
Bernhard J. Berger, Technische Universität Hamburg | TUHH · Institut für Eingebettete Systeme
Bernhard J. Berger
Dr.
About
31 Publications
2,664 Reads
155 Citations
Introduction
Currently working on security, static analysis, optimisation, and machine learning.
Additional affiliations
October 2021 - present
May 2016 - September 2021
University of Bremen
Position
- Research Assistant
January 2016 - April 2016
Education
October 2003 - March 2008
University of Bremen
Field of study
- Computer Science
Publications (31)
Many existing software systems like logistics systems or enterprise applications employ data security in a more or less ad hoc fashion. Our approach focuses on access control such as permission-based discretionary access control (DAC), variants of role-based access control (RBAC) with delegation, and attribute-based access control (ABAC). Typically...
Architectural risk analysis is an important aspect of developing software that is free of security flaws. Knowledge on architectural flaws, however, is sparse, in particular in small or medium-sized enterprises. In this paper, we propose a practical approach to architectural risk analysis that leverages Microsoft’s threat modeling. Our technique de...
Which parts of a software system can be accessed by an attacker is a common question in software security. The answer to this question defines where to look for input validation vulnerabilities, which parts of a system to respect during Microsoft's Threat Modeling, or how to calculate security metrics. Identifying entry points of an application is,...
General-Purpose Computation on Graphics Processing Units (GPGPUs) are becoming crucial in accelerating computing capacity. Due to the massive parallelism capabilities of GPUs, they can achieve impressive speedups of up to 32 times compared to common CPUs. However, writing highly parallel code and utilizing a GPU is challenging for programmers. Deve...
Optimisation is a central question in many contexts. Whether the goal is resource, time, personnel or, not least, cost efficiency, processes, settings and compositions (the list could be continued at will) regularly have to be optimised. There are many different techniques for solving the optimisation problem. Ei...
Optimisation problems with higher-dimensional search spaces do usually not only come with equality or inequality constraints, but also with dependencies between the different variables. In real-world applications, especially in experimental data from material sciences, these relations as well as the constraints may not be true for the entire search...
Evolutionary algorithms are a well-known optimisation technique, especially for non-convex, multi-modal optimisation problems. Their capability of adjusting to different search spaces and tasks by choosing the suitable encoding and operators has led to their widespread use in various application domains. However, application domains sometimes com...
Evolutionary algorithms are a well-known tool for optimising problems that are hard to solve analytically. They mirror the evolutionary approach of recombination and mutation as well as a selection process according to the fitness of an individual. Individuals who violate set search space restrictions are either killed at birth or penalised in thei...
Software systems are increasingly interconnected, and more and more devices have a permanent connection to the worldwide web. While this is convenient for end-users and desired by companies whose revenue is increased through more information on their customers, it results in an attractive attack vector not only for criminals trying to scam people b...
During the investigation of the security within a seaport ecosystem it turned out that the communication channels between major players, like shipping lines, terminal operators, customs or a Port Community System, may be open gateways for cyber threats. The trust between players is limited as they are frequently competitors, yet communication if no...
Architectural risk analysis is a manual technique to identify architectural security flaws that undermine a software system's security concept. The Architectural Security Tool Suite ArchSec automates this process by applying static analyses to automatically extract architectural security views and employing a knowledge base to automatically detect...
Evolutionary algorithms are a successful application of bio-inspired behaviour in the field of Artificial Intelligence. Transferring mechanisms such as selection, mutation, and recombination, evolutionary algorithms are capable of surmounting the disadvantages of traditional methods. Adjusting an evolutionary algorithm to a specific problem req...
Evolutionary algorithms are a very general method for optimization problems that allow adaption to many different use cases. Application to real-world problems usually comes with features as constraints, dependencies and approximations. When a multidimensional search space comes with strings attached, namely dependencies between its dimensions, an...
We propose an extension over the traditional call graph to incorporate edges representing control flow between web services, named the Cross-Application Call Graph (CACG). We introduce a construction algorithm for applications built on the Jax-WS standard and validate its effectiveness on sample applications from Apache CXF and JBossWS. Then, we de...
Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for end users, while data may still...
Security is getting more and more important for the software development process as the advent of more complex, connected and extensible software entails new risks. In particular, multi-tier business applications, e.g., based on the Service-Oriented Architecture (SOA), are vulnerable to new attacks, which may endanger the business processes of an o...
Security tools, using static code analysis, are employed to find common bug classes, such as SQL injections and cross-site scripting vulnerabilities. This paper focuses on another bug class that is related to the object-pool pattern, which allows objects to be reused over multiple sessions. We show that the pattern is applied in a wide range of Jav...
Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for the end users while data may st...
Software security has made great progress, code analysis tools are widely-used in industry for detecting common implementation-level security bugs. However, given the fact that we must deal with legacy code we plead to employ the techniques long been developed in the research area of program comprehension for software security. In cooperation with...
Static security analysis of software has made great progress over the last years. In particular, this applies to the detection of low-level security bugs such as buffer overflows, Cross-Site Scripting and SQL injection vulnerabilities. Complementarily to commercial static code review tools, we present an approach to the static security analysis whi...
This paper describes an investigation into whether clones can be removed from an existing system written in C by means of simple refactorings in such a way that the non-functional requirements that apply to software in the automotive domain are not negatively affected. The motivation for this is the fact that copied source...
Software security is becoming more and more important with the increasing number of applications and platforms connected to the Internet, for example, enterprise applications, smartphones or the iPad. The growing importance makes it a progressively interesting field for developers, software designers, end users, and enterprises. Fixing security...