Making complex systems more trustworthy: Systems security expert Thorsten Holz joins MPI-SP as Scientific Director

June 30, 2025

Systems security expert Thorsten Holz joins the Max Planck Institute for Security and Privacy in July. His research focuses on improving the resilience of complex software systems against emerging threats, enabling the development of robust and secure architectures that are essential for building trustworthy digital systems. Holz is widely recognized not only for his work on software security but also for applying his research to solve real-world problems, such as improving memory safety or understanding how humans interact with systems.

Holz and his team specialize in systems security, addressing a wide range of challenges that include analyzing, modeling, designing, implementing, and thoroughly validating complex software systems. A primary goal of his work is to develop innovative methods to help software developers and security analysts to test and build trustworthy systems in an efficient and scalable way. As advanced ML-based systems become integral to diverse applications, ensuring their security and privacy has emerged as a critical and complex challenge that he also tries to tackle.

One of the current research topics is fuzzing, an automated software testing method that involves providing a program with large amounts of random input data to uncover vulnerabilities. If the program crashes or behaves unexpectedly, this indicates the presence of a security flaw. This method is particularly effective at discovering subtle bugs that are difficult to detect with traditional testing approaches. By applying fuzzing at scale, the team has successfully identified hundreds of security-critical flaws in widely used software such as web browsers and operating systems. “A key objective of my work is to bridge the gap between theoretical security models and their practical applications in real-world systems,” says Holz. The resulting tools are released under open-source licenses, making them freely available to the research community and industry. The team also closely collaborates with companies to evaluate the practical impact of their work. For example, major tech companies like Google, Mozilla, and Intel use the team’s testing techniques to help identify and fix vulnerabilities in their software, contributing to safer web browsing and computing for billions of users.

The practical applicability of Holz’s research is also found in space. Together with colleagues from Ruhr University Bochum, Holz and his team conducted an experimental security evaluation of firmware from three real-world low-Earth orbit satellites. They identified several security vulnerabilities, including unprotected command interfaces and missing access controls, which allowed them to fully compromise two out of the three satellites examined. Based on an anonymous survey of 19 employees from the satellite industry and space agencies, the team found a widespread reliance on “security by obscurity,” with most systems lacking basic protections such as encryption and authentication. The team warns about the risks of this approach and aims to bring together all the stakeholders to develop better security standards for the space sector.

Apart from technical aspects, Holz is also interested in understanding how people interact with systems and the threats posed by artificially generated media. For example, his work focused on the algorithmic detection of media generated by machine learning-based models and the human perception of such content. As part of this research, the team performed a large‑scale, cross‑country survey of human ability to distinguish artificially generated audio, image, and text content, involving about 3,000 participants from the USA, Germany, and China. The findings reveal that state‑of‑the‑art synthetic media is nearly indistinguishable from real content, with most participants essentially guessing whether it was human‑ or machine‑generated. The results provide important insights into the general public’s ability to distinguish authentic media from artificially generated content. This knowledge serves as a basis for the development of more effective detection tools and educational strategies.

Thorsten Holz will join the Max Planck Institute for Security and Privacy in July, where he will lead the System Security Department. “I am thrilled to be part of MPI-SP and to contribute to the vibrant research ecosystem in Bochum and across the Max Planck Society,” says Holz. “Collaborating with leading experts in security and privacy will open up many exciting opportunities. I look forward to advancing foundational research in systems security and to helping build more trustworthy computing systems capable of withstanding the complex threats of today and tomorrow.”
