About me
Starting from October 2024, I am working as a full-time substitute professor for Secure Systems at the University of Bremen. In parallel, I am a lecturer at the Computer Engineering Group at the Institute of Embedded Systems. The institute belongs to the Hamburg University of Technology, and I am holding this tenured position since October 2021. During my time in Bremen, I reduced this position to a part-time position. Between April and July 2024, I was working as a substitute professor at the University of Rostock. There, I hold the interim professorship in the software engineering department. During this time, I paused my lectureship at Hamburg University of Technology. Before October 2021, I was a research assistant and member of the software engineering group at the University of Bremen.
Research
My PhD thesis took quite a while because of several additional research topics I worked on. Besides writing grant proposals, I already advised colleagues working on different research projects related to static analysis and software security. After my PhD, I continued working on these topics in static analysis and software security and I am trying to use my knowledge in new domains, such as hardware design. Furthermore, I started with new topics, such as optimisation, where I am really interested in using software engineering knowledge in the optimisation domain.
Architectural Risk Analysis
I continue my work on architectural risk analysis using ArchSec. Currently, we transfer the ideas to the area of hardware design. Therefore, we are working on ideas to model hardware components using ArchSec and on a knowledge base containing hardware-related security flaws.
Optimisation research
Based on different research ideas, we are working on a research software for optimisation research and extended it with our research ideas. The corresponding tool, EvoAl focuses on making optimisation algorithms configurable by applying ideas from model-driven engineering. We aim at reducing the programming overhead to zero for standard optimisation algorithms. Instead, you write a configuration file using a domain-specific language to orchestrate the optimisation algorithm with different options.
Static Analysis and Security Research
We worked on using static analyses to extract different security aspects of software systems. SeeAuthZ, for instance, is a configurable analysis tool for extracting the implemented authorization policy. Therefore, it extracts the authorization facts that is enforced if the program accesses a sensitive resource. This information can be used to re-document the authorization policy if the developers lost it or never wrote it down or compare the implemented authorization policy with the planned policy to identify divergences.
For improving static analysis of enterprise systems, we created a new tool, called eNYPD for finding application’s entry-points and understanding the wiring of modern component-based software systems.
An interesting combination, which, hopefully, yields some interesting results is the combination of static analysis and machine learning to identify security bugs. In a joint project with the Federal Office for Information Security, we used ICFGs to identify suspicious parts of a software system without explicitly coding security bug patterns.
Data processing
Furthermore, I started to work on different aspects related to the collaborative research centre 1232. The main idea of the CRC is to find new materials using big data and machine learning. In this context, CoDaPro was developed. CoDaPro stands for component-based data processing and is a tool for data measurement and filtering.
PhD Topic
After my diploma thesis, I refocused on the topic of Software Security. In my PhD thesis, I focused on automating Microsoft’s Threat Modeling process. The publications can be found in the publications section and on my ResearchGate profile. The result of my thesis is ArchSec, the Architectural Security Tools Suite. It is integrated into Eclipse and is based on Soot, a great static analysis framework for Java-bytecode-based programs. To automate Microsoft’s Threat Modeling, I use static analyses to extract extended dataflow diagrams, an architectural view of a software system, automatically. Furthermore, a knowledge base was created to host security flaw patterns. These patterns are searched in the extended dataflow diagrams. For more details on ArchSec you can visit the ArchSec homepage.
Industry
After my graduation, I worked for Axivion GmbH for two years. Axivion is a static code analysis company, and their tool suite deals with inner software quality aspects and is now part of the Qt group. In my time at Axivion, I worked on different parts of their tool suite, starting with the analyser frontends, scripting binding, and their web interface. I also took part in workshops with customers regularly and gained insight into their software development processes. After two years, I decided to return to academia and focus on research.
Studies
I graduated in December 2007 from the University of Bremen, and my diploma thesis, which I wrote at Bosch Corporate Research, deals with clone detection for embedded software systems. The research question I dealt with was whether it is possible to reduce the memory footprint of embedded software systems using clone detection. The short answer to this question was: “No, it is not possible when using heavily optimising compilers.” During my studies, I focused on topics such as software engineering, compiler construction, static analysis, and reverse engineering.