Dipl.-Inf. Bernhard J. Berger

About Me

I am a research assistant and member of the software engineering group at the Universität Bremen in Germany. I graduated in December 2007, and my diploma thesis, which I wrote at Bosch Corporate Research, deals with clone detection for embedded software systems. The research question I dealt with was whether it is possible to reduce the memory footprint using clone detection.

After my graduation, I worked for Axivion GmbH for two years. Axivion is a static code analysis company, and their tools deal with internal software quality aspects. In my time at Axivion, I worked on different parts of their tool suite, starting with the frontends, the scripting bindings, and their web frontend. I also took part in workshops with customers regularly and got an insight into their software development processes. After two years, I decided to return to academia and focus on research.

Research Interests

After my diploma thesis, I refocused on the topic of software security. In my PhD thesis, I focus on automating Microsoft's threat modeling process. Several publications can be found on my ResearchGate profile. The result of my thesis is the ArchSec environment, the Architectural Security Tool Suite. It is integrated into Eclipse and is based on Soot, a static analysis framework for Java bytecode-based programs. To automate Microsoft's threat modeling, I use static analyses to extract extended dataflow diagrams automatically. Furthermore, a knowledge base hosting security flaw patterns was created; these patterns are searched for in the extended dataflow diagrams.

In recent years, I started to use static analyses to extract different security aspects of software systems. SeeAuthZ, for instance, is a configurable analysis tool for extracting the implemented authorization policy. To this end, it extracts the authorization checks that are enforced when the program accesses a sensitive resource. This information can be used to re-document the authorization policy if the developers lost it or never wrote it down, or to compare the implemented authorization policy with the planned policy to identify divergences.

Furthermore, I started to work on different aspects related to the collaborative research centre 1232. The main idea of the CRC is to find new materials using big data and machine learning. In this context, CoDaPro was developed. CoDaPro stands for component-based data processing and is a tool for data measurement and filtering. Additionally, I worked on the machine learning and evolutionary algorithm parts.

Currently, I am trying to combine machine learning with static analysis. This is an interesting combination that, hopefully, yields some interesting results.

Personal Interests

Some years ago, I developed a small open-source utility that writes annotations made with an Amazon Kindle in a PDF file back into the PDF file. This is necessary since the annotations are stored in a separate, undocumented binary file. The project is called kindle annotations and can be found on GitHub. Unfortunately, since I do not use my Kindle anymore, it is orphaned.

If I need a break from computers and programming, I like to take pictures. Especially on trips to conferences, I carry my camera with me all the time. I also like taking portraits and other kinds of pictures.

Contact

Postal Address

Arbeitsgruppe Softwaretechnik
Universität Bremen FB03
Postfach 33 04 40
28334 Bremen

Room

MZH 3090

Telephone

+49-(0)421-218-64472


Publications

2021

Christina Plump, Bernhard J. Berger, Rolf Drechsler. Improving Evolutionary Algorithms by Enhancing an Approximative Fitness Function Through Prediction Intervals. In 2021 IEEE Congress on Evolutionary Computation (CEC), 2021.
Christina Plump, Bernhard J. Berger, Rolf Drechsler. Domain-driven Correlation-aware Recombination and Mutation Operators for Complex Real-world Applications. In 2021 IEEE Congress on Evolutionary Computation (CEC), 2021.

2020

Bernhard J. Berger, Rodrigue W. Nguempnang, Karsten Sohr and Rainer Koschke. Static Extraction of Enforced Authorization Policies - SeeAuthz. In Proceedings of the 20th IEEE International Working Conference on Source Code Analysis and Manipulation, 2020.

2019

Bernhard J. Berger, Karsten Sohr, Rainer Koschke. The Architectural Security Tool Suite - ArchSec. In Proceedings of the 19th IEEE International Working Conference on Source Code Analysis and Manipulation, Cleveland, Ohio, 2019. Best Engineering Paper Award.
Bernhard J. Berger, Christian Maeder, Rodrigue W. Nguempnang, Karsten Sohr, Carlos E. Rubio-Medrano. Towards Effective Verification of Multi-Model Access Control Properties. In Proceedings of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT 2019), Toronto, Canada, 2019.

2018

Rainer Koschke, Urs-Bjoern Schmidt, Bernhard J. Berger. Built-in Clone Detection in Meta Languages. In Proceedings of the Conference on Source Code Analysis and Manipulation, IEEE Computer Society Press, September 2018; 165-170.

2016

Bernhard J. Berger, Karsten Sohr and Rainer Koschke. Automatically Extracting Threats from Extended Data Flow Diagrams. In Proceedings of the 8th International Symposium on Engineering Secure Software and Systems, London, April 2016.

2015

Marc-André Laverdière, Bernhard J. Berger and Ettore Merlo. Taint Analysis of Manual Service Compositions Using Cross-Application Call Graphs. In 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER), IEEE, pages 585-589, 2015.

2014

Bernhard J. Berger, Karsten Sohr and Udo H. Kalinna. Architekturelle Sicherheitsanalyse für Android. In D-A-CH Security 2014: Bestandsaufnahme - Konzepte - Anwendungen - Perspektiven, SysSec, pages 287-298, 2014.
Steffen Bartsch, Bernhard J. Berger, Eric Bodden, Achim D. Brucker, Jens Heider, Mehmet Kus, Sönke Maseberg, Karsten Sohr and Melanie Volkamer. Zertifizierte Datensicherheit für Android-Anwendungen auf Basis statischer Programmanalysen. In GI Sicherheit 2014, Lecture Notes in Informatics, pages 283-291, GI, 2014.

2013

Steffen Bartsch, Bernhard J. Berger, Michaela Bunke and Karsten Sohr. The Transitivity-of-Trust Problem in Android Application Interaction. In Proceedings of the 8th International Conference on Availability, Reliability and Security, (accepted for publication), 2013.
Bernhard J. Berger, Karsten Sohr and Rainer Koschke. Extracting and Analyzing the Implemented Security Architecture of Business Applications. In Proceedings of the 17th European Conference on Software Maintenance and Reengineering, pp. 285-294, IEEE Computer Society Press, 2013.

2012

Bernhard J. Berger and Karsten Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. In Information Security and Privacy Research - IFIP Advances in Information and Communication Technology, Volume 376/2012, Springer, 2012.

2011

Bernhard J. Berger, Michaela Bunke and Karsten Sohr. An Android Security Case Study with Bauhaus. In Proceedings of the 18th Working Conference on Reverse Engineering. IEEE Computer Society, 2011.
Bernhard J. Berger and Michaela Bunke. Software Security Comprehension. In WSR 2011 / Softwaretechnik-Trends, 31(2), 2011.

2010

Karsten Sohr and Bernhard J. Berger. Idea: Towards Architecture-Centric Security Analysis of Software. In Proceedings of the Second International Symposium on Engineering Secure Software and Systems. Springer, 2010.

2008

Bernhard J. Berger, Rainer Koschke. Reduzierung der Programmgröße durch Klonerkennung. In GI Jahrestagung(2). Gesellschaft für Informatik, 2008.

2007

Bernhard J. Berger. Klonmanagement: Klonerkennung für eingebettete Systeme. Diploma Thesis, Universität Bremen, 2007.

Supervised Diploma, Master and Bachelor Theses

In Progress

Phillipp Schönemann. Erkennung von Datenschutzrechtsverstößen in Fremdbibliotheken mittels Programmanalyse. Bachelor Thesis, Universität Bremen, 2021.

2021

Peer Overbeck. Extraktion und Prüfung der Laufzeitkonfiguration von JavaEE-Anwendungscontainern. Master Thesis, Universität Bremen, 2019.

2019

Sven Höper. Extraktion und Prüfung der Laufzeitkonfiguration von JavaEE-Anwendungscontainern. Bachelor Thesis, Universität Bremen, 2019.
Norman Lipkow. Statische Extraktion von Zugriffsberechtigungen in Java-basierten Software-Systemen. Bachelor Thesis, Universität Bremen, 2019.
Jasper Wiegratz. Sicherheitsgrundlagen von Docker-Images im Kontext der Softwareentwicklung mit DevOps am Beispiel eines Continuous Integration und Delivery Prozesses. Bachelor Thesis, Universität Bremen, 2019.
Erik Schmitt. Erstellung partieller Aufrufgraphen von Java-Softwaresystemen. Bachelor Thesis, Universität Bremen, 2019.

2018

Tobias Böhnisch. Konzeption und Entwicklung einer datengetriebenen und plattformübergreifenden Software zur Begleitung von Schülertutorien in der Chemie. Master Thesis, Universität Bremen, 2018.
Lasse Künzel. Sichere Verwendung der QT Bibliothek. Bachelor Thesis, Universität Bremen, 2018.
Dario Treffenfeld-Mäder. Konzeption und prototypische Entwicklung einer Plattform zur Unterstützung des Programmverstehens der IT-Sicherheit von Anwendungen. Bachelor Thesis, Universität Bremen, 2018.

2017

Henning Ziegler. Analyse der Verwendung von Kryptographie-APIs in Java-basierten Anwendungen. Master Thesis, Universität Bremen, 2017.
Daniel Tietjen. Validierung eines RBAC-Ecore-OCL-Modells mittels des USE-Tools. Master Thesis, Universität Bremen, 2017.

2016

Tobias Peters. Optimierung von statischen Programmanalysen für Android-Applikationen mit Hilfe von Ersatzbibliotheken. Master Thesis, Universität Bremen, 2016.
Maximilian Schönborn. Detektion von SharedPreferences-Einträgen in Android Apps mit Hilfe statischer Programmanalyse. Master Thesis, Universität Bremen, 2016.

2015

Stefan Gommer. Identifikation von kritischen Informationsflüssen in Android-Anwendungen auf Basis von statischen Programmanalysen. Master Thesis, Universität Bremen, 2015.
Sebastian Feldmann. Konzeption und Implementierung einer Eingabeprüfung für Struts-basierte Webanwendungen. Bachelor Thesis, Universität Bremen, 2015.
Florian Thomas. Modellierung von Informationen zur Interprozesskommunikation in Android-Anwendungen für Datenflussdiagramme. Bachelor Thesis, Universität Bremen, 2015.
Alex Antoni. Darstellung von Ergebnissen statischer Codeanalysen installierter Android APK-Dateien auf dem Gerät des Nutzers. Bachelor Thesis, Universität Bremen, 2015.

2014

Denis Szadkowski. Evaluation eines Werkzeugs zur statischen Analyse von SSL/TLS-Schwachstellen. Bachelor Thesis, Universität Bremen, 2014.
Christian Liebig. Sicherheitsanalyse von mobilen Geschäftsanwendungen. Master Thesis, Universität Bremen, 2014.

2013

Romi Sorge. Statische Analyse von Android-Applikationen. Master Thesis, Universität Bremen, 2013.
Axel Auffarth. Modellierung von Sicherheitsaspekten in Softwarearchitekturen. Master Thesis, Universität Bremen, 2013.

2012

Tillmann Runkel. Codetransformationen in Java-Enterprise-Applikationen zur Verbesserung statischer Codeanalysen. Diploma Thesis, Universität Bremen, 2012.

Awards

2019

Best Engineering Paper Award at the IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM).

Committees

2018

Artifact Evaluation Committee member at the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA).

Other

2021

Member of a habilitation process at the University of Bremen.

2017

Reviewer for the IEEE Transactions on Software Engineering.

(c) 2021 @ Bernhard J. Berger