Our New CISPA-Faculty: Fuzzing Expert Dr. Moritz Schloegel
Software has become an essential part of our everyday lives. Users usually only notice the programs they interact with via graphical interfaces. However, for these to function properly, numerous other components are active in the background, such as the JavaScript engine of a web browser. Dr. Moritz Schloegel is interested in this type of software, especially its vulnerabilities. His research area is software security and program analysis. “My focus is on the automation of program analysis, especially in finding bugs and security vulnerabilities,” explains Schloegel. “My goal is to make software more secure.”
He was already familiar with CISPA from his doctoral studies, when his doctoral supervisor, Prof. Dr. Thorsten Holz, moved to the Center. Schloegel completed his doctorate at Ruhr University Bochum and then went on to do postdoctoral research at Arizona State University in the USA. “The size of the lab was a completely new experience: We had around 40 PhD students, plus several postdocs and professors. It was interesting to see how much everything there is organized around external funding and projects,” he says. At CISPA, he was particularly impressed by how much collaborative effort goes into research. “There is a very high standard of excellent research and a great team here,” stresses Schloegel. “This combination makes CISPA particularly attractive to me.”
How a Bachelor’s Thesis Led to a Career in Science
Dr. Moritz Schloegel decided on a career in science relatively late in his studies. “At the beginning of my studies, I definitely didn’t want to do a doctorate. My plan was more like: bachelor’s, master’s, then work,” he says. “My bachelor’s thesis supervisor then suggested that I turn my bachelor’s thesis into a paper. I surprisingly enjoyed that a lot.” This positive experience motivated him to pursue a doctorate. There he discovered how much he enjoyed research. “Learning new things and exploring topics without knowing the exact goal is incredibly exciting,” says the researcher. “It is particularly fulfilling to pass on knowledge and accompany students on their journey.” These experiences convinced him to devote his life to research.
Specialization in Automated Program Analysis
Schloegel compares finding bugs to a treasure hunt: “You find something that wasn’t intended and that even the developers overlooked. It’s a good feeling to eliminate problems before they can be exploited. Especially with browsers, this would have a direct impact on a lot of people.” A key approach to finding vulnerabilities is known as fuzzing. Here, special programs automatically generate a large number of inputs, execute the program under test with them, and analyze its behavior. If an input causes a crash or unexpected behavior, researchers examine it more closely. This creates an automated cycle that allows researchers to efficiently test large amounts of code.
Without automation, code must be analyzed manually. “There are people who are extremely good at this. The problem, however, is that it cannot be scaled well to large amounts of code,” explains Schloegel. “Today, millions of lines of code are written, increasingly automated by AI systems. It is simply not possible to check all of this manually. That is why fuzzing is such an important component.” However, processes such as the evaluation of vulnerabilities found or the automatic correction of errors are not yet fully automated. This is precisely where Schloegel sees great potential for future research.
Reproducibility in Research
Another topic Schloegel is working on is the reproducibility of scientific results. “We have noticed that in the field of fuzzing, results are often difficult to reproduce. This is due to the strong dependence on chance and small details,” says the researcher. In this context, he also criticizes the CVE identifier system, a standard for documenting publicly known security vulnerabilities. In his view, there is a lack of careful examination of the reported security vulnerabilities in some cases. “This creates false incentives to collect CVEs in order to make research results look better, which raises ethical and scientific questions,” explains Schloegel. Although these issues are not his main focus, they are very important for the further development of his field of research: “They affect the quality and credibility of our research. That’s why I’m also involved in workshops and discussions on these issues.”
Tenure Track and Building a Research Group
One of the biggest challenges for him at the moment is building his research group. “Finding the right people is really difficult,” says the CISPA researcher. “My field of research is deeply rooted in the technical fundamentals of software, and this knowledge is often only touched upon in university studies. It requires a lot of initiative and practice. That’s why the pool of interested people is very small, both nationally and internationally.” In the long term, he would like to specifically promote young talent through teaching: “I am planning a lecture on reverse engineering and exploitation in which students can apply the basics in practice,” says Schloegel. “These skills can be developed through practice and repetition.” In this way, he not only wants to build up his own research group but also help shape the entire field of automated program analysis in the long term.