Vacancies

We are constantly looking for strong individuals to join our team. There are opportunities at all levels: student assistants (studentische/wissenschaftliche Hilfskraft), PhD students and research assistants (wissenschaftliche Mitarbeiter), as well as postdocs. If you don't see a suitable position posted here but think you would be a good fit for us anyway, don't hesitate to get in touch! There are usually more opportunities available, even on short notice.

Two Research Assistants for Securing Software Supply Chains (JS / WASM / Rust / C/C++)

We are looking to hire two research assistants (PhD students or postdocs) from July 2021 or as soon as possible, on a new project at federal salary level TV-ÖD E13 (approx. 52–65 kEUR depending on experience). The project is initially funded until November 2023.

Modern software supply chains are large and complex. For instance, installing a single Node.js package from NPM may recursively pull in hundreds of dependencies containing code written by thousands of developers. Every modern programming language has a package management system, and the mantra of "don't repeat yourself" has led to a proliferation of code dependencies for even minor functionality. This also leads to a security problem as we effectively trust every single developer account with push access to those repositories. There has been an increase in incidents where accounts were taken over and malicious code implanted into popular packages. This threat is only going to increase, and future attackers will likely be stealthier than those in the past.

The goal of this project is to develop techniques for automatic vetting of open source repositories, in particular for detecting implants of malicious code in source code. We will use a mix of static and dynamic techniques to achieve this goal: fuzzing or symbolic execution for differential testing of program versions, and modeling of implant code to detect dangerous patterns in code repositories using static analysis. We are particularly interested in NPM and JavaScript / WebAssembly, but depending on your interests and experience, we may pivot or extend the scope to Rust crates or C/C++ code submitted to community-driven Linux package managers.

Requirements

  • Master's degree (or equivalent) in computer science or a closely related discipline
  • Strong programming skills and the motivation to tackle challenging, unsolved problems
  • Fluency in written and spoken English (German not required)

Research Assistant in Smart Fuzzing

We are looking to hire a research assistant (PhD student or postdoc) from August 2021 or as soon as possible, on a new project at federal salary level TV-ÖD E13 (approx. 52–65 kEUR depending on experience). The project is initially funded until November 2023.

Fuzzing is one of the most successful contemporary methods for finding bugs and vulnerabilities in software. Its basic idea is attractively simple: feed random data to a program until it crashes or exhibits some other form of erroneous behavior. Now just what kind of random input to generate is an area of active research. Feedback-driven mutation-based fuzzing in particular is responsible for much of the success in recent years. Here, coverage data is collected for each run, and if some input is found to cover interesting new ground, it is used to spawn future generations of inputs. Because source code generally isn't available for many interesting settings, heuristics have to make do with binary-level coverage feedback.

In parallel work, we have built a machine learning system for recovering metadata such as function names for binaries. Because this metadata is lost during compilation, it is immensely valuable for reverse engineering. In this project, we will investigate the use of metadata (both original and automatically inferred) in fuzzing. Using function names and arbitrary labels for code regions, we will adjust seed prioritization in fuzzing as well as improve crash reporting and bucketing. This research will be conducted in the context of a larger project on fuzzing, which involves building and running an experimental fuzzing infrastructure on over 1000 CPU cores.

Requirements

  • Master's degree (or equivalent) in computer science or a closely related discipline
  • Strong programming skills and the motivation to tackle challenging, unsolved problems
  • Fluency in written and spoken English (German not required)

How to Apply

Applicants should prepare:

  • A covering letter describing your reasons and qualifications for pursuing the posted position, and the research topics you are interested in;
  • A current CV;
  • Two academic references, i.e., contact information of academics that are able to recommend you for the position.

Please send your application by e-mail directly to Johannes Kinder.

Bundeswehr University Munich is an equal opportunities employer and places particular emphasis on fostering career opportunities for women. Qualified women are therefore strongly encouraged to apply. Disabled persons with equivalent aptitude will be favored. Personal data and documents relating to the application process will be stored electronically.

About Us

Joining us will provide you with the opportunity to work in a high-energy environment in one of the most exciting research areas of computer science. You will join a network of international collaborators to work with cutting-edge technology and push the boundaries of what is possible today. With PATCH still being a young research lab, you will be able to help shape the environment to your liking and leave your mark.

We are part of the Research Institute CODE, which was founded in 2017 at Bundeswehr University Munich with the aim of becoming an internationally leading center for research in cyber security. The immediate goal is to grow the institute to 13 professors and 250 staff, which will make it one of the largest security clusters in Europe.

We are located in south-east Munich, a short walk from Neuperlach Süd station. Munich is consistently rated as one of the best cities in the world to live in and a leading technology hub in Germany. Bundeswehr University Munich is one of only two federal universities funded by the German Department of Defense. It is a research-intensive university with both military and civilian students.