Secure Software Engineering
Following the principle of security and privacy by design, the EC SPRIDE research group on Secure Software Engineering strives to support software developers in designing and implementing software systems that are known upfront to be secure with respect to certain attack vectors. As opposed to offensive approaches to software security, such as ethical hacking, our group specializes in constructive techniques for software security.
Our recipe for success is a unique, novel combination of program synthesis and analysis techniques. In our group, we develop languages, mechanisms, processes and tools that allow software developers to state security requirements clearly and, where possible, to synthesize partial implementations that achieve or help achieve these requirements. In cases where automated synthesis is impossible, and a programmer hence needs to implement security features by hand, we use automated program analyses to assist the programmer in deciding whether the implementation indeed fulfills the stated security requirements.
Our research is made possible through the Federal Ministry of Education and Research (BMBF) within EC SPRIDE, through the German Research Foundation within the Emmy Noether Project RUNSECURE, and through generous funding from the Horst Görtz Foundation. We receive additional funding from the German Academic Exchange Service (DAAD).
Looking for an interesting thesis topic in the area of Secure Software Engineering? We have made available a range of interesting topics on our website.
Have an even better idea for a topic in the area of Secure Software Engineering? By all means, let us know; we are always happy to host projects within our area of expertise.
In our new publication SPLlift – Statically Analyzing Software Product Lines in Minutes Instead of Years (to appear at PLDI’13) we show how to efficiently conduct inter-procedural, flow-sensitive, context-sensitive data-flow analysis for software product lines. Previously, such analyses would have taken years, due to the many software configurations a product line encodes. Our approach SPLlift processes the entire product line at once, and typically within minutes, without any loss of precision. It works for any IFDS-based data-flow analysis. SPLlift is available as an open-source extension to our IFDS/IDE solver Heros. To access our benchmark data, click here. This is joint work with Mira Mezini, Claus Brabrand, Társis Tolêdo, Márcio Ribeiro and Paulo Borba.
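To illustrate the idea of analyzing all configurations in one pass, here is an added toy example (not SPLlift or Heros code, and intra-procedural only): a taint analysis over a constructed product line in which each data-flow fact carries the set of configurations under which it holds, checked against a brute-force run of the plain analysis on every variant. The program, feature names and statement encoding are all constructed for this example.

```python
from itertools import combinations

# Constructed product line: (presence condition, op, dst, src). The condition
# is a feature that must be enabled, or None for code present in every variant.
FEATURES = ("LOG", "NET", "DEBUG")
PROGRAM = [
    (None,    "source",   "x", None),  # x = read_untrusted()
    ("NET",   "assign",   "y", "x"),   # #ifdef NET: y = x
    (None,    "sanitize", "x", None),  # x = escape(x)
    ("DEBUG", "assign",   "z", "y"),   # #ifdef DEBUG: z = y
    ("LOG",   "assign",   "z", "x"),   # #ifdef LOG: z = x (overwrites z)
    (None,    "sink",     "z", None),  # exec(z): tainted z here is a finding
]

def all_configs(features=FEATURES):
    """Every variant as a frozenset of enabled features (2^n of them)."""
    return {frozenset(c) for r in range(len(features) + 1)
            for c in combinations(features, r)}

def lifted_taint(program, configs):
    """Single pass over the whole product line: the fact 'v is tainted' is
    tagged with the configurations in which it holds, and each statement only
    updates the configurations in which it is actually compiled."""
    tainted, findings = {}, set()      # var -> frozenset of configs
    for cond, op, dst, src in program:
        active = frozenset(c for c in configs if cond is None or cond in c)
        old = tainted.get(dst, frozenset())
        if op == "source":
            tainted[dst] = old | active
        elif op == "assign":   # kept where inactive, copied where active
            tainted[dst] = (old - active) | (tainted.get(src, frozenset()) & active)
        elif op == "sanitize":
            tainted[dst] = old - active
        elif op == "sink":
            findings |= old            # configs where taint reaches the sink
    return findings

def per_config_taint(program, config):
    """Plain (unlifted) analysis of one variant, as a reference."""
    tainted = set()
    for cond, op, dst, src in program:
        if cond is not None and cond not in config:
            continue                   # statement not compiled in this variant
        if op == "source":
            tainted.add(dst)
        elif op == "assign":
            tainted.add(dst) if src in tainted else tainted.discard(dst)
        elif op == "sanitize":
            tainted.discard(dst)
        elif op == "sink" and dst in tainted:
            return True
    return False

def brute_force(program, configs):
    """2^n separate runs; must agree with the single lifted run."""
    return {c for c in configs if per_config_taint(program, c)}
```

The lifted run reports exactly the variants with NET and DEBUG enabled but LOG disabled, matching the brute-force result while visiting each statement once.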
Paper on Join Point Interfaces gets accepted at ACM TOSEM
At EC SPRIDE we worry a lot about what the future of secure software engineering is going to look like, and we are trying to shape that future for the better by developing tools, methods and programming languages that support a secure software design and implementation. One thing we have noticed over the past years is that many current applications and frameworks suffer from the fact that their security-related code is scattered throughout the program, and tangled with other code that is not at all related to security. From all the talk about AOP, we know that scattering and tangling can have detrimental effects, but this is especially true when talking about security. The repeated news reports about zero-day vulnerabilities in the JDK, for example, are just one instance of that problem.
A recap on our research progress in 2012
The year is coming to an end, and in fact some believe so may the world, so I thought I would give everyone a recap of what we have worked on and accomplished in 2012. What an exciting year this was! Through funding by EC SPRIDE and my new Emmy Noether Group RUNSECURE, my group grew from a single PhD student to five! This was obviously quite an exciting but also challenging shift for me, coordinating such a large and new group is not an easy task – but at the end of the year I have to say that I think I am getting the hang of it.