| | |
Marcel Böhme is a faculty member at the Max Planck Institute for Security
and Privacy (MPI-SP) in Germany where he leads the Software Security research group.
His group has made foundational contributions to fuzzing which has become one of the
most successful techniques for the automatic discovery of security flaws in practice. In 2024,
Marcel was awarded an
ERC Consolidator grant for his project on in-vivo software security analysis at
scale which will develop the empirical foundations of program analysis.
To find out more about the research in our group, head over to https://mpi-softsec.github.io
Marcel is a Guest Editor-in-Chief and Associate Editor for the ACM TOSEM, the flagship
journal in software engineering, an Area Chair for ICSE'24, the flagship conference
in software engineering, and a PC Chair for two major conferences, ASE'25 and ISSTA'26.
He served on the program committees and organizational committees of all premier international
conferences in software engineering. Marcel received his PhD from the National
University of Singapore where, 10 years later, he received an Outstanding Young Computing Alumni Award.
| [Textbook] |
 |
The Fuzzing Book |
 |
Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler |
|
(One-line Abstract) Interactive, Jupyter-style textbook on fuzzing and automated test generation. |
|
Digital textbook available at https://www.fuzzingbook.org |
| | |
| [TOSEM'25] |
|
Software Security Analysis in 2030 and Beyond: A Research Roadmap |
|
Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello |
|
(One-line Abstract) Challenges and opportunities for the security analysis of our software systems of the future. |
|
ACM Transactions on Software Engineering and Methodology (Invited Paper). |
| | |
| [ICLR'25] |
|
How Much is Unseen Depends Chiefly on Information About the Seen |
|
Seongmin Lee and Marcel Böhme |
|
(One-line Abstract) Significant progress on a beautiful statistical riddle. For instance, estimates training data representativeness. |
|
International Conference on Learning Representations (ICLR'25), 24 pages. |
| 🏆 |
Award: Our paper was selected as ICLR'25 Spotlight (Top 5%)! Congrats Seongmin! |
| | |
| [ICSE'25] |
|
Invivo Fuzzing by Amplifying Actual Executions |
|
Octavio Galland and Marcel Böhme |
|
(One-line Abstract) Don't attach a fuzzer using fuzz drivers! Inject a fuzzer and amplify any state. |
|
IEEE/ACM International Conference on Software Engineering 2025 (ICSE'25), 13 pages. |
| | |
| [ICSE'25] |
|
Accounting for Missing Events in Statistical Information Leakage Analysis |
|
Seongmin Lee, Shreyas Minocha, and Marcel Böhme |
|
(One-line Abstract) Estimating software privacy in the small sample regime. |
|
IEEE/ACM International Conference on Software Engineering 2025 (ICSE'25), 12 pages. |
| | |
| [FSE'25] |
|
MendelFuzz: The Return of the Deterministic Stage |
|
Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer |
|
(One-line Abstract) Can a fuzzer cover more code with minimal corruption of the initial seed? |
|
ACM International Conference on the Foundations of Software Engineering 2025 (FSE'25), 21 pages. |
| | |
| [TSE'25] |
|
AFLNet Five Years Later: On Coverage-Guided Protocol Fuzzing |
|
Ruijie Meng, Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury |
|
(One-line Abstract) State- and code-coverage-guided greybox fuzzing (Extended version of our ICSE'20 Tool Demo). |
|
IEEE Transactions on Software Engineering. |
| | |
| [USENIX Sec'24] |
|
Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection |
|
Niklas Risse and Marcel Böhme |
|
(One-line Abstract) Are machine learning models for vulnerability discovery as good as they seem? |
|
USENIX Security Symposium 2024 (USENIX Sec'24), 19 pages. |
| | |
| [CCS'24] |
|
Testing Side-Channel Security of Crypto. Implementations Against Future Microarchitectures |
|
G. Barthe, M. Böhme, S. Cauligi, C. Chuengsatiansup, D. Genkin, M. Guarnieri, D. Romero, P. Schwabe, D. Wu, and Y. Yarom |
|
(Two-line Abstract) Turns out all tested crypto impl. are vulnerable in the presence of recently proposed microarchitectures. |
|
--- even despite of (and sometimes because of) coding idioms meant to mitigate side channels at the source code level. |
|
ACM Conference on Computer and Communications Security 2024 (CCS'24), 16 pages. |
| 🏆 |
Award: Our paper received the ACM SIGSAC Distinguished Paper Award. Congrats all! |
| | |
| [ICSE'24] |
|
Extrapolating Coverage Rate in Greybox Fuzzing |
|
Danushka Liyanage, Seongmin Lee, Chakkrit Tantithamthavorn, and Marcel Böhme |
|
(One-line Abstract) How to *predict* the coverage rate of a greybox fuzzer in the future. |
|
IEEE/ACM International Conference on Software Engineering 2024 (ICSE'24), 13 pages. |
| | |
| [NDSS'24] |
|
Large Language Model guided Protocol Fuzzing |
|
Ruijie Meng, Martin Mirchev, Marcel Böhme, and Abhik Roychoudhury |
|
(One-line Abstract) How to make a fuzzer ask ChatGPT about the correct structure and order of messages as specified in 100+ pages of RFC. |
|
Network and Distributed System Security Symposium (NDSS) 2024, 15 pages. |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.8373804) and https://github.com/ChatAFLndss/ChatAFL. |
|
Note: Inaugural NDSS Artifact Evaluation Committee evaluated our artifact as Available, Functional, and Reproduced! |
| | |
| [TSE'24] |
|
Human-in-the-loop Automatic Program Repair |
|
Charaka Geethal, Marcel Böhme, and Van-Thuan Pham |
|
(One-line Abstract) Learn2fix automatically "negotiates" with the user the condition under which the bug is observed before it repairs the bug. |
|
IEEE Transactions on Software Engineering (TSE), 2024, 24 pages. |
|
Note: Journal extension of our homonymous ICST'20 paper. |
|
Note: We publish our implementation, data, and scripts available at: https://github.com/charakageethal/learn2fix-journal-ext/. |
| | |
| [CACM'23] |
|
Boosting Fuzzer Efficiency: An Information Theoretic Perspective |
|
Marcel Böhme, Valentin Manès, Sang Kil Cha |
|
(One-line Abstract) Every generated input reveals some information about the program. Maximizing information maximizes efficiency.. |
|
Communications of the ACM (Vol. 66, No. 11) |
| 🏆 |
Award: CACM Research Highlight for the month of November. CACM is the monthly journal sent to all members of the ACM. Congrats all! |
|
Note: CACM Technical Perspective: "What's all the fuss about fuzzing?" by the amazing Gordon Fraser! |
| | |
| [ASE'23] |
|
Precise Data-Driven Approximation for Program Analysis via Fuzzing |
|
Nikhil Parasaram, Earl T. Barr, Sergey Mechtaev, and Marcel Böhme |
|
(One-line Abstract) Marry static analysis to over-/under-approx. the valid state space and fuzzing + stats to estimate the degree of validity. |
|
IEEE/ACM International Conference on Automated Software Engineering (ASE) 2023, 12 pages. |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.7902214). |
| | |
| [ESEC/FSE'23] |
|
Statistical Reachability Analysis |
|
Seongmin Lee and Marcel Böhme |
|
(One-line Abstract) Quantiative program analysis using a statistical rather than an analytical approach. |
|
ACM European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 2023, 12 pages |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.7612964). |
|
Note: Artifact Evaluation Committee evaluated our artifact as Functional and Reusable! |
| | |
| [ICSE'23] |
|
Reachable Coverage: Estimating Saturation in Fuzzing |
|
Danushka Liyanage, Marcel Böhme, Chakkrit Tantithamthavorn, and Stephan Lipp |
|
(One-line Abstract) Estimating the maximum achievable coverage by automatic test input generation. |
|
IEEE/ACM International Conference on Software Engineering 2023 (ICSE'23), 13 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.7571359). |
|
Note: Featured in the Fuzzing Weekly Newsletter (CW5). |
| | |
| [ICSE'23] |
|
Evaluating the Impact of Experimental Assumptions in Automated Fault Localization |
|
Ezekiel Soremekun, Lukas Kirschner, Marcel Böhme, and Mike Papadakis |
|
(One-line Abstract) Evaluating the assumptions that researchers make during debugging tool evaluations. |
|
IEEE International Conference on Software Engineering 2023 (ICSE'23), 13 pages |
|
Website: https://debugging-assumptions.github.io/ |
| | |
| [ISSTA'23] |
|
Green Fuzzing: A Saturation-based Stopping Criterion using Vulnerability Prediction |
|
Stephan Lipp, Daniel Elsner, Severin Kacianka, Alexander Pretschner, Marcel Böhme, Sebastian Banescu |
|
(One-line Abstract) We suggest to stop a fuzzing campaign when the coverage of potentially vulnerable code saturates. |
|
ACM SIGSOFT International Symposium on Software Testing and Analysis 2023 (ISSTA'23), 13 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.7944722) and Github (https://github.com/tum-i4/green-fuzzing-artifacts). |
| | |
| [USENIX SEC'22] |
|
Stateful Greybox Fuzzing |
|
Jinsheng Ba, Marcel Böhme, Zahra Mirzamomen, Abhik Roychoudhury |
|
(One-line Abstract) Navigating an unknown state space by identifying and monitoring state variables values. |
|
USENIX Security Symposium (USENIX SEC) 2022, 18 pages |
|
Note: SGFuzz is available on Github: https://github.com/bajinsheng/SGFuzz |
| | |
| [ISSTA'22] |
|
Human-in-the-loop Oracle Learning for Semantic Bugs in String Processing Programs |
|
Charaka Geethal, Van-Thuan Pham, Aldeida Aleti, and Marcel Böhme |
|
(One-line Abstract) Learning to identify semantic bugs for string processing programs |
|
ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'22), 11 pages |
| | |
| [ICSE'22] |
|
On the Reliability of Coverage-Based Fuzzer Benchmarking |
|
Marcel Böhme, Laszlo Szekeres, Jonathan Metzman |
|
(One-line Abstract) We find a strong correlation but no strong agreement on fuzzer superiority in terms of coverage versus bugs. |
|
IEEE/ACM International Conference on Software Engineering 2022 (ICSE'22), 11 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.6045830) and Github (https://github.com/icse22data/). |
|
Slides @Slideshare |
| | |
| [ICSE'22-NIER] |
|
Statistical Reasoning about Programs |
|
Marcel Böhme |
|
(One-line Abstract) Open challenges and new research directions for automated program analysis at scale. |
|
IEEE International Conference on Software Engineering 2022: New Ideas and Emerging Results (ICSE'22 NIER), 5 pages |
|
Slides @Slideshare |
| | |
| [IEEE TSE'22] |
|
An Experimental Assessment of Using Theoretical Defect Predictors to Guide Search-Based Software Testing |
|
Anjana Perera, Aldeida Aleti, Burak Turhan, Marcel Böhme |
|
(One-line Abstract) What is the impact of defect predictor accuracy on defectiveness-guided test generation? |
|
IEEE Transactions on Software Engineering (TSE), 16 pages |
| | |
[Older publications]
© Above are the author's versions of the works. They are posted here for your personal use. Not for redistribution.
The definitive versions were published in the referenced conferences.
- Editorial Board
- ACM Transactions on Software Engineering and Methodology (TOSEM)
- Organisation
- Committee Member
- 2025: ICSE
- 2024: ICSE, FSE, ISSTA
- 2023: CCS, ICSE, ISSTA
- 2022: CCS, ESEC/FSE, ICSE SEIP, ICST
- 2021: CCS, ICSE, ISSTA, ASE, ICST
- 2020: ICSE, ISSTA, ASE, ICST, ICSE-NIER
- 2019: ICSE, ASE, TAP
- 2018: ICECCS, SBST, ASWEC, ISSTA AEC, ICSE SRC, ASE Demo, MSR MC
- 2016: FSE Demo, ISSTA Artifact Evaluation
- 2015: ICSE NIER (session chair), ISSTA Artifact Evaluation
Our tools have found several security-critical vulnerabilities in widely used open-source projects and libraries,
such as php (4), valgrind, gdb, coreutils (13), binutils (56), libiberty (8), libdwarf (7), libxml2 (4), ffmpeg (10), wavepac (4), Live555 Media Server (2), libming, and libav.
Our tools have been discussed in the news @Security Week, @The Register, @Nacked Security, @Hackernews, and by the coreutils package maintainer Pádraig Brady. Google Security awarded USD 2,000 for hardening of security-critical open-source libraries.
Most vulnerabilities were detected and analyzed during experiments of Van-Thuan Pham and myself.
In 2023, we issued the following security advisory for OpenSSL (secure communication) CVE-2023-0215, for Live555 (streaming) CVE-2023-37117, and for ProFTPD (file transfer) CVE-2023-51713. Great work Ruijie and Octavio!
In 2021, we issued the following security advisories. Great work Jinsheng!
CVE-2021-38380,
CVE-2021-38381,
CVE-2021-38382,
CVE-2021-38383,
CVE-2021-39282,
CVE-2021-39283,
CVE-2021-41396,
CVE-2021-41397,
CVE-2021-41687,
CVE-2021-41688,
CVE-2021-41689,
CVE-2021-41690
In 2019, we issued the following security advisories. Great work Thuan!
CVE-2019-7314,
CVE-2019-15232
(Your web-streaming baby monitor or security camera could be vulnerable)
In 2018, we issued the following security advisories. Great work Thuan, Alex, and Andrew!
CVE-2018-10372,
CVE-2018-10373,
CVE-2018-10536,
CVE-2018-10537,
CVE-2018-10538,
CVE-2018-10539,
CVE-2018-10540,
CVE-2018-12458,
CVE-2018-12459,
CVE-2018-12460,
CVE-2018-13300,
CVE-2018-13301,
CVE-2018-13302,
CVE-2018-13303,
CVE-2018-13304,
CVE-2018-13305,
CVE-2018-13785,
CVE-2018-19539,
CVE-2018-19540,
CVE-2018-19541,
CVE-2018-19542,
CVE-2018-19543,
CVE-2018-19543
In 2016 and 2017, we issued the following security advisories. Credit also goes to Thuan Pham!
CVE-2016-2226,
CVE-2016-4487,
CVE-2016-4488,
CVE-2016-4489,
CVE-2016-4490,
CVE-2016-4491,
CVE-2016-4492,
CVE-2016-4493,
CVE-2016-6131,
CVE-2017-6965,
CVE-2017-6966,
CVE-2017-6969,
CVE-2017-7209,
CVE-2017-7210,
CVE-2017-7223,
CVE-2017-7224,
CVE-2017-7225,
CVE-2017-7226,
CVE-2017-7227,
CVE-2017-7299,
CVE-2017-7300,
CVE-2017-7301,
CVE-2017-7302,
CVE-2017-7303,
CVE-2017-7304,
CVE-2017-7578,
CVE-2017-8392,
CVE-2017-8393,
CVE-2017-8394,
CVE-2017-8395,
CVE-2017-8396,
CVE-2017-8397,
CVE-2017-8398,
CVE-2017-9047,
CVE-2017-9048,
CVE-2017-9049,
CVE-2017-9050,
CVE-2017-9051,
CVE-2017-9052,
CVE-2017-9053,
CVE-2017-9054,
CVE-2017-9055
I am trying to lead my research group according to a consistent reproducibility policy. Read more at https://mboehme.github.io/manifesto.
- I will educate my graduate students about sound empirical analysis and reproducibility.
- We will implement our techniques directly into the baseline and avoid unrelated changes.
- We will make all our source code publicly available upon acceptance (as far as funder allows).
- We will make all our papers available by Green Open Access (as far as publisher allows).
- We will share data, scripts, and figures for the main results under CC-BY.
- We will add a "Reproducibility" declaration at the end of each paper.
My last name is properly written with an umlaut (i.e, Böhme).
The letter ö is pronounced like 'u' in fur or 'e' in earn.
| Latex/Bibtex | B{\"o}hme |
| HTML | Böhme |
| UTF8 | Böhme |
Latex supports umlauts natively using \usepackage[utf8]{inputenc} among the imports.
The correct english transliteration spells: Boehme.
Marcel Böhme
<>
· mboehme.github.io · Updated: 2021-08-11 14:05
|
|---|
