Cutting-edge Cybersecurity
We are an innovation-driven company with broad expertise in cybersecurity. Rooted and well-connected in the research community, our mission is to bring next-generation security technologies from research into industry-leading products.
In our earlier positions at the Technical University of Darmstadt and in the automotive industry, we published our research at top-tier international security conferences while applying our ideas to large-scale industry projects with real-world impact.
The experience we gained as academic and industrial researchers puts us in the unique position to build solutions that unite the industry's requirements for practicality and efficiency with the latest and best security proposed by the research community.
Technologies & Expertise
The SANCTUARY team combines a unique set of expertise to support you in all your cybersecurity projects.
Security Architectures
Our cutting-edge security architectures combine compartmentalization and asset protection with modern security features like secure boot, attestation, virtual TPMs/HSMs, and many more.
Software Security
Protect your individual applications with our extensive expertise in software attacks and defenses. Our secure logging and health-monitoring solutions give you control over the complete security lifecycle.
Trusted Computing
From TPMs and Secure Elements to Trusted Execution Environments (TEEs), we protect your software according to your security requirements. We have years of experience, from established TEEs (Intel SGX, AMD SEV, Arm TrustZone) to emerging TEEs (Intel TDX, Arm CCA) and RISC-V TEEs.
Software Testing
Keeping bugs out of software releases is challenging. In our own software components, we already use a combination of static analysis, unit testing, and fuzzing integrated into our CI pipeline. We have experience in fuzzing all software layers, from applications down to firmware.
Complex Software Systems
Our products and background make us experts in everything at the kernel level and below. We regularly build and modify Linux kernels, Android, real-time operating systems (RTOS), hypervisors, and even firmware and bootloaders.
Embedded Platforms
While our products started on Arm Cortex-A platforms, we are continuously expanding our technology and experience to other platforms, particularly RISC-V and Arm Cortex-M/R, but also other microcontrollers.
Project Management
As a startup funded by the German Federal Ministry of Education and Research, with years of experience in DFG, EU, and other research projects, we know how to plan, manage, and execute research projects. We also have a strong background in industrial projects with large and small corporations.
Selected Publications
With the advent of new mission concepts, such as multi-tenant spacecraft, interconnected spacecraft networks, or AI-supported autonomy, onboard spacecraft software needs to provide a growing number of functionalities. However, as onboard software grows more complex, the probability of software bugs rises as well, becoming an increasingly important factor in spacecraft safety, reliability, and cybersecurity considerations.
In this paper, we introduce a novel software architecture for onboard software that builds on a strong hardware-assisted isolation mechanism. Our architecture leverages hardware extensions of Arm processors that are already deployed today (e.g., in CubeSats) and are becoming common in the space sector. By separating software components into hardware-assisted compartments, we ensure that they cannot affect each other, even when one component crashes. Further, our architecture allows faulty software components to be detected and restarted into a safe configuration, reducing dependency on the spacecraft's safe mode. Especially for missions in which different parties jointly utilize (parts of) a spacecraft, such as hosted payloads or multi-tenant spacecraft, our architecture provides strong safety and cybersecurity guarantees due to the strong separation between components. These properties make operating spacecraft inherently more reliable while simplifying onboard software development, as the inherent safety and cybersecurity guarantees reduce the need to extensively test individual software components or audit external software. We evaluated our novel software architecture thoroughly on a hardware development board. The research project was done in collaboration with the European Space Agency (ESA).
You can download the full publication here.
Embedded systems are at the core of many security-sensitive and safety-critical applications, including automotive, industrial control systems, and critical infrastructures. Existing protection mechanisms against (software-based) malware are either too complex, expensive, or do not meet real-time requirements.
In the TyTAN paper from 2015, we proposed, early on, a security architecture for embedded systems that provides the security functionalities which are today summarized under the term "trusted computing". In particular, TyTAN offers (1) hardware-assisted strong isolation of dynamically configurable tasks and (2) real-time guarantees. We implemented TyTAN on the Intel Siskiyou Peak embedded platform and demonstrated its efficiency and effectiveness through extensive evaluation. The research project was done in collaboration with Intel Corporation.
You can download the full publication here.
Fuzzing is an automated software testing technique broadly adopted by the industry. A popular variant is mutation-based fuzzing, which discovers a large number of bugs in practice. While the research community has studied mutation-based fuzzing for years now, the interactions of the algorithms within a fuzzer are highly complex and can, together with the randomness in every instance of a fuzzer, lead to unpredictable effects. Most efforts to improve this fragile interaction have focused on optimizing seed scheduling. However, real-world results such as Google's FuzzBench highlight that these approaches do not consistently show improvements in practice. Another way to improve the fuzzing process algorithmically is to optimize mutation scheduling. Unfortunately, existing mutation scheduling approaches have also failed to convince, either because of a lack of real-world improvements or because of too many user-controlled parameters whose configuration requires expert knowledge about the target program. This leaves the challenging problem of cleverly processing test cases and achieving a measurable improvement unsolved.
We present DARWIN, a novel mutation scheduler and the first to show fuzzing improvements in a realistic scenario without the need to introduce additional user-configurable parameters, opening this approach to the broad fuzzing community. DARWIN uses an Evolution Strategy to systematically optimize and adapt the probability distribution of the mutation operators during fuzzing. We implemented a prototype based on the popular general-purpose fuzzer AFL. DARWIN significantly outperforms the state-of-the-art mutation scheduler and the AFL baseline in our own coverage experiment, in FuzzBench, and by finding 15 out of 21 bugs the fastest in the MAGMA benchmark. Finally, DARWIN found 20 unique bugs (including one novel bug), 66% more than AFL, in widely-used real-world applications.
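The core idea described above, adapting the probability distribution over a fuzzer's mutation operators with an Evolution Strategy, can be illustrated with a small (1+λ)-ES. The following is an added example written for this page; it is not DARWIN's code or its exact algorithm, and it does not run a real fuzzer. The operator names, the MIN_PROB floor, and the HIDDEN_YIELD table (a noise-free stand-in for coverage feedback that a real scheduler would measure from the target) are all constructed for the illustration.

```python
"""Toy (1+lambda)-Evolution-Strategy mutation scheduler (illustration only).

The ES individual is the probability vector over mutation operators. Each
generation proposes `lam` perturbed children, scores them with a fitness
signal (here: simulated coverage gain), and keeps the parent unless a child
is at least as good. Not DARWIN's implementation; all constants are assumed.
"""
import random
from typing import Callable, Dict, List

# Mutation operators of a typical mutation-based fuzzer (constructed names).
OPERATORS: List[str] = ["bitflip", "arith", "interesting", "insert", "delete"]

# Constructed "hidden" effectiveness of each operator on an imaginary target:
# expected new-coverage yield per mutation. A real scheduler measures this
# online from the fuzzer's feedback instead of knowing it up front.
HIDDEN_YIELD: Dict[str, float] = {
    "bitflip": 0.02,
    "arith": 0.05,
    "interesting": 0.30,
    "insert": 0.10,
    "delete": 0.01,
}

# Floor probability: never starve an operator completely, so the scheduler
# can still notice when a currently weak operator becomes useful later.
MIN_PROB = 0.02


def uniform_distribution() -> List[float]:
    return [1.0 / len(OPERATORS)] * len(OPERATORS)


def perturb(dist: List[float], sigma: float, rng: random.Random) -> List[float]:
    """Gaussian mutation of the probability vector, projected back onto the
    simplex so that every entry is >= MIN_PROB and the entries sum to 1."""
    n = len(dist)
    excess = [max(0.0, p + rng.gauss(0.0, sigma) - MIN_PROB) for p in dist]
    total = sum(excess)
    if total == 0.0:  # degenerate draw: fall back to the uniform distribution
        return uniform_distribution()
    free_mass = 1.0 - MIN_PROB * n
    return [MIN_PROB + free_mass * e / total for e in excess]


def simulated_coverage_gain(dist: List[float]) -> float:
    """Expected coverage gain of one mutation round under `dist`.
    Constructed, noise-free stand-in for real fuzzer feedback."""
    return sum(p * HIDDEN_YIELD[op] for p, op in zip(dist, OPERATORS))


def es_step(parent: List[float], fitness: Callable[[List[float]], float],
            rng: random.Random, lam: int = 4, sigma: float = 0.05) -> List[float]:
    """One (1+lambda)-ES generation: the parent survives unless a child
    scores at least as well (elitist selection)."""
    best, best_fit = parent, fitness(parent)
    for _ in range(lam):
        child = perturb(parent, sigma, rng)
        fit = fitness(child)
        if fit >= best_fit:
            best, best_fit = child, fit
    return best


def schedule(fitness: Callable[[List[float]], float], generations: int = 300,
             seed: int = 1, lam: int = 4, sigma: float = 0.05) -> List[float]:
    """Run the ES from a uniform start and return the adapted distribution."""
    rng = random.Random(seed)
    dist = uniform_distribution()
    for _ in range(generations):
        dist = es_step(dist, fitness, rng, lam, sigma)
    return dist


def best_operator(dist: List[float]) -> str:
    return OPERATORS[max(range(len(dist)), key=lambda i: dist[i])]


if __name__ == "__main__":
    final = schedule(simulated_coverage_gain)
    for op, p in zip(OPERATORS, final):
        print(f"{op:12s} {p:.3f}")
    print("most favoured operator:", best_operator(final))
```

In a real fuzzer the fitness would be measured, not computed from a table: for example, the number of new coverage edges found during a window of mutations drawn from the candidate distribution. That measurement is noisy, which is why elitist selection and a probability floor matter: the scheduler should not discard a distribution, or an operator, on the strength of one unlucky window.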
You can download the full publication here.
From industrial automation to smart homes, embedded devices are already ubiquitous, and the number of applications continues to grow rapidly. However, the plethora of embedded devices used in these systems leads to considerable hardware and maintenance costs. To reduce these costs, it is necessary to consolidate applications and functionalities that are currently implemented on individual embedded devices. Especially in mixed-criticality systems, consolidating applications on a single device is highly challenging and requires strong isolation to ensure the security and safety of each application. Existing isolation solutions, such as partitioning designs for Arm-based microcontrollers, do not meet these requirements. In this paper, we present SafeTEE, a novel approach to enable security- and safety-critical applications on a single embedded device. We leverage hardware mechanisms of commercially available Arm-based microcontrollers to strongly isolate applications on individual cores. This makes SafeTEE the first solution to provide strong isolation for multiple applications in terms of security as well as safety. We thoroughly evaluate our prototype of SafeTEE on the most recent Arm microcontrollers using a standard microcontroller benchmark suite.
You can download the full publication here.
Security architectures providing Trusted Execution Environments (TEEs) have been an appealing research subject for a wide range of computer systems, from low-end embedded devices to powerful cloud servers. The goal of these architectures is to protect sensitive services in isolated execution contexts, called enclaves. Unfortunately, existing TEE solutions suffer from significant design shortcomings. First, they follow a one-size-fits-all approach offering only a single enclave type; however, different services need flexible enclaves that can adjust to their demands. Second, they cannot efficiently support emerging applications (e.g., Machine Learning as a Service), which require secure channels to peripherals (e.g., accelerators) or the computational power of multiple cores. Third, their protection against cache side-channel attacks is either an afterthought or impractical, i.e., no fine-grained mapping between cache resources and individual enclaves is provided.
In this work, we propose CURE, the first security architecture that tackles these design challenges by providing different types of enclaves: (i) sub-space enclaves provide vertical isolation at all execution privilege levels, (ii) user-space enclaves provide isolated execution to unprivileged applications, and (iii) self-contained enclaves allow isolated execution environments that span multiple privilege levels. Moreover, CURE enables the exclusive assignment of system resources, e.g., peripherals, CPU cores, or cache resources, to single enclaves. CURE requires minimal hardware changes while significantly improving the state of the art of hardware-assisted security architectures. We implemented CURE on a RISC-V-based SoC and thoroughly evaluated our prototype in terms of hardware and performance overhead. CURE imposes a geometric mean performance overhead of 15.33% on standard benchmarks.
You can download the full publication here.
For a complete list of research publications, please visit our Google Scholar profile.