Martin Johns
Email: mj at martinjohns dot com
Tel: +49 40 42883 - 2654
Fax: +49 40 42883 - 2086
Office Addresses
SAP Research Karlsruhe
Vincenz-Priessnitz-Str. 1
D-76131 Karlsruhe, Germany
[web]
Universität Passau
Innstr. 43
D-94032 Passau, Germany
[web]
Links
Research Interests
- Web Application Security
- Software Security
- Static Code Checking
- Dynamic Code Securing
- Marek Jawurek, Martin Johns, Florian Kerschbaum: Plug-in privacy for Smart Metering billing, in 11th Privacy Enhancing Technologies Symposium (PETS 2011), July, 2011
- Martin Johns, Sebastian Lekies: Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests , in Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2011), July, 2011
- Sebastian Lekies, Martin Johns, Walter Tighzert: The State of the Cross-domain Nation, in 5th workshop on Web 2.0 Security and Privacy (W2SP 2011), May, 2011
- Nick Nikiforakis, Wouter Joosen, Martin Johns: Abusing Locality in Shared Web Hosting, in 4th European Workshop on System Security (EUROSEC'11), April 2011 (to appear).
- Martin Johns, Moritz Jodeit: Scanstud: A Methodology for Systematic, Fine-grained Evaluation of Static Analysis Tools, in Second International Workshop on Security Testing (SECTEST'11), March 2011 (pdf).
- Martin Johns, Bastian Braun, Michael Schrank, Joachim Posegga: Reliable Protection Against Session Fixation Attacks, 26th ACM Symposium on Applied Computing (SAC 2011), Security Track, March 2011 (pdf).
- Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, Wouter Joosen: SessionShield: Lightweight Protection against Session Hijacking, in 3rd International Symposium on Engineering Secure Software and Systems (ESSoS '11), February 2011 (pdf)
- Moritz Jodeit, Martin Johns: USB Device Drivers: A Stepping Stone into your Kernel, in 6th European Conference on Computer Network Defense (EC2ND 2010), October 2010 (pdf)
- Marek Jawurek, Martin Johns: Security Challenges of a Changing Energy Landscape. in Information Security Solutions Europe (ISSE 2010), Vieweg Verlag, October 2010 (pdf)
- Michael Schrank, Bastian Braun, Martin Johns, Joachim Posegga: Session Fixation - the Forgotten Vulnerability?, in 5th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2010), Lecture Notes in Informatics (LNI), October 2010 (pdf).
- Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga: Secure Code Generation for Web Applications, in 2nd International Symposium on Engineering Secure Software and Systems (ESSoS '10), LNCS 5965, Seiten 96 - 113, Springer, February 2010 (pdf).
- Martin Johns, Bjoern Engelmann, Joachim Posegga: XSSDS: Server-side detection of cross-site scripting attacks, in 24th Annual Computer Security Applications Conference (ACSAC '08), pp. 335 - 344, IEEE Computer Society, December 2008 (pdf).
- Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited, in Journal in Computer Virology, Volume 4, Number 3, pp. 161 - 178, Springer Paris, August 2008 (doi, pdf).
- Malko Steinorth, Martin Johns: Zeitverläufe bei automatisierten Penetrationstests, 15. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2008 (pdf).
- Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis, in Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi).
- Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks, in Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), B. M. Hämmerli and R. Sommer (ed.), Springer, LNCS 4579, pp. 40-59, July 2007 (pdf).
- Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation, 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, Seoul, Korea, March 2007 (pdf).
- Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Enwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (pdf)
- Martin Johns: A First Approach to Counter "JavaScript Malware" In Proceedings of the 23rd Chaos Communication Congress, Verlag Art d'Ameublement, Bielefeld, ISBN 978-3-934-63605-7, pages 160 - 167, December 2006 (pdf)
- Martin Johns: SessionSafe: Implementing XSS Immune Session Handling in in European Symposium on Research in Computer Security (ESORICS 2006), Gollmann, D.; Meier, J. & Sabelfeld, A. (ed.), Springer, LNCS 4189, pp. 444-460, September 2006 (pdf).
- Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding in Proceedings of the OWASP Europe 2006 Conference by Piessens, F. (ed.), Report CW448, Departement Computerwetenschappen, Katholieke Universiteit Leuven, Belgium, May 2006 (pdf).
- Martin Johns: Pseudonyme Biometrik - Ein signaturbasierter Ansatz in "BIOSIG 2003 - Biometrics and Electronic Signatures" by A. Brömme and C. Busch (Eds.), Lecture Notes in Informatics (LNI) P-31, Bonner Köllen Verlag, Darmstadt, Germany, July 2003 (paper, sildes)
- Dan Boneh, Ulfar Erlingsson, Martin Johns, and Benjamin Livshits: Dagstuhl Seminar 09141: Web Application Security (Executive summary), Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany, 2010
- Martin Johns: Code-injection Verwundbarkeiten in Web Anwendungen am Beispiel von Cross-site Scripting, in Ausgezeichnete Informatikdissertationen 2010, Lecture Notes in Informatics (LNI), Bonner Köllen Verlag, Darmstadt, Germany, 2010
- Isabel Thomas, Anke Weidlich, Martin Johns: IT-Gestützte Geschäftsprozesse in zukünftigen E-Mobility Szenarien, VDE Kongress 2010 - E-Mobility, ISBN 978-3-8007-3304-0, Germany, 2010
- "Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests", talk at the Gothenborg OWASP Kick-off, April 14th 2011, Gothenborg, Sweden
- "The Mess We Are In - the Past, Present, and Future of Web Security", Keynote at the 6th Workshop on Security and Trust Management (STM 2010), September 24th, Athens, Greece
- "Session Fixation - the Forgotten Vulnerability?" (with Henrich C. Poehls, Michael Schrank, and Bastian Braun), OWASP Research 2010, June 23rd 2010, Stockholm, Sweden
- "Cross-site requests - One mechanism, many attacks", talk given at the RUB Hackerpraktikum, June 18th 2010, Bochum, Germany
- "Cross-site requests and other offenders... " (slides) and "Secure Code Generation for Web Applications" (slides), both held at the Dagstuhl Seminar on Web Application Security, March/April 2009, Dagstuhl, Germany
- "Secure Code Generation for Web Applications", talk given at Microsoft Research, December 15th 2008, Redmond, USA (slides)
- "XSSDS und noXSS - Server- und Browser-basierte XSS Erkennung" (with Jeremias Reith), OWASP Germany Conference, November 25th 2008, Frankfurt, Germany (slides)
- "Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium (slides)
- "The three faces of CSRF", talk at the DeepSec2007 conference, November 23th 2007, Vienna, Austria (slides, video)
- "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (slides, video).
- "Towards vulnerability prevention in web applications via data/code separation", talk at the Fraunhofer First Kolloquium, June 20th 2007, Berlin, Germany (slides)
- "Cross Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk at the IICO-Congress, May 9-11 2007, Berlin, Germany
- "CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3, December 27-30 2006, Berlin, Germany (video)
- "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokio, Japan (slides english/japanese).
- "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
- "Softwaresicherheit - Eine Forschungsperspektive" (with Joachim Posegga), talk at the Frühjahrstreffen der GI-Fachgruppe Datenbanken, 06.04.2006
- "Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3, 27.12.2005, Berlin, Germany (slides, video)
- Marek Jawurek, Martin Johns, Florian Kerschbaum: Plug-in privacy for Smart Metering billing, Technical Report, The Computing Research Repository: Report 1012.2248, 2010 (pdf)
- Martin Johns: Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level, Technical Report, number 279-07, University of Hamburg, May 2007 (pdf).
Professional Activities
- Member of organizing committees: ESORICS 2006 (workshop chair), Dagstuhl Seminar on Web Application Security (co-organizer), OWASP AppSec Germany 2010
- Member of program committees: OWASP Europe 2007, NordSec 2007, OWASP Europe 2008, DIMVA 2008, OWASP Research 2010, W2SP 2010, EC2ND 2010, STM 2010, ESSoS 2011, DIMVA 2011, STM 2011, EC2ND 2011, W2SP 2011, ESSoS 2012.
- Reviewer for program committees/journals: sOc-EUSAI 2005, CARDIS 2006, SEC 2006, ISAS 2006, SEC 2007, WISTP 2007, International Journal of Information Security, WISTP 2008, CARDIS 2008, SECRYPT 2008, TrustBus 2009, NTMS 2009, INC 2010, IOT 2010.
- Member of the CEPS Task Force on Critical Infrastructure Protection in the EU