Sebastian Surminski is a research assistant in the working group for Secure Software Systems at the University of Duisburg-Essen.
- since 02/2018
Research Assistant at the chair for Secure Software Systems (Syssec) ath the University of Duisburg-Essen
- 4/2017 - 02/2018
Research Assistant at the chair for Modelling of Adaptive Systems (MAS) ath the University of Duisburg-Essen
- 4/2014 - 04/2017
Master's studies in Applied Computer Sciences - Systems Engineering at the University of Duisburg-Essen (graduated with M.Sc.)
- 10/2007 - 4/2014
Bachelor's studies in Applied Computer Sciences at the University of Paderborn (graduated with B.Sc.)
Honours and Awards:
- Distinguished Technical Poster Award at NDSS 2019
- Best Paper Award at MMBnet 2017
Sebastian Surminski works as researcher within the CRC 1119 CROSSING in project S2 on remote attestation.
- Cloosters, Tobias; Surminski, Sebastian; Sangel, Gerrit; Davi, Lucas: SALSA: SGX Attestation for Live Streaming Applications. In: Proc. of 7th IEEE Secure Development Conference (SecDev). 2022. CitationAbstractDetails
Intel SGX is a security feature of processors that allows running software in enclaves, isolated from the operating system. Even an attacker with full control of the computer system cannot inspect these enclaves. This makes SGX enclaves an
adequate solution to store and process highly sensitive data like encryption keys. However, these enclaves are still vulnerable to standard software attacks. While SGX allows static attestation, i.e., validating the integrity of the program code and data in the enclave, static attestation cannot detect run-time attacks.
We present SALSA , the first solution to allow run-time attestation of SGX enclaves. To show its applicability, we use SALSA to implement a video streaming service that uses an SGX enclave to decode the video stream. When a compromise of the SGX enclave is detected, the streaming of the video instantaneously stops. This shows a practical use-case for runtime attestation of SGX enclaves. In the evaluation, we show that the performance of this setup is sufficient to attest a live video streaming service.
- Surminski, Sebastian; Niesler, Christian; Brasser, Ferdinand; Davi, Lucas; Sadeghi, Ahmad-Reza: RealSWATT: Remote Software-based Attestation for Embedded Devices under Realtime Constraints. In: Proc. of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, New York, USA 2021. doi:10.1145/3460120.3484788CitationDetails
- Paaßen, David; Surminski, Sebastian; Rodler, Michael; Davi, Lucas: My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers. In: Proc. of 26th European Symposium on Research in Computer Security. Springer International Publishing, Darmstadt 2021. CitationDetails
- Niesler, Christian; Surminski, Sebastian; Davi, Lucas: HERA: Hotpatching of Embedded Real-time Applications. In: Proc. of 28th Network and Distributed System Security Symposium (NDSS). 2021. doi:10.14722/ndss.2021.24159Full textCitationAbstractDetails
Memory corruption attacks are a pre-dominant attack vector against IoT devices. Simply updating vulnerable IoT software is not always possible due to unacceptable downtime and a required reboot. These side-effects must be avoided for highly-available embedded systems such as medical devices and, generally speaking, for any embedded system with real-time constraints.
To avoid downtime and reboot of a system, previous research has introduced the concept of hotpatching. However, the existing approaches cannot be applied to resource-constrained IoT devices. Furthermore, possible hardware-related issues have not been addressed, i.e., the inability to directly modify the firmware image due to read-only memory.
In this paper, we present the design and implementation of HERA (Hotpatching of Embedded Real-time Applications) which utilizes hardware-based built-in features of commodity Cortex-M microcontrollers to perform hotpatching of embedded systems. HERA preserves hard real-time constraints while keeping the additional resource usage to a minimum. In a case study, we apply HERA to two vulnerable medical devices. Furthermore, we leverage HERA to patch an existing vulnerability in the FreeRTOS operating system. These applications demonstrate the high practicality and efficiency of our approach.
- Surminski, Sebastian; Rodler, Michael; Davi, Lucas: Poster: Automated Evaluation of Fuzzers - Distinguished Technical Poster Award. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019. Full textCitationAbstractDetails
Fuzzing is a well-known technique for automatically testing the robustness of software and its susceptibility to security-critical errors. Recently, many new and improved fuzzers have been presented. One critical aspect of any new fuzzer is its overall performance. However, given that there exist no standardized fuzzing evaluation methodology, we observe significant discrepancy in evaluation results making it highly challenging to compare fuzzing techniques.
To tackle this deficiency, we developed a new framework, called FETA, which automatically evaluates fuzzers based on a fixed and comprehensive test set enabling objective and general comparison of performance results. We apply FETA to various recently released academic and non-academic fuzzers, eventually resulting in a large scale evaluation of the current state-of-the-art fuzzing approaches.
- Sebastian Surminski, Christian Moldovan; Hoßfeld, Tobias: Practical QoE Evaluation of Adaptive Video Streaming. In: Reinhard German, Kai-Steffen Hielscher; Krieger, Udo R. (Ed.): Measurement, Modelling and Evaluation of Computing Systems. Springer International Publishing, Cham 2018, p. 283-292. Full textCitationDetails
- Sebastian Surminski, Christian Moldovan; Hoßfeld, Tobias: Saving Bandwidth by Limiting the Buffer Size in HTTP Adaptive Streaming. In: Krieger, Udo R.; Schmidt, Thomas C.; Timm-Giel, Andreas (Ed.): MMBnet 2017 - Proceedings of the 9th GI/ITG Workshop „Leistungs-, Verlässlichkeits- und Zuverlässigkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen“. University of Bamberg Press, Hamburg 2017, p. 5-21. doi:10.20378/irbo-49762Full textCitationDetails
- Moldovan, Christian; Metzger, Florian; Surminski, Sebastian; Hoßfeld, Tobias; Burger, Valentin: Viability of Wi-Fi Caches in an Era of HTTPS Prevalence. In: Society, Ieee Communications; Electrical, Institute Of; Electronics Engineers, Institute of Electrical; Engineers, Electronics (Ed.): IEEE ICC'17: Bridging People, Communities, and Cultures. Paris, France 2017. Full textCitationDetails