Research Interests

My interests are generally aimed at Practical Security. This area provides a lot of problems that are not only interesting but also affect a large part of companies and normal users. Some of the problems I am interested in are listed here.

Spam (UBE/UCE) and Fraud (Phishing/Pharming) is something that certainly everyone who owns an email address was already confronted with. Be it a simple text spam mail advertising a pornographic web site, container spam (Pictures, Documents, etc) trying to sell you drugs or forged mails prompting you to "renew" your online banking account, everyone who receives them knows how annoying they are. But such mails are not only annoying; more than enough people are already victims of phishing and pharming attacks, causing a significant financial loss. In the past there have been very interesting approaches to solve the problem, but unfortunately, fighting spam is still an arms race. I'm interested in both identifying different kinds spam reliably and analyzing the infrastructures used by spammers to provide this constantly rising rate of spam. In 2006, container spam, i.e. mails containing their spam content in attachments (mostly graphics) posed a big problem and I started a project called "FuzzyOcr" to identify container spam in a fast and reliable way (see the Software section for more information). The software spread quickly and was one of the main reasons why the rate of image spam decreased drastically.

Statistical software vulnerability analysis and prediction is the art of looking at version archives to analyze software for vulnerabilities and to predict which components are likely to have more (as yet undetected) vulnerabilities. The project name for this work is Vulture; it has resulted in a paper that has been accepted for publication at ACM CCS 2007. Vulture's main result is that it is possible to predict which components will have more vulnerabilities than others: We correctly identify two thirds of all vulnerable components and about half of our predictions identify components that have had past vulnerabilities. We can also predict the ranking of components: the top 30 predicted vulnerable components contain on average 85% of the vulnerabilities of the real to 30 vulnerable components. That means that if you fix the top 30 predicted components, you will have fixed 85% of all vulnerabilities that you could have fixed at all.

Penetration Testing and Auditing is used to find security vulnerabilities in near-delivery or already delivered software systems. There are several ways of testing such systems: For blackbox testing, the tester has the same information available as any real attacker would have, whereas for whitebox testing, the tester is supplied with additional information, such as source code or other environmental data. I have specialized on white- and blackbox testing of web applications and I am also working on methods to aid this task or even automatize it. I also do such tests on the server/network layer, searching for possible weaknesses in network infrastructure that could allow attackers to gain foot in a network.

Publications

• Predicting Vulnerable Software Components (PDF). Accepted for publication at ACM CCS 2007, Alexandria, Virginia, USA.
• Bachelor Thesis: Predicting Security Vulnerabilities from Function Calls (PDF) 2007.

Software

• FuzzyOcr - Automated software that integrates into Spamassassin to identify different types of container spam using optical character recognition and several other metrics. See the Project Website for more details.

Recent Advisories

• Sphider 1.3.4 cross site scripting (TXT). Reflected HTML/Javascript injection into browser context.
• mvnForum 1.1 onclick cross site scripting (TXT). Persistent injection of arbitrary javascript code into browser context.

Education and Recent Positions

• July 2008:
  Bachelor of Science (B.Sc.)
• May 2006 - ongoing:
  System Administrator at the Institute for Computer Architecture and Parallel Computing
• October 2005 - ongoing:
  Studies in Computer Science and Mathematics at the Universität des Saarlandes, Saarbrücken, Germany
• October 2003 - June 2005:
  Preponed Studies ("Juniorstudium") in Computer Science at the Universität des Saarlandes, Saarbrücken, Germany
• July 2005:
  Abitur at the Gymnasium Ottweiler, Neunkirchen/Saar, Germany

Skills

Security related Skills

• Experienced in SQL injection, XSS techniques and other common web application flaws
• Linux kernel hardening
• Experienced in securing networks in general
• Good knowledge of applied cryptography
• Basic knowledge of buffer overflows and format string vulnerabilities
• Black- and whitebox penetration testing

Technical Skills

• Good experience with common network protocols and layers
• Linux administration
• Actively using OpenLDAP, MIT Kerberos and Samba
• Experienced with Apache, Tomcat, Postfix and Dovecot

Programming/Markup Languages

• Script languages: Perl, Python, Lisp
• Object oriented programming: C++
• Others: x86 Assembler, C
• Basic knowledge of LaTeX, HTML and Bash