Stephan Kleber

Stephan Kleber graduated from his studies of computer science at the University of Ulm in 2011 as Master of Science. Until 2012, he worked at the data processing service center of the University Medical Center Ulm (ZIK). During this time he also supervised courses and theses at the Institute of Media Informatics in the areas IT-Security and Privacy. 2012/2013 he worked in cooperation with the Institute of Information Resource Management and the Institute of Distributed Systems as research assistant in the bwGRiD-Portalproject. From 2013 to 2018 he was research assistant at the Institute of Distributed Systems.

Since 2019 he Stephan Kleber works ass Security Architect at Daimler TSS while he expedites his dissertation.

Research

I am interested in Security and Privacy in IT-Systems in general.

My emphasis lies in the areas:

Analysis of network protocols and Protocol Reverse Engineering
Usage of Physical(ly) Unclonable Functions (PUFs)
Security of wireless communications, especially of Implantable Medical Devices (IMDs)

Besides that my further interests are:

Security and forensics of mobile devices
Privacy implications on unsing mobile devices
Malware analyses
Penetration testing
Security of web technologies

Since 2008 I participated in the iCTF of UCSB with the team Ulm Security Sparrows of the University of Ulm on a regular basis.

Publications

2022

Kleber, S. and Kargl, F. 2022. Refining Network Message Segmentation with Principal Component Analysis. Proceedings of the tenth annual IEEE Conference on Communications and Network Security (Austin, TX, USA, Oct. 2022).

Reverse engineering of undocumented protocols is a common task in security analyses of networked services. The communication itself, captured in traffic traces, contains much of the necessary information to perform such a protocol reverse engineering. The comprehension of the format of unknown messages is of particular interest for binary protocols that are not human-readable. One major challenge is to discover probable fields in a message as the basis for further analyses. Given a set of messages, split into segments of bytes by an existing segmenter, we propose a method to refine the approximation of the field inference. We use principle component analysis (PCA) to discover linearly correlated variance between sets of message segments. We relocate the boundaries of the initial coarse segmentation to more accurately match with the true fields. We perform different evaluations of our method to show its benefit for the message format inference and subsequent analysis tasks from literature that depend on the message format. We can achieve a median improvement of the message format accuracy across different real-world protocols by up to 100 %.

Kleber, S., Stute, M., Hollick, M. and Kargl, F. 2022. Network Message Field Type Classification and Recognition for Unknown Binary Protocols. Proceedings of the DSN Workshop on Data-Centric Dependability and Security (Baltimore, Maryland, USA, Jun. 2022).

Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.

2021

Kröll, T., Kleber, S., Kargl, F., Hollick, M. and Classen, J. 2021. ARIstoteles - Dissecting Apple’s Baseband Interface. Proceedings of the European Symposium on Research in Computer Security (2021).

Wireless chips and interfaces expose a substantial remote attack surface. As of today, most cellular baseband security research is performed on the Android ecosystem, leaving a huge gap on Apple devices. With iOS jailbreaks, last-generation wireless chips become fairly accessible for performance and security research. Yet, iPhones were never intended to be used as a research platform, and chips and interfaces are undocumented. One protocol to interface with such chips is Apple Remote Invocation (ARI), which interacts with the central phone component CommCenter and multiple user-space daemons, thereby posing a Remote Code Execution (RCE) attack surface. We are the first to reverse-engineer and fuzz-test the ARI interface on iOS. Our Ghidra scripts automatically generate a Wireshark dissector, called ARIstoteles, by parsing closed-source iOS libraries for this undocumented protocol. Moreover, we compare the quality of the dissector to fully-automated approaches based on static trace analysis. Finally, we fuzz the ARI interface based on our reverse-engineering results. The fuzzing results indicate that ARI does not only lack public security research but also has not been well-tested by Apple. By releasing ARIstoteles open-source, we also aim to facilitate similar research in the future.

2020

Kleber, S., Heijden, R.W. van der and Kargl, F. 2020. Message Type Identification of Binary Network Protocols using Continuous Segment Similarity. Proceedings of the Conference on Computer Communications (2020).

Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. In this paper, we leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a continuous similarity measure by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality but also execution performance over previous approaches.

2019

Kleber, S. and Kargl, F. 2019. Poster: Network Message Field Type Recognition. Proceedings of the 26th Conference on Computer and Communications Security (London, UK, Nov. 2019), 2581–2583.

2018

Lukaseder, T., Stölze, K., Kleber, S., Erb, B. and Kargl, F. 2018. An SDN-based Approach for Defending Against Reflective DDoS Attacks. 2018 IEEE 43th Conference on Local Computer Networks (2018). (acceptance rate: 28%)

Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.

Teaching

Supervision of theses

Gladly, I take the supervision of bachelor's, master's and diploma theses from any area of my research. Suggested topics can be found under Theses. Own propositions are welcome.

Excercises for Lectures

IT-Security [WiSe12] | [WiSe11 (MI)] | [WiSe10 (MI)]
Mobile Communications [WiSe13]
Introduction to Computer Networks [WiSe2014]
Advanced Concepts of Communication Networks [SoSe2018] | [SoSe2017] | [SoSe2016] | [SoSe2015] | [SoSe2014]

(Pro-)Seminars, Praktica und Project Modules

Privacy in the Internet [WiSe17] | [WiSe16] | [WiSe15] | [WiSe14] | [WiSe13] | [WiSe12]
Selected Topics in Distributed Systems/Research Trends in Distributed Systems [WiSe17] | [SoSe17] | [WiSe16] | [SoSe16] | [WiSe15] | [SoSe15] | [WiSe14] | [SoSe14] | [WiSe13] | [SoSe13] | [WiSe12]
Project Module: Computer Networks and IT-Security [WiSe16/SoSe17] | [WiSe15/SoSe16] | [WiSe14/SoSe15] | [WiSe13/SoSe14] | [WiSe12/SoSe13]