Are There Also Shortcuts in .NET's Security Architecture?


Thesis description:

Java is the first platform to feature a sophisticated code security model that builds on stack-based access control (SBAC) to guard sensitive operations in scenarios where possibly untrusted code is executed.

While this approach protected the broad user base of Java for over a decade, recent work [1] shows that the implementation of the access control mechanism also included some optimizing shortcuts [2] that led to vulnerabilities in the Java platform.

The same security model that underlies Java's code access control has also been implemented for the .NET platform.

Currently, it is unknown if the implementations of the .NET Common Language Runtime (CLR), i.e. the implementations from Microsoft and Mono, are also prone to similar vulnerabilities based on such shortcuts.

The goal of this thesis is to transfer the state of the art from Java to the .NET platform to gain insight into its strengths and weaknesses from a security point of view.

Related Work:

[1] Philipp Holzinger, Stefan Triller, Alexandre Bartel, and Eric Bodden. 2016. An In-Depth Study of More Than Ten Years of Java Exploitation. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 779-790. DOI:

[2] Philipp Holzinger, Ben Hermann, Johannes Lerch, Eric Bodden, and Mira Mezini. 2017. Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation. In 2017 IEEE Symposium on Security and Privacy (Oakland S&P). IEEE, IEEE Press. To appear.


  • Good understanding of the Java language.
  • Basic understanding of the .NET platform.
  • Prior knowledge of static analysis is helpful, but not required.


The thesis will be written in English.


Dr. Ben Hermann: