
Current Activities

At present, I work as a Senior Security Engineer for Mozilla Corporation, trying to make Firefox and other products more secure for all of us.

In 2011, I submitted my Master's thesis in the field of fuzz testing, which you can read here.


Christian Holler, M.Sc.
Mobile: +49 176 2198 5042

S/MIME: StartSSL X.509 Certificate
PGP: 0x72720F15


Research Interests

My interests are generally aimed at practical security. This area offers a lot of problems that are not only interesting but also affect a large share of companies and ordinary users. Some of the problems I am interested in are listed here.

In fuzz testing, the goal is to provoke failures in a piece of software by supplying it with random inputs. There are different kinds of testing strategies, depending on the target's input type and on the software itself. In my current work, I focus on grammar-based fuzzing, mostly in combination with mutation fuzzing. This combination targets software that interprets a certain language (e.g. JavaScript in your browser) as input and makes use of existing test cases that are written in the target language.
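The combination just described, as an added example that is not part of this page or of any Mozilla fuzzing tool: a toy grammar generates inputs from scratch, a mutator rewrites existing test cases while keeping them inside the language, and both feed a small target program. The grammar, the seed corpus and the target evaluator are constructed for this example and are assumptions, not a real target.

```python
import random
import re

# Constructed toy grammar for a small expression language. It is an assumption
# of this example and stands in for a real target grammar (e.g. JavaScript).
GRAMMAR = {
    "<expr>":   [["<term>"], ["<expr>", " + ", "<term>"], ["<expr>", " - ", "<term>"]],
    "<term>":   [["<factor>"], ["<term>", " * ", "<factor>"], ["<term>", " / ", "<factor>"]],
    "<factor>": [["<number>"], ["<ident>"], ["(", "<expr>", ")"]],
    "<number>": [["0"], ["1"], ["2"], ["7"], ["42"]],
    "<ident>":  [["x"], ["y"]],
}
TOKEN = re.compile(r"\d+|[A-Za-z_]\w*|[()+\-*/]")


def generate(symbol, rng, depth=0, max_depth=6):
    """Generation fuzzing: expand a nonterminal by choosing random alternatives.
    Past max_depth only the first (non-recursive) alternative is taken, so every
    derivation terminates."""
    if symbol not in GRAMMAR:
        return symbol
    alternatives = GRAMMAR[symbol]
    choice = alternatives[0] if depth >= max_depth else rng.choice(alternatives)
    return "".join(generate(s, rng, depth + 1, max_depth) for s in choice)


def mutate(testcase, rng):
    """Mutation fuzzing: tokenise an existing test case and replace one token
    with a freshly generated fragment of the same grammatical kind, so the
    result still belongs to the language."""
    tokens = TOKEN.findall(testcase)
    if not tokens:
        return generate("<expr>", rng)
    i = rng.randrange(len(tokens))
    if tokens[i].isdigit() or tokens[i].isidentifier():
        tokens[i] = generate("<factor>", rng)      # may grow into "( ... )"
    elif tokens[i] in "+-*/":
        tokens[i] = rng.choice(["+", "-", "*", "/"])
    return " ".join(tokens)                         # parentheses are kept as-is


def evaluate(expr, env=None):
    """Constructed target program: a recursive-descent evaluator for the language.
    Dividing by zero makes it raise, which is the failure the fuzzer should find."""
    env = env if env is not None else {"x": 3, "y": 5}
    tokens = TOKEN.findall(expr)
    pos = [0]                                       # cursor shared by the helpers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        if tok is None:
            raise SyntaxError("unexpected end of input")
        pos[0] += 1
        return tok

    def factor():
        tok = take()
        if tok == "(":
            value = expression()
            if take() != ")":
                raise SyntaxError("expected ')'")
            return value
        if tok.isdigit():
            return int(tok)
        if tok in env:
            return env[tok]
        raise SyntaxError("unexpected token %r" % tok)

    def term():
        value = factor()
        while peek() in ("*", "/"):
            value = value * factor() if take() == "*" else value // factor()
        return value

    def expression():
        value = term()
        while peek() in ("+", "-"):
            value = value + term() if take() == "+" else value - term()
        return value

    result = expression()
    if peek() is not None:
        raise SyntaxError("trailing input")
    return result


def fuzz(seeds, iterations, seed=1):
    """Combined strategy: half of the inputs come straight from the grammar, half
    are mutations of the seed corpus. Returns the first crashing input per
    exception type, which is what a triage step would look at next."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        if rng.random() < 0.5:
            candidate = generate("<expr>", rng)
        else:
            candidate = mutate(rng.choice(seeds), rng)
        try:
            evaluate(candidate)
        except Exception as exc:                    # any exception counts as a crash
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


# Constructed seed corpus: existing tests written in the target language.
SEEDS = ["x + 1", "(y - 2) * 7", "42 / x"]

if __name__ == "__main__":
    for kind, sample in fuzz(SEEDS, 500).items():
        print(kind, "->", sample)
```

Because the mutator only swaps a token for a fragment of the same grammatical kind, every input it produces still parses, so the target's time is spent on semantic failures (here the division by zero) rather than on rejecting syntax errors, which is the advantage of combining the two strategies for interpreter-like targets.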

Former Research Areas

This section lists older research areas that I used to work on.

Spam (UBE/UCE) and fraud (phishing/pharming) are something that certainly everyone who owns an email address has already been confronted with. Be it a simple text spam mail advertising a pornographic web site, container spam (pictures, documents, etc.) trying to sell you drugs, or forged mails prompting you to "renew" your online banking account, everyone who receives them knows how annoying they are. But such mails are not only annoying: more than enough people have already fallen victim to phishing and pharming attacks and suffered significant financial loss. In the past there have been very interesting approaches to solving the problem, but unfortunately, fighting spam is still an arms race. I'm interested both in identifying different kinds of spam reliably and in analyzing the infrastructure spammers use to sustain this constantly rising rate of spam. In 2006, container spam, i.e. mails that carry their spam content in attachments (mostly images), posed a big problem, and I started a project called "FuzzyOcr" to identify container spam quickly and reliably (see the Software section for more information). The software spread quickly and was one of the main reasons why the rate of image spam decreased drastically.

Statistical software vulnerability analysis and prediction is the art of looking at version archives to analyze software for vulnerabilities and to predict which components are likely to have more (as yet undetected) vulnerabilities. The project name for this work is Vulture; it has resulted in a paper that has been accepted for publication at ACM CCS 2007. Vulture's main result is that it is possible to predict which components will have more vulnerabilities than others: we correctly identify two thirds of all vulnerable components, and about half of our predictions identify components that have had past vulnerabilities. We can also predict the ranking of components: the top 30 predicted vulnerable components contain on average 85% of the vulnerabilities of the real top 30 vulnerable components. That means that if you fix the top 30 predicted components, you will have fixed 85% of all vulnerabilities that you could have fixed at all.
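The two kinds of results quoted for Vulture, classification quality (recall and precision per component) and ranking quality (the share of vulnerabilities covered by the top-k predicted components), as an added example that computes both on constructed data. This is not Vulture's code, and the component names, vulnerability counts and predictor scores are assumptions made for the example.

```python
from fractions import Fraction

# Constructed data (an assumption of this example): per-component counts of
# past vulnerabilities mined from a version archive, and a predictor's score
# per component, where a higher score means "more likely vulnerable".
ACTUAL_VULNS = {"parser": 9, "net": 6, "crypto": 4, "render": 3,
                "io": 2, "db": 1, "ui": 0, "util": 0}
PREDICTED_SCORE = {"parser": 0.91, "net": 0.85, "render": 0.62, "crypto": 0.60,
                   "util": 0.52, "io": 0.30, "db": 0.20, "ui": 0.05}


def predicted_vulnerable(scores, threshold=0.5):
    """Binary prediction: every component scoring above the threshold is
    flagged as vulnerable."""
    return {c for c, s in scores.items() if s > threshold}


def precision_recall(flagged, actual):
    """Component-level quality of the binary prediction. Precision is the share
    of flagged components that really had vulnerabilities ("about half of our
    predictions"); recall is the share of truly vulnerable components that were
    flagged ("two thirds of all vulnerable components")."""
    vulnerable = {c for c, n in actual.items() if n > 0}
    hits = flagged & vulnerable
    return Fraction(len(hits), len(flagged)), Fraction(len(hits), len(vulnerable))


def ranked(values):
    """Components ordered from highest to lowest value (score or count)."""
    return sorted(values, key=lambda c: values[c], reverse=True)


def top_k_coverage(scores, actual, k):
    """Ranking quality: vulnerabilities contained in the top-k predicted
    components, as a fraction of those in the real top-k components."""
    predicted_top = ranked(scores)[:k]
    actual_top = ranked(actual)[:k]
    return Fraction(sum(actual[c] for c in predicted_top),
                    sum(actual[c] for c in actual_top))


def fix_budget_share(scores, actual, k):
    """Share of all vulnerabilities removed by fixing only the top-k predicted
    components, i.e. what the ranking buys a team with a limited budget."""
    fixed = sum(actual[c] for c in ranked(scores)[:k])
    return Fraction(fixed, sum(actual.values()))


if __name__ == "__main__":
    flagged = predicted_vulnerable(PREDICTED_SCORE)
    precision, recall = precision_recall(flagged, ACTUAL_VULNS)
    print("precision %s, recall %s" % (precision, recall))
    print("top-3 coverage %s" % top_k_coverage(PREDICTED_SCORE, ACTUAL_VULNS, 3))
    print("fixing top 3 removes %s of all vulnerabilities"
          % fix_budget_share(PREDICTED_SCORE, ACTUAL_VULNS, 3))
```

The ranking metric is the one that matters for a team with a fixed budget: it does not ask whether every vulnerable component was found, only whether the components it points at first are the ones worth auditing first, which is how the 85% figure above should be read.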

Penetration testing and auditing are used to find security vulnerabilities in near-delivery or already delivered software systems. There are several ways of testing such systems: for blackbox testing, the tester has the same information available as any real attacker would have, whereas for whitebox testing, the tester is supplied with additional information, such as source code or other environmental data. I have specialized in white- and blackbox testing of web applications, and I am also working on methods to aid this task or even automate it. I also do such tests on the server/network layer, searching for possible weaknesses in network infrastructure that could allow attackers to gain a foothold in a network.



Old Advisories


Education and Recent Positions


Security-related Skills

Technical Skills

Programming/Markup Languages

Links to friends

Stephan Neuhaus, former advisor

Kim Herzig, former advisor

Sascha Just

About Me

I currently live in Bonn.

I enjoy different styles of music but mostly I listen to electronic music.
