Vacancies

We are constantly looking for strong individuals to join our team. There are opportunities at all levels: student assistants (studentische/wissenschaftliche Hilfskraft), PhD students and research assistants (wissenschaftliche Mitarbeiter), as well as postdocs. If you don't see a suitable position posted here but think you would be a good fit for us anyway, don't hesitate to get in touch! There are usually more opportunities available, even on short notice.

Research Assistant for Securing Software Supply Chains (JS / WASM / Rust / C/C++)

We are looking to hire a research assistant (PhD student or postdoc) to begin as soon as possible, on a new project at federal salary level TV-ÖD E13 (approx. 52–65 kEUR depending on experience). The project is initially funded until November 2023, with the possibility of extension.

Modern software supply chains are large and complex. For instance, installing a single Node.js package from NPM may recursively pull in hundreds of dependencies containing code written by thousands of developers. Every modern programming language has a package management system, and the mantra of "don't repeat yourself" has led to a proliferation of code dependencies for even minor functionality. This also leads to a security problem, as we effectively trust every single developer account with push access to those repositories. There has been an increase in incidents where accounts were taken over and malicious code implanted into popular packages. This threat is only going to increase, and future attackers will likely be stealthier than those in the past.

The goal of this project is to develop techniques for automatic vetting of open source repositories, in particular for detecting implants of malicious code in source code. We will use a mix of static and dynamic techniques to achieve this goal: fuzzing or symbolic execution for differential testing of program versions, and modeling of implant code to detect dangerous patterns in code repositories using static analysis. We are particularly interested in NPM and JavaScript / WebAssembly, but depending on your interests and experience, we may pivot or extend the scope to Rust crates or C/C++ code submitted to community-driven Linux package managers.

Requirements

  • Master's degree (or equivalent) in computer science or a closely related discipline
  • Strong programming skills and the motivation to tackle challenging, unsolved problems
  • Fluency in written and spoken English (German not required)

Research Assistant in Smart Fuzzing

We are looking to hire a research assistant (PhD student or postdoc) to begin as soon as possible, on a new project at federal salary level TV-ÖD E13 (approx. 52–65 kEUR depending on experience). The project is initially funded until November 2023, with the possibility of extension.

Fuzzing is one of the most successful contemporary methods for finding bugs and vulnerabilities in software. Its basic idea is attractively simple: feed random data to a program until it crashes or exhibits some other form of erroneous behavior. Now just what kind of random input to generate is an area of active research. Feedback-driven mutation-based fuzzing in particular is responsible for much of the success in recent years. Here, coverage data is collected for each run, and if some input is found to cover interesting new ground, it is used to spawn future generations of inputs. Because source code generally isn't available for many interesting settings, heuristics have to make do with binary-level coverage feedback.

In parallel work, we have built a machine learning system for recovering metadata such as function names for binaries. Because this metadata is lost during compilation, it is immensely valuable for reverse engineering. In this project, we will investigate the use of metadata (both original and automatically inferred) in fuzzing. Using function names and arbitrary labels for code regions, we will adjust seed prioritization in fuzzing as well as improve crash reporting and bucketing. This research will be conducted in the context of a larger project on fuzzing, which involves building and running an experimental fuzzing infrastructure on over 1000 CPU cores.

Requirements

  • Master's degree (or equivalent) in computer science or a closely related discipline
  • Strong programming skills and the motivation to tackle challenging, unsolved problems
  • Fluency in written and spoken English (German not required)

PhD Student (Open Topic)

We are looking to hire a PhD Student (Open Topic) in the area of systems security / program analysis / machine learning, from December 1st, 2021. The position is fully funded at federal salary level TV-ÖD E13 (~52k EUR). Application deadline: September 30th, 2021.

Research Topics

This is an open topic position, but your research should align with the general areas of interest of the group. We're at home on the boundary of programming languages and systems security, and we like to turn deep theoretical concepts into practical solutions that work on real software.

Whether you prefer x86 assembly language or JavaScript, you should have a passion for building systems and a deep curiosity for how things work at a low level. To give an idea of what you might work on, some of the topics we are looking at right now are: using machine learning to aid reverse engineering; security analysis of WebAssembly programs; hardening software against speculative execution attacks; and automated testing of JavaScript.

Requirements

  • Master's degree (or equivalent) in computer science or a closely related discipline
  • Interest in research and teaching
  • Fluency in written and spoken English (German not required)

How to Apply

Applicants should prepare:

  • A covering letter describing your reasons and qualifications for pursuing the posted position, and the research topics you are interested in;
  • A current CV;
  • Two academic references, i.e., contact information of academics that are able to recommend you for the position.

Please send your application by e-mail directly to Johannes Kinder.

Bundeswehr University Munich is an equal opportunities employer and places particular emphasis on fostering career opportunities for women. Qualified women are therefore strongly encouraged to apply. Disabled persons with equivalent aptitude will be favored. Personal data and documents relating to the application process will be stored electronically.

About Us

The PATCH research lab has been led by Johannes Kinder since 2019 and is part of the Research Institute CODE of Bundeswehr University Munich. CODE was founded in 2017 with the aim of becoming an internationally leading center for research in cyber security. The immediate goal is to grow the institute to 13 professors and 250 staff, which will make it one of the largest security clusters in Europe.

We are located in south-east Munich, a short walk from Neuperlach Süd station. Munich is consistently rated as one of the best cities in the world to live in and a leading technology hub in Germany. Bundeswehr University Munich is one of only two federal universities funded by the German Department of Defense. It is a research-intensive university with both military and civilian students.