[{"type":"misc","abstract":[{"lang":"eng","text":"Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair \"Cryptographic API Misuse Detection Tool Benchmark Suite\". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain."}],"status":"public","_id":"32409","department":[{"_id":"76"}],"user_id":"32312","keyword":["cryptography","benchmark","API misuse","static analysis"],"language":[{"iso":"eng"}],"related_material":{"link":[{"url":"https://arxiv.org/abs/2204.06447","relation":"confirmation"}]},"year":"2022","citation":{"apa":"Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022). CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. https://doi.org/10.48550/ARXIV.2204.06447","bibtex":"@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447}, author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}, year={2022} }","short":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.","mla":"Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447.","ama":"Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447","chicago":"Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447.","ieee":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022."},"date_updated":"2022-07-25T10:23:44Z","date_created":"2022-07-25T07:56:59Z","author":[{"orcid":"0000-0001-6600-6171","last_name":"Schlichtig","id":"32312","full_name":"Schlichtig, Michael","first_name":"Michael"},{"last_name":"Wickert","full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina"},{"first_name":"Stefan","full_name":"Krüger, Stefan","last_name":"Krüger"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"}],"title":"CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite","doi":"10.48550/ARXIV.2204.06447"},{"publication_status":"published","quality_controlled":"1","publication_identifier":{"isbn":["9781450393799"]},"related_material":{"link":[{"url":"https://dl.acm.org/doi/10.1145/3533767.3534374","relation":"confirmation"}]},"year":"2022","citation":{"short":"M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–543.","mla":"Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767.","bibtex":"@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767}, booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2022}, pages={532–543} }","apa":"Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–543. https://doi.org/10.1145/3533767","ama":"Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM; 2022:532-543. doi:10.1145/3533767","ieee":"M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp. 532–543, doi: 10.1145/3533767.","chicago":"Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–43. ACM, 2022. https://doi.org/10.1145/3533767."},"page":"532 - 543","publisher":"ACM","date_updated":"2022-07-26T11:42:23Z","author":[{"last_name":"Nachtigall","id":"41213","full_name":"Nachtigall, Marcus","first_name":"Marcus"},{"full_name":"Schlichtig, Michael","id":"32312","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","first_name":"Michael"},{"id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"}],"date_created":"2022-07-25T08:02:36Z","title":"A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools","doi":"10.1145/3533767","type":"conference","publication":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","abstract":[{"lang":"eng","text":"Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment.\r\nTo comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria.\r\nThe evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further.\r\nThese findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses."}],"status":"public","_id":"32410","user_id":"32312","department":[{"_id":"76"}],"keyword":["Automated static analysis","Software usability"],"language":[{"iso":"eng"}]},{"related_material":{"link":[{"relation":"confirmation","url":"https://ieeexplore.ieee.org/document/9825763"}]},"quality_controlled":"1","citation":{"ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API Usage constraint and Misuse Classification. In: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2022:673-684. doi:https://doi.org/10.1109/SANER53432.2022.00085","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–84, 2022. https://doi.org/10.1109/SANER53432.2022.00085.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework for API Usage constraint and Misuse Classification,” in 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684, doi: https://doi.org/10.1109/SANER53432.2022.00085.","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM - A Framework for API Usage constraint and Misuse Classification. 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–684. https://doi.org/10.1109/SANER53432.2022.00085","bibtex":"@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM - A Framework for API Usage constraint and Misuse Classification}, DOI={https://doi.org/10.1109/SANER53432.2022.00085}, booktitle={2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }","short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684.","mla":"Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and Misuse Classification.” 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–84, doi:https://doi.org/10.1109/SANER53432.2022.00085."},"page":"673 - 684","year":"2022","author":[{"first_name":"Michael","id":"32312","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig"},{"first_name":"Steffen","last_name":"Sassalla","full_name":"Sassalla, Steffen"},{"full_name":"Narasimhan, Krishna","last_name":"Narasimhan","first_name":"Krishna"},{"full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"}],"date_created":"2022-05-09T13:04:10Z","date_updated":"2022-07-26T11:42:30Z","doi":"https://doi.org/10.1109/SANER53432.2022.00085","title":"FUM - A Framework for API Usage constraint and Misuse Classification","type":"conference","publication":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","status":"public","abstract":[{"lang":"eng","text":"Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detectors' capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. And it appears that also more generally FUM can aid the development and improvement of misuse detection tools."}],"user_id":"32312","department":[{"_id":"76"}],"_id":"31133","language":[{"iso":"eng"}],"keyword":["API misuses","API usage constraints","classification framework","API misuse detection","static analysis"]},{"department":[{"_id":"241"},{"_id":"76"}],"user_id":"49576","_id":"34057","status":"public","publication":"2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)","type":"conference","doi":"10.1109/etfa52439.2022.9921730","title":"Domain-specific Language for Condition Monitoring Software Development","date_created":"2022-11-10T14:30:16Z","author":[{"first_name":"Faruk","full_name":"Pasic, Faruk","last_name":"Pasic"},{"first_name":"Matthias","last_name":"Becker","full_name":"Becker, Matthias"}],"publisher":"IEEE","date_updated":"2022-11-10T14:30:42Z","citation":{"ama":"Pasic F, Becker M. Domain-specific Language for Condition Monitoring Software Development. In: 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). IEEE; 2022. doi:10.1109/etfa52439.2022.9921730","chicago":"Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition Monitoring Software Development.” In 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). IEEE, 2022. https://doi.org/10.1109/etfa52439.2022.9921730.","ieee":"F. Pasic and M. Becker, “Domain-specific Language for Condition Monitoring Software Development,” 2022, doi: 10.1109/etfa52439.2022.9921730.","short":"F. Pasic, M. Becker, in: 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA), IEEE, 2022.","bibtex":"@inproceedings{Pasic_Becker_2022, title={Domain-specific Language for Condition Monitoring Software Development}, DOI={10.1109/etfa52439.2022.9921730}, booktitle={2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)}, publisher={IEEE}, author={Pasic, Faruk and Becker, Matthias}, year={2022} }","mla":"Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition Monitoring Software Development.” 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA), IEEE, 2022, doi:10.1109/etfa52439.2022.9921730.","apa":"Pasic, F., & Becker, M. (2022). Domain-specific Language for Condition Monitoring Software Development. 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). https://doi.org/10.1109/etfa52439.2022.9921730"},"year":"2022","publication_status":"published"},{"type":"journal_article","publication":"ACM Transactions on Software Engineering and Methodology","status":"public","abstract":[{"text":"\r\n Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of\r\n gadgets\r\n present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it\r\n public\r\n – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.\r\n \r\n For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.","lang":"eng"}],"user_id":"15249","department":[{"_id":"76"}],"_id":"33835","language":[{"iso":"eng"}],"keyword":["Software"],"publication_status":"published","publication_identifier":{"issn":["1049-331X","1557-7392"]},"citation":{"mla":"Sayar, Imen, et al. “An In-Depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.” ACM Transactions on Software Engineering and Methodology, Association for Computing Machinery (ACM), 2022, doi:10.1145/3554732.","short":"I. Sayar, A. Bartel, E. Bodden, Y. Le Traon, ACM Transactions on Software Engineering and Methodology (2022).","bibtex":"@article{Sayar_Bartel_Bodden_Le Traon_2022, title={An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities}, DOI={10.1145/3554732}, journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association for Computing Machinery (ACM)}, author={Sayar, Imen and Bartel, Alexandre and Bodden, Eric and Le Traon, Yves}, year={2022} }","apa":"Sayar, I., Bartel, A., Bodden, E., & Le Traon, Y. (2022). An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. ACM Transactions on Software Engineering and Methodology. https://doi.org/10.1145/3554732","ama":"Sayar I, Bartel A, Bodden E, Le Traon Y. An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. ACM Transactions on Software Engineering and Methodology. Published online 2022. doi:10.1145/3554732","ieee":"I. Sayar, A. Bartel, E. Bodden, and Y. Le Traon, “An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities,” ACM Transactions on Software Engineering and Methodology, 2022, doi: 10.1145/3554732.","chicago":"Sayar, Imen, Alexandre Bartel, Eric Bodden, and Yves Le Traon. “An In-Depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.” ACM Transactions on Software Engineering and Methodology, 2022. https://doi.org/10.1145/3554732."},"year":"2022","date_created":"2022-10-20T12:31:49Z","author":[{"full_name":"Sayar, Imen","last_name":"Sayar","first_name":"Imen"},{"full_name":"Bartel, Alexandre","last_name":"Bartel","first_name":"Alexandre"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"},{"first_name":"Yves","full_name":"Le Traon, Yves","last_name":"Le Traon"}],"date_updated":"2022-10-20T12:32:31Z","publisher":"Association for Computing Machinery (ACM)","doi":"10.1145/3554732","title":"An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities"},{"volume":27,"author":[{"first_name":"Goran","orcid":"0000-0003-4424-5838","last_name":"Piskachev","id":"41936","full_name":"Piskachev, Goran"},{"first_name":"Johannes","last_name":"Späth","full_name":"Späth, Johannes"},{"orcid":"https://orcid.org/0000-0003-0124-6291","last_name":"Budde","full_name":"Budde, Ingo","id":"13693","first_name":"Ingo"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"date_created":"2022-10-20T12:34:04Z","publisher":"Springer","date_updated":"2022-10-20T12:36:23Z","title":"Fluently specifying taint-flow queries with fluentTQL","issue":"5","intvolume":" 27","page":"1–33","citation":{"short":"G. Piskachev, J. Späth, I. Budde, E. Bodden, Empirical Software Engineering 27 (2022) 1–33.","bibtex":"@article{Piskachev_Späth_Budde_Bodden_2022, title={Fluently specifying taint-flow queries with fluentTQL}, volume={27}, number={5}, journal={Empirical Software Engineering}, publisher={Springer}, author={Piskachev, Goran and Späth, Johannes and Budde, Ingo and Bodden, Eric}, year={2022}, pages={1–33} }","mla":"Piskachev, Goran, et al. “Fluently Specifying Taint-Flow Queries with FluentTQL.” Empirical Software Engineering, vol. 27, no. 5, Springer, 2022, pp. 1–33.","apa":"Piskachev, G., Späth, J., Budde, I., & Bodden, E. (2022). Fluently specifying taint-flow queries with fluentTQL. Empirical Software Engineering, 27(5), 1–33.","ama":"Piskachev G, Späth J, Budde I, Bodden E. Fluently specifying taint-flow queries with fluentTQL. Empirical Software Engineering. 2022;27(5):1–33.","chicago":"Piskachev, Goran, Johannes Späth, Ingo Budde, and Eric Bodden. “Fluently Specifying Taint-Flow Queries with FluentTQL.” Empirical Software Engineering 27, no. 5 (2022): 1–33.","ieee":"G. Piskachev, J. Späth, I. Budde, and E. Bodden, “Fluently specifying taint-flow queries with fluentTQL,” Empirical Software Engineering, vol. 27, no. 5, pp. 1–33, 2022."},"year":"2022","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","_id":"33836","language":[{"iso":"eng"}],"publication":"Empirical Software Engineering","type":"journal_article","status":"public"},{"citation":{"ieee":"R. Krishnamurthy, G. Piskachev, and E. Bodden, “To what extent can we analyze Kotlin programs using existing Java taint analysis tools?” 2022.","chicago":"Krishnamurthy, Ranjith, Goran Piskachev, and Eric Bodden. “To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?” IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), 2022.","ama":"Krishnamurthy R, Piskachev G, Bodden E. To what extent can we analyze Kotlin programs using existing Java taint analysis tools? Published online 2022.","apa":"Krishnamurthy, R., Piskachev, G., & Bodden, E. (2022). To what extent can we analyze Kotlin programs using existing Java taint analysis tools?","bibtex":"@article{Krishnamurthy_Piskachev_Bodden_2022, series={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)}, title={To what extent can we analyze Kotlin programs using existing Java taint analysis tools?}, author={Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric}, year={2022}, collection={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)} }","mla":"Krishnamurthy, Ranjith, et al. To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools? 2022.","short":"R. Krishnamurthy, G. Piskachev, E. Bodden, (2022)."},"year":"2022","date_created":"2022-10-20T12:38:09Z","author":[{"orcid":"0000-0002-0906-5463","last_name":"Krishnamurthy","full_name":"Krishnamurthy, Ranjith","id":"78060","first_name":"Ranjith"},{"first_name":"Goran","id":"41936","full_name":"Piskachev, Goran","last_name":"Piskachev","orcid":"0000-0003-4424-5838"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric"}],"date_updated":"2022-10-20T12:38:32Z","title":"To what extent can we analyze Kotlin programs using existing Java taint analysis tools?","type":"conference","status":"public","department":[{"_id":"76"},{"_id":"662"}],"series_title":"IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)","user_id":"15249","_id":"33838","language":[{"iso":"eng"}]},{"status":"public","type":"conference","language":[{"iso":"eng"}],"department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","series_title":"IEEE Secure Development Conference (SecDev)","_id":"33837","citation":{"apa":"Piskachev, G., Dziwok, S., Koch, T., Merschjohann, S., & Bodden, E. (2022). How far are German companies in improving security through static program analysis tools?","bibtex":"@article{Piskachev_Dziwok_Koch_Merschjohann_Bodden_2022, series={IEEE Secure Development Conference (SecDev)}, title={How far are German companies in improving security through static program analysis tools?}, author={Piskachev, Goran and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}, year={2022}, collection={IEEE Secure Development Conference (SecDev)} }","short":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, E. Bodden, (2022).","mla":"Piskachev, Goran, et al. How Far Are German Companies in Improving Security through Static Program Analysis Tools? 2022.","ama":"Piskachev G, Dziwok S, Koch T, Merschjohann S, Bodden E. How far are German companies in improving security through static program analysis tools? Published online 2022.","chicago":"Piskachev, Goran, Stefan Dziwok, Thorsten Koch, Sven Merschjohann, and Eric Bodden. “How Far Are German Companies in Improving Security through Static Program Analysis Tools?” IEEE Secure Development Conference (SecDev), 2022.","ieee":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, and E. Bodden, “How far are German companies in improving security through static program analysis tools?” 2022."},"year":"2022","title":"How far are German companies in improving security through static program analysis tools?","author":[{"first_name":"Goran","orcid":"0000-0003-4424-5838","last_name":"Piskachev","full_name":"Piskachev, Goran","id":"41936"},{"first_name":"Stefan","orcid":"http://orcid.org/0000-0002-8679-6673","last_name":"Dziwok","full_name":"Dziwok, Stefan","id":"3901"},{"id":"13616","full_name":"Koch, Thorsten","last_name":"Koch","first_name":"Thorsten"},{"last_name":"Merschjohann","id":"11394","full_name":"Merschjohann, Sven","first_name":"Sven"},{"first_name":"Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256"}],"date_created":"2022-10-20T12:37:14Z","date_updated":"2022-10-20T12:37:44Z"},{"department":[{"_id":"76"}],"user_id":"32312","_id":"33959","language":[{"iso":"eng"}],"type":"misc","status":"public","abstract":[{"text":"Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.","lang":"eng"}],"author":[{"full_name":"Wickert, Anna-Katharina","last_name":"Wickert","first_name":"Anna-Katharina"},{"last_name":"Baumgärtner","full_name":"Baumgärtner, Lars","first_name":"Lars"},{"full_name":"Schlichtig, Michael","id":"32312","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","first_name":"Michael"},{"first_name":"Mira","last_name":"Mezini","full_name":"Mezini, Mira"}],"date_created":"2022-10-28T13:21:05Z","date_updated":"2022-10-28T13:26:39Z","doi":"10.48550/ARXIV.2209.11103","title":"To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild","related_material":{"link":[{"relation":"confirmation","url":"https://arxiv.org/abs/2209.11103"}]},"citation":{"short":"A.-K. Wickert, L. Baumgärtner, M. Schlichtig, M. Mezini, To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild, 2022.","mla":"Wickert, Anna-Katharina, et al. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild. 2022, doi:10.48550/ARXIV.2209.11103.","bibtex":"@book{Wickert_Baumgärtner_Schlichtig_Mezini_2022, title={To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild}, DOI={10.48550/ARXIV.2209.11103}, author={Wickert, Anna-Katharina and Baumgärtner, Lars and Schlichtig, Michael and Mezini, Mira}, year={2022} }","apa":"Wickert, A.-K., Baumgärtner, L., Schlichtig, M., & Mezini, M. (2022). To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild. https://doi.org/10.48550/ARXIV.2209.11103","ieee":"A.-K. Wickert, L. Baumgärtner, M. Schlichtig, and M. Mezini, To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild. 2022.","chicago":"Wickert, Anna-Katharina, Lars Baumgärtner, Michael Schlichtig, and Mira Mezini. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild, 2022. https://doi.org/10.48550/ARXIV.2209.11103.","ama":"Wickert A-K, Baumgärtner L, Schlichtig M, Mezini M. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild.; 2022. doi:10.48550/ARXIV.2209.11103"},"year":"2022"},{"date_updated":"2024-05-06T11:33:14Z","publisher":"Institute of Electrical and Electronics Engineers (IEEE)","author":[{"last_name":"Massacci","full_name":"Massacci, Fabio","first_name":"Fabio"},{"first_name":"Antonino","last_name":"Sabetta","full_name":"Sabetta, Antonino"},{"full_name":"Mirkovic, Jelena","last_name":"Mirkovic","first_name":"Jelena"},{"full_name":"Murray, Toby","last_name":"Murray","first_name":"Toby"},{"full_name":"Okhravi, Hamed","last_name":"Okhravi","first_name":"Hamed"},{"full_name":"Mannan, Mohammad","last_name":"Mannan","first_name":"Mohammad"},{"first_name":"Anderson","full_name":"Rocha, Anderson","last_name":"Rocha"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"},{"full_name":"Geer, Daniel E.","last_name":"Geer","first_name":"Daniel E."}],"date_created":"2024-05-06T11:32:59Z","volume":20,"title":"“Free” as in Freedom to Protest?","doi":"10.1109/msec.2022.3185845","publication_status":"published","publication_identifier":{"issn":["1540-7993","1558-4046"]},"issue":"5","year":"2022","citation":{"apa":"Massacci, F., Sabetta, A., Mirkovic, J., Murray, T., Okhravi, H., Mannan, M., Rocha, A., Bodden, E., & Geer, D. E. (2022). “Free” as in Freedom to Protest? IEEE Security & Privacy, 20(5), 16–21. https://doi.org/10.1109/msec.2022.3185845","bibtex":"@article{Massacci_Sabetta_Mirkovic_Murray_Okhravi_Mannan_Rocha_Bodden_Geer_2022, title={“Free” as in Freedom to Protest?}, volume={20}, DOI={10.1109/msec.2022.3185845}, number={5}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Massacci, Fabio and Sabetta, Antonino and Mirkovic, Jelena and Murray, Toby and Okhravi, Hamed and Mannan, Mohammad and Rocha, Anderson and Bodden, Eric and Geer, Daniel E.}, year={2022}, pages={16–21} }","mla":"Massacci, Fabio, et al. “‘Free’ as in Freedom to Protest?” IEEE Security & Privacy, vol. 20, no. 5, Institute of Electrical and Electronics Engineers (IEEE), 2022, pp. 16–21, doi:10.1109/msec.2022.3185845.","short":"F. Massacci, A. Sabetta, J. Mirkovic, T. Murray, H. Okhravi, M. Mannan, A. Rocha, E. Bodden, D.E. Geer, IEEE Security & Privacy 20 (2022) 16–21.","ieee":"F. Massacci et al., “‘Free’ as in Freedom to Protest?,” IEEE Security & Privacy, vol. 20, no. 5, pp. 16–21, 2022, doi: 10.1109/msec.2022.3185845.","chicago":"Massacci, Fabio, Antonino Sabetta, Jelena Mirkovic, Toby Murray, Hamed Okhravi, Mohammad Mannan, Anderson Rocha, Eric Bodden, and Daniel E. Geer. “‘Free’ as in Freedom to Protest?” IEEE Security & Privacy 20, no. 5 (2022): 16–21. https://doi.org/10.1109/msec.2022.3185845.","ama":"Massacci F, Sabetta A, Mirkovic J, et al. “Free” as in Freedom to Protest? IEEE Security & Privacy. 2022;20(5):16-21. doi:10.1109/msec.2022.3185845"},"page":"16-21","intvolume":" 20","_id":"53952","user_id":"15249","department":[{"_id":"76"}],"language":[{"iso":"eng"}],"type":"journal_article","publication":"IEEE Security & Privacy","status":"public"},{"_id":"30511","project":[{"_id":"12","name":"SFB 901 - B4: SFB 901 - Subproject B4"},{"_id":"3","name":"SFB 901 - B: SFB 901 - Project Area B"},{"name":"SFB 901: SFB 901","_id":"1"}],"department":[{"_id":"76"}],"user_id":"15249","article_number":"35","article_type":"original","alternative_title":["Revoking the preprocessor’s special role"],"type":"journal_article","status":"public","date_updated":"2025-12-04T10:42:38Z","oa":"1","volume":29,"author":[{"first_name":"Philipp","last_name":"Schubert","orcid":"0000-0002-8674-1859","full_name":"Schubert, Philipp","id":"60543"},{"first_name":"Paul","full_name":"Gazzillo, Paul","last_name":"Gazzillo"},{"first_name":"Zach","full_name":"Patterson, Zach","last_name":"Patterson"},{"first_name":"Julian","full_name":"Braha, Julian","last_name":"Braha"},{"first_name":"Fabian Benedikt","id":"55745","full_name":"Schiebel, Fabian Benedikt","last_name":"Schiebel","orcid":"0009-0008-6867-9802"},{"last_name":"Hermann","orcid":"0000-0001-9848-2017","id":"66173","full_name":"Hermann, Ben","first_name":"Ben"},{"first_name":"Shiyi","full_name":"Wei, Shiyi","last_name":"Wei"},{"full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"}],"doi":"10.1007/s10515-022-00333-1","main_file_link":[{"open_access":"1","url":"https://link.springer.com/article/10.1007/s10515-022-00333-1"}],"publication_identifier":{"issn":["0928-8910","1573-7535"]},"publication_status":"published","intvolume":" 29","citation":{"short":"P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F.B. Schiebel, B. Hermann, S. Wei, E. Bodden, Automated Software Engineering 29 (2022).","mla":"Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering, vol. 29, no. 1, 35, Springer Science and Business Media LLC, 2022, doi:10.1007/s10515-022-00333-1.","bibtex":"@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022, title={Static data-flow analysis for software product lines in C}, volume={29}, DOI={10.1007/s10515-022-00333-1}, number={135}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian Benedikt and Hermann, Ben and Wei, Shiyi and Bodden, Eric}, year={2022} }","apa":"Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F. B., Hermann, B., Wei, S., & Bodden, E. (2022). Static data-flow analysis for software product lines in C. Automated Software Engineering, 29(1), Article 35. https://doi.org/10.1007/s10515-022-00333-1","ama":"Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software product lines in C. Automated Software Engineering. 2022;29(1). doi:10.1007/s10515-022-00333-1","ieee":"P. Schubert et al., “Static data-flow analysis for software product lines in C,” Automated Software Engineering, vol. 29, no. 1, Art. no. 35, 2022, doi: 10.1007/s10515-022-00333-1.","chicago":"Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian Benedikt Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering 29, no. 1 (2022). https://doi.org/10.1007/s10515-022-00333-1."},"keyword":["inter-procedural static analysis","software product lines","preprocessor","LLVM","C/C++"],"language":[{"iso":"eng"}],"publication":"Automated Software Engineering","abstract":[{"lang":"eng","text":"AbstractMany critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer ’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems."}],"publisher":"Springer Science and Business Media LLC","date_created":"2022-03-25T07:41:26Z","title":"Static data-flow analysis for software product lines in C","issue":"1","year":"2022"},{"year":"2021","citation":{"ieee":"L. Luo et al., “TaintBench: Automatic real-world malware benchmarking of Android taint analyses,” Empirical Software Engineering, 2021, doi: 10.1007/s10664-021-10013-5.","chicago":"Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” Empirical Software Engineering, 2021. https://doi.org/10.1007/s10664-021-10013-5.","ama":"Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware benchmarking of Android taint analyses. Empirical Software Engineering. Published online 2021. doi:10.1007/s10664-021-10013-5","apa":"Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden, E., Hermann, B., & Massacci, F. (2021). TaintBench: Automatic real-world malware benchmarking of Android taint analyses. Empirical Software Engineering. https://doi.org/10.1007/s10664-021-10013-5","bibtex":"@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021, title={TaintBench: Automatic real-world malware benchmarking of Android taint analyses}, DOI={10.1007/s10664-021-10013-5}, journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }","short":"L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, F. Massacci, Empirical Software Engineering (2021).","mla":"Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” Empirical Software Engineering, 2021, doi:10.1007/s10664-021-10013-5."},"publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","title":"TaintBench: Automatic real-world malware benchmarking of Android taint analyses","doi":"10.1007/s10664-021-10013-5","main_file_link":[{"open_access":"1","url":"https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf"}],"date_updated":"2022-01-06T06:57:32Z","oa":"1","date_created":"2021-11-02T05:13:49Z","author":[{"first_name":"Linghui","last_name":"Luo","full_name":"Luo, Linghui"},{"first_name":"Felix","last_name":"Pauck","id":"22398","full_name":"Pauck, Felix"},{"id":"41936","full_name":"Piskachev, Goran","last_name":"Piskachev","orcid":"0000-0003-4424-5838","first_name":"Goran"},{"first_name":"Manuel","last_name":"Benz","full_name":"Benz, Manuel"},{"full_name":"Pashchenko, Ivan","last_name":"Pashchenko","first_name":"Ivan"},{"id":"65667","full_name":"Mory, Martin","orcid":"0000-0001-5609-0031","last_name":"Mory","first_name":"Martin"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647"},{"orcid":"0000-0001-9848-2017","last_name":"Hermann","id":"66173","full_name":"Hermann, Ben","first_name":"Ben"},{"first_name":"Fabio","full_name":"Massacci, Fabio","last_name":"Massacci"}],"abstract":[{"text":"Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.","lang":"eng"}],"status":"public","publication":"Empirical Software Engineering","type":"journal_article","ddc":["000"],"language":[{"iso":"eng"}],"_id":"27045","project":[{"_id":"1","name":"SFB 901"},{"name":"SFB 901 - Project Area B","_id":"3"},{"name":"SFB 901 - Subproject B4","_id":"12"}],"department":[{"_id":"77"},{"_id":"76"}],"user_id":"15249"},{"title":"Improving Real-World Applicability of Static Taint Analysis","publisher":"Universität Paderborn","date_updated":"2022-01-06T06:57:35Z","author":[{"last_name":"Luo","full_name":"Luo, Linghui","first_name":"Linghui"}],"date_created":"2021-11-04T13:58:35Z","year":"2021","citation":{"ama":"Luo L. Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn; 2021.","ieee":"L. Luo, Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","chicago":"Luo, Linghui. Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","bibtex":"@book{Luo_2021, title={Improving Real-World Applicability of Static Taint Analysis}, publisher={Universität Paderborn}, author={Luo, Linghui}, year={2021} }","mla":"Luo, Linghui. Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","short":"L. Luo, Improving Real-World Applicability of Static Taint Analysis, Universität Paderborn, 2021.","apa":"Luo, L. (2021). Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn."},"related_material":{"link":[{"relation":"confirmation","url":"https://www.bodden.de/pubs/phdLuo.pdf"}]},"language":[{"iso":"eng"}],"_id":"27158","department":[{"_id":"76"}],"user_id":"15249","status":"public","type":"dissertation"},{"status":"public","type":"journal_article","publication":"Journal of Automotive Software Engineering","language":[{"iso":"eng"}],"_id":"21595","user_id":"5786","department":[{"_id":"76"}],"year":"2021","citation":{"mla":"Stockmann, Lars, et al. “Using Architectural Runtime Verification for Offline Data Analysis.” Journal of Automotive Software Engineering, 2021, doi:10.2991/jase.d.210205.001.","bibtex":"@article{Stockmann_Laux_Bodden_2021, title={Using Architectural Runtime Verification for Offline Data Analysis}, DOI={10.2991/jase.d.210205.001}, journal={Journal of Automotive Software Engineering}, author={Stockmann, Lars and Laux, Sven and Bodden, Eric}, year={2021} }","short":"L. Stockmann, S. Laux, E. Bodden, Journal of Automotive Software Engineering (2021).","apa":"Stockmann, L., Laux, S., & Bodden, E. (2021). Using Architectural Runtime Verification for Offline Data Analysis. Journal of Automotive Software Engineering. https://doi.org/10.2991/jase.d.210205.001","chicago":"Stockmann, Lars, Sven Laux, and Eric Bodden. “Using Architectural Runtime Verification for Offline Data Analysis.” Journal of Automotive Software Engineering, 2021. https://doi.org/10.2991/jase.d.210205.001.","ieee":"L. Stockmann, S. Laux, and E. Bodden, “Using Architectural Runtime Verification for Offline Data Analysis,” Journal of Automotive Software Engineering, 2021, doi: 10.2991/jase.d.210205.001.","ama":"Stockmann L, Laux S, Bodden E. Using Architectural Runtime Verification for Offline Data Analysis. Journal of Automotive Software Engineering. Published online 2021. doi:10.2991/jase.d.210205.001"},"publication_status":"published","publication_identifier":{"issn":["2589-2258"]},"title":"Using Architectural Runtime Verification for Offline Data Analysis","main_file_link":[{"url":"https://www.bodden.de/pubs/sb21architectural.pdf"}],"doi":"10.2991/jase.d.210205.001","date_updated":"2022-01-06T06:55:06Z","date_created":"2021-04-08T11:21:32Z","author":[{"id":"48144","full_name":"Stockmann, Lars","last_name":"Stockmann","first_name":"Lars"},{"full_name":"Laux, Sven","last_name":"Laux","first_name":"Sven"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"}]},{"year":"2021","citation":{"ama":"Fischer A. Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn; 2021.","ieee":"A. Fischer, Computing on Encrypted Data using Trusted Execution Environments. Universität Paderborn, 2021.","chicago":"Fischer, Andreas. Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn, 2021.","apa":"Fischer, A. (2021). Computing on Encrypted Data using Trusted Execution Environments. Universität Paderborn.","mla":"Fischer, Andreas. Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn, 2021.","bibtex":"@book{Fischer_2021, title={Computing on Encrypted Data using Trusted Execution Environments}, publisher={Universität Paderborn}, author={Fischer, Andreas}, year={2021} }","short":"A. Fischer, Computing on Encrypted Data Using Trusted Execution Environments, Universität Paderborn, 2021."},"title":"Computing on Encrypted Data using Trusted Execution Environments","main_file_link":[{"url":"https://www.bodden.de/pubs/phdFischer.pdf"}],"publisher":"Universität Paderborn","date_updated":"2022-01-06T06:55:06Z","date_created":"2021-04-08T11:23:13Z","author":[{"full_name":"Fischer, Andreas","last_name":"Fischer","first_name":"Andreas"}],"status":"public","type":"dissertation","language":[{"iso":"eng"}],"_id":"21596","department":[{"_id":"76"}],"user_id":"5786"},{"date_updated":"2022-01-06T06:55:06Z","author":[{"first_name":"Philipp","full_name":"Holzinger, Philipp","last_name":"Holzinger"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"date_created":"2021-04-08T11:24:06Z","title":"A Systematic Hardening of Java's Information Hiding","main_file_link":[{"url":"https://www.bodden.de/pubs/hb21systematic.pdf"}],"year":"2021","citation":{"chicago":"Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s Information Hiding.” International Symposium on Advanced Security on Software and Systems (ASSS), 2021.","ieee":"P. Holzinger and E. Bodden, “A Systematic Hardening of Java’s Information Hiding,” International Symposium on Advanced Security on Software and Systems (ASSS), 2021.","ama":"Holzinger P, Bodden E. A Systematic Hardening of Java’s Information Hiding. International Symposium on Advanced Security on Software and Systems (ASSS). Published online 2021.","apa":"Holzinger, P., & Bodden, E. (2021). A Systematic Hardening of Java’s Information Hiding. International Symposium on Advanced Security on Software and Systems (ASSS).","mla":"Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s Information Hiding.” International Symposium on Advanced Security on Software and Systems (ASSS), 2021.","short":"P. Holzinger, E. Bodden, International Symposium on Advanced Security on Software and Systems (ASSS) (2021).","bibtex":"@article{Holzinger_Bodden_2021, title={A Systematic Hardening of Java’s Information Hiding}, journal={International Symposium on Advanced Security on Software and Systems (ASSS)}, author={Holzinger, Philipp and Bodden, Eric}, year={2021} }"},"_id":"21597","department":[{"_id":"76"}],"user_id":"5786","language":[{"iso":"eng"}],"publication":"International Symposium on Advanced Security on Software and Systems (ASSS)","type":"journal_article","status":"public"},{"title":"Dealing with Variability in API Misuse Specification","date_created":"2021-04-08T11:25:43Z","author":[{"last_name":"Bonifacio","full_name":"Bonifacio, Rodrigo","first_name":"Rodrigo"},{"first_name":"Stefan","last_name":"Krüger","full_name":"Krüger, Stefan"},{"full_name":"Narasimhan, Krishna","last_name":"Narasimhan","first_name":"Krishna"},{"last_name":"Bodden","orcid":"0000-0003-3470-3647","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"},{"full_name":"Mezini, Mira","last_name":"Mezini","first_name":"Mira"}],"date_updated":"2022-01-06T06:55:06Z","citation":{"ama":"Bonifacio R, Krüger S, Narasimhan K, Bodden E, Mezini M. Dealing with Variability in API Misuse Specification. European Conference on Object-Oriented Programming (ECOOP). Published online 2021.","ieee":"R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, and M. Mezini, “Dealing with Variability in API Misuse Specification,” European Conference on Object-Oriented Programming (ECOOP), 2021.","chicago":"Bonifacio, Rodrigo, Stefan Krüger, Krishna Narasimhan, Eric Bodden, and Mira Mezini. “Dealing with Variability in API Misuse Specification.” European Conference on Object-Oriented Programming (ECOOP), 2021.","short":"R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, M. Mezini, European Conference on Object-Oriented Programming (ECOOP) (2021).","bibtex":"@article{Bonifacio_Krüger_Narasimhan_Bodden_Mezini_2021, title={Dealing with Variability in API Misuse Specification}, journal={European Conference on Object-Oriented Programming (ECOOP)}, author={Bonifacio, Rodrigo and Krüger, Stefan and Narasimhan, Krishna and Bodden, Eric and Mezini, Mira}, year={2021} }","mla":"Bonifacio, Rodrigo, et al. “Dealing with Variability in API Misuse Specification.” European Conference on Object-Oriented Programming (ECOOP), 2021.","apa":"Bonifacio, R., Krüger, S., Narasimhan, K., Bodden, E., & Mezini, M. (2021). Dealing with Variability in API Misuse Specification. European Conference on Object-Oriented Programming (ECOOP)."},"year":"2021","language":[{"iso":"eng"}],"department":[{"_id":"76"}],"user_id":"5786","_id":"21599","status":"public","publication":"European Conference on Object-Oriented Programming (ECOOP)","type":"journal_article"},{"doi":"10.1109/iccq51190.2021.9392986","title":"Qualitative and Quantitative Analysis of Callgraph Algorithms for Python","author":[{"first_name":"Sriteja","full_name":"Kummita, Sriteja","last_name":"Kummita"},{"first_name":"Goran","full_name":"Piskachev, Goran","last_name":"Piskachev"},{"last_name":"Spath","full_name":"Spath, Johannes","first_name":"Johannes"},{"last_name":"Bodden","full_name":"Bodden, Eric","first_name":"Eric"}],"date_created":"2021-08-09T12:01:11Z","date_updated":"2022-01-06T06:55:50Z","citation":{"apa":"Kummita, S., Piskachev, G., Spath, J., & Bodden, E. (2021). Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. 2021 International Conference on Code Quality (ICCQ). https://doi.org/10.1109/iccq51190.2021.9392986","bibtex":"@inproceedings{Kummita_Piskachev_Spath_Bodden_2021, title={Qualitative and Quantitative Analysis of Callgraph Algorithms for Python}, DOI={10.1109/iccq51190.2021.9392986}, booktitle={2021 International Conference on Code Quality (ICCQ)}, author={Kummita, Sriteja and Piskachev, Goran and Spath, Johannes and Bodden, Eric}, year={2021} }","mla":"Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python.” 2021 International Conference on Code Quality (ICCQ), 2021, doi:10.1109/iccq51190.2021.9392986.","short":"S. Kummita, G. Piskachev, J. Spath, E. Bodden, in: 2021 International Conference on Code Quality (ICCQ), 2021.","chicago":"Kummita, Sriteja, Goran Piskachev, Johannes Spath, and Eric Bodden. “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python.” In 2021 International Conference on Code Quality (ICCQ), 2021. https://doi.org/10.1109/iccq51190.2021.9392986.","ieee":"S. Kummita, G. Piskachev, J. Spath, and E. Bodden, “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python,” 2021, doi: 10.1109/iccq51190.2021.9392986.","ama":"Kummita S, Piskachev G, Spath J, Bodden E. Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. In: 2021 International Conference on Code Quality (ICCQ). ; 2021. doi:10.1109/iccq51190.2021.9392986"},"year":"2021","publication_status":"published","language":[{"iso":"eng"}],"user_id":"5786","department":[{"_id":"241"},{"_id":"662"},{"_id":"76"}],"_id":"23374","status":"public","type":"conference","publication":"2021 International Conference on Code Quality (ICCQ)"},{"citation":{"apa":"Karakaya, K., & Bodden, E. (2021). SootFX: A Static Code Feature Extraction Tool for Java and Android. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). https://doi.org/10.1109/scam52516.2021.00030","bibtex":"@inproceedings{Karakaya_Bodden_2021, title={SootFX: A Static Code Feature Extraction Tool for Java and Android}, DOI={10.1109/scam52516.2021.00030}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2021} }","short":"K. Karakaya, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, 2021.","mla":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, 2021, doi:10.1109/scam52516.2021.00030.","chicago":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE, 2021. https://doi.org/10.1109/scam52516.2021.00030.","ieee":"K. Karakaya and E. Bodden, “SootFX: A Static Code Feature Extraction Tool for Java and Android,” 2021, doi: 10.1109/scam52516.2021.00030.","ama":"Karakaya K, Bodden E. SootFX: A Static Code Feature Extraction Tool for Java and Android. In: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE; 2021. doi:10.1109/scam52516.2021.00030"},"year":"2021","publication_status":"published","doi":"10.1109/scam52516.2021.00030","title":"SootFX: A Static Code Feature Extraction Tool for Java and Android","date_created":"2022-02-24T15:44:42Z","author":[{"first_name":"Kadiray","full_name":"Karakaya, Kadiray","last_name":"Karakaya"},{"full_name":"Bodden, Eric","last_name":"Bodden","first_name":"Eric"}],"date_updated":"2022-02-24T15:45:43Z","publisher":"IEEE","status":"public","publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","type":"conference","department":[{"_id":"76"}],"user_id":"70410","_id":"30084"},{"citation":{"bibtex":"@inproceedings{Schubert_Hermann_Bodden_2021, title={Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis}, booktitle={European Conference on Object-Oriented Programming (ECOOP)}, author={Schubert, Philipp and Hermann, Ben and Bodden, Eric}, year={2021} }","mla":"Schubert, Philipp, et al. “Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis.” European Conference on Object-Oriented Programming (ECOOP), 2021.","short":"P. Schubert, B. Hermann, E. Bodden, in: European Conference on Object-Oriented Programming (ECOOP), 2021.","apa":"Schubert, P., Hermann, B., & Bodden, E. (2021). Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis. European Conference on Object-Oriented Programming (ECOOP).","ama":"Schubert P, Hermann B, Bodden E. Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis. In: European Conference on Object-Oriented Programming (ECOOP). ; 2021.","ieee":"P. Schubert, B. Hermann, and E. Bodden, “Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis,” 2021.","chicago":"Schubert, Philipp, Ben Hermann, and Eric Bodden. “Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis.” In European Conference on Object-Oriented Programming (ECOOP), 2021."},"year":"2021","main_file_link":[{"open_access":"1","url":"https://drops.dagstuhl.de/opus/volltexte/2021/14045/"}],"title":"Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis","author":[{"id":"60543","full_name":"Schubert, Philipp","orcid":"0000-0002-8674-1859","last_name":"Schubert","first_name":"Philipp"},{"last_name":"Hermann","orcid":"0000-0001-9848-2017","id":"66173","full_name":"Hermann, Ben","first_name":"Ben"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"date_created":"2021-04-08T11:24:59Z","oa":"1","date_updated":"2022-03-25T07:49:35Z","status":"public","abstract":[{"text":"Static analysis is used to automatically detect bugs and security breaches, and aids compileroptimization. Whole-program analysis (WPA) can yield high precision, however causes long analysistimes and thus does not match common software-development workflows, making it often impracticalto use for large, real-world applications.This paper thus presents the design and implementation ofModAlyzer, a novel static-analysisapproach that aims at accelerating whole-program analysis by making the analysis modular andcompositional. It shows how to computelossless, persisted summaries for callgraph, points-to anddata-flow information, and it reports under which circumstances this function-level compositionalanalysis outperforms WPA.We implementedModAlyzeras an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. At analysis time,ModAlyzermodularly and losslessly summarizesthe analysis effect of the library code those applications share, hence avoiding its repeated re-analysis.The experimental results show that the reuse of these summaries can save, on average, 72% ofanalysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retainsprecision and recall. Surprisingly, as our results show, it sometimes even yields precision superior toWPA. The initial summary generation, on average, takes about 3.67 times as long as WPA.","lang":"eng"}],"type":"conference","publication":"European Conference on Object-Oriented Programming (ECOOP)","language":[{"iso":"eng"}],"user_id":"60543","department":[{"_id":"76"}],"project":[{"name":"SFB 901 - Project Area B","_id":"3"},{"_id":"12","name":"SFB 901 - Subproject B4"},{"name":"SFB 901","_id":"1"}],"_id":"21598"}]