Selected Publications

How does the Java 9 Module System affects the Security of the Java Platform
In TSE Journal, 2019

Different Java compilers and compiler versions, e.g., javac or ecj, produce different bytecode from the same source code. This makes it hard to trace if the bytecode of an opensource library really matches the provided source code. Moreover, it prevents one from detecting which open-source libraries have been re-compiled and rebundled into a single jar, which is a common way to distribute an application. Such rebundling is problematic because it prevents one to check if the jar file contains open-source libraries with known vulnerabilities. To cope with these problems, we propose the tool SootDiff that uses Soot’s intermediate representation Jimple, in combination with code clone detection techniques, to reduce dissimilarities introduced by different compilers, andcto identify clones. Our results show that SootDiff successfully identifies clones in 102 of 144 cases, whereas bytecode comparison succeeds in 58 cases only
In SOAP 2019, 2019

Recent & Upcoming Talks

Automatisierte Risikoabschätzung bzgl. der Nutzung unsicherer Open-Source-Komponenten
Oct 17, 2019 4:14 PM

Recent Posts

More Posts

++ Status Update +++


Image credit: Photo Pexels & Scrum Process

TL;DR Finding an easy-to-use scrum tool is not that easy. In this post, I’ll take a look at different tools that support Product Backlog Creation, Task Management, and Sprint Planning. While there exists a lot of different tools, I investigated OpenProject,, and Pivotal Tracker. While all tools support agile software development, backlogs, sprint planning, OpenProject and Pivotal Tracker target professional development teams including time and budget management. For an undergraduate course, we decided to use which provides a beautiful user interface and is boiled down to essential features, and thus is easy-to-use.


Image credit: Photo by Trent Erwin on Unsplash & Java Duke

With Java being one of the top three programming languages on GitHub 2017 1, it has been subject to several vulnerabilities and attacks undermining Java’s sophisticated security model 2. Often attackers found ways to access protected areas in Java, that originally should be isolated and inaccessible.


Image credit: Photo Pexels & Bug on pixabay

TL;DR One can find (almost) no vulnerabilities for popular Java libraries, e.g., apache-commons, google-guava, in the CVE and NDE database. See Chart
Are Java libraries secure by default?
Does no one reports vulnerabilities in Java libs?


What is SWTPra/SoPra?

As part of the Paderbon University Bachelor’s curriculum, undergraduate students have to participate in a practical course called Softwaretechnik Praktikum in short SWTPra.




As a student I worked on MechatronicUML. A Model-Driven Software Development toolchain for cyber-physical systems.

Soot - Java 9

As part of my life as a PhD student, I currently adapt Soot to work with Java 9.

Image credit: Photo by Tom Hermans on Unsplash


  • Fachgruppe Softwaretechnik
    Heinz Nixdorf Institut
    Universität Paderborn
    Fürstenallee 11
    33102 Paderborn