I received my Ph.D. in 2019 from Paderborn University, and my M.Sc. in Computer Science in 2014 from EPFL.
My research interests are scalable static code analysis, usable tooling, and secure software engineering. In particular, I explored the usability of static analysis tools, from the optimization of the analysis algorithms to the implementation of their frameworks to the usability of their interfaces.
Experience

Education
- Supervisor: Prof. Dr. Eric Bodden. Summa cum laude, UPB doctoral dissertation award, Zonta club Paderborn award
- Specialization in Internet Computing. ISSS Excellence Award
Research projects

Developer usage of static analysis tools
Past research in the usability of static analysis tools has focused on usability issues encountered by software developers, and the causes of those issues in analysis tools. We adopt a user-centered approach to understand how developers use analysis tools, which decisions they make, what they look for when making those decisions, and the motivations behind their strategies.

Explainability of static analysis results
Static analysis tools perform complex reasoning to yield warnings. Explaining this reasoning to users is a known issue for such tools. We present the concept of analysis automata and detail three applications that enhance explainability: (1) warning understanding, (2) warning classification, and (3) detection of bad analysis patterns.

Swan and SwanAssist
Swan is a semi-automated method for determining which methods of a given codebase or library can be involved in specific vulnerabilities.

Gamifying static analysis
Static analysis tools have well-documented usability issues. In this project, we explore how to build analysis tools that help code developers understand and fix complex bugs, and how to engage them with a comprehensive, user-friendly GUI.

VisuFlow
VisuFlow is a debugging environment designed to help static analysis writers understand and debug an analysis. It is written as an Eclipse plugin and supports static data-flow analyses written on top of the Soot analysis framework.

Just-in-time analysis
The just-in-time analysis concept aims at making static analysis more usable to the end user, often the code developer. It allows analysis writers to encode prioritization properties into the analysis. At runtime, certain paths are analyzed before others, so that important results are returned first. Cheetah is an implementation of the just-in-time analysis concept for taint analysis of Android applications. It is integrated into the Eclipse IDE as a plugin.

Automated benchmark management
ABM (automated benchmark management) is a methodology and a web application for automating the creation and maintenance of benchmark suites.

Boomerang
Boomerang is a demand-driven flow- and context-sensitive pointer analysis for Java written in the IFDS framework.
Publications
- Why do software developers use static analysis tools? A user-centered study of developer needs and motivations
- Explaining static analysis with rule graphs
- Designing UIs for static analysis tools: evaluating tool design guidelines with SWAN
- Proceedings of the 10th ACM SIGPLAN international workshop on the state of the art in program analysis
- Why can't Johnny fix vulnerabilities: a usability evaluation of static analysis tools for security
- Debugging static analysis
- Explaining static analysis – a perspective
- SwanAssist: semi-automated detection of code-specific, security-relevant methods
- Doctoral thesis – User-centered tool design for data-flow analysis. Distinctions: Summa cum laude, UPB doctoral dissertation award, Zonta club Paderborn award
- Codebase-adaptive detection of security-relevant methods. Distinctions: Artifact evaluated
- Codebase-adaptive detection of security-relevant methods (TR)
- Gamifying static analysis
- VisuFlow: a debugging environment for static analyses
- Explainable Static Analysis
- Debugging static analysis (TR)
- Just-in-time static analysis. Distinctions: Distinguished paper award, Artifact evaluated
- Boomerang: demand-driven flow- and context-sensitive pointer analysis for Java. Distinctions: Artifact evaluated
- Cheetah: just-in-time taint analysis for Android apps
- Just-in-time static analysis (TR)
- Toward an automated benchmark management system
- Security analysis of TrueCrypt
- Toward a just-in-time static analysis
Service

Organizer / chair
- SOAP 2021, PC chair
- ISSTA & ECOOP 2021, publicity chair
- ECOOP 2020, artifact evaluation co-chair
- ECOOP 2019, posters chair
- ISSTA & ECOOP 2018, posters chair
- ECOOP 2017, doctoral symposium co-chair

PC member
- ISSTA 2022, doctoral symposium
- ICSE 2022, posters track
- ISSTA & ECOOP 2021, doctoral symposium
- ISSTA 2021, research track
- ASE 2020, research track
- ASE 2019, demonstrations track
- ISSTA 2019, artifact evaluation
- ECOOP 2019, artifact evaluation
- ECOOP 2019, doctoral symposium
- OOPSLA 2018, artifact evaluation
- ISSTA 2018, artifact evaluation
- ASE 2018, research track (sub-reviewer)
- OOPSLA 2017, artifact evaluation
- ESEC/FSE 2017, demonstrations track
- ECOOP 2017, artifact evaluation
- ESEC/FSE 2016, research track (sub-reviewer)

Journal reviewer

Student volunteer

Others
- ASE 2020, panelist at the PhD advice panel
- Forum EPFL alumni mentoring program 2020, mentor
- ECOOP 2016 summer school, graduate mentor
Teaching

Graduate teaching assistant
- Seminar: secure systems engineering, Paderborn University (winter 2018). The seminar yielded three technical reports:
- Designing code analyses for large software systems, Paderborn University (summers 2016-2019)
- Secure software development, TU Darmstadt (winter 2015)
- Designing code analyses for large software systems, TU Darmstadt (winter 2014)

Substitute lecturer
- Designing code analyses for large software systems, Paderborn University (summer 2018)
- Designing code analyses for large software systems, Paderborn University (summer 2016)
- Secure software development, TU Darmstadt (winter 2015)

Thesis supervision
- A tool for prototyping static analysis graphical user interfaces. G. S. Varma. (MA)
- Automating builds for open source software. Thoren Grüttemeier. (BA)
- Omniscient debugging for static analysis. Marcus Nachtigall. (MA)
- Indexing open-source JavaScript repositories. Ankur Gupta. (MA)
- Supporting incremental changes in static analysis code. Kaarthik Radhakrishna. (MA)
- Aliasing in incremental static analysis with IDEal. Shashank Subramanya. (MA)

Student supervision
- Project group: Delphi – mining software ecosystems using static program analysis (2019 - 2020)
- Project group: automated benchmark management (2018 - 2019)
- Undergraduate Capstone open source projects: filtering module for the automated benchmark management platform (2018)
- Project group: secure integration of cryptographic software (2017 - 2018)
- Project group: visualising data flows in static code analyses (2016 - 2017)

Talks
- Filmfestival Mathematik Informatik. Heidelberg. (2019)
Exhibitions
- 30th international origami convention. Erkner. (2018)
- Paper heroes. Tel Aviv. (2017)
- Convention for creators. Lyon. (2017)
- Origami USA annual convention. New York. (2016)
- 28th international origami convention. Erkner. (2016)
- Star Wars origami exhibition. Zaragoza. (2016)
- Ultimate Origami Convention. Lyon. (2015)
- Model-making event. Samoëns. (2014)
Contests
- Origami Deutschland creation contest. 1st place. (2016)
- Origami Deutschland creation contest. 2nd place. (2015)
- MFPP creation contest. (2015)
- 8th JOAS origami model competition. 1st place, public’s choice. (2015)
- MFPP creation contest. 1st place, audience award. (2014)
Creations
- Models with diagrams:
  - Black nightshade. Diagram in “Origami Deutschland 2016 convention book”. (Nov 2015)
  - Butterfly. Diagram in “Origami Deutschland 2018 convention book”. (Dec 2015)
  - Four-leaf clover. Diagram in “MFPP 2015 convention book”. (Dec 2014)
  - Goldfish. Diagram in “CDO 2018 convention book”. (Dec 2017)
  - Ivy leaf. Diagram in “Origami Deutschland 2015 convention book” and in “MFPP 2015 convention book”. (May 2014)
  - Jar Jar Binks head. Diagram in “The Fold” 2016. (Nov 2015)
  - Leaf chopstick holder. Diagram in “The origami collection 2015” and in “Origami Deutschland 2015 convention book”. (May 2014)
  - Monkey mask. Diagram in “The Paper” 2018. (Jul 2015)
  - Oncidium. Diagram in “Origami Deutschland 2016 convention book”. (Oct 2014)
  - ORI_Q swan. Diagram in “The Fold” 2016. (Nov 2015)
  - Twin dolphins. Diagram in “The Fold” 2016. (Apr 2015)
  - Winged heart. Diagram in “The origami collection 2016”. (May 2015)
  - Yale-type cylinder lock key. Diagram in “The Fold” 2017. (Jan 2015)
- Models with crease patterns:
  - Alsatian girl. Diagram in “Le pli #134” 2014 and in “The Fold” 2016. (Apr 2014)
  - Mermaid. Diagram in “Le pli #138” 2015. (Apr 2015)
- Other models:
  - 13 tales. (Apr 2016)
  - 2018!. (Jan 2018)
  - Angelfish. (Dec 2015)
  - Ballerina. (May 2018)
  - Bride. (Apr 2015)
  - Brown bear. (Jul 2019)
  - Charon. (Dec 2012)
  - Cheetah head. (Jan 2017)
  - Chinese coin. (Dec 2014)
  - Cinderella. (Jan 2016)
  - Courting cranes. (Feb 2019)
  - Deer head. (Apr 2017)
  - Doe head. (Apr 2017)
  - Four mice. (Apr 2016)
  - Hop-o’-my-thumb. (Mar 2016)
  - Jar Jar Binks. (Nov 2015)
  - Lady. (May 2018)
  - Link. (Jun 2018)
  - Little red riding hood. (Feb 2016)
  - Lurking menace. (May 2016)
  - Magic mirror. (Apr 2016)
  - My little hero. (Aug 2017)
  - Princess Zelda. (Jun 2018)
  - Quetzalcoatl. (Jul 2014)
  - Sadako. (Aug 2017)
  - Sun Wukong. (Jul 2015)
  - The angel. (Mar 2016)
  - The beanstalk. (Apr 2016)
  - The mermaid and the frog prince. (Jan 2016)
  - The pied piper of Hamelin. (Jan 2016)
  - The winged victory of Samothrace. (May 2013)
  - The yellow dwarf. (Apr 2016)
  - Tinker bell. (Mar 2016)
  - Two (thousand) cranes. (May 2012)
  - Wedding bouquet. (Feb 2016)
  - Winged heart 2.0. (Oct 2015)