I am currently a researcher
at the Center for Computing Technologies (TZI) at the Universität Bremen.
Here, I'm currently the coordinator for the development of the topic
"Information Security".
Research Interests
- Role-based access control (RBAC)
- Secure mobile applications, Java security
- Formal Methods and security
Publications
- T. Mustafa, M. Drouineaud, K. Sohr. Towards
Formal Specification and Verification of a Role-Based Authorization Engine
using JML (Position Paper). In Proceedings of the 5th ACM
ICSE Workshop on Software Engineering for Secure Systems (SESS10), Cape Town, South Africa, May 2010. To
appear.
- K. Sohr, B. Berger. Towards
Architecture-Centric Security Analysis of Software. Proc. 2nd International
Symposium on Engineering Secure Software and Systems (ESSoS
2010). Pisa, Italy.
- S. Edelkamp, C. Elfers, M. Horstmann, M.-S. Schröder, K. Sohr, T. Wagner. Early Warning and Intrusion Detection based on Combined AI Methods. First Workshop on Intelligent Security (SecArt 09), Thessaloniki, Greece, 2009.
- C. Alm, M. Drouineaud, U. Faltin, K. Sohr, R. Wolf. A
Classification Framework Designed for Advanced Role-based Access Control
Models and Mechanisms, Technical Report No. 51, TZI at the Universität
Bremen, 2009.
- S. Bartsch, K. Sohr, C. Bormann. Supporting Agile Development of Authorisation Rules for SME Applications. Proc. of the 3rd International Workshop on Trusted Collaboration (TrustCol-2008), Orlando, FL, USA, November 13 - 16, 2008.
- T. Mustafa, K. Sohr, D.-H. Dang, M. Drouineaud, S. Kowski. Implementing Advanced RBAC Functionality with USE. Proc. of the 8th OCL Workshop at the UML/MoDELS Conferences, Toulouse, Electronic Communications of the EASST, Volume 15, 2008.
- K. Sohr, T. Mustafa, G.-J. Ahn, X. Bao. Enforcing Role-Based Access Control Policies in Web Services with UML and OCL, 24th Annual Computer Security Applications Conference, Anaheim CA, December 2008. A slightly longer version can be found here.
- S. Schäfer, K. Sohr. RFID-Authentisierung in der Lieferkette der
Automobilindustrie, D-A-CH Security, Berlin, 2008.
- K. Sohr, M. Drouineaud, G.-J. Ahn, M. Gogolla. Analyzing and Managing Role-Based Access Control Policies. IEEE Transactions on Knowledge and Data Engineering, Vol. 20, No. 7, 2008. Preprint available.
- M. Kus, M. Lawo, M. Ronthaler, R. Sethmann, K. Sohr, K. Wind. Angepasste
Benutzerschnittstellen für das Wearable Computing im Projekt SiWear.
Workshop Nomadic & Wearable User Interfaces,
Mensch und Computer 2007, Weimar, September 2-5, 2007.
- T. Hollstein, M. Glesner, U. Waldmann, H. Birkholz, K. Sohr. Security challenges for RFID key applications. 3rd Workshop on RFID Systems and Technologies, Duisburg, Germany, 2007.
- U. Waldmann, T. Hollstein, K. Sohr. Technology-integrated Security for RFID Systems. Study funded by the Federal Ministry of Research and Education (BMBF), May 2007.
- A. Schaad, K. Sohr, M. Drouineaud. A Workflow-based Model-checking Approach to Inter- and Intra-analysis of Organisational Controls in Service-oriented Business Processes, Journal of Information Assurance and Security, Volume 2, Issue 1, 2007.
- A. Schaad, K. Sohr. A workflow
instance-based model-checking approach to analysing organisational
controls in a loan origination process. 1st International
Workshop on Secure Information Systems (SIS ’06). Wisla, Poland, 2006.
- A. Schaad, V. Lotz, K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, 2006.
- K. Sohr, G.-J. Ahn, M. Gogolla, L. Migge. Specification and validation of authorisation constraints with UML and OCL. In Proceedings of 10th European Symposium on Research in Computer Security (ESORICS), LNCS 3679, Milan, Italy, September 12-14, 2005.
- K. Sohr, G.-J. Ahn, L. Migge. Articulating and enforcing authorisation policies with UML and OCL. In Proceedings of ACM ICSE Workshop on Software Engineering for Secure Systems (SESS05), St. Louis, Missouri, May 15-16, 2005 and ACM SIGSOFT Software Engineering Notes.
- K. Sohr, M. Drouineaud,
G.-J. Ahn. Formal specification
of role-based security policies for clinical information systems. In
Proceedings of the 20th ACM Symposium on Applied Computing, Santa Fe, New
Mexico, 2005.
- M. Drouineaud, M. Bortin, P. Torrini, K. Sohr. A first step towards the formal verification of security policy properties of RBAC. In H.-D. Ehrich, K.-D. Schewe (Eds.), Proceedings of the 4th International Conference on Quality Software (QSIC), Braunschweig, Germany, 2004.
- M. Drouineaud, A. Lüder, K. Sohr. A role-based access control model for agent-based control systems. In Proceedings of the 1st IEEE International Conference on Industrial Informatics, Banff, Canada, 2003.
- T. Mossakowski, M. Drouineaud, K. Sohr. A
temporal-logic extension of role-based access control covering dynamic
separation of duties. In Proceedings of the 4th International
Conference on Temporal Logic, July 2003.
- S. Deter, K. Sohr. Pini: A Jini-Like Plug&Play Technology for the KVM/CLDC. In
Proceedings of the Innovative Internet Computing Systems, International
Workshop IICS 2001, Ilmenau, Germany,
June 21-22, 2001.
- K. Sohr. Die Sicherheitsaspekte von mobilem Code. Dissertation, Universität Marburg, July 2001.
- K. Sohr. Sandkastenspiele. c’t, No. 11, 226-232, 2000.
- K. Sohr. Nicht verifizierter Code: eine Sicherheitslücke in Java. In C. Cap (Eds.), JIT ’99, Springer-Verlag, 171-181, September 1999.
Research Grants
- XMELD
- ForRBAC – Formal Specification,
Verification and Enforcement of Role-Based Security Policies (funded by
the DFG)
- ORKA – Organisational Control
Architecture (funded by the BMBF)
- ITSec – E-Learning Portal for IT-Security
(Customer: Institut für Wissenstransfer)
- RFIDSec – Technology-centered RFID security
(funded by the BMBF)
- SIMOIT – Secure Access of Mobile Employees to the IT Infrastructure of SMEs (funded by the German Federal State of Bremen)
- SiWear – Secure Wearable Computing (funded by the BMWI)
- Mobile Phone-Demonstrator – Demonstration of the security risks of mobile phones (BSI)
- FIDeS – Intrusion Detection System Based on Combined Methods of Artificial Intelligence (funded by the BMBF)
- VOGUE – Trusted
Mobile Access to Enterprise Networks (funded by the BMBF)
Master and Diploma Theses
- Kim Schoen: Sichere
Kommunikation in sporadischen Kundenbeziehungen, 2003
- Daniela Bork:
Sicherheitszertifizierung am Beispiel eines Marktplatzverbundes, 2003
- Ersin Ürer: Untersuchung von WLAN-Sicherheitsprotokollen, 2005
- Lars Migge: Spezifikation
und Durchsetzung rollenbasierter Security Policies, 2005
- Tanveer Mustafa: Design and Implementation
of an Role-based Authorization Engine, 2006
- Xinyu Bao, Yan Guo: Durchsetzung von
organisatorischen Richtlinien in Web Services mit Hilfe von UML und OCL,
2007
- Silke Schäfer: Konstruktion
sicherer RFID-Anwendungen, 2007
- Adrian Nowak: Sicherheitsaspekte
mobiler Endgeräte, 2007
- Stefanie Gerdes:
Rollenbasiertes Sicherheitskonzept für Krankenhäuser unter
Berücksichtigung der aktuellen Entwicklungen in der Gesundheitstelematik,
2007
- Meike Klose: Grundzüge
eines IT-Sicherheitskonzeptes für Apotheken unter der Berücksichtigung der
Gesundheitstelematik, 2008
- Marc Ebler:
Eine Sicherheitsanalyse zum Einsatz von mobilen Endgeräten im Außendienst,
2008
- Assoulian Mkliwa Tchamsi: Umsetzung von dynamischen RBAC Policies mit Hilfe von UML und OCL, 2009
- Raffael Rittmeier:
Grundzüge eines Sicherheitskonzepts für Arztpraxen unter Berücksichtigung
der Gesundheitstelematik, 2009
- Jan Oserms:
Guidelines for high information security concerning mobile work, 2010
Teaching
Other Responsibilities
Contact
Dr. Karsten Sohr
Center for Computing Technologies (TZI)
Bibliothekstr. 1
D-28359 Bremen
Germany
Phone:
+49 421 218 63922
Fax: +49 421 218 7000
E-Mail: sohrATtzi.de
Office: MZH, Room 5100
My PGP key