Thesis or project ideas from my research


Send me mail if you are interested in a certain topic.


Smart City - a (serious) game for alternative and green energy scenarios

A prototype of this game already exists, built on the HTML5 canvas, i.e. a browser-based game. It has several levels and allows players to make decisions on alternative energy concepts. I have tons of ideas on how to enhance the game, e.g. use a real simulation engine, run a community to create local cells, introduce different business models and more roles and so on. Even a mobile version and hardware-in-the-loop (e.g. a smart meter) would be possible.

A large company working in the energy sector would sponsor additional work on any level and provide energy sector expertise.

Time and Reliability of Distributed Algorithms

The paper on time in VMware VMs made me kind of skeptical about the performance of distributed algorithms (e.g. failure detection) in settings with unstable time. The thesis would set up some VMs and test timing behavior of distributed algorithms for consensus or failure detection. Will jumps in time only affect liveness or even consistency?


Take the ideas behind object capabilities and integrate the analysis of authority into the Palladio simulation tool from Prof. Reussner (KIT Karlsruhe). Chapter 14 by Fred Spiessens in my book on "Sichere Systeme" will give you the idea.

Simulation and Visualization of complex dynamic systems

How to simulate distributed algorithms and their failure models to get a handle on complex protocols like Paxos. Or how to simulate a large scale site using components.

Socially Situated large-scale multi-touch devices

Social GUI construction and application integration for large-scale multi-touch installations. Social analysis of interaction patterns, technical design and implementation. The scale of those devices makes single user concepts useless and requires group interfaces.

Multi-Party Mobile Microphone

This has been a sore spot for quite a while: to enable discussions at events it is necessary that everybody has access to a microphone (this is also needed for streaming). Unfortunately, the way this has been done until now is through long poles with microphones held by helpers into the audience, by stationary microphones hanging from the ceiling in large numbers, or by speakers leaving their seats and walking over to fixed microphones. This is all either too expensive or too clumsy given our narrow rows of seats and the need to hold events in different rooms each time.

My idea involved throwable microphones which can be centrally controlled and which are activated by pressing the ball. Most discussions involve only very few people and locations within a larger room and a small number of these ball-mics would be distributed across the room. Speakers can get access quickly. The following drawings might give you an idea: and a version that uses balloons hanging from the ceiling:

The article "the problem of many speakers" gives an explanation of the context.

Computer Linguistics, Translation Tools, Open Source

If you are interested in language processing, take a look at Forum Open Language Translation (FOLT). They are working on open-source translation support software called TMOSS (Translation Memory Open Source System). They are looking for participants and developers. You can download an exposé of their ideas.

EU-research projects with the data center of the University of Stuttgart

The RUS offers very interesting research projects and sometimes hiwi jobs. Take a look at research projects and job offers. The research topics cover almost everything related to large-scale computing, like federated security, clustering etc.

Security (WAF), Modeling of system environments, user attentional meta-data and analytics, large scale systems performance monitoring and analytics.

1. Security Evaluation of XML Firewalls and Web Application Firewall products

   o create market overview
   o description of current technologies
   o description of upcoming technologies

   Prepare decision which product is feasible for the company requirements. The company is a large, global enterprise. The thesis includes theoretical parts as well as an integration of WAF technology into the infrastructure. The company could probably create two thesis jobs from this one.

2. Modeling of large-scale system architectures: definition of a generic "Dictionary of elementary functions" and creation of a guide on how to define and model a functional model. This thesis should create the "role model" of functional modeling within a company. No specific operating system knowledge is required.

4. User-Analytics: Investigate methods to track user behavior not only in web applications. This includes generation of attentional meta-data from behavior data (log-files, clicks etc.) and the analytical methods behind it. Application instrumentation etc. is also a topic. Classic tools like webtrends are too narrow in this case. Search applications are one example, but the results should also be applied to other application types. Read "programming collective intelligence" to get an idea of the machine learning methods useful for tracking users. Read "findability" to get an idea of its application for search engines.

5. Performance Analytics, Reporting and Monitoring in a global Enterprise: This work deals with the problem of performance in distributed environments with multiple communication protocols and architectures. The goal is to create a monitoring system that allows tracking of complete business processes and the generation of high-level events from the combination of several low-level events (complex event processing). Applicants should be familiar with J2EE and perhaps other types of middleware and have an interest in broad problem spaces. Analytics and reporting are also involved.

E-Voting for universities

Technical, legal and organizational aspects of e-voting in a university environment. Security analysis, policy etc. Evaluation of open source e-voting programs.

Security tests with fuzzer technology

Use random access methods to uncover security problems in applications and system software.

Massively Multi-Player Online Games

Test peer-to-peer gaming frameworks for reliability and performance. Investigate bottlenecks and design issues with MMOGs.

SysML with Ilogix Tools

Use the new language by OMG for system architecture modelling - together with some excellent simulators and generators from Ilogix.

High-Availability Platforms and Approaches

(1) High-Availability Infrastructures, small and embedded systems (together with Stephan Rupp, Kontron) (2) Software-Technik Praktikum: compare concepts like OSGi with middleware for high-availability (with Stephan Rupp, Kontron).

User Conceptual Models

Take Kevin Mitnick's book on "the art of deception" and create a classification of user errors which were exploited by Mitnick. Build a user conceptual model from those. Apply it to browser security. Does browser security work on the same semantic level? Is there a huge gap between resources the browser tries to protect and how people think and act? Speculate on better machine representations for user semantic models. This could be done together with a student from usability or information design faculties.

Fuzzing and new test methodologies

Develop new Fuzzing Tools and embed them into a new testing methodology.

Security in Firefox

Investigate security in Firefox. JavaScript in the context of Web 2.0: do we need new browser security models beyond "same origin"? Make Firefox extensions and plug-ins remote: architecture, design and prototype of such an isolation approach. Do an investigation of Firefox security vulnerabilities - are there any changes in type or frequency over time? Compare Firefox with the DARPA browser project by Combex.

Security Modelling of System Architectures with Eclipse Tools

Take the thesis from Mirko Bleyh on the modeling of operational aspects as a starting point to model security aspects.

Distributed Search

One day the bandwidth to the internet may not be large enough for search engine companies - too many new pages join the web every day. How could we use the distributed computing power of edge machines for a better search index? What if we combine the distributed hash table technology with a SETI@home-like approach? Take a look at grub or YACY. And don't forget the tradingcenter project by Ron Kutschke and Markus Block, which implements a distributed auction platform and which could be used as a start for a distributed search engine.

Computer Linguistics - turn the pipeline approach into a fully parallel architecture

Use something like the UIMA framework (see IBM alphaworks) to design a system where "higher" modules (e.g. a semantic module) can give hints back to "lower" modules like word recognizers or taggers.

Remixing Secure Software

Enterprise level security is far from easy. Architectures like J2EE and .NET try to hide the complexity but still allow all the flexibility needed. Code access security, JAAS, identities and run-as modes, delegation and tracking, backend-access and registries. And tons of APIs to encrypt, create secure sessions, declare or program calls and so on. Add interoperability to this with GSS-API or the web services interfaces and developers are facing quite some challenges. One of the best books on J2EE 1.3 security that I have found so far is - surprise - a book on mainframe security: the z/OS WebSphere Application Server V5 and J2EE 1.3 Security Handbook with its additional material. It shows how requests flow from the DMZ through web and application servers to backend services and databases on mainframes. And it gives a good explanation of how the identities, roles and privileges change during such a flow, based on the capabilities of J2EE and its declarative or programmatic features.

And the additional material is also very interesting. Some people at IBM tried to verify all security related interfaces with example programs - called SWIPE. The code is available for this and my idea was to turn this code into a learning facility for secure programming. It could start as a software-technik-praktikum at HDM where a group of students could try to improve the demo application(s) and learn a lot on security APIs and infrastructure. GO AND PORT IT TO JBOSS!!

Dennis Pilipchuk in the meantime is exploring Webservices Security and available frameworks which could go into the demonstration software as well.

Anand Raman wrote a nice piece on how to create an anonymous authentication module and manages to explain basic J2EE security principles at the same time.

The result would be a much improved understanding of security infrastructure and programming.

Social Network Information Base

Not only universities live from establishing a network of partners, friends and ex-members. Joint projects, sponsoring etc. all need dependable data about contacts, interests and other information. The goal of this project would be to build an information base that is able not only to keep simple information about persons but also to store the relations between partners. Topic Maps could be one approach here. The frontend should be web based. Access control should allow some of the information to be public and other parts (strategic) to be available only to qualified persons. Students could use this base to find business partners for thesis works. University personnel can use it to raise funds or plan events.

Ad-hoc wireless networks

The idea is about using smartphones, generic UI devices and wireless headsets in helmets to provide groups of motorbikers with a cheap group communication feature based on Bluetooth wireless networks. A more detailed description can be found here.


Investigate the technological and social mechanisms behind the new darknets - cryptographically closed environments for content swapping etc.

Domain Analysis - Defining the Requirements of a Software Production Line

For this thesis the student should perform a domain analysis with the goal of finding commonalities and variations within a certain domain. An existing application from this business domain should then be analysed for existing (or missing) hot spots and the results combined with the results of the domain analysis. What could a software production line in this business domain look like? What other types of applications in this domain would then be possible?

Interface design and security

I did a little analysis of a network of sites using 0190-dialers to rip off the unsuspecting. The truth behind "". I noticed that the GUI design tries everything to obscure the fact that those sites want you to download and use 0190-dialers without noticing it. In many cases price information is either missing or printed in silver, which is especially prone to being overlooked. Then I ran across an excellent article on user interaction design and security issues by Ka-Ping Yee, User Interaction Design for Secure Systems, and found lots of good ideas there.

Yee lists 10 principles of sound interaction design:

Explicit Authority

The users must understand when and what kind of authority they grant to other actors like programs. This is perhaps the most important point, which also seems to require a concept of capabilities as a means to restrict the delegation of authority. In most systems users have few choices when they run a program because the program will automatically inherit all of the user's rights. So there is an interesting architectural problem behind this as well. See our current work on capabilities.

The others are:

Path of Least Resistance
Expected Ability
Appropriate Boundaries
Trusted path (or why an NT login requires ctrl-alt-del to be pushed)

Some examples that come to my mind: the typical dialog for establishing an SSL session does not convey the most important point: that SSL does NOT guarantee that the receiver is really who you THINK it is and that it is YOUR job to verify the identity. If you don't understand this point, go and read Eric Rescorla's wonderful book on SSL and TLS, designing secure systems, or have a look at my lecture on web application security.

You could try to come up with a better dialog e.g.