Over the past years, Soot has seen a larger and larger user base. It makes us happy that so many people find Soot useful, and we particularly appreciate the help we have received in terms of feedback, bug reports, bug fixes or even newly contributed features. Thanks for giving back!
Early 2017 we plan to apply for government funding to aid the future development and maintenance of Soot.
Sounds great? Then please support us by filling out this little web form.
That way you can help us in two ways:
- By letting us know how we can improve Soot you can directly help us prioritize newly planned features.
- By stating your name and affiliation you help us showcase Soot’s large user base.
We have now released the IT-security agenda which Thorsten Holz, Norbert Pohlmann, Matthew Smith and Jörg Hoffmann have proposed for our state of North Rhine-Westphalia. As probably one of the first major research endeavours worldwide, it will put humans at the focus of IT-security research. The agenda is available for download here.
Harvester has scored 1st place at this year’s German IT-Sicherheitspreis! Every two years, the Horst Görtz Foundation awards EUR 200,000 to the three winners, with the first place being awarded EUR 100,000. More at Heise (in German)
Many thanks to the judges and the foundation! Harvester is planned to be available soon as a plugin for our CodeInspect framework. We are further thinking of providing a command-line version to interested customers.
I am happy and proud to present our first CCS paper! Co-authored with Philipp Holzinger, Stefan Triller and Alexandre Bartel, we present an in-depth study of all available Java exploits we were able to find online. The exploits cover all sorts of attack vectors and span more than 15 years; they highlight important weaknesses in the Java runtime. The study explains in detail the different weaknesses the exploits take advantage of. The paper is available here already. Further, we will soon make available some artifacts on this website (not the exploits, though).
Thanks to Marco Pistoia for his constructive feedback and Julian Dolby for providing us with the IBM JDKs we required for our study! Thanks also to Oracle which supported us through a Collaborative Research Grant and to the DFG’s Priority Program 1496 Reliably Secure Software Systems who funded the work through its project INTERFLOW!
See you all at Vienna!
I just learned that apparently I was selected to receive the ASE Distinguished Reviewer Award. Thanks a lot to the ASE authors for their positive vote! And more thanks go also to my staff for assisting my reviews. Thanks a lot guys, we all share this award! It’s the second in a row, too!
We are still looking for one to two postdoctoral researchers to complement our research group at Paderborn University. For further information, please consult our previous announcement here. As stated, please direct your applications to firstname.lastname@example.org
If you have a deep interest in software engineering, especially software security, then I am very much looking forward to your application! In particular, I am interested in candidates with a proven track record (at least two papers at very reputable venues) in any of these subject areas:
- Static and/or dynamic program analysis
- Software Security
- Systems Security
- Applied (!) cryptography and/or cryptanalysis
Yesterday I blogged about the accepted artifacts at ISSTA. I think it is worthwhile noting that out of the ten papers that got accepted and which had artifacts submitted, there were seven for which the artifacts checked out. That is a good thing!
What worries me, however, are the three papers for which artifact evaluation failed. For those three papers, we were largely unable to reproduce their results, and yet the papers made it into the program. Moreover, for two of those three, the fact that they failed artifact evaluation was already known before the PC meeting, i.e., there would have been a chance to reject them.
The reason why the PC did not is that only positive reviews were taken into account this time, in order not to discourage people from submitting artifacts in the future. We as a community should really think about whether we cannot find a way to make artifact evaluation the default, so that people have no other choice than to submit all the evidence they have to back up their claims.
I was very pleasantly surprised when I received the ICSE Distinguished Reviewer Award today, especially given that out of the 19 papers I reviewed only two were finally accepted. I guess there must also be a helpful way to reject papers after all. So thanks a lot to the ICSE authors for their positive vote! And more thanks go also to Alexandre Bartel, Mauro Baluda, Philipp Holzinger, Siegfried Rasthofer, Stephan Huber and Steven Arzt for assisting my reviews. Thanks a lot guys, we all share this award!
We have just put online the positively evaluated artifacts for ISSTA’16. Congrats to the authors!
Attending ICSE? Then consider coming two days earlier to attend SEsCPS, the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems, where I will be giving a keynote on the current state and challenges of CPS security. Abstract:
Many industrialized nations are currently pushing for smart cyber-physical systems as a major hope for new revenue models. But such systems become smart through connectivity, which opens them up to a whole range of new attack vectors. One may ask: why are current software-heavy cyber-physical systems as insecure as they are? My answer would be: why shouldn’t they be? Many such systems are designed and engineered by companies who never developed software engineering as a core competency. And how should such companies succeed where even the most prominent software vendors struggle? In this talk I will discuss my view of the challenges in secure software engineering and how the inclusion of hardware brings a whole new set of challenges to the game. I will outline my vision of secure systems engineering and raise a set of challenges that need to be addressed to make this vision become reality.