Zur Person:

Jens-Rene Giesen ist wissenschaftlicher Mitarbeiter am Lehrstuhl für Systemsicherheit an der Universität Duisburg-Essen.

Lebenslauf:

Seit 01/2020

Wissenschaftlicher Mitarbeiter am Lehrstuhl für Systemsicherheit (Syssec) an der Universität Duisburg-Essen

2016 - 2019

Masterstudium Software and Network Engineering an der Universität Duisburg-Essen (Abschluss mit M. Sc.)

2010 - 2016

Bachelorstudium Angewandte Informatik - Systems Engineering an der Universität Duisburg-Essen (Abschluss mit B. Sc.)

Ehrungen und Auszeichnungen:

• Finalist beim 9. Deutschen IT-Sicherheitspreis 2022

Publikationen:

• Winkler, Pascal; Giesen, Jens-Rene; Draissi, Oussama; Badaloni, Federico; Holler, Sebastian; Schneidewind, Clara; Davi, Lucas: $2B Lessons: Brigade as a Defense Against Real-World DeFi Bridge Exploits. In: Proc. of 24th International Conference on Applied Cryptography and Network Security (ACNS). Stony Brook, USA, 2026. Details BIB Download
• Cloosters, Tobias; Winkler, Pascal; Giesen, Jens-Rene; Karame, Ghassan; Davi, Lucas: SscRex: Practical Symbolic Execution of Solana Smart Contracts. In: Proc. of 23rd International Conference of Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Springer , Chania, Greece, 2026. Details BIB Download
• Giesen, Jens-Rene; Scholz, Christian; Davi, Lucas: Poster: Code HarvETHter: Corpus-Driven Decompilation of Ethereum Smart Contracts. In: Proc. of 32th Association for Computing and Machinery SIGSAC Conference on Computer & Communications Security (CCS). Association for Computing Machinery (ACM), Taipeh, Taiwan, 2025. doi:10.1145/3719027.3760714Kurzfassung Details BIB Download

  This poster introduces HarvETHter, a smart contract decompiler for EVM-based platforms such as Ethereum, Binance, and Polygon. We present the corpus completeness hypothesis, which we investigate through HarvETHter. Relying on our hypothesis, HarvETHter sources knowledge of the Ethereum blockchain and leverages it to decompile smart contracts to Solidity source code.

• Paaßen, David; Giesen, Jens-Rene; Davi, Lucas: Targeted Fuzzing for Unsafe Rust Code: Leveraging Selective Instrumentation. In: Proc. of 29th International Conference on Evaluation and Assessment in Software Engineering (EASE). Association for Computing Machinery (ACM), Istanbul, Turkiye , 2025. doi:10.1145/3756681.3756956Kurzfassung Details BIB Download

  Rust is a promising programming language that focuses on concurrency, usability, and security. It is used in production code by major industry players and got recommended by government bodies. Rust provides strong security guarantees achieved by design utilizing the concepts of ownership and borrowing. However, Rust allows programmers to write unsafe code which is not subject to the strict Rust security policy. Empirical studies show that security issues in practice always involve code written in unsafe Rust.

  In this paper, we present the first approach that utilizes selective code coverage feedback to focus the fuzzing efforts on unsafe Rust code. Our approach significantly improves the efficiency when fuzzing Rust programs and does not require additional computational resources while fuzz testing the target. To quantify the impact of partial code instrumentation, we implement our approach by extending the capabilities of the Rust compiler toolchain. We present an automated approach to detect unsafe and safe code components to decide which parts of the program a fuzzer should focus on when running a fuzzing campaign to find vulnerabilities in Rust programs. Our approach is fully compatible with existing fuzzing implementations and does not require complex manual work, thus retaining the existing high usability standard. Focusing on unsafe code, our implementation allows us to generate inputs that trigger more unsafe code locations with statistical significance and therefore is able to detect potential vulnerabilities in a shorter time span while imposing no performance overhead during fuzzing itself.

• Giesen, Jens-Rene; Andreina, Sebastien; Rodler, Michael; Karame, Ghassan; Davi, Lucas: HCC: A Language-Independent Hardening Contract Compiler for Smart Contracts. In: Proc. of 23rd International Conference on Applied Cryptography and Network Security (ACNS). Springer Cham, Munich, Germany, 2025. doi:10.1007/978-3-031-95761-1_5Kurzfassung Details BIB Download

  Developing secure smart contracts remains a challenging task. Existing approaches are either impractical or leave the burden to developers for fixing bugs. In this paper, we propose the first practical smart contract compiler, called HCC, which automatically inserts security hardening checks at the source-code level based on a novel and language-independent code property graph (CPG) notation. The high expressiveness of our developed CPG allows us to mitigate all of the most common smart contract vulnerabilities, namely reentrancy, integer bugs, suicidal smart contracts, improper use of tx.origin, untrusted delegate-calls, and unchecked low-level call bugs. Our large-scale evaluation on 10k real-world contracts and several sets of vulnerable contracts from related work demonstrates that HCC is highly practical, outperforms state-of-the-art contract hardening techniques, and effectively prevents all verified attack transactions without hampering functional correctness.

• Andreina, Sebastien; Cloosters, Tobias; Davi, Lucas; Giesen, Jens-Rene; Gutfleisch, Marco; Karame, Ghassan; Naiakshina, Alena; Naji, Houda: Defying the Odds: Solana’s Unexpected Resilience in Spite of the Security Challenges Faced by Developers. In: Proc. of 31th ACM SIGSAC Conference on Computer & Communications Security (CCS). Association for Computing Machinery (ACM), Salt Lake City, USA, 2024. doi:10.1145/3658644.3670333Kurzfassung Details BIB Download

  Solana gained considerable attention as one of the most popular blockchain platforms for deploying decentralized applications. Compared to Ethereum, however, we observe a lack of research on how Solana smart contract developers handle security, what challenges they encounter, and how this affects the overall security of the ecosystem.

  To address this, we conducted the first comprehensive study on the Solana platform. Our study shows, quite alarmingly, that none of the participants could detect all important security vulnerabilities in a code review task and that 83% of the participants are likely to release vulnerable smart contracts. Our study also sheds light on the root causes of developers' challenges with Solana smart contract development, suggesting the need for better security guidance and resources. In spite of these challenges, our automated analysis on currently deployed Solana smart contracts surprisingly suggests that the prevalence of vulnerabilities - especially those pointed out as the most challenging in our developer study - is below 0.3%. We explore the causes of this counter-intuitive resilience and show that frameworks, such as Anchor, are positively aiding Solana developers - even those unmindful of security - in deploying secure contracts.

• Smolka, Sven; Giesen, Jens-Rene; Winkler, Pascal; Draissi, Oussama; Davi, Lucas; Karame, Ghassan; Pohl, Klaus: Fuzz on the Beach: Fuzzing Solana Smart Contracts. In: Proc. of 30th ACM SIGSAC Conference on Computer & Communications Security (CCS). Association for Computing Machinery (ACM), Copenhagen, Denmark, 2023. doi:10.1145/3576915.3623178Kurzfassung Details BIB Download

  Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non- fungible tokens (NFTs). A key reason for its success are Solana’s low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the litera- ture features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Ma- chine. Unfortunately, the very stateless nature of Solana’s execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract’s binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol’s bug oracles finds impactful vulnerabilities with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.

• Giesen, Jens-Rene; Andreina, Sebastien; Rodler, Michael; Karame, Ghassan O.; Davi, Lucas: Tutorial: Analyzing, Exploiting, and Patching Smart Contracts in Ethereum. In: Proc. of 7th IEEE Secure Development Conference (SecDev). Institute of Electrical and Electronics Engineers (IEEE), Atlanta, GA, USA , 2022. doi:10.1109/SecDev53368.2022.00013KurzfassungPDF Details BIB Download

  Smart contracts are programs which encode business logic and execute on the blockchain. While Ethereum is the most popular blockchain platform for smart contracts, an increasing number of new blockchain platforms are also able to support smart contract execution (e.g., Solana or Cardano). Security vulnerabilities in Ethereum smart contracts have demonstrated that writing secure smart contracts is highly challenging. This is exacerbated by the fact that the exploitation of buggy smart contracts seems disproportionately easier compared to exploiting classic PC software.

  In this tutorial, we overview a number of smart contract vulnerabilities focusing on the Ethereum ecosystem. We also provide an introduction to the de-facto smart contract programming language Solidity and provide a comprehensive hands-on lab tutorial that involves analyzing vulnerable smart contracts, developing proof-of-concept exploits as well as introducing security analysis tools for testing smart contracts.

Vorträge:

• Giesen, Jens-Rene; Andreina, Sebastien; Rodler, Michael; Karame, Ghassan; Davi, Lucas: HCC: A Language-Independent Hardening Contract Compiler for Smart Contracts. International Conference on Applied Cryptography and Network Security (ACNS), 23. Jun. 2025, Munich, Germany.
• Smolka, Sven; Giesen, Jens-Rene; Winkler, Pascal; Draissi, Oussama; Davi, Lucas; Karame, Ghassan; Pohl, Klaus: Fuzz on the Beach: Fuzzing Solana Smart Contracts. ACM SIGSAC Conference on Computer & Communications Security (CCS), 28. Nov. 2023, Kopenhagen, Dänemark.
• Giesen, Jens-Rene; Andreina, Sebastien; Rodler, Michael; Karame, Ghassan; Davi, Lucas: Tutorial: Analyzing, Exploiting, and Patching Smart Contracts in Ethereum. IEEE Secure Development Conference 2022, 18. Oct. 2022, Atlanta, Georgia (USA).