Munich Computer Systems Research Lab

Logo

Opportunities

If getting a PhD sounds interesting, and you're interested in our research papers and topics, please get in touch with us! Email address is u c s r l at unibw dot de

No Army Affiliation needed!

Because students keep asking us: Our PhD researchers are not in any way affiliated with Germany’s armed forces but normal, civilian PhD students that have obtained their Master’s degrees from other universities (TU Munich, TU Wien, and HHU, to be precise). Although most of our Bachelor and Masters students are, in fact, officers in the German Bundeswehr, most of them continue in their military career after graduation.

If you have an accredited Master’s degree from a European university, you are welcome to join μCSRL! (And you will also not have to perform any military duties.)

Welcome to the official online presence of μCSRL!

The Munich Computer Systems Research Laboratory, μCSRL for short, is a research lab at the National Cyber Defense Research Institute CODE at the Universität der Bundeswehr, München, directed by Stefan Brunthaler. This web page hosts all public artifacts of the research group, including blog posts, essays, source code, and tools.

Research

As of Q1 2026, μCSRL conducts the following research projects. Our publication pipeline is still filled to the brim and we expect to publish multiple papers in 2026.

Fuzzing: μ-fuzz

Bundles our research activities in automated vulnerability identification via fuzzing. Our objective for this project is the investigation of combinatorial optimization of fuzzing on clusters. To support this project, we have a state-of-the-art fuzzing cluster with 1,200+ CPUs. In 2025, we extended this cluster such that we have even more compute available, and we also received a distinguished paper award for our work on Tephra.

Language-based Security – Software Diversity: μ-proteus

Bundles our research activities in software diversification. Our recent milestones include:

Leakage-resilient Diversity

The goal of this line of research is to mitigate advanced code-reuse attacks, such as both direct and indirect JIT-ROP, COOP, AOCR, and PIROP. Broadly speaking, the idea is to combine software diversity with so-called, execute-only memory (XOM). Prof. Brunthaler co-authored one of the most highly cited articles in this area, called Readcator, which used the first hardware-supported XOM with advanced code diversification, including code-pointer hiding. Due to emergent security problems of code-pointer hiding, which resulted in the Address-Oblivious Code Reuse (AOCR) attack, our research group continued improving diversification techniques to mitigate even the most-advanced code reuse attacks. In 2023, we were able to publish this defense, R2C - Reactive and Reflective Camouflage, which to the best of our knowledge, is the only effective and efficient defense to date.

Versatile Diversity

Besides code-reuse attacks, we published the first paper aimed at preventing Rowhammer attacks with principles underlying software diversity. Similarly, we published a defense against timing-based cache side-channels through our discovery of a new defense called control-flow diversity.

Supply-Chain Attacks: μ-c

We are actively investigating how to address supply-chain attacks at compile time through developing our own compiler infrastructure. This compiler combines our state-of-the-art software diversification techniques.

Decompilation: μ-dc

We examine novel techniques in decompiling programs, i.e., the process of producing source code from programs in binary form.

Interpreter Optimization: μ-python

Bundles our research activities in interpreter optimization. Our present research efforts deal with purely-interpretative optimizations, i.e., trying to avoid dynamic code generation altogether. The key insight of Prof. Brunthaler’s work from 2010 until 2014 was that an interpreter can do pretty much the same things as a JIT compiler. A series of optimizations addressed various shortcomings in isolation, such as providing type feedback via inline caching, or eliminating reference count operations. Later on, these techniques were combined to also eliminate the overhead of operating on boxed objects (see Multi-Level Quickening). Multi-level quickening provided substantial speedups of up to 5.5x, but did not convince the reviewers in 2012, 2013, and 2014. In 2024, Felix Berlakovich and myself presented a way to optimize across separately compiled C extensions in Python using quickening, aptly named Cross Module Quickening.

We are also actively researching novel optimization methods for WASM, and expect to publish our recent results in 2026.

At present, Python adopted the former optimization techniques, i.e., the quickening-based inline caching, since version 3.10, and will adopt the latter technique in future versions. As a result, this line of research, although academically unsuccessful, is used by millions of people on a daily basis.

Recent Publications

Full list of publications

Presentations

Essays

The following essays are available: