Program Analysis for Vulnerability Detection Cristian-Alexandru Staicu



Zoom meeting invitation

Please check your emails (including the spam folder) to find the invitation for the Zoom meeting. 


Kick off the seminar

Hey all,

Thanks for choosing this seminar. Please vote in the following doodle, so we can agree on a time slot for the seminar (on Thursdays):
Additionally, please send me a list of five... Read more

Hey all,

Thanks for choosing this seminar. Please vote in the following doodle, so we can agree on a time slot for the seminar (on Thursdays):
Additionally, please send me a list of five topics you would like to be assigned to. The list should be ordered from your first preference to your fifth. 



P.S. I also sent you an email with additional information earlier today.



Program analysis is a mature research area at the intersection of programming languages, formal methods, and software engineering. One of its main applications is automatic vulnerability detection. However, the complexity of modern systems is overwhelming and the vulnerabilities to be detected are increasingly sophisticated. To account for these particularities, many recent approaches advocate for lightweight program analysis techniques or hybrid methods, i.e., static and dynamic analysis. This seminar explores the trade-offs involved in designing a program analysis that scales to analyzing the security of real systems. In this seminar, we will discuss recent research papers in the area in a reading group format. Each week, one student will present papers covering a given topic, followed by a discussion. All participants are expected to actively participate in the discussion by asking questions.


Instructor: Cristian-Alexandru Staicu

Time: Thursday, 15:00 (3pm)

Location: Zoom (Disclaimer) - link to the recurring meeting was sent by email.

Semester Plan

  • 5th of November - kick-off meeting,
  • 12th of November - Paul KrappenVulnerabilities in low-level programs,
  • 19th of November - Raoul ScholtesVulnerabilities in web applications,
  • 26th of November - Pit JostDetect misuses of crypto APIs,
  • 3rd of December - Tristan Hornetz, Removing vulnerabilities through debloating,
  • 10th of December - Jeremy Rack, Automatic patching of vulnerabilities,
  • 17th of December - Banji OlorundareFuzzing compilers and engines,
  • 7th of January - Tim WalitaVulnerabilities in software components and dependencies,
  • 14th of January  - Jonathan BuschVulnerabilities in mobile apps,
  • 21st of January  - Dominic TroppmannVulnerability prediction,
  • 28th of January  - Muhammad Bilal LatifMachine learning-aided vulnerability detection,
  • 4th of February - Dominik SautterAvailability vulnerabilities.

Grading system

The final grade is an aggregate of the following parts, both presentation and final report are mandatory:

  • 50% the final report,
  • 50% the presentation,
  • bonus: up to 15% for being active in class,
  • bonus: up to 15% for the hands-on exercise. 

Supporting Materials

Please find below a set of useful materials for the seminar:

  • The kick-off presentation's slides contain useful information about the structure and goals of this seminar, but also some required background for the assigned papers.
  • Sample presentation 1 - you should aim for this much content when presenting each of the assigned papers (approx. 10 minutes). See the kick-off presentation for the recommended presentation's structure.
  • Sample presentation 2 - a slightly longer presentation (approx. 15 minutes).
  • Consider using the following template for the report and its associated sources.


  1. Vulnerabilities in web applications
  2. Vulnerabilities in software components and dependencies
  3. Vulnerabilities in mobile apps
  4. Detect misuses of crypto APIs
  5. Vulnerabilities in low-level programs
  6. Fuzzing low-level programs
  7. Fuzzing compilers and engines
  8. Machine learning-aided vulnerability detection
  9. Availability vulnerabilities
  10. Automatic patching of vulnerabilities
  11. Removing vulnerabilities through debloating
  12. Vulnerability prediction

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators