Publications

Download BibTeX.

2025
TOSEM
Software Security Analysis in 2030 and Beyond: A Research Roadmap.
Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello.
ACM Transactions on Software Engineering and Methodology. 25pp.
Abstract: Challenges and opportunities for the security analysis of our software systems of the future.
[ pdf ] [ bib ]
Note: Invited article (Special Section: 2030 Software Engineering Roadmap).
ICSE'25
Invivo Fuzzing by Amplifying Actual Executions.
Octavio Galland and Marcel Böhme.
47th International Conference on Software Engineering (ICSE'25). 13pp.
Abstract: Don't attach a fuzzer using fuzz drivers! Inject a fuzzer and amplify any state.
[ pdf ] [ bib ]
ICSE'25
Accounting for Missing Events in Statistical Information Leakage Analysis.
Seongmin Lee, Shreyas Minocha, and Marcel Böhme.
47th International Conference on Software Engineering (ICSE'25). 12pp.
Abstract: Estimating software privacy in the small sample regime.
[ pdf ] [ bib ]
2024
TOSEM
On the Impact of Lower Recall and Precision in Defect Prediction for Guiding Search-based Software Testing.
Anjana Perera, Burak Turhan, Aldeida Aleti, and Marcel Böhme.
ACM Transactions on Software Engineering and Methodology 33(6). 27pp.
[ pdf ] [ bib ]
USENIX Sec'24
Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection.
Niklas Risse and Marcel Böhme.
33rd USENIX Security Symposium (USENIX Sec'24). 19pp.
Abstract: Are machine learning models for vulnerability discovery as good as they seem?
[ pdf ] [ bib ]
CCS'24
Testing Side-Channel Security of Cryptographic Implementations Against Future Microarchitectures.
G. Barthe, M. Böhme, S. Cauligi, C. Chuengsatiansup, D. Genkin, M. Guarnieri, D. Romero, P. Schwabe, D. Wu, and Y. Yarom.
🧑‍💻 31st ACM Conference on Computer and Communications Security (CCS'24). 16pp.
Abstract: How to find side-channels in crypto implementations running on future microarchitectures.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
 🏆 Award: Our paper won the ACM SIGSAC Distinguished Paper Award at CCS'24. Congrats all!
ICSE'24
Extrapolating Coverage Rate in Greybox Fuzzing.
Danushka Liyanage, Seongmin Lee, Chakkrit Tantithamthavorn, and Marcel Böhme.
🧑‍💻 46th International Conference on Software Engineering (ICSE'24). 13pp.
Abstract: How to *predict* the coverage rate of a greybox fuzzer in the future.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
NDSS'24
Large Language Model guided Protocol Fuzzing.
Ruijie Meng, Martin Mirchev, Marcel Böhme, and Abhik Roychoudhury.
🧑‍💻 Network and Distributed System Security Symposium (NDSS'24). 15pp.
Abstract: How to make a fuzzer ask ChatGPT about the correct structure and order of messages as specified in 100+ pages of RFC.
[ pdf ] [ bib ] [🧑‍💻 artifact ] [ github ]
TSE
Human-In-The-Loop Automatic Program Repair.
Charaka Geethal Kapugama, Marcel Böhme, and Van-Thuan Pham.
🧑‍💻 IEEE Transactions on Software Engineering. 24pp.
Abstract: Learn2fix automatically negotiates with the user the condition under which the bug is observed before it repairs the bug.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
Note: Journal extension of our homonymous ICST'20 paper.
2023
CACM
Boosting Fuzzer Efficiency: An Information Theoretic Perspective.
Marcel Böhme, Valentin J. M. Manès, and Sang Kil Cha.
🧑‍💻 Communcations of the ACM 66(11). 9pp.
Abstract: Every generated input reveals some information about the program. Maximizing information maximizes efficiency.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
 🏆 Award: CACM Research Highlight for the month of November. CACM a journal sent to all members of the ACM.
Note: CACM Technical Perspective: "What's all the fuss about fuzzing?" by the amazing Gordon Fraser!
ESEC / FSE'23
Statistical Reachability Analysis.
Seongmin Lee and Marcel Böhme.
🧑‍💻 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC / FSE'23). 12pp.
Abstract: Quantiative program analysis using a statistical rather than an analytical approach.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
ASE'23
Precise Data-Driven Approximation for Program Analysis via Fuzzing.
Nikhil Parasaram, Earl T. Barr, Sergey Mechtaev, and Marcel Böhme.
🧑‍💻 38th IEEE/ACM International Conference on Automated Software Engineering (ASE'23). 12pp.
Abstract: Marry static analysis to over-/under-approx. the valid state space and fuzzing + stats to estimate the degree of validity.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
ICSE'23
Reachable Coverage: Estimating Saturation in Fuzzing.
Danushka Liyanage, Marcel Böhme, Chakkrit Tantithamthavorn, and Stephan Lipp.
🧑‍💻 45th International Conference on Software Engineering (ICSE'23). 13pp.
Abstract: Estimating the maximum achievable coverage by automatic test input generation.
[ pdf ] [ bib ] [🧑‍💻 artifact ]
Note: Featured in the Fuzzing Weekly Newsletter (CW5).
ICSE'23
Evaluating the Impact of Experimental Assumptions in Automated Fault Localization.
Ezekiel Soremekun, Lukas Kirschner, Marcel Böhme, and Mike Papadakis.
🧑‍💻 ACM/IEEE 45th International Conference on Software Engineering (ICSE'23). 13pp.
Abstract: Evaluating the assumptions that researchers make during debugging tool evaluations.
[ pdf ] [ bib ] [🧑‍💻 artifact ] [🔗 website ]
ISSTA'23
Green Fuzzing: A Saturation-based Stopping Criterion using Vulnerability Prediction.
Stephan Lipp, Daniel Elsner, Severin Kacianka, Alexander Pretschner, Marcel Böhme, and Sebastian Banescu.
🧑‍💻 32nd ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'23). 13pp.
Abstract: We suggest to stop a fuzzing campaign when the coverage of potentially vulnerable code saturates.
[ pdf ] [ bib ] [🧑‍💻 artifact ] [ github ]
ESEC / FSE'23 (SRC)
Detecting Overfitting of Machine Learning Techniques for Automatic Vulnerability Detection.
Niklas Risse.
Student Research Competition (SRC) at the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC / FSE'23 (SRC)). 3pp.

Website of the Böhme Research Group at the Max Planck Institute for Security and Privacy.