I am currently a researcher at the Center for Computing Technologies (TZI) at the Universität Bremen. Here, I'm the coordinator for the development of the topic "Information Security".
Research Interests
- Role-based access control (RBAC)
- Secure mobile applications, Java security
- Formal methods and security
Research Grants
Various research grants allowed us to establish the research area "Information Security" at the Universität Bremen with currently 13 researchers.
- XMELD - Modeling E-Government Business Processes with UML and OCL
- ForRBAC - Formal Specification, Verification and Enforcement of Role-Based Security Policies (funded by the DFG)
- ORKA - Organisational Control Architecture (funded by the BMBF)
- ITSec - E-Learning Portal for IT-Security (customer: Institut für Wissenstransfer)
- RFIDSec - Technology-centered RFID Security (funded by the BMBF)
- SIMOIT - Secure Access of Mobile Employees to the IT Infrastructure of SMEs (funded by the German Federal State of Bremen)
- SiWear - Secure Wearable Computing (funded by the BMWI)
- Mobile Phone Demonstrator - Demonstration of security risks of mobile phones (BSI)
- FIDeS - Intrusion Detection System Based on Combined Methods of Artificial Intelligence (funded by the BMBF)
- VOGUE - Trusted Mobile Access to Enterprise Networks (funded by the BMBF)
- ASKS - Architecture-Centric Security Analysis of Business Applications (funded by the BMBF)
Publications
- B. Berger, K. Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. In Proc. of the 27th IFIP International Information Security and Privacy Conference (IFIP SEC 2012), Crete, Greece, 2012. To appear.
- B. Berger, M. Bunke, K. Sohr. An Android Security Case Study with Bauhaus (Short Paper). In Proc. of the 18th Working Conference on Reverse Engineering (WCRE 2011), Limerick, Ireland, 2011.
- M. Kuhlmann, K. Sohr, M. Gogolla. Employing UML and OCL for Designing and Analyzing Role-Based Access Control. In Mathematical Structures in Computer Science, 2011. To appear.
- C. Elfers, H. Birkholz, B. Samjeske, K. Sohr. Unternehmensübergreifender Austausch von sicherheitsrelevantem Wissen [Cross-company exchange of security-relevant knowledge]. In Datenschutz und Datensicherheit (DuD), Vol. 4, 2011.
- M. Kuhlmann, K. Sohr, M. Gogolla. Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL. In Proc. of the 5th IEEE International Conference on Secure Software Integration and Reliability Improvement (SSIRI 2011), Jeju Island, South Korea, June 2011. Best paper award.
- M. Bunke, K. Sohr. An Architecture-Centric Approach to Detecting Security Patterns in Software. In Proc. of the 3rd International Symposium on Engineering Secure Software and Systems (ESSoS 2011), Madrid, Spain, February 2011.
- K. Sohr, T. Mustafa, A. Nowak. Software Security Aspects of Java-Based Mobile Phones. In Proc. of the 26th ACM Symposium on Applied Computing (SAC 2011), Taichung, Taiwan, 2011.
- N. Kuntze, R. Rieke, G. Diederich, R. Sethmann, K. Sohr, T. Mustafa, K. Detken. Secure Mobile Business Information Processing. In Proc. of the 6th IEEE/IFIP International Symposium on Trusted Computing and Communications (TrustCom-10), Hong Kong, China, December 2010.
- R. Rittmeier, K. Sohr. A Basic Security Concept for Surgeries with the Help of Attack Trees and under Consideration of Health Telematics (German only). In Proc. of the Workshop Secure IT for Tomorrow's Health Care, Mannheim, Germany, Springer, LNI P-174, 2010.
- C. Elfers, M. Horstmann, K. Sohr, O. Herzog. Typed Linear Chain Conditional Random Fields and their Application to Intrusion Detection. In Proc. of the 11th International Conference on Intelligent Data Engineering and Automated Learning (IDEAL 2010), LNCS, Paisley, Scotland, 2010.
- T. Mustafa, M. Drouineaud, K. Sohr. Towards Formal Specification and Verification of a Role-Based Authorization Engine using JML (Position Paper). In Proc. of the 5th ACM ICSE Workshop on Software Engineering for Secure Systems (SESS 2010), Cape Town, South Africa, May 2010.
- K. Sohr, B. Berger. Idea: Towards Architecture-Centric Security Analysis of Software. In Proc. of the 2nd International Symposium on Engineering Secure Software and Systems (ESSoS 2010), Pisa, Italy, 2010.
- S. Edelkamp, C. Elfers, M. Horstmann, M.-S. Schröder, K. Sohr, T. Wagner. Early Warning and Intrusion Detection Based on Combined AI Methods. In Proc. of the First Workshop on Intelligent Security (SecArt 2009), Thessaloniki, Greece, 2009.
- C. Alm, M. Drouineaud, U. Faltin, K. Sohr, R. Wolf. A Classification Framework Designed for Advanced Role-Based Access Control Models and Mechanisms. Technical Report No. 51, TZI at the Universität Bremen, 2009.
- S. Bartsch, K. Sohr, C. Bormann. Supporting Agile Development of Authorisation Rules for SME Applications. In Proc. of the 3rd International Workshop on Trusted Collaboration (TrustCol 2008), Orlando, FL, USA, November 13-16, 2008.
- T. Mustafa, K. Sohr, D.-H. Dang, M. Drouineaud, S. Kowski. Implementing Advanced RBAC Functionality with USE. In Proc. of the 8th OCL Workshop at the UML/MoDELS Conferences, Toulouse, Electronic Communications of the EASST, Vol. 15, 2008.
- K. Sohr, T. Mustafa, G.-J. Ahn, X. Bao. Enforcing Role-Based Access Control Policies in Web Services with UML and OCL. In Proc. of the 24th Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, CA, USA, December 2008. A slightly longer version is also available.
- S. Schäfer, K. Sohr. RFID-Authentisierung in der Lieferkette der Automobilindustrie [RFID authentication in the automotive industry supply chain]. D-A-CH Security, Berlin, 2008.
- K. Sohr, M. Drouineaud, G.-J. Ahn, M. Gogolla. Analyzing and Managing Role-Based Access Control Policies. IEEE Transactions on Knowledge and Data Engineering, Vol. 20, No. 7, 2008. Preprint available.
- M. Kus, M. Lawo, M. Ronthaler, R. Sethmann, K. Sohr, K. Wind. Angepasste Benutzerschnittstellen für das Wearable Computing im Projekt SiWear [Adapted user interfaces for wearable computing in the SiWear project]. Workshop Nomadic & Wearable User Interfaces, Mensch und Computer 2007, Weimar, September 2-5, 2007.
- T. Hollstein, M. Glesner, U. Waldmann, H. Birkholz, K. Sohr. Security Challenges for RFID Key Applications. 3rd Workshop on RFID Systems and Technologies, Duisburg, Germany, 2007.
- U. Waldmann, T. Hollstein, K. Sohr. Technology-Integrated Security for RFID Systems (German only). Study funded by the Federal Ministry of Education and Research (BMBF), May 2007.
- A. Schaad, K. Sohr, M. Drouineaud. A Workflow-Based Model-Checking Approach to Inter- and Intra-Analysis of Organisational Controls in Service-Oriented Business Processes. Journal of Information Assurance and Security, Vol. 2, Issue 1, 2007.
- A. Schaad, K. Sohr. A Workflow Instance-Based Model-Checking Approach to Analysing Organisational Controls in a Loan Origination Process. 1st International Workshop on Secure Information Systems (SIS '06), Wisla, Poland, 2006.
- A. Schaad, V. Lotz, K. Sohr. A Model-Checking Approach to Analysing Organisational Controls in a Loan Origination Process. In Proc. of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT 2006), Lake Tahoe, CA, USA, 2006.
- K. Sohr, G.-J. Ahn, M. Gogolla, L. Migge. Specification and Validation of Authorisation Constraints with UML and OCL. In Proc. of the 10th European Symposium on Research in Computer Security (ESORICS 2005), LNCS 3679, Milan, Italy, September 12-14, 2005.
- K. Sohr, G.-J. Ahn, L. Migge. Articulating and Enforcing Authorisation Policies with UML and OCL. In Proc. of the ACM ICSE Workshop on Software Engineering for Secure Systems (SESS 2005), St. Louis, Missouri, USA, May 15-16, 2005, and ACM SIGSOFT Software Engineering Notes.
- K. Sohr, M. Drouineaud, G.-J. Ahn. Formal Specification of Role-Based Security Policies for Clinical Information Systems. In Proc. of the 20th ACM Symposium on Applied Computing (SAC 2005), Santa Fe, New Mexico, USA, 2005.
- M. Drouineaud, M. Bortin, P. Torrini, K. Sohr. A First Step Towards the Formal Verification of Security Policy Properties of RBAC. In H.-D. Ehrich, K.-D. Schewe (Eds.), Proc. of the 4th International Conference on Quality Software (QSIC 2004), Braunschweig, Germany, 2004.
- M. Drouineaud, A. Lüder, K. Sohr. A Role-Based Access Control Model for Agent-Based Control Systems. In Proc. of the 1st IEEE International Conference on Industrial Informatics (INDIN 2003), Banff, Canada, 2003.
- T. Mossakowski, M. Drouineaud, K. Sohr. A Temporal-Logic Extension of Role-Based Access Control Covering Dynamic Separation of Duties. In Proc. of the 4th International Conference on Temporal Logic, July 2003.
- S. Deter, K. Sohr. Pini: A Jini-Like Plug&Play Technology for the KVM/CLDC. In Proc. of Innovative Internet Computing Systems, International Workshop IICS 2001, Ilmenau, Germany, June 21-22, 2001.
- K. Sohr. Die Sicherheitsaspekte von mobilem Code [The security aspects of mobile code]. Dissertation, Universität Marburg, July 2001.
- K. Sohr. Sandkastenspiele [Sandbox games]. c't, No. 11, pp. 226-232, 2000.
- K. Sohr. Nicht verifizierter Code: eine Sicherheitslücke in Java [Unverified code: a security hole in Java]. In C. Cap (Ed.), JIT '99, Springer-Verlag, pp. 171-181, September 1999.
Master and Diploma Theses
- Kim Schoen: Sichere Kommunikation in sporadischen Kundenbeziehungen [Secure communication in sporadic customer relationships], 2003
- Daniela Bork: Sicherheitszertifizierung am Beispiel eines Marktplatzverbundes [Security certification using a marketplace federation as an example], 2003
- Ersin Ürer: Untersuchung von WLAN-Sicherheitsprotokollen [Analysis of WLAN security protocols], 2005
- Lars Migge: Spezifikation und Durchsetzung rollenbasierter Security Policies [Specification and enforcement of role-based security policies], 2005
- Tanveer Mustafa: Design and Implementation of a Role-Based Authorization Engine, 2006
- Xinyu Bao, Yan Guo: Durchsetzung von organisatorischen Richtlinien in Web Services mit Hilfe von UML und OCL [Enforcing organisational policies in web services with UML and OCL], 2007
- Silke Schäfer: Konstruktion sicherer RFID-Anwendungen [Construction of secure RFID applications], 2007
- Adrian Nowak: Sicherheitsaspekte mobiler Endgeräte [Security aspects of mobile devices], 2007
- Stefanie Gerdes: Role-Based Security Concept for Hospitals with Consideration of Recent Developments in Health Telematics, 2007 (German only)
- Meike Klose: Grundzüge eines IT-Sicherheitskonzeptes für Apotheken unter der Berücksichtigung der Gesundheitstelematik [Outline of an IT security concept for pharmacies taking health telematics into account], 2008
- Marc Ebler: Eine Sicherheitsanalyse zum Einsatz von mobilen Endgeräten im Außendienst [A security analysis of the use of mobile devices in field service], 2008
- Assoulian Mkliwa Tchamsi: Umsetzung von dynamischen RBAC Policies mit Hilfe von UML und OCL [Implementing dynamic RBAC policies with UML and OCL], 2009
- Raffael Rittmeier: Grundzüge eines Sicherheitskonzepts für Arztpraxen unter Berücksichtigung der Gesundheitstelematik [Outline of a security concept for medical practices taking health telematics into account], 2009 (German only)
- Jan Osmers: Guidelines for High Information Security Concerning Mobile Work, 2010
- David Kamga Adamo: Development of a Role-Based Authorization Engine for Workflows Based on a Model Checker, 2010
- Florian Junge: Dynamic Generation of Attack Trees for Networks with the Help of a Modular Tool, 2010
- Stefan Klement: Security Aspects of the Google Android Platform (German only), 2011
- Bernd Samjeske: Entwicklung eines erweiterbaren ontologiebasierten Asset-Managements [Development of an extensible ontology-based asset management] (German only), 2011
Teaching
Scientific Service
- Journal of Systems and Software (JSS)
- Information and Software Technology (IST)
- IEEE Transactions on Parallel and Distributed Systems (TPDS)
- IEEE Software
Other Responsibilities
Contact
Dr. Karsten Sohr
Center for Computing Technologies (TZI)
Bibliothekstr. 1
D-28359 Bremen
Germany

Phone: +49 421 218 63922
Fax: +49 421 218 7000
E-Mail: sohrATtzi.de
Office: MZH, Room 5100
My PGP key