
Marcel Böhme (he/him)

Group Leader

Marcel Böhme is a faculty member at the Max Planck Institute for Security and Privacy (MPI-SP) in Germany, where he leads the Software Security research group. His group has made foundational contributions to automatic software testing, specifically fuzzing, which has become one of the most successful techniques for automatic vulnerability discovery at scale. While conventional wisdom holds that testing can only show the presence of bugs but never their absence, Marcel has developed the first statistical framework to make statements about a program's correctness after an error-free testing campaign. While testing is embarrassingly parallel, his probabilistic theory explains how the cost of bug finding is actually exponential in the number of machines, and when even the most effective systematic testing technique is outperformed by a simple, random approach. More recently, his group has been developing the statistical and causal foundations of empirical software security analysis at scale, supported by an ERC grant. To find out more about the research in our group, head over to https://mpi-softsec.github.io

Marcel is the elected Spokesperson for Research Group Leaders at the Chemistry, Physics, and Technology Section of the Max Planck Society, a Guest Editor-in-Chief and Associate Editor for ACM TOSEM (the flagship journal in software engineering), and a member of the steering committees of ASE (1.2k submissions for his instance in 2025) and ISSTA, two of the largest, premier conferences in his area. He won a 2024 ERC Consolidator grant, a 2022 NUS Outstanding Young Computing Alumni Award, a 2019 ARC DECRA (Australia's equivalent of the ERC Starting grant), a 2019 Google Faculty Research Award, and several ACM Distinguished Paper awards, spotlights, and highlights at the premier publication venues for security and software engineering. Marcel received his PhD at the National University of Singapore (NUS).

His current research concerns the automatic discovery of security flaws at very large scale. One part of his group works on the foundations of automatic vulnerability discovery and program analysis in general. For instance, we seek to identify fundamental limitations of existing techniques, we study empirical methods (incl. statistical and causal reasoning) for program analysis, and we explore the assurances that software testing provides when no bugs are found. The other part of his group develops practical vulnerability discovery technology that is widely used in software security practice. For instance, Entropic is the default power schedule in libFuzzer, which powers the largest fuzzing platforms at Google and Microsoft, fuzzing hundreds of security-critical projects on 100k machines 24/7.

Software Security Group

Name
Jing Liu
Ardi Madadi
Niklas Risse
Gaetano Paolo Sapia
Thomas Valentin

Former Members
