About Me
I am a research assistant and member of the
software engineering group at the Universität Bremen
in Germany. I graduated in December 2007, and my diploma thesis,
which I wrote at Bosch
Corporate Research, deals with clone detection for embedded
software systems. The research question I dealt with was whether
it is possible to reduce the memory footprint using clone
detection.
After my graduation, I worked for
Axivion GmbH for two years. Axivion is a static code analysis
company, and their tools deal with inner software quality aspects.
In my time at Axivion, I worked on different parts of their tool
suite, starting with the frontends, the scripting bindings, and their
web frontend. I also took part in workshops with customers
regularly and got an insight into their software development
processes. After two years, I decided to return to academia and
focus on research.
Research Interests
After my diploma thesis, I refocused on the topic of Software
Security. In my PhD thesis, I focus on automating
Microsoft's Threat Modeling process. Several publications can
be found on my
ResearchGate profile. The result of my thesis is the
ArchSec environment, the Architectural Security Tools Suite. It
is integrated into Eclipse
and is based on Soot,
a static analysis framework for Java bytecode-based programs. To
automate Microsoft's Threat Modeling, I use static analyses to
extract extended dataflow diagrams automatically. Furthermore, a
knowledge base of security flaw patterns was created; these
patterns are then searched for in the extended dataflow diagrams.
In recent years, I started to use static analyses to extract
different security aspects of software systems.
SeeAuthZ, for instance, is a configurable analysis tool for
extracting the implemented authorization policy. To this end, it
extracts the authorization facts that are enforced when the program
accesses a sensitive resource. This information can be used to
re-document the authorization policy if the developers lost it or
never wrote it down, or to compare the implemented authorization
policy with the planned policy in order to identify divergences.
Furthermore, I started to work on different aspects related to the
collaborative
research centre 1232. The main idea of the CRC is to find new
materials using big data and machine learning. In this context,
CoDaPro was developed. CoDaPro
stands for component-based data processing and is a tool for data
measurement and filtering. Additionally, I worked on the
machine learning and evolutionary algorithm parts of the project.
Currently, I am trying to combine machine learning with static
analysis, an interesting combination that will hopefully yield some
interesting results.
Personal Interests
Some years ago, I developed a small open-source utility that
writes annotations made with an Amazon Kindle in a PDF file
back into the file. This is necessary because the annotations are
stored in a separate, undocumented binary file. The project is
called kindle annotations and can be found on
GitHub. Unfortunately, since I no longer use my Kindle, the project is
orphaned.
If I need a break from computers and programming, I like to take
pictures. Especially on trips to conferences, I carry my camera
with me all the time. But I also like to make portraits and other
stuff.
Publications
2021
Christina Plump, Bernhard J. Berger, Rolf Drechsler
Improving Evolutionary Algorithms by Enhancing an Approximative Fitness Function Through Prediction Intervals.
In 2021 IEEE Congress on Evolutionary Computation (CEC), 2021.
Christina Plump, Bernhard J. Berger, Rolf Drechsler
Domain-driven Correlation-aware Recombination and Mutation Operators for Complex Real-world Applications.
In 2021 IEEE Congress on Evolutionary Computation (CEC), 2021.
2020
Bernhard J. Berger, Rodrigue W. Nguempnang, Karsten Sohr and Rainer Koschke.
Static Extraction of Enforced Authorization Policies - SeeAuthz.
In Proceedings of the 20th IEEE International Working Conference on Source Code Analysis and Manipulation, 2020.
2019
Bernhard J. Berger, Karsten Sohr, Rainer Koschke.
The Architectural Security Tool Suite - ArchSec.
In Proceedings of the 19th IEEE International Working Conference on Source Code Analysis and Manipulation, Cleveland, Ohio, 2019. Best Engineering Paper Award.
Bernhard J. Berger, Christian Maeder, Rodrigue W. Nguempnang, Karsten Sohr, Carlos E. Rubio-Medrano.
Towards Effective Verification of Multi-Model Access Control Properties.
In Proceedings of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT 2019), Toronto, Canada, 2019.
2018
Rainer Koschke, Urs-Bjoern Schmidt, Bernhard J. Berger.
Built-in Clone Detection in Meta Languages.
In Proceedings of the Conference on Source Code Analysis and Manipulation, IEEE Computer Society Press, September 2018; 165-170.
2016
Bernhard J. Berger, Karsten Sohr and Rainer Koschke.
Automatically Extracting Threats from Extended Data Flow Diagrams.
In Proceedings of the 8th International Symposium on Engineering Secure Software and Systems, London, April 2016.
2015
Marc-Andre Laverdiere, Bernhard J. Berger and Ettore Merlo.
Taint Analysis of Manual Service Compositions Using Cross-Application Call Graphs.
In Proceedings of the 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER 2015), IEEE, pages 585-589, 2015.
2014
Bernhard J. Berger and Karsten Sohr and Udo H. Kalinna.
Architekturelle Sicherheitsanalyse für Android.
In D-A-CH Security 2014: Bestandsaufnahme - Konzepte - Anwendungen - Perspektiven, SysSec, pages 287-298, 2014.
Steffen Bartsch, Bernhard J. Berger, Eric Bodden, Achim D. Brucker, Jens Heider, Mehmet Kus, Sönke Maseberg, Karsten Sohr and Melanie Volkamer.
Zertifizierte Datensicherheit für Android-Anwendungen auf Basis statischer Programmanalysen.
In GI Sicherheit 2014, Lecture Notes in Informatics, pages 283-291, GI, 2014.
2013
Steffen Bartsch, Bernhard J. Berger, Michaela Bunke and Karsten Sohr.
The Transitivity-of-Trust Problem in Android Application Interaction.
In Proceedings of the 8th International Conference on Availability, Reliability and Security, (accepted for publication), 2013.
Bernhard J. Berger, Karsten Sohr and Rainer Koschke.
Extracting and Analyzing the Implemented Security Architecture of Business Applications.
In Proceedings of the 17th European Conference on Software Maintenance and Reengineering, IEEE Computer Society Press, pages 285-294, 2013.
2012
Bernhard J. Berger and Karsten Sohr.
An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling.
In Information Security and Privacy Research, IFIP Advances in Information and Communication Technology, Volume 376/2012, Springer, 2012.
2011
Bernhard J. Berger, Michaela Bunke and Karsten Sohr.
An Android Security Case Study with Bauhaus.
In Proceedings of the 18th Working Conference on Reverse Engineering, IEEE Computer Society, 2011.
Bernhard J. Berger and Michaela Bunke.
Software Security Comprehension.
In WSR 2011 / Softwaretechnik-Trends, 31(2), 2011.
2010
Karsten Sohr and Bernhard J. Berger.
Idea: Towards Architecture-Centric Security Analysis of Software.
In Proceedings of the Second International Symposium on Engineering Secure Software and Systems, Springer, 2010.
2008
Bernhard J. Berger, Rainer Koschke.
Reduzierung der Programmgröße durch Klonerkennung.
In GI Jahrestagung (2), Gesellschaft für Informatik, 2008.
2007
Bernhard J. Berger.
Klonmanagement: Klonerkennung für eingebettete Systeme.
Diploma Thesis, Universität Bremen, 2007.
Supervised Diploma, Master and Bachelor Theses
In Progress
Phillipp Schönemann.
Erkennung von Datenschutzrechtsverstößen in Fremdbibliotheken mittels Programmanalyse.
Bachelor Thesis, Universität Bremen, 2021.
2021
Peer Overbeck.
Extraktion und Prüfung der Laufzeitkonfiguration von JavaEE-Anwendungscontainern.
Master Thesis, Universität Bremen, 2019.
2019
Sven Höper.
Extraktion und Prüfung der Laufzeitkonfiguration von JavaEE-Anwendungscontainern.
Bachelor Thesis, Universität Bremen, 2019.
Norman Lipkow.
Statische Extraktion von Zugriffsberechtigungen in Java-basierten Software-Systemen.
Bachelor Thesis, Universität Bremen, 2019.
Jasper Wiegratz.
Sicherheitsgrundlagen von Docker-Images im Kontext der Softwareentwicklung mit DevOps am Beispiel eines Continuous Integration und Delivery Prozesses.
Bachelor Thesis, Universität Bremen, 2019.
Erik Schmitt.
Erstellung partieller Aufrufgraphen von Java-Softwaresystemen.
Bachelor Thesis, Universität Bremen, 2019.
2018
Tobias Böhnisch.
Konzeption und Entwicklung einer datengetriebenen und plattformübergreifenden Software zur Begleitung von Schülertutorien in der Chemie.
Master Thesis, Universität Bremen, 2018.
Lasse Künzel.
Sichere Verwendung der Qt-Bibliothek.
Bachelor Thesis, Universität Bremen, 2018.
Dario Treffenfeld-Mäder.
Konzeption und prototypische Entwicklung einer Plattform zur Unterstützung des Programmverstehens der IT-Sicherheit von Anwendungen.
Bachelor Thesis, Universität Bremen, 2018.
2017
Henning Ziegler.
Analyse der Verwendung von Kryptographie-APIs in Java-basierten Anwendungen.
Master Thesis, Universität Bremen, 2017.
Daniel Tietjen.
Validierung eines RBAC-Ecore-OCL-Modells mittels des USE-Tools.
Master Thesis, Universität Bremen, 2017.
2016
Tobias Peters.
Optimierung von statischen Programmanalysen für Android-Applikationen mit Hilfe von Ersatzbibliotheken.
Master Thesis, Universität Bremen, 2016.
Maximilian Schönborn.
Detektion von SharedPreferences-Einträgen in Android Apps mit Hilfe statischer Programmanalyse.
Master Thesis, Universität Bremen, 2016.
2015
Stefan Gommer.
Identifikation von kritischen Informationsflüssen in Android-Anwendungen auf Basis von statischen Programmanalysen.
Master Thesis, Universität Bremen, 2015.
Sebastian Feldmann.
Konzeption und Implementierung einer Eingabeprüfung für Struts-basierte Webanwendungen.
Bachelor Thesis, Universität Bremen, 2015.
Florian Thomas.
Modellierung von Informationen zur Interprozesskommunikation in Android-Anwendungen für Datenflussdiagramme.
Bachelor Thesis, Universität Bremen, 2015.
Alex Antoni.
Darstellung von Ergebnissen statischer Codeanalysen installierter Android APK-Dateien auf dem Gerät des Nutzers.
Bachelor Thesis, Universität Bremen, 2015.
2014
Denis Szadkowski.
Evaluation eines Werkzeugs zur statischen Analyse von SSL/TLS-Schwachstellen.
Bachelor Thesis, Universität Bremen, 2014.
Christian Liebig.
Sicherheitsanalyse von mobilen Geschäftsanwendungen.
Master Thesis, Universität Bremen, 2014.
2013
Romi Sorge.
Statische Analyse von Android-Applikationen.
Master Thesis, Universität Bremen, 2013.
Axel Auffarth.
Modellierung von Sicherheitsaspekten in Softwarearchitekturen.
Master Thesis, Universität Bremen, 2013.
2012
Tillmann Runkel.
Codetransformationen in Java-Enterprise-Applikationen zur Verbesserung statischer Codeanalysen.
Diploma Thesis, Universität Bremen, 2012.