IEEE S&P Paper on Hardening the Java Runtime is now available

Our new S&P paper Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation is now available online. It is a follow-up to our previous CCS’16 paper An In-Depth Study of More Than Ten Years of Java Exploitation. In that earlier paper we classified a large number of historical Java exploits. In doing so, we found that the largest class of exploits was made possible by shortcuts in Java’s implementation of access control. In the S&P paper we now show that it is possible to do without those shortcuts, without any loss of performance. We also discuss the usability implications that this removal of shortcuts would have.

New Paper “The Soot-based Toolchain For Analyzing Android Apps”

Steven, Siegfried and I have just completed our invited paper for MOBILESoft’17. The paper The Soot-based Toolchain For Analyzing Android Apps summarizes for the first time the Soot-based toolchain for analyzing Android apps that we have built up over the past years. We hope you will enjoy the read!

If you attend ICSE, consider attending MOBILESoft as well, where you will be able to hear my keynote talk.

TV Interview on Smart Home Security

Local television interviewed me today on Smart Home Security. You can watch the video here (skip to about 9 minutes).

Heise devSec()

This year I am co-organizing Heise devSec(), a new developer conference on secure software engineering. We welcome your submission by May 8th!

Join us at ESEC/FSE 2017 – in September in Paderborn

Further information available here

Help us improve Soot by giving us your feedback!

Over the past years, Soot has seen a larger and larger user base. It makes us happy that so many people find Soot useful, and we particularly appreciate the help we have received in terms of feedback, bug reports, bug fixes or even newly contributed features. Thanks for giving back!

In early 2017 we plan to apply for government funding to aid the future development and maintenance of Soot.

Sounds great? Then please support us by filling out this little web form.

That way you can help us in two ways:

  • By letting us know how we can improve Soot you can directly help us prioritize newly planned features.
  • By stating your name and affiliation you help us showcase Soot’s large user base.

Thanks!

NRW’s research agenda on Human-centered Systems Security

We have now released the IT-security agenda that Thorsten Holz, Norbert Pohlmann, Matthew Smith and Jörg Hoffmann have proposed for our state of North-Rhine Westphalia. As probably one of the first major research endeavours worldwide to do so, it puts humans at the centre of IT-security research. The agenda is available for download here.

Harvester scores 1st place at German IT-Sicherheitspreis

Copyright: Catharina Frank

Harvester has scored 1st place at this year’s German IT-Sicherheitspreis! Every two years, the Horst Görtz Foundation awards EUR 200,000 to the three winners, with the first place being awarded EUR 100,000. More at Heise (in German).

Many thanks to the judges and the foundation! Harvester is planned to be available soon as a plugin for our CodeInspect framework. We are further thinking of providing a command-line version to interested customers.

An In-Depth Study of More Than Ten Years of Java Exploitation

I am happy and proud to present our first CCS paper! Co-authored with Philipp Holzinger, Stefan Triller and Alexandre Bartel, we present an in-depth study of all available Java exploits we were able to find online. The exploits cover many different attack vectors and span more than 15 years; they highlight important weaknesses in the Java runtime. The study explains in detail the different weaknesses that the exploits target. The paper is already available here. Further, we will soon make available some artifacts on this website (not the exploits, though).

Thanks to Marco Pistoia for his constructive feedback and to Julian Dolby for providing us with the IBM JDKs we required for our study! Thanks also to Oracle, which supported us through a Collaborative Research Grant, and to the DFG’s Priority Program 1496 Reliably Secure Software Systems, which funded the work through its project INTERFLOW!

See you all in Vienna!

ASE Distinguished Reviewer Award

I just learned that apparently I was selected to receive the ASE Distinguished Reviewer Award. Thanks a lot to the ASE authors for their positive vote! And more thanks go also to my staff for assisting my reviews. Thanks a lot guys, we all share this award! It’s the second in a row, too!