Software Security

Recent Courses

Winter 2025/2026

Lecture
Software Security 1
Seminar
Seminar Software Security

Summer 2025

Lecture
Software Security 2
Seminar
Seminar Software and Internet Security

Publications

Peer-Reviewed

StorFuzz: Using Data Diversity to Overcome Fuzzing Plateaus

Leon Weiß, Tobias Holl, Kevin Borgolte

Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE), April 2026

To appear.

@inproceedings{icse2026-storfuzz,
  title     = {{StorFuzz: Using Data Diversity to Overcome Fuzzing Plateaus}},
  author    = {Weiß, Leon and Holl, Tobias and Borgolte, Kevin},
  booktitle = {Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE)},
  date      = {2026-04},
  edition   = {48},
  editor    = {Mezini, Mira and Zimmermann, Thomas},
  location  = {Rio de Janeiro, Brazil},
  publisher = {Association for Computing Machinery (ACM)/Institute of Electrical and Electronics Engineers (IEEE)}
}

Hallucinating Certificates: Differential Testing of TLS Certificate Validation Using Generative Language Models

Talha Paracha, Kyle Posluns, Kevin Borgolte, Martina Lindorfer, David Choffnes

Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE), April 2026

To appear.

@inproceedings{icse2026-hallucinating-certificates,
  title     = {{Hallucinating Certificates: Differential Testing of TLS Certificate Validation Using Generative Language Models}},
  author    = {Paracha, Talha and Posluns, Kyle and Borgolte, Kevin and Lindorfer, Martina and Choffnes, David},
  booktitle = {Proceedings of the 48th IEEE/ACM International Conference on Software Engineering (ICSE)},
  date      = {2026-04},
  edition   = {48},
  editor    = {Mezini, Mira and Zimmermann, Thomas},
  location  = {Rio de Janeiro, Brazil},
  publisher = {Association for Computing Machinery (ACM)/Institute of Electrical and Electronics Engineers (IEEE)}
}

Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols

Carlotta Tagliaro, Martina Komsic, Andrea Continella, Kevin Borgolte, Martina Lindorfer

Proceedings of the 27th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2024

@inproceedings{raid2024-iot-backends,
  title     = {{Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols}},
  author    = {Tagliaro, Carlotta and Komsic, Martina and Continella, Andrea and Borgolte, Kevin and Lindorfer, Martina},
  booktitle = {Proceedings of the 27th International Symposium on Recent Advances in Intrusion Detection (RAID)},
  series    = {Lecture Notes in Computer Science (LNCS)},
  date      = {2024-09},
  doi       = {https://doi.org/10.1145/3678890.3678899},
  edition   = {27},
  editor    = {Aafer, Yousra and Fratantonio, Yanick},
  isbn      = {979-8-4007-0959},
  location  = {Padua, Italy},
  publisher = {Springer International Publishing},
  url       = {https://doi.org/10.1145/3678890.3678899}
}

Are You Sure You Want To Do Coordinated Vulnerability Disclosure?

Ting-Han Chen, Carlotta Tagliaro, Martina Lindorfer, Kevin Borgolte, Jeroen van der Ham-de Vos

Proceedings of the 9th International Workshop on Traffic Measurements for Cybersecurity (WTMC), July 2024

@inproceedings{wtmc2024are-you-sure-you-want-to-do-cvd,
  title     = {{Are You Sure You Want To Do Coordinated Vulnerability Disclosure?}},
  author    = {Chen, Ting-Han and Tagliaro, Carlotta and Lindorfer, Martina and Borgolte, Kevin and van der Ham-de Vos, Jeroen},
  booktitle = {Proceedings of the 9th International Workshop on Traffic Measurements for Cybersecurity (WTMC)},
  date      = {2024-07-08},
  doi       = {10.1109/EuroSPW61312.2024.00039},
  edition   = {9},
  location  = {Vienna, Austria},
  publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
  url       = {https://doi.org/10.1109/EuroSPW61312.2024.00039}
}

IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis

David Schmidt, Carlotta Tagliaro, Kevin Borgolte, Martina Lindorfer

Proceedings of the 30th ACM SIGSAC Conference on Computer and Communications Security (CCS), November 2023

@inproceedings{ccs2023-iotflow,
  title     = {{IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis}},
  author    = {Schmidt, David and Tagliaro, Carlotta and Borgolte, Kevin and Lindorfer, Martina},
  booktitle = {Proceedings of the 30th ACM SIGSAC Conference on Computer and Communications Security (CCS)},
  date      = {2023-11},
  doi       = {10.1145/3576915.3623211},
  edition   = {30},
  editor    = {Cremers, Cas and Kirda, Engin},
  location  = {Copenhagen, Denmark},
  publisher = {Association for Computing Machinery (ACM)},
  url       = {https://doi.org/10.1145/3576915.3623211}
}

Cyber Grand Shellphish

Antonio Bianchi, Kevin Borgolte, Jacopo Corbetta, Francesco Disperati, Andrew Dutcher, John Grosen, Paul Grosen, Aravind Machiry, Christopher Salls, Yan Shoshitaishvili, Nick Stephens, Giovanni Vigna, Ruoyu Wang

Phrack (Volume 15, Issue 70), October 2021

Authors listed alphabetically.

@article{phrack2021-cyber-grand-shellphish,
  title     = {{Cyber Grand Shellphish}},
  author    = {Bianchi, Antonio and Borgolte, Kevin and Corbetta, Jacopo and Disperati, Francesco and Dutcher, Andrew and Grosen, John and Grosen, Paul and Machiry, Aravind and Salls, Christopher and Shoshitaishvili, Yan and Stephens, Nick and Vigna, Giovanni and Wang, Ruoyu},
  date      = {2021-10-05},
  journal   = {Phrack},
  number    = {70},
  publisher = {The Phrack Staff},
  url       = {http://phrack.org/papers/cyber_grand_shellphish.html},
  volume    = {15}
}

Mechanical Phish: Resilient Autonomous Hacking

Yan Shoshitaishvili, Antonio Bianchi, Kevin Borgolte, Amat Cama, Jacopo Corbetta, Francesco Disperati, Andrew Dutcher, John Grosen, Paul Grosen, Aravind Machiry, Christopher Salls, Nick Stephens, Ruoyu Wang, Giovanni Vigna

IEEE Security & Privacy, March 2018

@article{spm2018-mechanical-phish,
  title     = {{Mechanical Phish: Resilient Autonomous Hacking}},
  author    = {Shoshitaishvili, Yan and Bianchi, Antonio and Borgolte, Kevin and Cama, Amat and Corbetta, Jacopo and Disperati, Francesco and Dutcher, Andrew and Grosen, John and Grosen, Paul and Machiry, Aravind and Salls, Christopher and Stephens, Nick and Wang, Ruoyu and Vigna, Giovanni},
  date      = {2018-03/2018-04},
  doi       = {10.1109/MSP.2018.1870858},
  issn      = {1558-4046},
  journal   = {IEEE Security \& Privacy},
  number    = {2},
  pages     = {12--22},
  publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
  url       = {https://doi.org/10.1109/MSP.2018.1870858},
  volume    = {16}
}

Ten Years of iCTF: The Good, The Bad, and The Ugly

Giovanni Vigna, Kevin Borgolte, Jacopo Corbetta, Adam Doupé, Yanick Fratantonio, Luca Invernizzi, Dhilung Kirat, Yan Shoshitaishvili

Proceedings of the 1st USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE), August 2014

@inproceedings{3gse2014-10-years-of-ictf,
  title     = {{Ten Years of iCTF: The Good, The Bad, and The Ugly}},
  author    = {Vigna, Giovanni and Borgolte, Kevin and Corbetta, Jacopo and Doupé, Adam and Fratantonio, Yanick and Invernizzi, Luca and Kirat, Dhilung and Shoshitaishvili, Yan},
  booktitle = {Proceedings of the 1st USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE)},
  date      = {2014-08},
  edition   = {1},
  editor    = {Peterson, Zachary N. J.},
  location  = {San Diego, CA},
  publisher = {USENIX Association},
  url       = {https://www.usenix.org/conference/3gse14/summit-program/presentation/vigna}
}