Secure and Privacy-preserving Software Systems

As the digitalization of our everyday lives continues, the risk to our data and privacy also increases.

Both corporate and private data are targets: of illegal attacks, for instance with malware or spyware, but also of legal commercial offerings such as trackers and ad networks. All data is valuable, whether it accumulates on the web, resides in the cloud or is stored on our end devices. We research methods to evaluate and improve the security of software and, through that, to help protect the privacy of our data. Our work covers a broad range of analytic and constructive methods for building secure and privacy-preserving software systems.

On the analytical side of the spectrum, we develop novel methods to comprehend software systems by slicing and modularizing them as a prerequisite for subsequent code analyses. The resulting modules can then be reasoned about independently of the rest of the system.
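To make the slicing step concrete, here is an added example (not code from the group's tools): a backward slicer over a small three-address-code program. The program, its control flow and the control dependences (given explicitly here instead of being derived from a post-dominator tree) are constructed for this illustration. The slice for a criterion keeps only the lines that can influence the named variables at that line, which is exactly the reduced module a later analysis would then reason about.

```python
"""Backward program slicing on a small three-address-code program.

Added illustration of the slicing step described above; not code from the
research group's tools. The program, its control flow and the slicing
criteria are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Stmt:
    line: int
    defs: set                                   # variables written by the statement
    uses: set                                   # variables read by the statement
    succs: list = field(default_factory=list)   # control-flow successors (line numbers)


# Constructed program:
#  1: x = input()        5: if a > 10:        8: print(a)
#  2: y = input()        6:     a = a - 10    9: print(c)
#  3: a = x + 1          7: c = b + 3
#  4: b = y * 2
PROGRAM = [
    Stmt(1, {"x"}, set(), [2]),
    Stmt(2, {"y"}, set(), [3]),
    Stmt(3, {"a"}, {"x"}, [4]),
    Stmt(4, {"b"}, {"y"}, [5]),
    Stmt(5, set(), {"a"}, [6, 7]),   # branch: falls through to 6 or jumps to 7
    Stmt(6, {"a"}, {"a"}, [7]),
    Stmt(7, {"c"}, {"b"}, [8]),
    Stmt(8, set(), {"a"}, [9]),
    Stmt(9, set(), {"c"}, []),
]
# Control dependences, given explicitly here (a real slicer derives them from
# the post-dominator tree): line 6 executes only if the branch at line 5 is taken.
CONTROL_DEPS = {6: 5}


def reaching_defs(stmts):
    """Forward may-analysis: for each line, the set of (variable, defining line)
    pairs that can reach the entry of that line. Iterates to a fixed point."""
    preds = {s.line: [] for s in stmts}
    for s in stmts:
        for t in s.succs:
            preds[t].append(s.line)
    in_sets = {s.line: set() for s in stmts}
    out_sets = {s.line: set() for s in stmts}
    changed = True
    while changed:
        changed = False
        for s in stmts:
            new_in = set().union(*(out_sets[p] for p in preds[s.line]))
            gen = {(v, s.line) for v in s.defs}
            # a definition is killed when this statement redefines the same variable
            new_out = gen | {(v, d) for (v, d) in new_in if v not in s.defs}
            if new_in != in_sets[s.line] or new_out != out_sets[s.line]:
                in_sets[s.line], out_sets[s.line] = new_in, new_out
                changed = True
    return in_sets


def backward_slice(stmts, crit_line, crit_vars, control_deps):
    """Lines that may influence the values of crit_vars at crit_line, following
    data dependences (via reaching definitions) and control dependences."""
    by_line = {s.line: s for s in stmts}
    rd = reaching_defs(stmts)
    in_slice = {crit_line}
    work = [(crit_line, set(crit_vars))]
    while work:
        line, needed = work.pop()
        deps = {d for (v, d) in rd[line] if v in needed}   # data dependences
        if line in control_deps:
            deps.add(control_deps[line])                   # control dependence
        for d in deps:
            if d not in in_slice:
                in_slice.add(d)
                work.append((d, set(by_line[d].uses)))
    return sorted(in_slice)


if __name__ == "__main__":
    print("slice for a@8:", backward_slice(PROGRAM, 8, {"a"}, CONTROL_DEPS))  # [1, 3, 5, 6, 8]
    print("slice for c@9:", backward_slice(PROGRAM, 9, {"c"}, CONTROL_DEPS))  # [2, 4, 7, 9]
```

The slice for `a` at line 8 pulls in line 6 through the data dependence and line 5 through the control dependence, but leaves out everything that only feeds `c`; the slice for `c` at line 9 is the complementary half of the program. Real bytecode slicers do the same over a control-flow graph with calls, heap accesses and exceptions, which is where the precision and scalability work lies.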

Furthermore, we provide a general-purpose platform for static program analysis, which serves as the basis for more specific analysis tools that examine Java bytecode. The platform enables fast, reliable and loosely coupled analyses of different aspects of a program. We also use machine learning to improve the detection capabilities of specific analyses. These analyses scan (a) a whole application or (b) its libraries for harmful or potentially dangerous code. Such analyses matter for the quality and security of software systems because even systems that appear secure at first glance may contain insecure code that escapes even the most trained eye.

Moreover, we do not only analyze software systems with our own heuristics and methods, but also provide specification systems through which a domain expert can guide how our tools perform their analysis. To this end, we designed a specification language for rules that describe the correct use of a given component; from these rules, correct integration code is synthesized and proposed to application developers. The language's level of abstraction is high enough for non-programmers to use it, without compromising on expressiveness.
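The two halves of that idea, checking code against a usage rule and synthesizing correct integration code from the same rule, are shown in the following added example. It is not the group's specification language; the rule format (a typestate automaton plus per-call parameter constraints), the hypothetical `SymmetricCipher`-style component with `init`/`update`/`finish`, its states and its parameter constraints are all assumptions made for this illustration.

```python
"""Checking and synthesizing correct API use from a usage rule.

Added illustration of the rule-based approach described above; not the
research group's own specification language. The cipher-like component,
its states and its parameter constraints are hypothetical. A rule is a
typestate automaton (which call sequences are allowed) plus per-call
parameter constraints.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Rule:
    start: str
    accepting: set                                # states in which the object may be dropped
    transitions: dict                             # (state, method) -> next state
    constraints: dict = field(default_factory=dict)
    # method -> [(param, predicate, description, value used when synthesizing)]


# Hypothetical rule: init() must precede any update(), finish() must be called,
# and init() accepts only keys of 16/24/32 bytes and a GCM or CTR mode.
CIPHER_RULE = Rule(
    start="Uninit",
    accepting={"Done"},
    transitions={
        ("Uninit", "init"): "Keyed",
        ("Keyed", "update"): "Keyed",
        ("Keyed", "finish"): "Done",
    },
    constraints={
        "init": [
            ("key_len", lambda n: n in (16, 24, 32), "key length in {16, 24, 32} bytes", 32),
            ("mode", lambda m: m in ("GCM", "CTR"), "mode in {GCM, CTR}", "GCM"),
        ],
    },
)


def check_trace(rule, trace):
    """trace: list of (method, {param: value}) in call order.
    Returns a list of violation messages; an empty list means the rule is obeyed."""
    state = rule.start
    violations = []
    for i, (method, args) in enumerate(trace):
        for param, pred, desc, _ in rule.constraints.get(method, []):
            if param not in args or not pred(args[param]):
                violations.append(
                    f"call {i} {method}(): {param} must satisfy '{desc}', got {args.get(param)!r}")
        nxt = rule.transitions.get((state, method))
        if nxt is None:
            # order violation: the automaton has no state to continue from
            violations.append(f"call {i} {method}(): not allowed in state {state}")
            return violations
        state = nxt
    if state not in rule.accepting:
        violations.append(
            f"object left in state {state}; the rule requires reaching {sorted(rule.accepting)}")
    return violations


def synthesize(rule, var="cipher"):
    """Shortest call sequence (BFS over the automaton) from the start state to an
    accepting state, rendered as code with constraint-satisfying parameter values."""
    prev = {rule.start: None}
    queue = deque([rule.start])
    target = None
    while queue:
        state = queue.popleft()
        if state in rule.accepting:
            target = state
            break
        for (src, method), dst in rule.transitions.items():
            if src == state and dst not in prev:
                prev[dst] = (state, method)
                queue.append(dst)
    if target is None:
        raise ValueError("rule has no accepting path")
    methods = []
    while prev[target] is not None:
        target, method = prev[target]
        methods.append(method)
    methods.reverse()
    code = []
    for m in methods:
        args = ", ".join(f"{p}={val!r}" for p, _, _, val in rule.constraints.get(m, []))
        code.append(f"{var}.{m}({args})")
    return code


if __name__ == "__main__":
    print(check_trace(CIPHER_RULE, [("init", {"key_len": 8, "mode": "GCM"}), ("finish", {})]))
    print("\n".join(synthesize(CIPHER_RULE)))
```

The same rule object drives both directions: `check_trace` reports a too-short key, a call in the wrong state, or an object that is never finished, while `synthesize` walks the automaton to the nearest accepting state and fills in parameter values that satisfy the constraints. The synthesized skeleton omits the optional `update` step; a real synthesizer would place such calls where the developer's data actually flows.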

Finally, we focus on privacy by design by developing languages for privacy-preserving computation. To this end, we designed a query language for data-intensive applications whose runtime environment automatically generates sub-computations and deploys them to the nodes of the system, to optimize performance while protecting the processed data from unauthorized access.
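The principle behind that runtime, pushing each sub-computation to the node that holds the data so that only aggregates travel, can be illustrated with the following added example. It is not the group's query language or runtime; the `Query` shape, the `Node`/`Coordinator` split, the small-group suppression policy and the two sites with their `visits` records are all constructed for this illustration.

```python
"""Running a query as local sub-computations on the nodes that hold the data.

Added illustration of the principle described above; not the research group's
query language or runtime. The nodes, the schema and the records are
constructed. Each node executes only its part of the query and returns
aggregates; the coordinator has no operation that returns raw records.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Query:
    table: str                      # logical table, partitioned across nodes
    where: Callable[[dict], bool]   # row filter, evaluated where the data lives
    group_by: str                   # grouping column
    sum_of: str                     # column aggregated per group


class Node:
    """A data-holding node. `run_local` is the only remotely callable operation."""

    def __init__(self, name, tables, min_group_size=3):
        self.name = name
        self._tables = tables                  # never handed to the coordinator
        self.min_group_size = min_group_size   # local policy: suppress small groups

    def run_local(self, q):
        """Filter and aggregate locally; return {group: (count, sum)} for groups
        that meet the node's minimum size. Raw rows never leave this method."""
        partial = {}
        for row in self._tables.get(q.table, []):
            if q.where(row):
                cnt, total = partial.get(row[q.group_by], (0, 0))
                partial[row[q.group_by]] = (cnt + 1, total + row[q.sum_of])
        return {g: v for g, v in partial.items() if v[0] >= self.min_group_size}


class Coordinator:
    """Deploys the same sub-computation to every node and merges the partials."""

    def __init__(self, nodes):
        self.nodes = nodes

    def run(self, q):
        merged = {}
        for node in self.nodes:
            for g, (cnt, total) in node.run_local(q).items():
                c0, t0 = merged.get(g, (0, 0))
                merged[g] = (c0 + cnt, t0 + total)
        return {g: {"count": c, "sum": t, "mean": t / c} for g, (c, t) in merged.items()}


# Constructed data: two sites each hold part of the 'visits' table.
SITE_A = Node("site-a", {"visits": [
    {"region": "north", "duration": 10}, {"region": "north", "duration": 20},
    {"region": "north", "duration": 30}, {"region": "south", "duration": 5},
]})
SITE_B = Node("site-b", {"visits": [
    {"region": "north", "duration": 5}, {"region": "north", "duration": 5},
    {"region": "north", "duration": 5}, {"region": "east", "duration": 40},
    {"region": "east", "duration": 2},
]})

MEAN_DURATION = Query("visits", lambda r: r["duration"] > 0, "region", "duration")


def run_example():
    return Coordinator([SITE_A, SITE_B]).run(MEAN_DURATION)


if __name__ == "__main__":
    # north: 6 visits, sum 75; 'south' and 'east' are suppressed by the nodes
    print(run_example())
```

Filtering and grouping happen on the node, so the data moved to the coordinator is bounded by the number of groups rather than the number of records, which is the performance gain, and because each node applies its own suppression policy before answering, the coordinator never learns about the single-visitor regions. A real runtime would additionally authenticate the coordinator, protect the partials in transit and reason about what repeated queries can reveal in combination.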