Software systems safe and secure by design

The “Secure Software Engineering” workgroup researches, develops and evaluates methods and tools designed to make software systems secure from the ground up. Unfortunately, many software development processes currently in use still treat the security of a software system as incidental. Security aspects are therefore often examined far too late, at a stage when securing the system properly has already become expensive. The consequences are often disastrous and lead to the data leaks and other security incidents regularly observed today. Incidents such as these damage the reputation of the companies affected and cost them a significant portion of their revenue, quite apart from the real harm caused by data theft.

The workgroup’s primary aim is to prevent security problems such as these from the outset by developing software-based systems in which security is an integral part of the development process from the very beginning. We therefore develop methods that enable software developers to elicit all security requirements from a holistic perspective and then compare them with attack models and threat levels. In a second step, these requirements are checked against their concrete implementation in program code. For this we primarily employ automatic code analysis tools, which apply, for example, techniques of static or dynamic analysis, but we also make use of tools that generate demonstrably secure program code from abstract, partly human-readable specifications.

Our research includes, but is not limited to, topics in the following areas:

  • Static, dynamic and hybrid program analysis
  • Automatic detection of software vulnerabilities and malware
  • Secure software engineering processes
  • Model-based development of mechatronic and embedded systems and of operational information systems

Events

27.04.2025 - 03.05.2025

STATIC 2025 International Workshop on Advancing Static Analysis for Researchers and Industry Practitioners in Software…

07.11.2024 - 07.11.2024

Invitation to the lectures by Mr Aniruddhan Murali and Mr Noble Saji Mathews (University of Waterloo, Canada) on 07 November

27.10.2024 - 31.10.2024

Software Engineering Research Methods Training 2024

07.10.2024 - 10.10.2024

IEEE Secure Development Conference

25.09.2024 - 26.09.2024

heise devSec 2024

16.09.2024 - 20.09.2024

International Symposium on Software Testing and Analysis (ISSTA)

Software tools

Cheetah

Just-in-time analysis

CodeInspect

CodeInspect is a reverse-engineering framework for Android and Java applications.

CogniCrypt

CogniCrypt is a static analysis tool for detecting misuse of cryptographic APIs. CogniCrypt is easily customizable, as the analysis is configured in the domain-specific CrySL language with rules for the respective cryptographic APIs.

FlowDroid

FlowDroid is a context-, flow-, field- and object-sensitive and runtime-aware tool for static taint analysis for Android applications.

Phasar

Phasar is a static code analysis framework based on LLVM. Phasar offers various data-flow solvers that fully automatically solve arbitrary (decidable) data-flow problems on the LLVM intermediate representation (LLVM IR). A user of the framework only has to provide the problem description.

Soot

Soot is one of the most widely used analysis and transformation frameworks for Java bytecode and source code. It provides several intermediate representations that make static program analysis as easy as possible. Soot is not our own development, but we currently maintain the framework.

SootUp

SootUp is the new version of the popular static analysis framework Soot, with a completely overhauled architecture.

TamiFlex

TamiFlex is our solution to the dreaded "reflection problem" in static program analysis for Java. Using so-called reflection, a Java program can call methods and access fields and classes indirectly by passing a string to a method of the Reflection API, and these strings can be generated at runtime, so a purely static analysis cannot know in advance which code they refer to.

VisuFlow

VisuFlow is a debugging environment for static data flow analysis based on the Soot analysis framework.