The Secure Software Engineering Group is currently involved in the following projects.
Security analysis of the Java Runtime
Oracle Inc. 2014-2016
In this project, funded by an Oracle Collaborative Research grant, we investigate how one can detect vulnerabilities automatically in code bases as large as the Java Class Library. In addition, we research possible restructurings of the Java runtime that will make it less vulnerable to attacks in the future, while maintaining its versatility. This is in collaboration with Cristina Cifuentes from Oracle Labs Brisbane and with Andrew Gross from Oracle USA.
Finding and Demonstrating Undesired Program Behavior (TESTIFY)
In this joint project with Andreas Zeller from Saarland University we try to combine techniques from static analysis, test-case generation and dynamic analysis to determine as much "interesting" runtime behavior of mobile applications as possible, in particular Android malware. The techniques will be the first ones to reliably cope with highly obfuscated applications that try to prevent exactly such analyses through evasion techniques.
Runtime Verification beyond Monitoring (ARVI)
European Cooperation in Science and Technology (COST)
This Action aims to build expertise by bringing together active researchers in different aspects of runtime verification (RV), and meeting with experts from potential application disciplines. The main goal is to overcome the fragmentation of RV research by (1) the design of common input formats for tool cooperation and comparison; (2) the evaluation of different tools, building a growing set of benchmarks and running tool competitions; and (3) the design of a road-map and grand challenges extracted from application domains.
CROSSING - Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
Within the DFG's Collaborative Research Center (Sonderforschungsbereich) 1119, CROSSING, we are heading the project on the Secure Integration of Cryptographic Software. Together with Mira Mezini's Software Technology Group, we are researching means to aid developers in integrating cryptographic libraries securely into their software systems.
INTERFLOW: Hybrid Static/Dynamic Inter-application Data-flow Analysis
In this project within the DFG Priority Program 1496 Reliably Secure Software Systems we research how Android apps from untrusted sources can be secured by enforcing security policies through a combination of static and dynamic techniques, without requiring any modifications to the Android platform. In other words, the technique should run on any stock Android platform.
Security Process Analytics
SAP AG, 2014-2015
In this project together with the Code Analysis team of SAP we employ big-data mining and machine-learning techniques to better understand the effects of strategic decisions within and changes to SAP's secure-software development process. As a mid-term goal, the project is meant to predict the likely impact of planned changes.
Fraunhofer Gesellschaft, 2013-2019
An idea becomes an innovation if it comes to use. The grant »Fraunhofer Attract« offers outstanding external scientists the opportunity to develop their ideas towards an actual application within an optimally equipped Fraunhofer institute operating close to the market. Within the project we develop code analysis tools for Secure Software Engineering. The grant's volume is about 2.5 million euros.
ZertApps - Certified Security of Mobile Apps
The ZertApps project (Certified Security of Mobile Applications) aims to provide a comprehensive security analysis infrastructure for Android apps. Static and supplementary dynamic analyses shall be developed to detect security vulnerabilities in Android apps, supporting the specific Android framework constructs, e.g., interprocess communication. In particular, we will deal with the aspect of colluding apps, where one app allows another app to access its permissions (perhaps inadvertently). Another central aspect of the ZertApps project is to develop a lightweight certification process for the security and privacy of apps. Last but not least, usability will play an important role since the analysis results must be presented to an analyst in a comprehensible fashion.
Partners: OTARIS Interactive Services GmbH, datenschutz cert GmbH, SAP AG, Fraunhofer Institute for Secure Information Technology SIT, TU Darmstadt
European Center for Security and Privacy by Design (EC SPRIDE)
The BMBF project EC SPRIDE provides the base funding for our group. Within this project, we develop methods, tools and techniques to secure software systems upfront, by means of a constructive approach to software security.
Provably secure program executions through declaratively defined dynamic program analyses (RUNSECURE)
DFG, within the Emmy Noether Program, 2012-2017
Within the Emmy Noether project RUNSECURE we develop a novel programming language for developing provably correct dynamic analyses and security monitors. As a result, programmers will be able to obtain programs that are protected from certain classes of vulnerabilities by design.
Landes-Offensive zur Entwicklung Wissensch.-ökonomischer Exzellenz (LOEWE), 2008-2016
CASED is a collaborative project of the Technische Universität Darmstadt, the Fraunhofer Society and the University of Applied Science (Hochschule) Darmstadt. In the research areas Secure Data, Secure Things, and Secure Services the cluster develops applicable basic knowledge and IT security solutions. Thanks to its broadly based position with regard to topics and competencies, the cluster and its headquarters CASED can realize especially complex projects efficiently and sustainably. Our group is part of the research area Secure Services and of the Secure Software Engineering lab.
GoRETech – Go Runtime Enforcement Techniques
The goal of the project is to develop and apply static analysis and dynamic enforcement techniques and tools for the highly concurrent programming language Go, with a special focus on analysis for security-related properties. The Go language is a modern programming language that is finding growing adoption for server-side and cloud development, as well as attracting attention as a teaching language for concurrency, e.g. at MIT. It offers a wide range of communication mechanisms: shared variables, locks, or typed channels.
Google Faculty Research Awards
Google Faculty Research Awards are highly competitive awards given out by Google as unrestricted gifts to the academic research community. Google awards about 100 Google Faculty Awards twice a year to promote promising research projects in the field of computer science. For Winter 2012/2013, about 600 entries were submitted from 46 countries, of which 102 were successful. TU Darmstadt was the only German university to receive two awards at once, both in the area of IT security.
Proving Security Properties of Services
Horst Görtz Foundation, 2011-2014
Within this project, we design and implement methods and tools to prove security properties of individual software components, such as services, as opposed to entire closed programs.
Runtime Verification for ABS Product Lines
In this project, we develop techniques to runtime-check safety and security properties for product lines expressed in the Abstract Behavioral Specification (ABS) language.