
Curriculum Vitæ


I work in computer security. In research, I use experimental methods to analyze security incidents and analyze version archives to find and predict vulnerabilities. In my company, I help companies assess, manage, and mitigate the risks that come from operating an IT infrastructure. You can also hire me as a freelance security consultant.

Research Interests

My research is in the field of Computer Security, focusing on system and software security. Most security problems are ultimately due to vulnerabilities in software, so I want to work at the point where security and software engineering meet. I want to find ways to make software more secure cheaply. This means research into new technologies, as well as research into software and business processes in order to understand where vulnerabilities ultimately come from and how they can be eliminated or mitigated. To do this, I use experimental and empirical methods. These make use of controlled program re-runs and of artifacts created during program development.

Education

3/2003–9/2007

Ph.D. in Computer Science, Saarland University, Saarbrücken, Germany. Thesis Topic: Repeating the Past: Experimental and Empirical Methods in System and Software Security.

Defense on February 6, 2008; grade: magna cum laude.


1986–1994

Diploma in Computer Science, Kaiserslautern University, Kaiserslautern, Germany.

Grade: With Honors (best possible grade).


Research Experience

7/2008–1/2011

Research Fellow, Università degli Studi di Trento, Trento, Italy.

I worked on an EU project called MASTER, specifically on security and assurance indicators.

3/2003–9/2007

Scientific Assistant, Saarland U, Prof. Zeller, Saarbrücken, Germany.

I used data mining and statistical techniques on large software projects. This allowed me to predict which source files had as yet unknown vulnerabilities. In an application of this method to the Mozilla web suite, I produced a list of ten source files, five of which had security problems within the next six months. Work in progress includes trying to learn structured data in order to find vulnerability patterns and fixes, a broader study of the correlations between dependencies and vulnerabilities, and a broad study of the correlations between source code metrics and vulnerabilities.

I also used capture/replay techniques to analyze security incidents automatically. This resulted in a system that successfully analyzed complex multi-stage attacks that cannot be analyzed with any other tool today. I used the same techniques to automatically find attack vectors for targeted attacks.

All my work was published at international top peer-reviewed conferences (NDSS, CCS and Software Engineering).

Teaching Experience

3/2003–9/2007

Teaching Assistant (TA) and Lecturer, Saarland U, Prof. Zeller, Saarbrücken, Germany

I gave a lecture on “Design of Secure Software Systems” that was nominated for the Best Lecture Award in 2004. I also designed a new style of seminar, which has since been incorporated into the official module descriptions of the CS department. Besides acquainting students with important papers in a specific field, these seminars have the additional goal of teaching students how to give compelling scientific presentations. The two instances in which I taught this new seminar style were very well received by the students. Besides the courses listed below, which I either designed or to which I was a major contributor, I also helped with two more Software Design labs (Winter 2006/2007, Winter 2004/2005), a Programming course (Summer 2007), and a Software Engineering course (Winter 2005/2006).

  • Seminar “Seminal Papers in Practical Computer Security” (Winter 2006/2007)
  • Seminar “Open Source Programming Tools” (Winter 2006/2007)
  • Lecture “Design of Secure Software Systems” (Summer 2004)
  • Software Design Lab (Winter 2003/2004)
  • C++ Refresher Course (Summer 2003)

2001–2002

TA and Lecturer, International University in Germany, Prof. Assenmacher, Bruchsal, Germany

  • Algorithms and Data Structures
  • Principles of Operating Systems
  • Software Engineering

Professional Experience

3/2003–present

Founder, Associate, and Chairman, Sasecure Computersicherheit GmbH, Saarbrücken, Germany.

This company specializes in consulting services that help companies understand and manage the risks induced by operating computers. This includes standard measures such as penetration testing and risk analysis, but also strategic services such as the analysis of business processes. Companies that know and actively manage their risks have a competitive advantage over companies that do not, and those companies that invest in risk management are more likely to prevail over their more reluctant competitors.

4/1998–2/2003

Founder, Associate and Executive, ASIS GmbH, Kaiserslautern, Germany

This company specialized in first-to-market industrial prototypes for financial institutions. Projects included: making one bank Y2K and Euro ready; programming the first German Home Banking Computer Interface (HBCI) server (for Siemens AG); mSign, a mobile digital signature application (for Brokat AG); and EPP, an XML-based protocol for processing mobile micropayments (for Encorus AG). When the company was sold to Brokat in 1999, I handled the financial and bookkeeping aspects, thereby gaining some knowledge of US-GAAP.


1/1997–4/1998

Freelancer, Saarbrücken, Germany

This was the forerunner to the company above. Projects included work on the HBCI server and on Y2K and Euro readiness for the client bank.

3/1994–12/1996

System and Network Administrator, German Research Center for Artificial Intelligence (DFKI), Saarbrücken, Germany

The work included the administration of a heterogeneous and geographically far-flung network of over 100 computers. In the course of my work, I developed a system that allowed for the database-supported remote administration and configuration of almost any computer. I also developed an early-warning system to detect network attacks (this was at a time when firewalls were new!).


Publications

conference papers

Stephan Neuhaus and Thomas Zimmermann. The Beauty and the Beast: Vulnerabilities in Red Hat's Packages. In Proceedings of the 2009 USENIX Annual Technical Conference (USENIX '09), June 2009. Acceptance rate: 16.8% (32/191). [PDF]

Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. Predicting vulnerable software components. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pages 529–540, October 2007. Acceptance rate: 18.2% (55/303).

Stephan Neuhaus and Andreas Zeller. Isolating cause-effect chains in computer systems. In Software Engineering (SE) 2007, Lecture Notes in Informatics, pages 169–180, March 2007. Acceptance rate: 18.6% (13/70).

Stephan Neuhaus and Andreas Zeller. Isolating intrusions by automatic experiments. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), pages 71–80, February 2006. Acceptance rate: 13.4% (17/127).


workshop papers

Stephan Neuhaus. Vorhersage von Lücken in Quellcode. In Proceedings des 2. SIDAR Graduierten-Workshops über Reaktive Sicherheit, page 10, 2007.

Stephan Neuhaus. Wie man Einbrüche mit Experimenten analysiert. In Proceedings des SIDAR Graduierten-Workshops über Reaktive Sicherheit, page 4, 2006.

Stephan Neuhaus. Experimentelle Methoden zum Aufspüren von Einbrüchen (8th Workshop on Software Reengineering). Softwaretechnik-Trends, 26(2):25–26, 2006.

Stephan Neuhaus. Isolating intrusions by automatic experiments. In Workshop “Trustworthy Software” 2006, Schloss Dagstuhl, Germany, 2006. 3 pages, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI).


other publications

Stephan Neuhaus and Andreas Zeller. Schwachstellensucher. iX 4(2008):132–136.

Stephan Neuhaus. Statistical properties of IDEA session keys in PGP. [PS], 1993.

Stephan Neuhaus. Buffer Overflows und Lösungen dazu. Survey Article, [PDF], 2003.

Presentations

conference talks

Predicting Vulnerable Software Components, CCS 2007, Alexandria, VA, USA, 2 November 2007

Isolating Cause-Effect Chains in Computer Systems, SE 2007, Hamburg, Germany, 30 March 2007

Isolating Intrusions by Automatic Experiments, NDSS 2006, San Diego, CA, USA, 2 February 2006


workshop talks

Predicting Vulnerable Software Components, WISSec 2007, Luxembourg, Luxembourg, 20 September 2007

Vorhersage von Software-Schwachstellen, SPRING 2007, Dortmund, Germany, 25 July 2007

Wie man Einbrüche mit Experimenten analysiert, SPRING 2006, Berlin, Germany, 12 July 2006

Isolating Intrusions by Automatic Experiments, Trustworthy Systems Workshop 2006, Saarbrücken, Germany, 18 May 2006


invited talks

Experimental Methods of Intrusion Analysis, Luxembourg University, 2006, 7 November 2006

Statistical Tests, Dagstuhl Seminar on Dynamic Analysis, 2005, Dagstuhl, Germany, 29 June 2005


Professional Activities

pc membership

Workshop on Quality of Protection (CCS 2008)

external reviews

Deutsche Software Engineering-Konferenz (SE 2007)
Deutsche Software Engineering-Konferenz (SE 2005)
Transactions on Software Engineering (TSE, 2005)

memberships

ACM, IEEE Computer Society

Hobbies and Interests

music

Guitarist, singer, arranger, and band member.

Awards and Honors

1986

Third place in first round of Federal Mathematics Competition.


References

Prof. Andreas Zeller
Saarland University
Department of Informatics
Postfach 15 11 50
66041 Saarbrücken, Germany
Email: zeller [at] cs.uni-sb.de
Phone: +49 (681) 302-64011

Prof. Thomas Zimmermann
University of Calgary
Department of Computer Science
2500 University Drive NW
Calgary, Alberta, T2N 1N4, Canada
Email: zimmerth [at] cpsc.ucalgary.ca
Phone: +1 (403) 210-9470

Dr. Holger Assenmacher
Ternius GmbH

Lindenstraße 14
67685 Eulenbis, Germany
Email: assen [at] ternius.de
Phone: +49 (6374) 99 31 15
