Projects
Future and Running
ExViPaS
In ExViPaS, we will research the possibilities of applying architectural risk analysis to hardware designs. To this end, we will document hardware-related security patterns (and anti-patterns), strengthening the knowledge of hardware security. We will open-source the project results and the developed tooling, allowing hardware engineers to use the research results.
Project duration: 2024 - 2027
Publications:
Finished
ML-SAST
In its first phase, the ML-SAST project, advertised by the BSI, dealt with the question of which machine-learning-based approaches exist to detect security errors in C/C++ software. In the second project phase, an ML-based detection method based on these approaches was implemented. I was involved in this project as an external supervisor.
Project duration: 2021 - 2022
Publications: 26, 34
SecProPorts
The SecProPorts project deals with the conception and prototype implementation of a secure reference architecture for port telematics systems. Modeling approaches with UML/OCL, but also blockchain technologies, are used here. I took part in the proposal writing as well as in the supervision of the project.
Project duration: 2018 - 2021
Publications: 14, 19, 20
PortSec
The PortSec project dealt with IT risk management in port telematics based on software architecture. The planned and implemented security architecture was extracted using static software analyses and converted into UML/OCL models. These were then examined for security problems. I was involved in the proposal process and supervising the project’s progress.
Project duration: 2016 - 2018
Publications: 12, 14, 15, 16
SecPatterns
The SecPatterns project investigated the awareness and distribution of security patterns. In addition, existing security patterns were formalized so that they could be extracted using static software analysis. The publication was created in collaboration with the SecPatterns project.
Project duration: 2016 - 2018
Publications: 16
ZertApps
In the ZertApps project, a lightweight certification concept for Android apps was designed. A central component of the certification process was static software analysis, which automated and accelerated it. I was involved in writing and working on the project.
Project duration: 2014 - 2015
Publications: 9, 10, 11, 15
ASKS
The ASKS project focused on the security analysis of business-critical JavaEE applications. The security of the software was analyzed and evaluated based on the software architecture. For the project, architectural views of the software were extracted using static code analysis and examined for security problems. This project was the start of ArchSec (see tools section). As part of the ASKS project, I was responsible for working on the project work packages.
Project duration: 2010 - 2012
Publications: 5, 6, 7, 15