Become a Post-Doc Researcher at Paderborn University!

We are still looking for one to two postdoctoral researchers to complement our research group at Paderborn University. For further information, please consult our previous announcement here. As stated, please direct your applications to

If you have a deep interest in software engineering, especially software security, then I am very much looking forward to your application! In particular, I am interested in candidates with a proven track record (at least two papers at very reputable venues) in any of these subject areas:

  • Static and/or dynamic program analysis
  • Software Security
  • Systems Security
  • Applied (!) cryptography and/or cryptanalysis

Should we reject papers with bogus artifacts?

Yesterday I blogged about the accepted artifacts at ISSTA. I think it is worth noting that out of the ten accepted papers that had artifacts submitted, there were seven for which the artifacts checked out. That is a good thing!

What worries me, however, are the three papers for which artifact evaluation failed. For those three papers, we were largely unable to reproduce their results, and yet the papers made it into the program. Moreover, for two of those three, the fact that they had failed artifact evaluation was already known before the PC meeting, i.e., there would have been a chance to reject them.

The reason the PC did not is that only positive artifact reviews were taken into account this time, in order not to discourage people from submitting artifacts in the future. We as a community should really think about whether we can find a way to make artifact evaluation the default, so that authors have no choice but to submit all the evidence they have to back up their claims.

ICSE Distinguished Reviewer Award

I was very pleasantly surprised when I received the ICSE Distinguished Reviewer Award today, especially given that out of the 19 papers I reviewed only two were finally accepted. I guess there must also be a helpful way to reject papers after all. So thanks a lot to the ICSE authors for their positive vote! And more thanks go also to Alexandre Bartel, Mauro Baluda, Philipp Holzinger, Siegfried Rasthofer, Stephan Huber and Steven Arzt for assisting my reviews. Thanks a lot guys, we all share this award!

Boomerang accepted at ECOOP 2016

We are happy to announce that a paper on our new algorithm for demand-driven, context- and flow-sensitive points-to analysis, called Boomerang, has been accepted at the ECOOP 2016 conference. Download the paper here.

Boomerang is the first demand-driven points-to analysis that, in addition to computing points-to sets, also delivers the reverse information: given an allocation site, the analysis returns all pointers in the current scope that may point to that particular allocation site. This feature is crucial for state-of-the-art clients such as taint and typestate analysis, which need to know every alias through which a tracked object can be reached. On top of that, Boomerang enables client-driven context resolution: the client can limit the search scope of the points-to analysis to the methods of interest.
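To make the two query directions concrete, here is a small added example that is not Boomerang's code, its IR or PointerBench. It assumes a toy straight-line program (no branches, no calls, no fields) given as a list of statements of the form ("new", var, site), ("assign", dst, src) and ("sink", var); flow sensitivity here only means that a query is answered at a statement index and respects later reassignments (kills). The forward query walks backwards to the defining statement, the reverse query propagates aliases forward from the allocation site, and a minimal taint client uses the reverse query to decide whether a sink may receive an object allocated at a tainted source site.

```python
"""Toy demand-driven, flow-sensitive points-to queries in both directions.

Added example for this page; NOT Boomerang's code or its IR.  The program
format is an assumption: a straight-line list of statements
    ("new", var, site)      var = new ...   (allocation site `site`)
    ("assign", dst, src)    dst = src
    ("sink", var)           sink(var)
A query is asked "just before statement `at`" and respects kills.
"""
from typing import List, Set, Tuple

Stmt = Tuple[str, ...]


def points_to(prog: List[Stmt], var: str, at: int) -> Set[str]:
    """Forward query: allocation sites `var` may point to just before `at`.

    Walks backwards to the most recent definition of `var`; for a copy it
    recurses into the source variable *at that earlier program point*.
    """
    for i in range(at - 1, -1, -1):
        kind, dst, *rest = prog[i]
        if kind == "sink" or dst != var:
            continue
        if kind == "new":
            return {rest[0]}
        # assignment: value is whatever `src` pointed to before statement i
        return points_to(prog, rest[0], i)
    return set()  # `var` is undefined at this point


def pointers_to(prog: List[Stmt], site: str, at: int) -> Set[str]:
    """Reverse query: variables that may point to `site` just before `at`.

    Starts from each allocation of `site`, propagates through copies and
    kills the alias when a variable is redefined to something else.
    """
    aliases: Set[str] = set()
    for i in range(at):
        kind, dst, *rest = prog[i]
        if kind == "sink":
            continue
        if kind == "new":
            if rest[0] == site:
                aliases.add(dst)      # fresh alias of the site
            else:
                aliases.discard(dst)  # redefined to another site: kill
        else:  # assign dst = src
            if rest[0] in aliases:
                aliases.add(dst)      # copy of an alias is an alias
            else:
                aliases.discard(dst)  # overwritten with a non-alias: kill
    return aliases


def tainted_sinks(prog: List[Stmt], source_site: str) -> List[int]:
    """Taint client: indices of sinks whose argument may alias `source_site`.

    The client never needs the full points-to relation; it asks the
    reverse query at each sink, which is exactly the information the
    paragraph above describes.
    """
    return [i for i, s in enumerate(prog)
            if s[0] == "sink" and s[1] in pointers_to(prog, source_site, i)]


# Constructed sample program (not taken from the paper or benchmark).
PROGRAM: List[Stmt] = [
    ("new", "a", "A1"),     # 0: a = new ...   site A1 (treated as tainted)
    ("assign", "b", "a"),   # 1: b = a
    ("new", "c", "C1"),     # 2: c = new ...   site C1
    ("assign", "a", "c"),   # 3: a = c         kills a's alias to A1
    ("assign", "d", "b"),   # 4: d = b
    ("sink", "a"),          # 5: sink(a)       safe, a -> C1
    ("sink", "d"),          # 6: sink(d)       tainted, d -> A1
    ("new", "d", "D1"),     # 7: d = new ...   site D1
    ("sink", "d"),          # 8: sink(d)       safe again
]

if __name__ == "__main__":
    print("a before 5  ->", points_to(PROGRAM, "a", 5))      # {'C1'}
    print("b before 5  ->", points_to(PROGRAM, "b", 5))      # {'A1'}
    print("A1 before 5 <-", pointers_to(PROGRAM, "A1", 5))   # {'b', 'd'}
    print("C1 before 5 <-", pointers_to(PROGRAM, "C1", 5))   # {'a', 'c'}
    print("tainted sinks  ", tainted_sinks(PROGRAM, "A1"))   # [6]
```

Note how the forward query for `a` at statement 5 correctly reports `C1` only, while the reverse query for `A1` still reports `b` and `d`; a flow-insensitive analysis would conflate both and flag the sink at statement 5 as well. The real algorithm additionally handles heap fields, calls with context sensitivity and control flow, none of which this toy attempts.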

For the evaluation we introduce PointerBench, the first benchmark suite for evaluating the precision and soundness of points-to analyses. We hope for contributions that further enhance the benchmark suite and make points-to analyses easier to compare.

Boomerang also received the artifact evaluation award.

Smart cyber-physical systems: Too big to fail, too smart to be secure?

Attending ICSE? Then consider coming two days earlier to attend SEsCPS, the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems, where I will be giving a keynote on the current state and challenges of CPS security. Abstract:

Many industrialized nations are currently pushing for smart cyber-physical systems as a major hope for new revenue models. But such systems become smart through connectivity, which opens them up to a whole range of new attack vectors. One may ask: why are current software-heavy cyber-physical systems as insecure as they are? My answer would be: why shouldn’t they be? Many such systems are designed and engineered by companies who never developed software engineering as a core competency. And how should such companies succeed where even the most prominent software vendors struggle? In this talk I will discuss my view of the challenges in secure software engineering and how the inclusion of hardware brings a whole new set of challenges to the game. I will outline my vision of secure systems engineering and raise a set of challenges that need to be addressed to make this vision become reality.

Joint Android Hacking Event in Darmstadt & Paderborn

On the evening of June 1st we will be jointly organizing a CTF-style Android Hacking Event. At Fraunhofer SIT & TU Darmstadt the organization is led by team[SIK], at Paderborn University & Fraunhofer IEM by the Software Engineering Group. As a "local hacker" you will be able to physically attend either event, at Fraunhofer SIT (Rheinstr.) or at Zukunftsmeile 1 in Paderborn. We will try to have a video feed between the two events.

You can also participate as a remote hacker. Remote participants will be listed separately, as we expect them to be more advanced than the student hackers whom we actually target with this event. Prizes will only be given out to local student hackers.

To qualify, you must register (and solve a couple of challenges) by May 11th here.

CodeInspect awarded at the HIGHEST Startup Contest

CodeInspect was awarded the second prize at the HIGHEST startup contest at TU Darmstadt. In a multi-stage selection process, we had to convince the judges of our business concept, which addresses the need for more security in the mobile world. All in all, we competed against 74 other business ideas from different departments of TU Darmstadt, such as mechanical engineering, chemistry, etc.

More information about the other winners and the ceremony can be found here.