In September 2021, I left the University of Bremen, where I was a research assistant and member of the software engineering group. Now, I am a lecturer at the Hamburg University of Technology where I am part of the Computer Engineering Group at the Institute of Embedded Systems.
Currently, I am working on different ideas in the area of software security and static analysis. I try to continue my work on architectural risk analysis using ArchSec. Furthermore, I am trying to combine machine learning with static analysis. An interesting combination, which, hopefully, yields some interesting results. Lastly, we created a new tool, called eNYPD for finding application’s entry-points.
My PhD thesis took quite a while because of several additional research topics I worked on. Besides of writing grant proposals, I already advised colleagues working on different research projects related to static analysis and software security.
In the last years, I started to use static analyses to extract different security aspects of software systems. SeeAuthZ, for instance, is a configurable analysis tool for extracting the implemented authorization policy. Therefore, it extracts the authorization facts that enforced if the program accesses a sensitive resource. This information can be used to re-document the authorization policy if the developers lost it or never wrote it down or compare the implemented authorization policy with the planned policy to identify divergences.
Furthermore, I started to work on different aspects related to the collaborative research centre 1232. The main idea of the CRC is to find new materials using big data and machine learning. In this context, CoDaPro was developed. CoDaPro stands for component-based data processing and is a tool for data measurement and filtering. Additionally, I worked on aspects of the machine learning and evolutionary algorithm’s part. You can find more details on my publications page.
After my diploma thesis, I refocused on the topic of Software Security. In my PhD thesis, I focused on automating Microsoft’s Threat Modeling process. The publications can be found in the publications section and on my ResearchGate profile. The result of my thesis is ArchSec, the Architectural Security Tools Suite. It is integrated into Eclipse and is based on Soot, a great static analysis framework for Java-bytecode based programs. To automate Microsoft’s Threat Modeling, I use static analyses to extract extended dataflow diagrams automatically. Furthermore, a knowledge base was created hosting security flaw patterns. These patterns are searched in the extended dataflow diagrams. For more details on ArchSec you can visit the ArchSec homepage.
After my graduation, I worked for Axivion GmbH for two years. Axivion is a static code analysis company, and their tools deal with inner software quality aspects. In my time at Axivion, I worked on different parts of their tool suite, starting with the frontends, scripting binding, and their web interface. I also took part in workshops with customers regularly and gained insight into their software development processes. After two years, I decided to return to academia and focus on research.
I graduated in December 2007 from the University of Bremen, and my diploma thesis, which I wrote at Bosch Corporate Research, deals with clone detection for embedded software systems. The research question I dealt with was whether it is possible to reduce the memory footprint of embedded software systems using clone detection. The short answer for this question was: “No, it is not possible when using heavily optimising compilers.” During my studies, I focused on topics such as software engineering, compiler construction, static analysis, and reverse engineering.