Portrait of Johannes Kinder

Johannes Kinder

Professor of Computer Science

Room 104, McCrea Building
E-Mail: first.last at rhul.ac.uk
Office phone: +44-1784-44-3525
Office hours: Tue 10:00–11:00, Wed 10:00–11:00

Research Interest

My research focuses on assessing and improving the reliability and security of software, in particular with the help of automated tools. This requires me to cross back and forth between the fields of programming languages, software engineering, and systems security. My principal interests lie in program analysis for real-world systems, runtime monitoring and instrumentation, and specification and detection of malware.

At Royal Holloway, I am affiliated with the Systems Security Research Lab and the Centre for Software Language Engineering.

Prospective PhD Students

I am looking for motivated and talented PhD students to work with me in the area of program analysis and security. My work is a mix of mathematical reasoning about programs and applied systems hacking – so ideally you should enjoy doing both. If you are interested, please write me an e-mail with your CV and a few lines about yourself. Currently open positions are advertised under vacancies, but additional funding opportunities can be found.


I am helping / have helped organizing the following events:

I am / have been serving on the program committees of the following conferences and workshops:

APLAS 2019, ESSoS 2017, SPRO 2016, RV 2016, PPREW-5, ESSoS 2016, SPRO 2015, SAS 2014, ICST 2014, PPREW-4, EUC 2014, ICST 2013, PPREW 2013, EDCC 2012, SOFSEM 2012, SEW 2012, SEW 2011

I am lucky to be working with the following PhD students:

MobSec: Malware and Security in the Mobile Age

Sponsored by EPSRC (EP/L022710/1) and a donation from Intel Security / McAfee Labs UK.

A main theme of the project will be mobile applications analyses to extract behavioral information necessary for effective policy enforcement and mobile malware mitigation techniques. To this end, we have recently presented CopperDroid, an approach to perform dynamic behavioral analysis of Android malware. CopperDroid presents a unified analysis to characterize low-level OS-specific and high-level Android-specific behaviors. A number of research questions including the automatic, comprehensive, and faithful reconstruction of Android apps behaviors, the reliable identification of behaviors triggered by malware embedded in benign applications, event-behavior attributions, and the simulation of complex UI interactions are still open and will be explored by MobSec.

We will further focus on detection of malicious mobile applications a particularly challenging task in the mobile landscape that largely sees malware repackaged (and embedded) in benign apps, and the enforcement of fine-grained security policies to contain malicious behaviors—abstracting away (or limiting) users involvement (as opposed to the state-of- the-art). Hardware-supported virtualization to provide efficient in-device mitigations against mobile threats.

Automated Security Testing of Webview Interfaces

Sponsored by a Google Faculty Research Award.

Many Android applications use an embedded webview, essentially a bare bones web browser, and expose an interface for JavaScript content in the webview to interact with the app. Since they typically control both the app and the JavaScript code, developers consider these interfaces to be private. However, malicious attackers may manipulate contents loaded through network connections and can thus interact with the interface almost arbitrarily. The goal of this project is to develop methods for assessing the impact of insecure interfaces: while many functions exposed through such interfaces are harmless, some can allow an attacker to obtain or manipulate sensitive information, or even to load additional privilege escalation exploits.

ExpoSE: Symbolic Execution for Real-World JavaScript

Sponsored by the Research Institute in Verified Trustworthy Software Systems and the Centre for Doctoral Training in Cyber Security.

JavaScript has evolved into a versatile ecosystem for not just the web, but also a wide range of server-side and client-side applications. With this increased scope, the potential impact of bugs increases. With ExpoSE, we are developing a dynamic symbolic execution engine for Node.js JavaScript applications. ExpoSE automatically generates test cases to find bugs and cover as many paths in the target program as possible. In this project, we address the specific challenges for symbolic execution arising in real-world JavaScript code, from regular expressions to asynchronous execution. ExpoSE is available on GitHub.

Here are the slides of my tutorial on Symbolic Execution given at MEMOCODE/FMCAD and IIT Kanpur.

Automated Exploit Generation

Sponsored by L3-TRL.

Vulnerabilities in software are a major security concern; when they are reported, they usually require immediate and expensive action by the affected software vendor. However, many vulnerabilities are not disclosed to the vendor but instead collected and traded by government agencies and cyber criminals alike. Even where developers may have seen warnings or bug reports by testing or static analysis, they may lack the specialized knowledge to determine whether a suspicious line of code is an exploitable vulnerability. The idea of automated exploit generation (AEG) systems promises to democratize the art of exploit writing. An AEG system can demonstrate the severity of a bug by generating a working targeted exploit, which takes control of the program and executes a payload, such as spawning a shell.

Jakstab: Static Analysis of x86 Executables

Jakstab allows to statically analyze binaries directly, without relying on any preprocessing. It integrates disassembly, control flow graph reconstruction, and abstract interpretation in a single process. Jakstab was successfully used to verify Windows device driver binaries and generate control flow graphs for Windows and Linux binaries. Because it avoids making assumptions about well-behavedness of code, its particularly good at working with unconventional and hand-written machine code. In ongoing work, Jakstab is being extended to remove obfuscation layers from malware by static analysis. Jakstab is open source and designed to be extensible by custom analysis and binary frontends. Check it out on jakstab.org.

By Train

The fastest way from central London is to take the Waterloo - Reading train and get off at Egham (37 min from Waterloo). Look up connections from anywhere in London.

From Egham station, you can either walk (20 min), take the shuttle bus (10 min, during term time), or take a taxi (5 min). Click here for a detailed map.

By Car

The college is two miles from Junction 13 of the M25. You can enter campus through the main gate at Founder's Building, but you will need to have a space reserved for you since parking is by permit only.

By Plane

The nearest airport to Royal Holloway is is London Heathrow. You can take a Taxi from there to reach campus in about 15 min, or take bus 71 from Terminal 5 or bus 441 from Heathrow Central Bus Station (30-40 min).

From London Gatwick, the fastest route is to take the train to Clapham Junction and change to a Waterloo-Reading train to Egham (about 1h10 total travel time).