Universität Bremen







Dr. Karsten Sohr


I am currently a senior researcher at the Center for Computing Technologies (TZI) at the Universität Bremen.
Here, I'm the coordinator for the development of the topic "Information Security".

Research Interests

  • Role-based access control (RBAC)
  • Secure mobile applications, Java security
  • Formal Methods and security


Timo Glander has detected two vulnerabilities in the Siemens SmartClient app for Android (remote control of ICS). More details can be found here. Siemens AG has also published an advisory.

The BMBF has granted the SecureSmartHomeApp project, in which App-controlled smart home systems will be systematically analyzed w.r.t. security. Based on these results and experiences, a reference security architecture for such systems will be developed (security-by-design approach).

We have found multiple vulnerabilities in the SAP app Mobile Documents Client (more details to come).

HP removed the app HPAnywhere from Google Play after Christian Liebig had detected a code injection vulnerability. A more detailed vulnerability report can be found here. Thanks to CERT/CC who coordinated communication with HP.

Siemens AG has published an advisory for the SPCAnywhere app (Android, iOS), in which Bernhard Berger, Kai Hillmann and I have detected several security flaws. The SPCAnywhere app allows a user to remotely control an alarm system; the security holes allow an attacker to conduct a middleperson attack against the alarm system under certain conditions. Siemens AG has published a further advisory, now concerning communications security of the Android app HomeControl for Room Automation.

Update: Siemens AG has also published an advisory for the SmartClient app for Android (remote control of ICS); this app stored ICS passwords on the Android device with an unsecure key (WiFi address).

Research Grants

Over the years, we received funding from various funding bodies, which allowed us to establish the research area “Information Security” at the Universität Bremen:

  • XMELD - Modeling E-Government Business Processes with UML and OCL
  • ForRBAC - Formal Specification, Verification and Enforcement of Role-Based Security Policies (funded by the DFG)
  • ORKA - Organisational Control Architecture (funded by the BMBF)
  • ITSec - E-Learning Portal for IT-Security (Customer: Institut für Wissenstransfer)
  • RFIDSec - Technology-centered RFID security (funded by the BMBF)
  • SIMOIT - Secure Access of Mobile Employees to the IT Infrastructure of SMEs (funded by the German Federal State of Bremen)
  • SiWear - Secure Wearable Computing (funded by the BMWI)
  • Mobile Phone-Demonstrator - Demonstration of security risks of mobile phones (BSI)
  • FIDeS - Intrusion Detection System Based on Combined Methods of Artificial Intelligence (funded by the BMBF)
  • VOGUE - Trusted Mobile Access to Enterprise Networks (funded by the BMBF)
  • ASKS - Architecture-Centric Security Analysis of Business Applications (funded by the BMBF)
  • SAiM – Protection of Android through Intelligent Monitoring (funded by the BMBF)
  • iMonitor – Implementation of Optimized and Parallel Inference Methods for SIEM Systems (funded by BMWI)
  • ZertApps – Certified Security of Mobile Applications (funded by the BMBF)
  • SecurityPatterns – Detection and Validation of Security Patterns (funded by the DFG)
  • CertifiedApplications – Lightweight Security Certification of Java Applications with the Help of Tool-Supported Program Analyses (funded by the BMWi)
  • PortSec – IT-risk management in the port telematics based on the software architecture (funded by the BMBF)
  • SecureSmartHomeApp – Development of secure mobile applications for controlling smart home systems (funded by the BMBF)


1.     K. Sohr, T. Mustafa, M. Gulmann, P. Gerken. Towards Security Program Comprehension with Design by Contract and Slicing, 2015. (This paper introduces a static analysis process that replicates procedures for security code audits and hence simplifies these processes.)

2.     F. Hilken, M. Schuster, K. Sohr, M. Gogolla. Integrating UML/OCL Derived Properties into Validation and Verification Processes. In Proc. 16th International Workshop in OCL and Textual Modeling, October 2, 2016, Saint-Malo, France.

3.     B. Berger, K. Sohr, R. Koschke. Automatically Extracting Threats from Extended Data Flow Diagrams. In Proc. 8th International Symposium on Engineering Secure Software and Systems (ESSoS 2016), London, April 2016.

4.     C. Medrano, G.-J. Ahn, K. Sohr. Achieving Security Assurance with Assertion-Based Application Construction. EAI Endorsed Transactions on Collaborative Computing, 2015.

5.     L. Hamann, K. Sohr, M. Gogolla. Monitoring Database Access Constraints with an RBAC Metamodel: a Feasibility Study. In Proc. 7th International Symposium on Engineering Secure Software and Systems (ESSoS 2015), Milan, Italy, March 2015.

6.     C. Medrano, G.-J. Ahn, K. Sohr. Achieving Security Assurance with Assertion-Based Application Construction. 9th Workshop on Trusted Collaboration (TrustCol-2014), Miami, Florida, 2014.

7.     B. Berger, K. Sohr, U. Kalinna. Architekturelle Sicherheitsanalyse für Android Apps, D-A-CH Security, Graz, 2014.

8.     T. Mustafa, K. Sohr. Understanding the Implemented Access Control Policy of Android System Services with Slicing and Extended Static Checking, International Journal of Information Security, Springer, Berlin, 2014. Supersedes technical report.

9.     S. Bartsch, B. J. Berger, E. Bodden, A. D. Brucker, J. Heider, M. Kus, S. Maseberg, K. Sohr, M. Volkamer. Zertifizierte Datensicherheit für Android-Anwendungen auf Basis statischer Programmanalysen (German only). In Proc. Sicherheit – Schutz und Zuverlässigkeit (GI Sicherheit 2014), Vienna, Austria, 2014.

10. O. Hofrichter, M. Gogolla, K. Sohr. UML/OCL based Design and Analysis of Role-Based Access Control Policies. In Proc. of the 1st International MODELS Workshop Towards the Model DrIven Organization (AMINO 2013), Miami, USA, 2013.

11. S. Bartsch, B. Berger, M. Bunke, K. Sohr. The Transitivity-of-Trust Problem in Android Application Interaction (Short Paper). In Proc. of the 8th International Conference on Availability, Reliability and Security (AReS 2013), Regensburg, Germany, 2013. To appear. A longer version as Technical Report available.

12. C. E. Rubio-Medrano, G.-J. Ahn, K. Sohr. Verifying Access Control Properties with Design by Contract: Framework and Lessons Learned. In Proc. 37th Annual International Computer Software & Applications Conference Kyoto, Japan, 2013.

13. B. Berger, K. Sohr, R. Koschke. Extracting and Analyzing the Implemented Security Architecture of Business Applications. In Proc. of the 17th European Conference on Software Maintenance and Reengineering (CSMR 2013), Genova, Italy, 2013.

14. M. Kuhlmann, K. Sohr, M. Gogolla. Employing UML and OCL for Designing and Analyzing Role-Based Access Control. In Mathematical Structures in Computer Science, Vol. 23, No. 4, 2013.

15. K. Sohr, M. Kuhlmann, M. Gogolla, H. Hu, G.-J. Ahn. Comprehensive Two-Level Analysis of Role-Based Delegation and Revocation Policies with UML and OCL. In Information and Software Technology (IST), Vol. 54, No. 12, December 2012.

16. H. Birkholz, I. Sieverdingbeck, K. Sohr, C. Bormann. IO: An interconnected asset ontology in support of risk management processes. In Proc. of the 1st International Workshop on Security Ontologies and Taxonomies (SecOnT 2012), 2012.

17. B. Berger, K. Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. In Proc. of the 27th IFIP International Information Security and Privacy Conference (IFIP Sec 2012), Crete, Greece, 2012.

18. B. Berger, M. Bunke, K. Sohr. An Android Security Case Study with Bauhaus (Short Paper). In Proc. of the 18th Working Conference on Reverse Engineering (WCRE 2011), Limerick, Ireland, 2011.

19. C. Elfers, H. Birkholz, B. Samjeske, K. Sohr. Unternehmensübergreifender Austausch von sicherheitsrelevantem Wissen. In Datenschutz und Datensicherheit (DuD), Vol. 4, 2011.

20. M. Kuhlmann, K. Sohr, M. Gogolla. Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL. In Proc. 5th IEEE International Conference on Secure Software Integration and Reliability Improvement (SSIRI 11), Jeju Island, South Korea, June 2011. Best paper award.

21. M. Bunke, K. Sohr. An Architecture-Centric Approach to Detecting Security Patterns in Software. In Proc. 3rd International Symposium on Engineering Secure Software and Systems (ESSoS 2011), Madrid, Spain, February 2011.

22. K. Sohr, T. Mustafa, A. Nowak. Software Security Aspects of Java-Based Mobile Phones. In Proceedings of the 26th ACM Symposium on Applied Computing (SAC 2011), Taichung, Taiwan, 2011.

23. N. Kuntze, R. Rieke, G. Diederich, R. Sethmann, K. Sohr, T. Mustafa, K. Detken. Secure mobile business information processing. Proc. of the 6th IEEE/IFIP International Symposium on Trusted Computing and Communications (TrustCom-10), Hongkong, China, December 2010.

24. R. Rittmeier, K. Sohr. A basic security concept for surgeries with the help of attack trees and under consideration of health telematics (only German). Proc. Workshop Secure IT for tomorrow's health care, Mannheim, Germany, Springer, LNI P-174, 2010.

25. C. Elfers, M. Horstmann, K. Sohr, O. Herzog. Typed Linear Chain Conditional Random Fields and their Application to Intrusion Detection. In Proceedings of the 11th International Conference on Intelligent Data Engineering and Automated Learning (IDEAL 2010), LNCS, Paisley, Scotland, 2010.

26. T. Mustafa, M. Drouineaud, K. Sohr. Towards Formal Specification and Verification of a Role-Based Authorization Engine using JML (Position Paper). In Proceedings of the 5th ACM ICSE Workshop on Software Engineering for Secure Systems (SESS10), Cape Town, South Africa, May 2010.

27. K. Sohr, B. Berger. Idea: Towards Architecture-Centric Security Analysis of Software. Proc. 2nd International Symposium on Engineering Secure Software and Systems (ESSoS 2010). Pisa, Italy.

28. S. Edelkamp, C. Elfers, M. Horstmann, M.-S. Schröder, K. Sohr, T. Wagner. Early Warning and Intrusion Detection based on Combined AI Methods. First Workshop on Intelligent Security (SecArt 09), Thessaloniki, Greece, 2009.

29. C. Alm, M. Drouineaud, U. Faltin, K. Sohr, R. Wolf. A Classification Framework Designed for Advanced Role-based Access Control Models and Mechanisms, Technical Report No. 51, TZI at the Universität Bremen, 2009.

30. S. Bartsch, K. Sohr, C. Bormann. Supporting Agile Development of Authorisation Rules for SME Applications. Proc. of the 3rd International Workshop on Trusted Collaboration (TrustCol-2008), Orlando, FL, USA, November 13 - 16, 2008.

31. T. Mustafa, K. Sohr, D.-H. Dang, M. Drouineaud, S. Kowski. Implementing Advanced RBAC Functionality with USE. Proc. of the 8th OCL Workshop at the UML/MoDELS Conferences, Toulouse, Electronic Communications of the EASST, Volume 15, 2008.

32. K. Sohr, T. Mustafa, G.-J. Ahn, X. Bao. Enforcing Role-Based Access Control Policies in Web Services with UML and OCL, 24th Annual Computer Security Applications Conference, Anaheim CA, December 2008. A slightly longer version can be found here.

33. S. Schäfer, K. Sohr. RFID-Authentisierung in der Lieferkette der Automobilindustrie, D-A-CH Security, Berlin, 2008.

34. K. Sohr, M. Drouineaud, G.-J. Ahn, M. Gogolla. Analyzing and Managing Role-Based Access Control Policies. IEEE Transactions on Knowledge and Data Engineering, Vol. 20, No. 7, 2008. Preprint available.

35. M. Kus, M. Lawo, M. Ronthaler, R. Sethmann, K. Sohr, K. Wind. Angepasste Benutzerschnittstellen für das Wearable Computing im Projekt SiWear. Workshop Nomadic & Wearable User Interfaces, Mensch und Computer 2007, Weimar, September 2-5, 2007.

36. T. Hollstein, M. Glesner, U. Waldmann, H. Birkholz, K. Sohr. Security challenges for RFID key applications. 3rd Workshop on RFID Systems and Technologies, Duisburg, Germany, 2007.

37. U. Waldmann, T. Hollstein, K. Sohr. Technology-integrated Security for RFID Systems (only German). Study funded by the Federal Ministry of Research and Education (BMBF), May 2007.

38. Schaad, K. Sohr, M. Drouineaud. A Workflow-based Model-checking Approach to Inter- and Intra-analysis of Organisational Controls in Service-oriented Business Processes, Journal of Information Assurance and Security, Volume 2, Issue 1, 2007.

39. Schaad, K. Sohr. A workflow instance-based model-checking approach to analysing organisational controls in a loan origination process. 1st International Workshop on Secure Information Systems (SIS '06). Wisla, Poland, 2006.

40. Schaad, V. Lotz, K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, 2006.

41. K. Sohr, G.-J. Ahn, M. Gogolla, L. Migge. Specification and validation of authorisation constraints with UML and OCL. In Proceedings of 10th European Symposium on Research in Computer Security (ESORICS), LNCS 3679, Milan, Italy, September 12-14, 2005.

42. K. Sohr, G.-J. Ahn, L. Migge. Articulating and enforcing authorisation policies with UML and OCL. In Proceedings of ACM ICSE Workshop on Software Engineering for Secure Systems (SESS05), St. Louis, Missouri, May 15-16, 2005 and ACM SIGSOFT Software Engineering Notes.

43. K. Sohr, M. Drouineaud, G.-J. Ahn. Formal specification of role-based security policies for clinical information systems. In Proceedings of the 20th ACM Symposium on Applied Computing, Santa Fe, New Mexico, 2005.

44. M. Drouineaud, M. Bortin, P. Torrini, K. Sohr. A first step towards the formal verification of security policy properties of RBAC. In H.-D. Ehrich, K.-D. Schewe (Eds.), Proceedings of the 4th International Conference on Quality Software (QSIC), Braunschweig, Germany, 2004.

45. M. Drouineaud, A. Lüder, K. Sohr. A role-based access control model for agent-based control systems. In Proceedings of the 1st IEEE International Conference on Industrial Informatics, Banff, Canada, 2003.

46. T. Mossakowski, M. Drouineaud, K. Sohr. A temporal-logic extension of role-based access control covering dynamic separation of duties. In Proceedings of the 4th International Conference on Temporal Logic, July 2003.

47. S. Deter, K. Sohr. Pini: A Jini-Like Plug&Play Technology for the KVM/CLDC. In Proceedings of the Innovative Internet Computing Systems, International Workshop IICS 2001, Ilmenau, Germany, June 21-22, 2001.

48. K. Sohr. Die Sicherheitsaspekte von mobilem Code. Dissertation, Universitaet Marburg, July 2001.

49. K. Sohr. Sandkastenspiele. c't, No. 11, 226-232, 2000.

50. K. Sohr. Nicht verifizierter Code: eine Sicherheitslücke in Java. In C. Cap (Eds.), JIT '99, Springer-Verlag, 171-181, September 1999.

Supervised Doctoral Theses

1.     Dr. Tanveer Mustafa: Static Security Analysis of Java Applications with an Approach Based on Design by Contract, 2013

Master and Diploma Theses

1. Kim Schoen: Sichere Kommunikation in sporadischen Kundenbeziehungen, 2003

2. Daniela Bork: Sicherheitszertifizierung am Beispiel eines Marktplatzverbundes, 2003

3. Ersin Ürer: Untersuchung von WLAN-Sicherheitsprotokollen, 2005

4. Lars Migge: Spezifikation und Durchsetzung rollenbasierter Security Policies, 2005

5. Tanveer Mustafa: Design and Implementation of an Role-based Authorization Engine, 2006

6. Xinyu Bao, Yan Guo: Durchsetzung von organisatorischen Richtlinien in Web Services mit Hilfe von UML und OCL, 2007

7. Silke Schäfer: Konstruktion sicherer RFID-Anwendungen, 2007

8. Adrian Nowak: Sicherheitsaspekte mobiler Endgeräte, 2007

9. Stefanie Gerdes: Role-based security concept for hospitals with consideration of recent developments in health telematics, 2007 (only German)

10. Meike Klose: Grundzüge eines IT-Sicherheitskonzeptes für Apotheken unter der Berücksichtigung der Gesundheitstelematik, 2008

11. Marc Ebler: Eine Sicherheitsanalyse zum Einsatz von mobilen Endgeräten im Außendienst, 2008

12. Assoulian Mkliwa Tchamsi: Umsetzung von dynamischen RBAC Policies mit Hilfe von UML und OCL, 2009

13. Raffael Rittmeier: Grundzüge eines Sicherheitskonzepts für Arztpraxen unter Berücksichtigung der Gesundheitstelematik, 2009 (only German)

14. Jan Osmers: Guidelines for high information security concerning mobile work, 2010

15. David Kamga Adamo: Development of a role-based authorization engine for workflows based on a model checker, 2010

16. Florian Junge: Dynamic generation of attack trees for networks with the help of a modular tool, 2010

17. Stefan Klement: Security aspects of the Google Android Platform (German only), 2011

18. Bernd Samjeske: Entwicklung eines erweiterbaren ontologiebasierten Asset-Managements (German only), 2011

19. Timo Reimerdes: Sicherheit und Privatsphäre in Sozialen Netzwerken, 2012

20. Bastian Breit: Sicherheitsaspekte von Android und mobilen Verkaufsportalen, 2013

21. Dimitri Hellmann: Angriffsszenarien ausgehend von Android-Anwendungen, 2013

22. Axel Auffarth: Modeling of Security Aspects in Software Architectures (German only), 2013

23. Christian Liebig: Security Analysis of Mobile Business Applications (German only), 2014

24. Malte Humann: Auswirkungen von Sensoreigenschaften auf die Angriffserkennung mittels Sensorfusion, 2014

25. Oliver Schnieders: Identitätsmanagement im E-Commerce, 2014

26. Tim Schleier: Erstellung einer bidirektionellen Kommunikation mit CBOR als Datenformat, 2014

27. Markus Gulmann: Statische Sicherheitsanalyse der Android Systemservices (German only), 2014

28. Katharina Hafner: Modellierung von Rollenkonzepten für Krankenhäuser mittels UML und OCL, 2015

29. Kevin Löhmann: Analyse und Beschreibung des Binder-Frameworks zur Interprozesskommunikation unter Android als Grundlage für weiterführende Sicherheitsbetrachtungen, 2015

30. Stefan Gommer: Identifikation von kritischen Informationsflüssen in Android-Anwendungen auf Basis von statischen Programmanalysen (German only), 2015

31. Kai Hillmann: Sicherheitsanalyse von App-gesteuerten Alarmanlagen, 2015 

32. Fritjof Bornebusch: New concept of the Android keystore service with regard to security and portability, 2016

33. Henning Ziegler: Analyse der Verwendung von Kryptographie-APIs in Java-basierten Anwendungen, 2016

34. Philipp Hirch: Automatische Inferenz von JML-Sicherheitsspezifikationen mit Exception Handling, 2016

35. Marcel Schuster: Modellierung und Validierung von Rechnernetzen auf unteren OSI-Schichten mit UML und OCL, 2017

Bachelor Reports

1.     Kai Hillmann. Darstellung und Analyse eines Konzeptes zur digitalen Beweissicherung, 2011

2.     Philipp Nguyen. NFC-Sicherheit mit Smartphones – Sicherheitsanalyse von Android-Applikationen mit NFC-Funktionalität, 2013

3.     Markus Gulmann. Sicherheitsanalyse ausgewählter Systemservices des mobilen Betriebssystems Android, 2013

4.     Alexander Neer. Richtlinien für den sicheren SSL/TLS-Einsatz, 2013

5.     Malte Batram. Dynamische Sicherheitsanalyse von ActionScript-basierten Webanwendungen, 2014

6.     Malte Kuhn. Anomalieerkennung von Applikationsverhalten auf Android, 2014

7.     Denis Szadkowski. Evaluation eines Werkzeugs zur statischen Analyse von SSL/TLS-Schwachstellen, 2014

8.     Patrick Hofmann. Entwicklung einer modularen Penetration-Test-Suite zur Sicherheitsanalyse auf Android-Geräten, 2014

9.     Darstellung von Ergebnissen statischer Codeanalysen installierter Android apk-Dateien auf dem Gerät des Nutzers, 2015

10. Patrick Gerken. Statische Sicherheitsanalyse von Java Enterprise-Anwendungen mittels Program Slicing, 2015

11. Florian Thomas. Modellierung von Informationen zur Interprozesskommunikation in Android-Anwendungen für Datenflussdiagramme, 2015

12. Sebastian Feldmann. Konzeption und Implementierung einer Eingabeprüfung für Struts-basierte Webanwendungen, 2015

13. Daniel Müller. Untersuchung zur Broadcast-Sicherheit in Android-Apps, 2015

14. Daniel Schwarz. Sicherheitsanalyse der clientseitigen Umsetzung des OAuth-Protokolls in Android-Anwendungen, 2016

15. Maximilian Schönborn. Detektion von Shared Preferences-Einträgen in Android-Applikationen mit Hilfe statische Programmanalyse, 2016

16. Jan Bartkowski. Sicherheitsanalyse eines App-gesteuerten Smart Home Systems, 2016

17. Mathias Detmers. Evaluation des WALA-Slicers bzgl. der Anwendbarkeit auf sicherheitskritische Java-Programme, 2016

18. Patrick Lorenz. Sicherheitsanalyse von Smarthome Android Apps, 2017

19. Paul Warsewa. Informationssicherheit für Laien, 2017

20. Timo Glander. Sicherheitsanalyse einer Android App zur entfernten Steuerung eines Industrial Controllers, 2017


1.     Spring 2005: Information security I (with Prof. Dr. Carsten Bormann)

2.     Spring 2007: Information security I (with Prof. Dr. Carsten Bormann)

3.     Fall 2008: Information security I (with Prof. Dr. Carsten Bormann)

4.     Fall 2009: Information security I (with Prof. Dr. Carsten Bormann)

5.     Fall 2010: Information security I (with Prof. Dr. Carsten Bormann)

6.     Fall 2011: Information security I (with Prof. Dr. Carsten Bormann)

7.     Fall 2012: Information security I (with Prof. Dr. Carsten Bormann)

8.     Fall 2013: Information security I (with Prof. Dr. Carsten Bormann)

9.     Fall 2014: Information security I (with Prof. Dr. Carsten Bormann)

10.  Fall 2015: Information security I (with Prof. Dr. Carsten Bormann)

11.  Fall 2016: Information security I (with Prof. Dr. Carsten Bormann)

Scientific Service

1.     Journal of Systems and Software (JSS)

2.     Science of Computer Programming (SoCP)

3.     Information and Software Technology (IST)

4.     Computer Standards & Interfaces (CSI)

5.     Journal of Interactive Media

6.     IEEE Transactions on Parallel and Distributed Systems (TPDS)

7.     IEEE Software


I was also a reviewer for the Netherlands Organisation for Scientific Research (NWO) and the National Research Foundation of Korea (NRF).



1.     Software Security Demonstrated with Android-Applications (German only), Universität Marburg, Germany, October 2014

2.     Architectural Risk Analysis for Android Applications (English version), 12th Annual Meeting of the GI Working Group “Formal Methods and Software Engineering for Safety and Security”, Bremen, March 2015

Other Responsibilities

1.     Intelligent Security at the Universität Bremen

2.     Information Security Bremen (more to come)

3.     BremSec-Forum (a network for security officers of organisations; co-organiser: Siemens Bremen and GDD)

4.     Health Solution Group


Dr. Karsten Sohr
Center for Computing Technologies (TZI)
Bibliothekstr. 1
D-28359 Bremen

Phone: +49 421 218 63922
Fax: +49 421 218 7000
E-Mail: sohrATtzi.de
Office: MZH, Room 5100
My PGP key




Author: Dr. Karsten Sohr




Last updated: August 25, 2016