Summer 2026
Catching Fake Base Stations with CellGuard (Master Project, 12 ECTS, MSc)
You can preview the poster here – further details will be presented along with the other projects.
IoT Security (Lecture & Exercise, 6 ECTS, MSc)
In this new hands-on lecture, students will learn about IoT security on all layers. Students will be provided an embedded device and solve various challenges on a Raspberry Pi Pico 2 W. Lecture contents include:
- Why IoT security matters, what it has in common with other device classes like medical devices, and why it has real-world impact.
- Electrical engineering basics, such as wiring up external components to an IoT development board.
- Developing and debugging IoT applications.
- IoT-specific protocols and typical pitfalls when using these (e.g., MQTT).
- Security of wireless protocols (e.g., Bluetooth and Wi-Fi).
- Embedded firmware security and hardware-specific limitations (MMU vs. MPU, compiler settings).
- Reverse engineering low-level firmware.
- Hardware security (reading out flash chips, intercepting wired protocols, glitching).
- Firmware rehosting and emulation.
Winter 25/26
Fuzzing for Automated Bugfinding on macOS (Master Project, 12 ECTS, MSc)
You can preview the poster here – further details will be presented along with the other projects.
Mobile Security (Lecture Series, 6 ECTS, MSc)
The kickoff for this lecture will be on Thursday, October 16, 15:15 in H-E.51/52. Lectures and exercises are on Tuesdays, 13:30, and Thursdays, 15:15. Lectures will be in person and recorded; practical exercises only take place in person.
This lecture covers mobile security on an application and system level, with many hands-on exercises. Students will learn state-of-the-art security concepts for both iOS and Android, and will be able to perform security testing of mobile apps, mobile malware analysis, as well as testing security-critical components within mobile operating systems. Grading is based on exercises and the final exam. Course contents include:
- Threat modeling for mobile devices and apps,
- application security and testing,
- mobile malware capabilities and detection,
- operating system internals, such as inter-process communication, threads, ...,
- kernel and firmware security,
- reverse engineering of mobile apps and operating system components,
- mobile forensics.
Teaching Archive
Summer 2025
Security Analysis of Apple's Private Cloud Compute (Master Project, 12 ECTS, MSc)
Joint Master Project with Prof. Anja Lehmann. You can preview the poster here – further details will be presented along with the other projects.
5G Security (Seminar, 3 ECTS, MSc)
Seminar together with Swantje Lange. Let's look into the latest 5G security research, write mini papers, and review and present them.
IoT Security (Lecture & Exercise, 6 ECTS, MSc)
In this new hands-on lecture, students will learn about IoT security on all layers. Students will be provided an embedded device and solve various challenges on a Raspberry Pi Pico 2 W. Lecture contents include:
- Why IoT security matters, what it has in common with other device classes like medical devices, and why it has real-world impact.
- Electrical engineering basics, such as wiring up external components to an IoT development board.
- Developing and debugging IoT applications.
- IoT-specific protocols and typical pitfalls when using these (e.g., MQTT).
- Security of wireless protocols (e.g., Bluetooth and Wi-Fi).
- Embedded firmware security and hardware-specific limitations (MMU vs. MPU, compiler settings).
- Reverse engineering low-level firmware.
- Hardware security (reading out flash chips, intercepting wired protocols, glitching).
- Firmware rehosting and emulation.
Digital Entomology: Tracking and Tackling Cyber Bugs (Seminar, 3 ECTS, MSc)
Cybersecurity attacks happen frequently and have severe impact. Bugs in digital systems make these attacks possible. In this seminar, we'll take a look into these bugs, why they happen, how they can be exploited, and what could be done to mitigate them. We're collecting and studying cyber bugs – and you'll all be digital entomologists!
The seminar follows a weekly schedule. Each week, we'll talk about recent, impactful bugs. The research talks will be split into bugs presented by the lecturer and bugs presented by students. We aim to cover highly diverse and recent bugs and bug classes, such as:
- web and browser security,
- internet-facing services including firewalls, mail, …,
- binary exploitation,
- real-world bugs in cryptographic implementations,
- hardware bugs,
- ...
Students can pick the bugs they present on their own, but there'll be some moderation to ensure no duplicate bugs and a high variety.
Mobile Security (Lecture Series, 6 ECTS, MSc)
This lecture covers mobile security on an application and system level, with many hands-on exercises. Students will learn state-of-the-art security concepts for both iOS and Android, and will be able to perform security testing of mobile apps, mobile malware analysis, as well as testing security-critical components within mobile operating systems. Grading is based on exercises and the final exam. Course contents include:
- Threat modeling for mobile devices and apps,
- application security and testing,
- mobile malware capabilities and detection,
- operating system internals, such as inter-process communication, threads, ...,
- kernel and firmware security,
- mobile forensics.
iOS and Android Internals (Seminar, 3 ECTS, MSc)
On two weekends, you'll learn hands-on iOS and Android reverse engineering with various practical exercises. Only take this course if you're not afraid of command lines and like programming, because this is what you'll do here! After the two weekends, your task is to create CTF-style mobile security challenges for an even more hands-on experience. Grading is based on the challenges you create.
Recent Topics in Cybersecurity (Lecture Series, 6 ECTS, BSc) & Advanced Recent Topics in Cybersecurity (Lecture Series, 6 ECTS, MSc)
In this lecture series, you'll learn about recent hot topics from cybersecurity experts. This is a preliminary list of invited talks, which are part of the lecture series.
- r00t cause analysis: the process of analyzing in-the-wild zero day iOS exploits
  - Ian Beer (@i41nbeer), Security Researcher at Google.
  - He finds bugs at Google.
  - Friday, April 19, 14:30-16:00, HS3
- Modern Malware Analysis
  - Alexander Druffel, Senior Security Researcher at CrowdStrike.
  - Monday, April 22, 15:15-16:45, HS2
- Telco Security - Bellheads vs. Netheads and the Evolution of a Critical Infrastructure
  - Jennifer Gabriel, Vodafone Group Service GmbH.
  - Monday, April 22, 17:00-18:30, HS2
- Something Something Decompilers, ILs, AI and an industry retrospective
  - Jordan Wiens (@psifertex), Binary Ninja.
  - Jordan's a hacker. He's played a lot of CTF, made a lot of CTF, written a lot of exploits, worked in offsec and network defense and even worked as a reporter back when print magazines were a thing. Now he makes Binary Ninja and likes to commentate live CTF matches.
  - A grab-bag of topics, this talk will cover a summary of a wide variety of areas of the information security ecosystem, trends over the two and a half decades Jordan's been working in it (spoiler, no, the latest trend will NOT remove all vulnerabilities), as well as technical details of building a decompiler, designing purpose-built ILs, and applying AI to modern program analysis. Also, probably some funny CTF stories if there's time!
  - Friday, May 3, 14:30-16:00, HS3
- Applied Fault Injection – Hacking Chips by Zapping Them
  - Thomas Roth (stacksmashing).
  - Monday, May 13, 13:30-15:00, HS2
- Sweet QuaDreams or Nightmare Before Christmas? Dissecting an iOS 0-Day
  - Christine Fossaceca, Senior Mobile Security Researcher, Microsoft Corporation.
  - Monday, May 13, 15:15-16:45, HS2
- Using Forensic Analysis to Discover the Latest NSO Pegasus Spyware Exploit
  - Matthias Frielingsdorf, iVerify.
  - Monday, May 27, 15:15-16:45, HS2
- CPU Sidechannel Attacks
  - Alyssa Milburn, Intel.
  - Monday, June 3, 15:15-16:45, HS2
- Auf sicheren Schienen: Pentesting bei der DB (On Safe Rails: Pentesting at DB)
  - DB InfraGo AG.
  - Monday, June 10, 15:15-16:45, HS2
- Behind the Screens: Exploring Penetration Testing with Real-World Stories and Insights
  - Alexander Neumann, RedTeam Pentesting GmbH.
  - Alexander Neumann works at RedTeam Pentesting GmbH in Aachen and has 15 years of experience as a pentester.
  - Monday, June 17, 15:15-16:45, HS2
- Firmware Rehosting – Or: how to efficiently fuzz embedded systems at scale
  - Marius Muench, Assistant Professor at the University of Birmingham.
  - Marius Muench is an assistant professor at the University of Birmingham. His main research area is computer security with a special focus on embedded systems, fuzzing, binary analysis, and cellular security.
  - Monday, July 1, 15:15-16:45, HS2
- Breaking Barriers and Boundaries: Free, Global, and Stealthy SMS Communication via Satellite on iPhones
  - Jiska Classen
  - Friday, July 5, 14:30-16:00, HS3
- Fuzz Everything, Everywhere, All at Once
  - Advanced Fuzzing with LibAFL
  - Dominik Maier, Android Red Team, Google.
  - Monday, July 8, 15:15-16:45, HS2
Mobile Security (Lecture, 6 ECTS, MSc)
This lecture covers mobile security on an application and system level, with many hands-on exercises. Students will learn state-of-the-art security concepts for both iOS and Android, and will be able to perform security testing of mobile apps, mobile malware analysis, as well as testing security-critical components within mobile operating systems. Grading is based on exercises and the final exam.
The course catalogue contains further details.
Reverse Engineering for Security Analysis (Project seminar, 6 ECTS, MSc)
In this project, Master students will get a short introduction to reverse engineering. From then on, they can work on individual projects in small groups with the goal of reverse engineering real-world software to uncover and report security vulnerabilities. Safe harbour policies of leading vendors allow reverse engineering, enabling students to work on impactful projects.
The course catalogue contains further details.
Open-Source Fuzzing (Project seminar, 6 ECTS, BSc)
In this project, Bachelor students will get a short introduction to fuzzing. Similar to the reverse engineering project, they will work on individual projects in small groups. They can choose to fuzz software that is already open source, or join a reverse-engineering group to fuzz interesting interfaces that they discovered. Discovered vulnerabilities will be disclosed to the vendors, thereby improving security of open-source software projects.
The course catalogue contains further details.