in Applied Computer Sciences - Systems Engineering at the University of Duisburg-Essen (graduated with M.Sc.)
10/2007 - 4/2014: Bachelor's studies in Applied Computer Sciences at the University of Paderborn (graduated with B.Sc.)

Honours and Awards:

Distinguished Technical Poster Award at NDSS 2019
Best Paper Award at MMBnet 2017

Projects:

Sebastian Surminski works as researcher within the CRC 1119 CROSSING in project S2 on remote attestation.

Publications:

Surminski, Sebastian; Niesler, Christian; Davi, Lucas; Sadeghi, Ahmad-Reza: DMA'n'Play: Practical Remote Attestation Based on Direct Memory Access. In: Proc. of 21st International Conference on Applied Cryptography and Network Security (ACNS). Kyoto, Japan 2023. CitationAbstractDetails
Remote attestation allows validating the trustworthiness of a remote device. Existing attestation schemes either require hardware changes, trusted computing components, or rely on strict timing constraints. In this paper, we present a novel remote attestation approach, called DMA’n’Play, that tackles these practical limitations by leveraging DMA (direct memory access). Since DMA does not require CPU time, DMA’n’Play even allows attestation of devices with real-time constraints. To prevent the exploitation of side-channels which potentially could determine if the attestation is running, we developed DMA’n’Play To-Go, a small, mobile attestation device that can be plugged into the attested device. We evaluated DMA’n’Play on two real-world devices, namely a syringe pump and a drone. Our evaluation shows that DMA’n’Play adds negligible performance overhead and prevents dataonly attacks, by validating critical data in memory.
Surminski, Sebastian; Niesler, Christian; Linsner, Sebastian; Davi, Lucas; Reuter, Christian: SCAtt-man: Side-Channel-Based Remote Attestation for Embedded Devices that Users Understand. In: Proc. of the 13th ACM Conference on Data and Application Security and Privacy (CODASPY). ACM, Charlotte, NC, United States 2023. CitationAbstractDetails
From the perspective of end-users, IoT devices behave like a black box: As long as they work as intended, the user will not detect any compromise. The user has minimal control over the software. Hence, it is very likely that the user misses that illegal recordings and transmissions occur if a security camera or a smart speaker is hacked. In this paper, we present SCAtt-man, the first remote attestation scheme that is specifically designed with the user in mind. SCAtt-man deploys software-based attestation to check the integrity of remote devices, allowing users to verify the integrity of IoT devices with their smartphone. The key novelty of SCAtt-man resides in the utilization of user-observable side-channels such as light or sound in the attestation protocol.
Our proof-of-concept implementation targets a smart speaker and an attestation protocol that is based on a data-over-sound protocol. Our evaluation demonstrates the effectiveness of SCAtt-man against a variety of attacks and its usability based on a comprehensive user study with 20 participants.
Cloosters, Tobias; Surminski, Sebastian; Sangel, Gerrit; Davi, Lucas: SALSA: SGX Attestation for Live Streaming Applications. In: Proc. of 7th IEEE Secure Development Conference (SecDev). IEEE, 2022. doi:10.1109/SecDev53368.2022.00019Full text CitationAbstractDetails
Intel SGX is a security feature of processors that allows running software in enclaves, isolated from the operating system. Even an attacker with full control of the computer system cannot inspect these enclaves. This makes SGX enclaves an
adequate solution to store and process highly sensitive data like encryption keys. However, these enclaves are still vulnerable to standard software attacks. While SGX allows static attestation, i.e., validating the integrity of the program code and data in the enclave, static attestation cannot detect run-time attacks.
We present SALSA , the first solution to allow run-time attestation of SGX enclaves. To show its applicability, we use SALSA to implement a video streaming service that uses an SGX enclave to decode the video stream. When a compromise of the SGX enclave is detected, the streaming of the video instantaneously stops. This shows a practical use-case for runtime attestation of SGX enclaves. In the evaluation, we show that the performance of this setup is sufficient to attest a live video streaming service.
Surminski, Sebastian; Niesler, Christian; Brasser, Ferdinand; Davi, Lucas; Sadeghi, Ahmad-Reza: RealSWATT: Remote Software-based Attestation for Embedded Devices under Realtime Constraints. In: Proc. of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, New York, USA 2021. doi:10.1145/3460120.3484788Citation Details
Paaßen, David; Surminski, Sebastian; Rodler, Michael; Davi, Lucas: My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers. In: Proc. of 26th European Symposium on Research in Computer Security. Springer International Publishing, Darmstadt 2021. Citation Details
Niesler, Christian; Surminski, Sebastian; Davi, Lucas: HERA: Hotpatching of Embedded Real-time Applications. In: Proc. of 28th Network and Distributed System Security Symposium (NDSS). 2021. doi:10.14722/ndss.2021.24159Full text CitationAbstractDetails
Memory corruption attacks are a pre-dominant attack vector against IoT devices. Simply updating vulnerable IoT software is not always possible due to unacceptable downtime and a required reboot. These side-effects must be avoided for highly-available embedded systems such as medical devices and, generally speaking, for any embedded system with real-time constraints.
To avoid downtime and reboot of a system, previous research has introduced the concept of hotpatching. However, the existing approaches cannot be applied to resource-constrained IoT devices. Furthermore, possible hardware-related issues have not been addressed, i.e., the inability to directly modify the firmware image due to read-only memory.
In this paper, we present the design and implementation of HERA (Hotpatching of Embedded Real-time Applications) which utilizes hardware-based built-in features of commodity Cortex-M microcontrollers to perform hotpatching of embedded systems. HERA preserves hard real-time constraints while keeping the additional resource usage to a minimum. In a case study, we apply HERA to two vulnerable medical devices. Furthermore, we leverage HERA to patch an existing vulnerability in the FreeRTOS operating system. These applications demonstrate the high practicality and efficiency of our approach.
Surminski, Sebastian; Rodler, Michael; Davi, Lucas: Poster: Automated Evaluation of Fuzzers - Distinguished Technical Poster Award. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019. Full text CitationAbstractDetails
Fuzzing is a well-known technique for automatically testing the robustness of software and its susceptibility to security-critical errors. Recently, many new and improved fuzzers have been presented. One critical aspect of any new fuzzer is its overall performance. However, given that there exist no standardized fuzzing evaluation methodology, we observe significant discrepancy in evaluation results making it highly challenging to compare fuzzing techniques.
To tackle this deficiency, we developed a new framework, called FETA, which automatically evaluates fuzzers based on a fixed and comprehensive test set enabling objective and general comparison of performance results. We apply FETA to various recently released academic and non-academic fuzzers, eventually resulting in a large scale evaluation of the current state-of-the-art fuzzing approaches.
Sebastian Surminski, Christian Moldovan; Hoßfeld, Tobias: Practical QoE Evaluation of Adaptive Video Streaming. In: Reinhard German, Kai-Steffen Hielscher; Krieger, Udo R. (Ed.): Measurement, Modelling and Evaluation of Computing Systems. Springer International Publishing, Cham 2018, p. 283-292. Full text Citation
Sebastian Surminski, Christian Moldovan; Hoßfeld, Tobias: Saving Bandwidth by Limiting the Buffer Size in HTTP Adaptive Streaming. In: Krieger, Udo R.; Schmidt, Thomas C.; Timm-Giel, Andreas (Ed.): MMBnet 2017 - Proceedings of the 9th GI/ITG Workshop „Leistungs-, Verlässlichkeits- und Zuverlässigkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen“. University of Bamberg Press, Hamburg 2017, p. 5-21. doi:10.20378/irbo-49762Full text Citation
Moldovan, Christian; Metzger, Florian; Surminski, Sebastian; Hoßfeld, Tobias; Burger, Valentin: Viability of Wi-Fi Caches in an Era of HTTPS Prevalence. In: Society, Ieee Communications; Electrical, Institute Of; Electronics Engineers, Institute of Electrical; Engineers, Electronics (Ed.): IEEE ICC'17: Bridging People, Communities, and Cultures. Paris, France 2017. Full text Citation

Professor for Computer Science

Prof. Dr.-Ing. Lucas Davi