In their latest work applying the Combinatorial Security Testing (CST) approach to Bluetooth Low Energy devices, Dominik Schreiber, Manuel Leithner, Jovan Zivanovic and Dimitris Simos of the MATRIS group of SBA Research, the researchers uncovered 19 distinct vulnerabilities in 10 Bluetooth LE devices. Most of these issues could be used to remotely freeze the devices indefinitely (also known as a Denial of Service), while others lead to incorrect behavior or core dumps being emitted over debugging connections, indicating potentially exploitable conditions. The work is originally based on a fuzzing approach called SweynTooth but extended towards combinatorial security testing, offering a mathematically guaranteed degree of coverage based on an attack grammar.

All affected vendors were contacted to facilitate a coordinated responsible disclosure process, minimizing the impact to end users by enabling device manufacturers to release updated firmware versions before vulnerabilities are published. Additionally, related CVEs are in the process of being assigned.

The work titled Bluetooth Low Energy Security Testing with Combinatorial Methods has been accepted to the 2025 USENIX Annual Technical Conference and will be presented in July 2025 in Boston, MA.

Represented by Dimitris Simos (CST Project Lead), Bernhard Garn and Manuel Leithner, as well as by Markus Klemen (Managing Director of SBA Research), MATRIS research in combinatorial security testing was prominently presented to the attendees during the ceremony.

Combinatorial Security Testing offers an innovative combination of mathematical guarantees and effective identification of vulnerabilities. It allows testers, developers and scientists to rapidly find and fix flaws in security- and safety-relevant applications. For its practical relevance and achievements in transferring these results of innovative applications of discrete mathematics to real-world security testing benefitting Austrian companies, the CST project as finalist for the 2025 Houska Prize in the category ‘Non-University Research’ was awarded a prize of 10,000 Euro.

In 2025, the Houska Prize celebrated its 20^th round, proudly sponsored by the B&C Private Foundation. The Houska Prize recognizes and promotes business-related research and innovation. B&C’s goal with the Houska Prize is to strengthen the business location Austria as well as to appreciate outstanding research work. The Houska Prize is unique in its kind and in 2025 a total endowment of EUR 760,000 was awarded between the winners as well as nominees in the categories University Research, Non-University Research and Research & Development in SMEs, as well as for the Mariella Schurz Prize.

Andrea Bombarda (University of Bergamo) and Bernhard Garn (MATRIS)  served as PC Co-Chairs together with General Chair Angelo Gargantini (University of Bergamo).

IWCT 2025 proudly featured a keynote given by Dr. Juraj Somorovsky, Professor at Paderborn University (Germany), titled “Lessons learned from systematic security testing of TLS”: Transport Layer Security (TLS) is one of the most important cryptographic protocols, securing a vast range of communications, including web traffic, email, chat, and VPNs. Given its widespread importance, TLS implementations have become prime targets for numerous famous attacks. To detect TLS attacks automatically, Juraj – together with his System Security Group at UPB – developed a flexible tool for TLS security evaluations called TLS-Attacker. He demonstrated how combinatorial testing integrated into TLS-Attacker leveraged a practical TLS test suite called TLS-Anvil that found new exploits, cryptographic problems, and interoperability issues.  

Manuel Leithner presented a paper on the practical integration of Combinatorial (Security) Testing workflows in Continuous Integration and Deployment environments (joint work with Jovan Zivanovic, Reinhard Kugler and Dimitris Simos), continuing to support a shift of combinatorial testing methods towards practical applicability.

Bernhard Garn presented the paper titled “Combinatorial Methods for Enhancing the Resilience of Production Facilities”; joint work with Konstantin Gerner and Wolfgang Czerni (both Infraprotect), Rick Kuhn and Raghu Kacker (both NIST) and Klaus Kieseberg and Dimitris Simos. In their paper, they applied combinatorial methods to generate crisis scenarios for production facilities with the goal of strengthening their resilience by identifying weaknesses in operational aspects or crisis response plans, extending previous work from the domain of disaster research. This paper highlights the wide range of topics covered at IWCT 2025.

More applications of combinatorial testing were presented in the papers:

•  “A Search-Based Benchmark Generator for Constrained Combinatorial Testing Models” by Paolo Arcaini (National Institute of Informatics), Andrea Bombarda (University of Bergamo), Angelo Gargantini (University of Bergamo)
• “Combinatorial Test Design Model Creation using Large Language Models” by Deborah Furman (IBM), Eitan Farchi (IBM Haifa Research Lab), Michael Gildein (IBM), Andrew Hicks (IBM), Ryan Rawlins (IBM)
• “Evaluating Large Language Model Robustness Using Combinatorial Testing” by Jaganmohan Chandrasekaran (Virginia Tech), Ankita Ramjibhai Patel (The University of Texas at Arlington), Erin Lanus (Virginia Tech), Laura Freeman (Virginia Tech)
• “Utilizing Ontologies for Combinatorial Testing” by Franz Wotawa (Graz University of Technology)
• “Towards Accessibility of Covering Arrays for Practitioners of Combinatorial Testing” by Ulrike Grömping (BHT – Berliner Hochschule für Technik)
• “Testing Tool for Combinatorial Transition Testing in Dynamically Adaptive Software Systems” by Pierre Martou (UCLouvain / ICTEAM), Benoît Duhoux (Université catholique de Louvain), Kim Mens (Université catholique de Louvain, ICTEAM), Axel Legay (Nexova)
• “Extended Abstract of Poster: STARS: Tree-based Classification and Testing of Feature Combinations in the Automated Robotic Domain” by Till Schallau (TU Dortmund University), Dominik Schmid (TU Dortmund University), Nick Pawlinorz (TU Dortmund University), Stefan Naujokat (TU Dortmund University), Falk Howar (TU Dortmund University)
• “Data Frequency Coverage Impact on AI Performance” by Erin Lanus (Virginia Tech), Brian Lee (Virginia Tech), Jaganmohan Chandrasekaran (Virginia Tech), Laura Freeman (Virginia Tech), M S Raunak (NIST), Raghu Kacker (NIST), Rick Kuhn (NIST)
• “A Combinatorial Approach to Reduce Machine Learning Dataset Size” by Megan Olsen (Loyola University Maryland), M S Raunak (NIST), Rick Kuhn (NIST), Fenrir Badorf (Loyola University Maryland), Hans van Lierop (Loyola University Maryland), Francis Durso (Johns Hopkins University)
• “Fairness Testing of Machine Learning Models Using Combinatorial Testing in Latent Space” by Arjun Dahal (University of Texas at Arlington), Sunny Shree (University of Texas at Arlington), Jeff Lei (University of Texas at Arlington), Raghu Kacker (NIST), Rick Kuhn (NIST)

Dimitris Simos, in his capacity as IWCT Steering Committee Chair, formulated the strategic direction of the workshop in cooperation with members of the Steering Committee, bolstered by great suggestions provided by the IWCT community in attendance.

On behalf of the Organizers of IWCT 2025, we would like to thank all authors of accepted papers, all presenters and all participants! Furthermore, we would like to thank the Organizing Committee of ICST 2025 for their support; with special appreciation to the ICSTW Co-Chairs Matteo Biagiola, Mitchell Olsthoorn and Francesca Lonetti, the Finance Co-Chairs Domenico Amalfitano and Vincenzo Riccio, the Registration Chairs Aurora Ramírez and Baharin Aliashrafi Jodat as well as the Local Arrangement Chair Alessandra De Benedictis!

NCSR-D was founded in July 1961 as a research centre for nuclear research, Demokritos is today the largest multidisciplinary research centre of Greece with approximately 180 researchers in tenured and tenure-track positions and over 500 research personnel working in projects funded mainly by grants from state funds, the European Union and private industries.

Bernhard Garn participated as trainee in the 1st NERO Winter School on Fire Spread and Behavior Reconstruction, which was held between February 18 – 21, 2025, at the Command Center of the Autoridade Nacional de Emergência e Proteção Civil (engl.,Portuguese National Authority for Emergency and Civil Protection; ANEPC) in Carnaxide, Portugal.

The Winter School focused on advancing knowledge and skills in reconstructing wildfire spread and estimating fire behavior descriptors such as the rate of spread via remote sensing. Theoretical aspects presented included remote sensing principles and data applications as well as different data sources such as satellite and airborne data together with their individual characteristics. Practical skills were improved when working in groups on case studies for wildfire reconstruction using Python and QGIS.

Experts in remote sensing, programming, and GIS, including professionals from EUMETSAT, conducted the trainings. Attendees were grateful for the insights provided by members of ANEPC. The Winter School was an overall success, much knowledge acquired by the trainees and perfectly organized by Akli Benali (Vice-Chair of NERO). Special thanks for this Winter School go to the fellow participating trainees, the excellent trainers and dedicated organizers – especially Akli Benali, and to the members of the Command Center of ANEPC for their openness and willingness to share knowledge as well as their great hospitality!

Bernhard Garn is Management Committee (MC) member for Austria in the COST Action european Network on Extreme fiRe behaviOr (COST Action CA22164 NERO). Learn more about the NERO network here: https://nero-network.eu/

COST (European Cooperation in Science and Technology) is a funding agency for research and innovation networks. Our Actions help connect research initiatives across Europe and enable scientists to grow their ideas by sharing them with their peers. This boosts their research, career and innovation.

Visit COST at www.cost.eu

On Tuesday, February 25, 2025, Ludwig Kampel and Bernhard Garn joined the event “SBA Security Meetup hosted by Dynatrace!” to present a combinatorial approach to consistency testing of LLMs that is being implemented within KomMKonLLM. The presentation about KomMKonLLM – given jointly by Ludwig and Bernhard – generated much interest from the audience and the ensuing discussion covered several different aspects on the topic of consistency (testing) of LLMs.

You can find more information on the official project homepage of KomMKonLLM here: https://www.netidee.at/kommkonllm and you can get in contact about KomMKonLLM at (n o sp ac es): “K omMKon LLM@s ba-resear ch.o r g ”.

The research project combinatorial security testing of the MATRIS Research Group has been nominated in the category Non-University Research for the 2025 Houska Prize!

Since its establishment in 2005, the Houska Prize is sponsored by the B&C Private Foundation to promote business-related research and innovation. The Houska Prize expresses the appreciation for outstanding research work that has been performed in Austria. The year 2025 marks the 20^th round of the Houska Prize and the winners will be announced in an award ceremony on 9 April 2025.

The keynote was followed by an intensive round of questions from the audience moderated by Ingo Pill. Topics put forward included the impact of multiple, simultaneously occurring disasters as well as thoughts on technical aspects on how to start designing for resilience right from the beginning.

https://conf.researchr.org/home/dx-2024

https://conf.researchr.org/info/dx-2024/invited-speakers

The talk of Dimitris was well received and several questions were discussed during as well as after the talk. Professor Tina Wakolbinger, Head of the Research Institute for Supply Chain Management, moderated the event.

Klaus and Bernhard from the DEFSYS team also attended the event at WU.

The slides of the talk are available here:

References:
[DS] https://www.wu.ac.at/fileadmin/wu/d/i/itl/MSc_SCM/Vortragsreihe_Lecture_Serie_Interdisciplinary/Ank%C3%BCndigung_Dimitris_Samos_WS2425.pdf

[LS-RI_SCM] https://www.wu.ac.at/en/scm/events/speaker-series/winter-semester-2024-2025