---
_id: '53942'
abstract:
- lang: eng
  text: Since its inception two decades ago, Soot has become one of the most widely
    used open-source static analysis frameworks. Over time it has been extended with
    the contributions of countless researchers. Yet, at the same time, the requirements
    for Soot have changed over the years and become increasingly at odds with some
    of the major design decisions that underlie it. In this work, we thus present
    SootUp, a complete reimplementation of Soot that seeks to fulfill these requirements
    with a novel design, while at the same time keeping elements that Soot users have
    grown accustomed to.
author:
- first_name: Kadiray
  full_name: Karakaya, Kadiray
  id: '70410'
  last_name: Karakaya
  orcid: https://orcid.org/0000-0001-9266-2084
- first_name: Stefan
  full_name: Schott, Stefan
  id: '54847'
  last_name: Schott
- first_name: Jonas
  full_name: Klauke, Jonas
  id: '40915'
  last_name: Klauke
  orcid: 0000-0001-9160-9636
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Markus
  full_name: Schmidt, Markus
  last_name: Schmidt
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Dongjie
  full_name: He, Dongjie
  last_name: He
citation:
  ama: 'Karakaya K, Schott S, Klauke J, et al. SootUp: A Redesign of the Soot Static
    Analysis Framework. In: <i>Tools and Algorithms for the Construction and Analysis
    of Systems</i>. Springer Nature Switzerland; 2024. doi:<a href="https://doi.org/10.1007/978-3-031-57246-3_13">10.1007/978-3-031-57246-3_13</a>'
  apa: 'Karakaya, K., Schott, S., Klauke, J., Bodden, E., Schmidt, M., Luo, L., &#38;
    He, D. (2024). SootUp: A Redesign of the Soot Static Analysis Framework. In <i>Tools
    and Algorithms for the Construction and Analysis of Systems</i>. Springer Nature
    Switzerland. <a href="https://doi.org/10.1007/978-3-031-57246-3_13">https://doi.org/10.1007/978-3-031-57246-3_13</a>'
  bibtex: '@inbook{Karakaya_Schott_Klauke_Bodden_Schmidt_Luo_He_2024, place={Cham},
    title={SootUp: A Redesign of the Soot Static Analysis Framework}, DOI={<a href="https://doi.org/10.1007/978-3-031-57246-3_13">10.1007/978-3-031-57246-3_13</a>},
    booktitle={Tools and Algorithms for the Construction and Analysis of Systems},
    publisher={Springer Nature Switzerland}, author={Karakaya, Kadiray and Schott,
    Stefan and Klauke, Jonas and Bodden, Eric and Schmidt, Markus and Luo, Linghui
    and He, Dongjie}, year={2024} }'
  chicago: 'Karakaya, Kadiray, Stefan Schott, Jonas Klauke, Eric Bodden, Markus Schmidt,
    Linghui Luo, and Dongjie He. “SootUp: A Redesign of the Soot Static Analysis Framework.”
    In <i>Tools and Algorithms for the Construction and Analysis of Systems</i>. Cham:
    Springer Nature Switzerland, 2024. <a href="https://doi.org/10.1007/978-3-031-57246-3_13">https://doi.org/10.1007/978-3-031-57246-3_13</a>.'
  ieee: 'K. Karakaya <i>et al.</i>, “SootUp: A Redesign of the Soot Static Analysis
    Framework,” in <i>Tools and Algorithms for the Construction and Analysis of Systems</i>,
    Cham: Springer Nature Switzerland, 2024.'
  mla: 'Karakaya, Kadiray, et al. “SootUp: A Redesign of the Soot Static Analysis
    Framework.” <i>Tools and Algorithms for the Construction and Analysis of Systems</i>,
    Springer Nature Switzerland, 2024, doi:<a href="https://doi.org/10.1007/978-3-031-57246-3_13">10.1007/978-3-031-57246-3_13</a>.'
  short: 'K. Karakaya, S. Schott, J. Klauke, E. Bodden, M. Schmidt, L. Luo, D. He,
    in: Tools and Algorithms for the Construction and Analysis of Systems, Springer
    Nature Switzerland, Cham, 2024.'
date_created: 2024-05-06T11:29:36Z
date_updated: 2025-11-11T14:26:52Z
department:
- _id: '76'
doi: 10.1007/978-3-031-57246-3_13
language:
- iso: eng
place: Cham
project:
- _id: '107'
  name: 'Reaktor: SFB 901 - Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor) (Transferproject T3)'
- _id: '668'
  name: 'HEKTOR: Automatisierte Risikoanalyse unter Berücksichtigung von Open-Source-Abhängigkeiten'
- _id: '1'
  name: 'SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in
    dynamischen Märkten'
- _id: '82'
  name: 'SFB 901; Projektbereich T: Transferprojekte des Sonderforschungsbereichs'
- _id: '107'
  name: 'SFB 901; TP T3: Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor)'
publication: Tools and Algorithms for the Construction and Analysis of Systems
publication_identifier:
  isbn:
  - '9783031572456'
  - '9783031572463'
  issn:
  - 0302-9743
  - 1611-3349
publication_status: published
publisher: Springer Nature Switzerland
status: public
title: 'SootUp: A Redesign of the Soot Static Analysis Framework'
type: book_chapter
user_id: '477'
year: '2024'
...
---
_id: '57550'
author:
- first_name: Stefan
  full_name: Schott, Stefan
  id: '54847'
  last_name: Schott
- first_name: Serena Elisa
  full_name: Ponta, Serena Elisa
  last_name: Ponta
- first_name: Wolfram
  full_name: Fischer, Wolfram
  last_name: Fischer
- first_name: Jonas
  full_name: Klauke, Jonas
  id: '40915'
  last_name: Klauke
  orcid: 0000-0001-9160-9636
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schott S, Ponta SE, Fischer W, Klauke J, Bodden E. Java Bytecode Normalization
    for Code Similarity Analysis. In: <i>38th European Conference on Object-Oriented
    Programming (ECOOP 2024)</i>. ; 2024. doi:<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">10.4230/LIPIcs.ECOOP.2024.37</a>'
  apa: Schott, S., Ponta, S. E., Fischer, W., Klauke, J., &#38; Bodden, E. (2024).
    Java Bytecode Normalization for Code Similarity Analysis. <i>38th European Conference
    on Object-Oriented Programming (ECOOP 2024)</i>. 38th European Conference on Object-Oriented
    Programming (ECOOP 2024), Vienna. <a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">https://doi.org/10.4230/LIPIcs.ECOOP.2024.37</a>
  bibtex: '@inproceedings{Schott_Ponta_Fischer_Klauke_Bodden_2024, title={Java Bytecode
    Normalization for Code Similarity Analysis}, DOI={<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">10.4230/LIPIcs.ECOOP.2024.37</a>},
    booktitle={38th European Conference on Object-Oriented Programming (ECOOP 2024)},
    author={Schott, Stefan and Ponta, Serena Elisa and Fischer, Wolfram and Klauke,
    Jonas and Bodden, Eric}, year={2024} }'
  chicago: Schott, Stefan, Serena Elisa Ponta, Wolfram Fischer, Jonas Klauke, and
    Eric Bodden. “Java Bytecode Normalization for Code Similarity Analysis.” In <i>38th
    European Conference on Object-Oriented Programming (ECOOP 2024)</i>, 2024. <a
    href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">https://doi.org/10.4230/LIPIcs.ECOOP.2024.37</a>.
  ieee: 'S. Schott, S. E. Ponta, W. Fischer, J. Klauke, and E. Bodden, “Java Bytecode
    Normalization for Code Similarity Analysis,” presented at the 38th European Conference
    on Object-Oriented Programming (ECOOP 2024), Vienna, 2024, doi: <a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">10.4230/LIPIcs.ECOOP.2024.37</a>.'
  mla: Schott, Stefan, et al. “Java Bytecode Normalization for Code Similarity Analysis.”
    <i>38th European Conference on Object-Oriented Programming (ECOOP 2024)</i>, 2024,
    doi:<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.37">10.4230/LIPIcs.ECOOP.2024.37</a>.
  short: 'S. Schott, S.E. Ponta, W. Fischer, J. Klauke, E. Bodden, in: 38th European
    Conference on Object-Oriented Programming (ECOOP 2024), 2024.'
conference:
  location: Vienna
  name: 38th European Conference on Object-Oriented Programming (ECOOP 2024)
date_created: 2024-12-03T08:15:07Z
date_updated: 2025-11-11T14:29:43Z
department:
- _id: '76'
doi: 10.4230/LIPIcs.ECOOP.2024.37
language:
- iso: eng
project:
- _id: '668'
  name: 'HEKTOR: Automatisierte Risikoanalyse unter Berücksichtigung von Open-Source-Abhängigkeiten'
- _id: '107'
  name: 'Reaktor: SFB 901 - Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor) (Transferproject T3)'
- _id: '1'
  name: 'SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in
    dynamischen Märkten'
- _id: '82'
  name: 'SFB 901; Projektbereich T: Transferprojekte des Sonderforschungsbereichs'
- _id: '107'
  name: 'SFB 901; TP T3: Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor)'
publication: 38th European Conference on Object-Oriented Programming (ECOOP 2024)
status: public
title: Java Bytecode Normalization for Code Similarity Analysis
type: conference
user_id: '477'
year: '2024'
...
---
_id: '58716'
author:
- first_name: Stefan
  full_name: Schott, Stefan
  id: '54847'
  last_name: Schott
- first_name: Wolfram
  full_name: Fischer, Wolfram
  last_name: Fischer
- first_name: Serena Elisa
  full_name: Ponta, Serena Elisa
  last_name: Ponta
- first_name: Jonas
  full_name: Klauke, Jonas
  id: '40915'
  last_name: Klauke
  orcid: 0000-0001-9160-9636
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schott S, Fischer W, Ponta SE, Klauke J, Bodden E. Compilation of Commit Changes
    Within Java Source Code Repositories. In: <i>2024 IEEE International Conference
    on Software Maintenance and Evolution (ICSME)</i>. IEEE; 2024. doi:<a href="https://doi.org/10.1109/icsme58944.2024.00038">10.1109/icsme58944.2024.00038</a>'
  apa: Schott, S., Fischer, W., Ponta, S. E., Klauke, J., &#38; Bodden, E. (2024).
    Compilation of Commit Changes Within Java Source Code Repositories. <i>2024 IEEE
    International Conference on Software Maintenance and Evolution (ICSME)</i>. <a
    href="https://doi.org/10.1109/icsme58944.2024.00038">https://doi.org/10.1109/icsme58944.2024.00038</a>
  bibtex: '@inproceedings{Schott_Fischer_Ponta_Klauke_Bodden_2024, title={Compilation
    of Commit Changes Within Java Source Code Repositories}, DOI={<a href="https://doi.org/10.1109/icsme58944.2024.00038">10.1109/icsme58944.2024.00038</a>},
    booktitle={2024 IEEE International Conference on Software Maintenance and Evolution
    (ICSME)}, publisher={IEEE}, author={Schott, Stefan and Fischer, Wolfram and Ponta,
    Serena Elisa and Klauke, Jonas and Bodden, Eric}, year={2024} }'
  chicago: Schott, Stefan, Wolfram Fischer, Serena Elisa Ponta, Jonas Klauke, and
    Eric Bodden. “Compilation of Commit Changes Within Java Source Code Repositories.”
    In <i>2024 IEEE International Conference on Software Maintenance and Evolution
    (ICSME)</i>. IEEE, 2024. <a href="https://doi.org/10.1109/icsme58944.2024.00038">https://doi.org/10.1109/icsme58944.2024.00038</a>.
  ieee: 'S. Schott, W. Fischer, S. E. Ponta, J. Klauke, and E. Bodden, “Compilation
    of Commit Changes Within Java Source Code Repositories,” 2024, doi: <a href="https://doi.org/10.1109/icsme58944.2024.00038">10.1109/icsme58944.2024.00038</a>.'
  mla: Schott, Stefan, et al. “Compilation of Commit Changes Within Java Source Code
    Repositories.” <i>2024 IEEE International Conference on Software Maintenance and
    Evolution (ICSME)</i>, IEEE, 2024, doi:<a href="https://doi.org/10.1109/icsme58944.2024.00038">10.1109/icsme58944.2024.00038</a>.
  short: 'S. Schott, W. Fischer, S.E. Ponta, J. Klauke, E. Bodden, in: 2024 IEEE International
    Conference on Software Maintenance and Evolution (ICSME), IEEE, 2024.'
date_created: 2025-02-19T15:47:18Z
date_updated: 2025-11-11T15:01:44Z
department:
- _id: '76'
doi: 10.1109/icsme58944.2024.00038
language:
- iso: eng
project:
- _id: '1072'
  name: 'SFB 901; TP T5: Zuverlässige und automatisierte codebasierte Analyse von
    Open-Source-Abhängigkeiten (Reaktor)'
publication: 2024 IEEE International Conference on Software Maintenance and Evolution
  (ICSME)
publication_status: published
publisher: IEEE
status: public
title: Compilation of Commit Changes Within Java Source Code Repositories
type: conference
user_id: '54847'
year: '2024'
...
---
_id: '56863'
author:
- first_name: Fabian Benedikt
  full_name: Schiebel, Fabian Benedikt
  id: '55745'
  last_name: Schiebel
  orcid: 0009-0008-6867-9802
- first_name: Florian
  full_name: Sattler, Florian
  last_name: Sattler
- first_name: Philipp Dominik
  full_name: Schubert, Philipp Dominik
  last_name: Schubert
- first_name: Sven
  full_name: Apel, Sven
  last_name: Apel
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schiebel FB, Sattler F, Schubert PD, Apel S, Bodden E. Scaling Interprocedural
    Static Data-Flow Analysis to Large C/C++ Applications: An Experience Report. In:
    Aldrich J, Salvaneschi G, eds. <i>38th European Conference on Object-Oriented
    Programming (ECOOP 2024)</i>. Vol 313. Leibniz International Proceedings in Informatics
    (LIPIcs). Schloss Dagstuhl – Leibniz-Zentrum für Informatik; 2024:36:1–36:28.
    doi:<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">10.4230/LIPIcs.ECOOP.2024.36</a>'
  apa: 'Schiebel, F. B., Sattler, F., Schubert, P. D., Apel, S., &#38; Bodden, E.
    (2024). Scaling Interprocedural Static Data-Flow Analysis to Large C/C++ Applications:
    An Experience Report. In J. Aldrich &#38; G. Salvaneschi (Eds.), <i>38th European
    Conference on Object-Oriented Programming (ECOOP 2024)</i> (Vol. 313, p. 36:1–36:28).
    Schloss Dagstuhl – Leibniz-Zentrum für Informatik. <a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">https://doi.org/10.4230/LIPIcs.ECOOP.2024.36</a>'
  bibtex: '@inproceedings{Schiebel_Sattler_Schubert_Apel_Bodden_2024, place={Dagstuhl,
    Germany}, series={Leibniz International Proceedings in Informatics (LIPIcs)},
    title={Scaling Interprocedural Static Data-Flow Analysis to Large C/C++ Applications:
    An Experience Report}, volume={313}, DOI={<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">10.4230/LIPIcs.ECOOP.2024.36</a>},
    booktitle={38th European Conference on Object-Oriented Programming (ECOOP 2024)},
    publisher={Schloss Dagstuhl – Leibniz-Zentrum für Informatik}, author={Schiebel,
    Fabian Benedikt and Sattler, Florian and Schubert, Philipp Dominik and Apel, Sven
    and Bodden, Eric}, editor={Aldrich, Jonathan and Salvaneschi, Guido}, year={2024},
    pages={36:1–36:28}, collection={Leibniz International Proceedings in Informatics
    (LIPIcs)} }'
  chicago: 'Schiebel, Fabian Benedikt, Florian Sattler, Philipp Dominik Schubert,
    Sven Apel, and Eric Bodden. “Scaling Interprocedural Static Data-Flow Analysis
    to Large C/C++ Applications: An Experience Report.” In <i>38th European Conference
    on Object-Oriented Programming (ECOOP 2024)</i>, edited by Jonathan Aldrich and
    Guido Salvaneschi, 313:36:1–36:28. Leibniz International Proceedings in Informatics
    (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik,
    2024. <a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">https://doi.org/10.4230/LIPIcs.ECOOP.2024.36</a>.'
  ieee: 'F. B. Schiebel, F. Sattler, P. D. Schubert, S. Apel, and E. Bodden, “Scaling
    Interprocedural Static Data-Flow Analysis to Large C/C++ Applications: An Experience
    Report,” in <i>38th European Conference on Object-Oriented Programming (ECOOP
    2024)</i>, 2024, vol. 313, p. 36:1–36:28, doi: <a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">10.4230/LIPIcs.ECOOP.2024.36</a>.'
  mla: 'Schiebel, Fabian Benedikt, et al. “Scaling Interprocedural Static Data-Flow
    Analysis to Large C/C++ Applications: An Experience Report.” <i>38th European
    Conference on Object-Oriented Programming (ECOOP 2024)</i>, edited by Jonathan
    Aldrich and Guido Salvaneschi, vol. 313, Schloss Dagstuhl – Leibniz-Zentrum für
    Informatik, 2024, p. 36:1–36:28, doi:<a href="https://doi.org/10.4230/LIPIcs.ECOOP.2024.36">10.4230/LIPIcs.ECOOP.2024.36</a>.'
  short: 'F.B. Schiebel, F. Sattler, P.D. Schubert, S. Apel, E. Bodden, in: J. Aldrich,
    G. Salvaneschi (Eds.), 38th European Conference on Object-Oriented Programming
    (ECOOP 2024), Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl, Germany,
    2024, p. 36:1–36:28.'
date_created: 2024-11-04T13:37:23Z
date_updated: 2025-12-04T10:41:59Z
department:
- _id: '76'
- _id: '662'
doi: 10.4230/LIPIcs.ECOOP.2024.36
editor:
- first_name: Jonathan
  full_name: Aldrich, Jonathan
  last_name: Aldrich
- first_name: Guido
  full_name: Salvaneschi, Guido
  last_name: Salvaneschi
intvolume: '       313'
language:
- iso: eng
page: 36:1–36:28
place: Dagstuhl, Germany
publication: 38th European Conference on Object-Oriented Programming (ECOOP 2024)
publication_identifier:
  isbn:
  - 978-3-95977-341-6
  issn:
  - 1868-8969
publisher: Schloss Dagstuhl – Leibniz-Zentrum für Informatik
series_title: Leibniz International Proceedings in Informatics (LIPIcs)
status: public
title: 'Scaling Interprocedural Static Data-Flow Analysis to Large C/C++ Applications:
  An Experience Report'
type: conference
user_id: '15249'
volume: 313
year: '2024'
...
---
_id: '56140'
abstract:
- lang: eng
  text: "Android apps collecting data from users must comply with legal frameworks
    to ensure data protection. This requirement has become even more important since
    the implementation of the General Data Protection Regulation (GDPR) by the European
    Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon,
    stakeholders will soon need to assess software against even more stringent security
    and privacy standards. Effective privacy assessments require collaboration among
    groups with diverse expertise to function effectively as a cohesive unit.\nThis
    paper motivates the need for an automated approach that enhances understanding
    of data protection in Android apps and improves communication between the various
    parties involved in privacy assessments. We propose the Assessor View, a tool
    designed to bridge the knowledge gap between these parties, facilitating more
    effective privacy assessments of Android applications."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Schlichtig M, Bodden E. Advancing Android Privacy Assessments with
    Automation. In: <i>In Proceedings of the 39th IEEE/ACM International Conference
    on Automated Software Engineering Workshops (ASEW ’24)</i>. ; 2024. doi:<a href="https://doi.org/10.1145/3691621.3694953">10.1145/3691621.3694953</a>'
  apa: Khedkar, M., Schlichtig, M., &#38; Bodden, E. (2024). Advancing Android Privacy
    Assessments with Automation. <i>In Proceedings of the 39th IEEE/ACM International
    Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. 39th IEEE/ACM
    International Conference on Automated Software Engineering (ASE 2024), Sacramento,
    California. <a href="https://doi.org/10.1145/3691621.3694953">https://doi.org/10.1145/3691621.3694953</a>
  bibtex: '@inproceedings{Khedkar_Schlichtig_Bodden_2024, title={Advancing Android
    Privacy Assessments with Automation}, DOI={<a href="https://doi.org/10.1145/3691621.3694953">10.1145/3691621.3694953</a>},
    booktitle={In Proceedings of the 39th IEEE/ACM International Conference on Automated
    Software Engineering Workshops (ASEW ’24)}, author={Khedkar, Mugdha and Schlichtig,
    Michael and Bodden, Eric}, year={2024} }'
  chicago: Khedkar, Mugdha, Michael Schlichtig, and Eric Bodden. “Advancing Android
    Privacy Assessments with Automation.” In <i>In Proceedings of the 39th IEEE/ACM
    International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>,
    2024. <a href="https://doi.org/10.1145/3691621.3694953">https://doi.org/10.1145/3691621.3694953</a>.
  ieee: 'M. Khedkar, M. Schlichtig, and E. Bodden, “Advancing Android Privacy Assessments
    with Automation,” presented at the 39th IEEE/ACM International Conference on Automated
    Software Engineering (ASE 2024), Sacramento, California, 2024, doi: <a href="https://doi.org/10.1145/3691621.3694953">10.1145/3691621.3694953</a>.'
  mla: Khedkar, Mugdha, et al. “Advancing Android Privacy Assessments with Automation.”
    <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software
    Engineering Workshops (ASEW ’24)</i>, 2024, doi:<a href="https://doi.org/10.1145/3691621.3694953">10.1145/3691621.3694953</a>.
  short: 'M. Khedkar, M. Schlichtig, E. Bodden, in: In Proceedings of the 39th IEEE/ACM
    International Conference on Automated Software Engineering Workshops (ASEW ’24),
    2024.'
conference:
  end_date: 2024-11-01
  location: Sacramento, California
  name: 39th IEEE/ACM International Conference on Automated Software Engineering (ASE
    2024)
  start_date: 2024-10-27
date_created: 2024-09-16T08:55:34Z
date_updated: 2026-03-13T12:12:45Z
ddc:
- '000'
department:
- _id: '76'
doi: 10.1145/3691621.3694953
external_id:
  arxiv:
  - '2409.06564'
file:
- access_level: closed
  content_type: application/pdf
  creator: khedkarm
  date_created: 2024-09-16T08:55:23Z
  date_updated: 2024-09-16T08:55:23Z
  file_id: '56141'
  file_name: 2409.06564v1.pdf
  file_size: 1207856
  relation: main_file
  success: 1
file_date_updated: 2024-09-16T08:55:23Z
has_accepted_license: '1'
language:
- iso: eng
publication: In Proceedings of the 39th IEEE/ACM International Conference on Automated
  Software Engineering Workshops (ASEW ’24)
status: public
title: Advancing Android Privacy Assessments with Automation
type: conference
user_id: '32312'
year: '2024'
...
---
_id: '52587'
author:
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Jens
  full_name: Pottebaum, Jens
  id: '405'
  last_name: Pottebaum
  orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Markus
  full_name: Fockel, Markus
  id: '8472'
  last_name: Fockel
  orcid: 0000-0002-1269-0702
- first_name: Iris
  full_name: Gräßler, Iris
  id: '47565'
  last_name: Gräßler
  orcid: 0000-0001-5765-971X
citation:
  ama: Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation
    and Defense in Depth. <i>IEEE Security &#38; Privacy</i>. 2024;22(1):69-72. doi:<a
    href="https://doi.org/10.1109/msec.2023.3336028">10.1109/msec.2023.3336028</a>
  apa: Bodden, E., Pottebaum, J., Fockel, M., &#38; Gräßler, I. (2024). Evaluating
    Security Through Isolation and Defense in Depth. <i>IEEE Security &#38; Privacy</i>,
    <i>22</i>(1), 69–72. <a href="https://doi.org/10.1109/msec.2023.3336028">https://doi.org/10.1109/msec.2023.3336028</a>
  bibtex: '@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security
    Through Isolation and Defense in Depth}, volume={22}, DOI={<a href="https://doi.org/10.1109/msec.2023.3336028">10.1109/msec.2023.3336028</a>},
    number={1}, journal={IEEE Security &#38; Privacy}, publisher={Institute of Electrical
    and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and
    Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }'
  chicago: 'Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating
    Security Through Isolation and Defense in Depth.” <i>IEEE Security &#38; Privacy</i>
    22, no. 1 (2024): 69–72. <a href="https://doi.org/10.1109/msec.2023.3336028">https://doi.org/10.1109/msec.2023.3336028</a>.'
  ieee: 'E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security
    Through Isolation and Defense in Depth,” <i>IEEE Security &#38; Privacy</i>, vol.
    22, no. 1, pp. 69–72, 2024, doi: <a href="https://doi.org/10.1109/msec.2023.3336028">10.1109/msec.2023.3336028</a>.'
  mla: Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in
    Depth.” <i>IEEE Security &#38; Privacy</i>, vol. 22, no. 1, Institute of Electrical
    and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:<a href="https://doi.org/10.1109/msec.2023.3336028">10.1109/msec.2023.3336028</a>.
  short: E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security &#38; Privacy
    22 (2024) 69–72.
date_created: 2024-03-15T20:16:18Z
date_updated: 2026-03-31T02:19:49Z
department:
- _id: '152'
- _id: '76'
- _id: '662'
doi: 10.1109/msec.2023.3336028
intvolume: '        22'
issue: '1'
keyword:
- Law
- Electrical and Electronic Engineering
- Computer Networks and Communications
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/document/10411721
page: 69-72
publication: IEEE Security & Privacy
publication_identifier:
  issn:
  - 1540-7993
  - 1558-4046
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
quality_controlled: '1'
status: public
title: Evaluating Security Through Isolation and Defense in Depth
type: journal_article
user_id: '405'
volume: 22
year: '2024'
...
---
_id: '46816'
author:
- first_name: Adriano
  full_name: Torres, Adriano
  last_name: Torres
- first_name: Pedro
  full_name: Costa, Pedro
  last_name: Costa
- first_name: Luis
  full_name: Amaral, Luis
  last_name: Amaral
- first_name: Jonata
  full_name: Pastro, Jonata
  last_name: Pastro
- first_name: Rodrigo
  full_name: Bonifácio, Rodrigo
  last_name: Bonifácio
- first_name: Marcelo
  full_name: d'Amorim, Marcelo
  last_name: d'Amorim
- first_name: Owolabi
  full_name: Legunsen, Owolabi
  last_name: Legunsen
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Edna
  full_name: Dias Canedo, Edna
  last_name: Dias Canedo
citation:
  ama: 'Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An
    Empirical Study. <i>IEEE Transactions on Software Engineering</i>. 2023;49(10):4510-4525.
    doi:<a href="https://doi.org/10.1109/tse.2023.3301660">10.1109/tse.2023.3301660</a>'
  apa: 'Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M.,
    Legunsen, O., Bodden, E., &#38; Dias Canedo, E. (2023). Runtime Verification of
    Crypto APIs: An Empirical Study. <i>IEEE Transactions on Software Engineering</i>,
    <i>49</i>(10), 4510–4525. <a href="https://doi.org/10.1109/tse.2023.3301660">https://doi.org/10.1109/tse.2023.3301660</a>'
  bibtex: '@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias
    Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study},
    volume={49}, DOI={<a href="https://doi.org/10.1109/tse.2023.3301660">10.1109/tse.2023.3301660</a>},
    number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute
    of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa,
    Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim,
    Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023},
    pages={4510–4525} }'
  chicago: 'Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio,
    Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime
    Verification of Crypto APIs: An Empirical Study.” <i>IEEE Transactions on Software
    Engineering</i> 49, no. 10 (2023): 4510–25. <a href="https://doi.org/10.1109/tse.2023.3301660">https://doi.org/10.1109/tse.2023.3301660</a>.'
  ieee: 'A. Torres <i>et al.</i>, “Runtime Verification of Crypto APIs: An Empirical
    Study,” <i>IEEE Transactions on Software Engineering</i>, vol. 49, no. 10, pp.
    4510–4525, 2023, doi: <a href="https://doi.org/10.1109/tse.2023.3301660">10.1109/tse.2023.3301660</a>.'
  mla: 'Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical
    Study.” <i>IEEE Transactions on Software Engineering</i>, vol. 49, no. 10, Institute
    of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:<a href="https://doi.org/10.1109/tse.2023.3301660">10.1109/tse.2023.3301660</a>.'
  short: A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O.
    Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering
    49 (2023) 4510–4525.
date_created: 2023-09-06T07:42:40Z
date_updated: 2023-12-04T11:05:26Z
department:
- _id: '76'
doi: 10.1109/tse.2023.3301660
intvolume: '        49'
issue: '10'
keyword:
- Software
language:
- iso: eng
page: 4510 - 4525
publication: IEEE Transactions on Software Engineering
publication_identifier:
  issn:
  - 0098-5589
  - 1939-3520
  - 2326-3881
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
status: public
title: 'Runtime Verification of Crypto APIs: An Empirical Study'
type: journal_article
user_id: '15249'
volume: 49
year: '2023'
...
---
_id: '49439'
abstract:
- lang: eng
  text: The use of static analysis security testing (SAST) tools has been increasing
    in recent years. However, previous studies have shown that, when shipped to end
    users such as development or security teams, the findings of these tools are often
    unsatisfying. Users report high numbers of false positives or long analysis times,
    making the tools unusable in the daily workflow. To address this, SAST tool creators
    provide a wide range of configuration options, such as customization of rules
    through domain-specific languages or specification of the application-specific
    analysis scope. In this paper, we study the configuration space of selected existing
    SAST tools when used within the integrated development environment (IDE). We focus
    on the configuration options that impact three dimensions, for which a trade-off
    is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects
    user study with 40 users from multiple development and security teams - to our
    knowledge, the largest population for this kind of user study in the software
    engineering community. The results show that users who configure SAST tools are
    more effective in resolving security vulnerabilities detected by the tools than
    those using the default configuration. Based on post-study interviews, we identify
    common strategies that users have while configuring the SAST tools to provide
    further insights for tool creators. Finally, an evaluation of the configuration
    options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter
    of the users do not understand the configuration options provided. The configuration
    options that are found most useful relate to the analysis scope.
article_number: '118'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Matthias
  full_name: Becker, Matthias
  id: '4870'
  last_name: Becker
  orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make
    resolving security vulnerabilities more effective? - A user study. <i>Empirical
    Software Engineering</i>. 2023;28(5). doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>
  apa: Piskachev, G., Becker, M., &#38; Bodden, E. (2023). Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study. <i>Empirical Software Engineering</i>, <i>28</i>(5), Article 118. <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>
  bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study}, volume={28}, DOI={<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>},
    number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden,
    Eric}, year={2023} }'
  chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration
    of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A
    User Study.” <i>Empirical Software Engineering</i> 28, no. 5 (2023). <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>.
  ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static
    analyses make resolving security vulnerabilities more effective? - A user study,”
    <i>Empirical Software Engineering</i>, vol. 28, no. 5, Art. no. 118, 2023, doi:
    <a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.'
  mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving
    Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software
    Engineering</i>, vol. 28, no. 5, 118, Springer Science and Business Media LLC,
    2023, doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.
  short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).
date_created: 2023-12-04T11:14:34Z
date_updated: 2023-12-04T11:29:49Z
department:
- _id: '76'
- _id: '662'
doi: 10.1007/s10664-023-10354-3
intvolume: '        28'
issue: '5'
keyword:
- Software
language:
- iso: eng
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Can the configuration of static analyses make resolving security vulnerabilities
  more effective? - A user study
type: journal_article
user_id: '15249'
volume: 28
year: '2023'
...
---
_id: '48946'
abstract:
- lang: ger
  text: Der verlässliche Betrieb von technischen Produkten wird zunehmend durch
    bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende
    Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel
    in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme
    hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei
    gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten.
    Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien
    und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems
    zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch
    zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen
    und Angriffen zu spezifizieren.
- lang: eng
  text: The reliable operation of technical products is increasingly threatened by
    deliberate attacks. Complete security is not possible, striking attacks are unavoidable
    (assume breach). This requires a paradigm shift in security-oriented engineering
    of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems need
    to be engineered in a way that full reliability and security are ensured even
    in case of targeted attacks. The solution approach described here expands the
    system model to include attack scenarios and lines of defence. It is applied to
    an industrial locking system for plant security as an example. Developers are
    sensitised to systematically consider attacks and to specify interdisciplinary
    defence elements against threats and attacks.
article_type: original
author:
- first_name: Iris
  full_name: Gräßler, Iris
  id: '47565'
  last_name: Gräßler
  orcid: 0000-0001-5765-971X
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Dominik
  full_name: Wiechel, Dominik
  id: '67161'
  last_name: Wiechel
- first_name: Jens
  full_name: Pottebaum, Jens
  id: '405'
  last_name: Pottebaum
  orcid: http://orcid.org/0000-0001-8778-2989
citation:
  ama: 'Gräßler I, Bodden E, Wiechel D, Pottebaum J. Defense-in-Depth als neues Paradigma
    der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste
    und lösungsorientierte Security. <i>Konstruktion</i>. 2023;75(11-12):60-65. doi:<a
    href="https://doi.org/10.37544/0720-5953-2023-11-12-60">10.37544/0720-5953-2023-11-12-60</a>'
  apa: 'Gräßler, I., Bodden, E., Wiechel, D., &#38; Pottebaum, J. (2023). Defense-in-Depth
    als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
    bedrohungsbewusste und lösungsorientierte Security. <i>Konstruktion</i>, <i>75</i>(11–12),
    60–65. <a href="https://doi.org/10.37544/0720-5953-2023-11-12-60">https://doi.org/10.37544/0720-5953-2023-11-12-60</a>'
  bibtex: '@article{Gräßler_Bodden_Wiechel_Pottebaum_2023, title={Defense-in-Depth
    als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
    bedrohungsbewusste und lösungsorientierte Security}, volume={75}, DOI={<a href="https://doi.org/10.37544/0720-5953-2023-11-12-60">10.37544/0720-5953-2023-11-12-60</a>},
    number={11–12}, journal={Konstruktion}, publisher={VDI Fachmedien GmbH and Co.
    KG}, author={Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum,
    Jens}, year={2023}, pages={60–65} }'
  chicago: 'Gräßler, Iris, Eric Bodden, Dominik Wiechel, and Jens Pottebaum. “Defense-in-Depth
    als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
    bedrohungsbewusste und lösungsorientierte Security.” <i>Konstruktion</i> 75, no.
    11–12 (2023): 60–65. <a href="https://doi.org/10.37544/0720-5953-2023-11-12-60">https://doi.org/10.37544/0720-5953-2023-11-12-60</a>.'
  ieee: 'I. Gräßler, E. Bodden, D. Wiechel, and J. Pottebaum, “Defense-in-Depth als
    neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
    bedrohungsbewusste und lösungsorientierte Security,” <i>Konstruktion</i>, vol.
    75, no. 11–12, pp. 60–65, 2023, doi: <a href="https://doi.org/10.37544/0720-5953-2023-11-12-60">10.37544/0720-5953-2023-11-12-60</a>.'
  mla: 'Gräßler, Iris, et al. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten
    Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte
    Security.” <i>Konstruktion</i>, vol. 75, no. 11–12, VDI Fachmedien GmbH and Co.
    KG, 2023, pp. 60–65, doi:<a href="https://doi.org/10.37544/0720-5953-2023-11-12-60">10.37544/0720-5953-2023-11-12-60</a>.'
  short: I. Gräßler, E. Bodden, D. Wiechel, J. Pottebaum, Konstruktion 75 (2023) 60–65.
date_created: 2023-11-16T08:23:12Z
date_updated: 2023-12-20T14:10:51Z
department:
- _id: '152'
- _id: '76'
doi: 10.37544/0720-5953-2023-11-12-60
intvolume: '        75'
issue: 11-12
keyword:
- Mechanical Engineering
- Mechanics of Materials
- General Materials Science
- Theoretical Computer Science
language:
- iso: ger
page: 60-65
publication: Konstruktion
publication_identifier:
  issn:
  - 0720-5953
publication_status: published
publisher: VDI Fachmedien GmbH and Co. KG
quality_controlled: '1'
status: public
title: 'Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung:
  interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security'
type: journal_article
user_id: '405'
volume: 75
year: '2023'
...
---
_id: '52662'
abstract:
- lang: eng
  text: Static analysis tools support developers in detecting potential coding issues,
    such as bugs or vulnerabilities. Research emphasizes technical challenges of such
    tools but also mentions severe usability shortcomings. These shortcomings hinder
    the adoption of static analysis tools, and user dissatisfaction may even lead
    to tool abandonment. To comprehensively assess the state of the art, we present
    the first systematic usability evaluation of a wide range of static analysis tools.
    We derived a set of 36 relevant criteria from the literature and used them to
    evaluate a total of 46 static analysis tools complying with our inclusion and
    exclusion criteria - a representative set of mainly non-proprietary tools. The
    evaluation against the usability criteria in a multiple-raters approach shows
    that two thirds of the considered tools offer poor warning messages, while about
    three-quarters provide hardly any fix support. Furthermore, the integration of
    user knowledge is strongly neglected, which could be used for instance, to improve
    handling of false positives. Finally, issues regarding workflow integration and
    specialized user interfaces are revealed. These findings should prove useful in
    guiding and focusing further research and development in user experience for static
    code analyses.
author:
- first_name: Marcus
  full_name: Nachtigall, Marcus
  id: '41213'
  last_name: Nachtigall
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed
    by Static Analysis Tools on a Large Scale. In: <i>Software Engineering 2023</i>.
    Gesellschaft für Informatik e.V.; 2023:95–96.'
  apa: Nachtigall, M., Schlichtig, M., &#38; Bodden, E. (2023). Evaluation of Usability
    Criteria Addressed by Static Analysis Tools on a Large Scale. In <i>Software Engineering
    2023</i> (pp. 95–96). Gesellschaft für Informatik e.V.
  bibtex: '@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation
    of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software
    Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall,
    Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }'
  chicago: 'Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of
    Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In <i>Software
    Engineering 2023</i>, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.'
  ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria
    Addressed by Static Analysis Tools on a Large Scale,” in <i>Software Engineering
    2023</i>, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.'
  mla: Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static
    Analysis Tools on a Large Scale.” <i>Software Engineering 2023</i>, Gesellschaft
    für Informatik e.V., 2023, pp. 95–96.
  short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023,
    Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.'
date_created: 2024-03-20T09:26:29Z
date_updated: 2024-03-20T09:27:41Z
department:
- _id: '76'
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5
page: 95–96
place: Bonn
publication: Software Engineering 2023
publication_identifier:
  isbn:
  - 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large
  Scale
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '52660'
abstract:
- lang: eng
  text: Application Programming Interfaces (APIs) are the primary mechanism developers
    use to obtain access to third-party algorithms and services. Unfortunately, APIs
    can be misused, which can have catastrophic consequences, especially if the APIs
    provide security-critical functionalities like cryptography. Understanding what
    API misuses are, and how they are caused, is important to prevent them, e.g., with
    API misuse detectors. However, definitions for API misuses and related terms in
    literature vary. This paper presents a systematic literature review to clarify
    these terms and introduces FUM, a novel Framework for API Usage constraint and
    Misuse classification. The literature review revealed that API misuses are violations
    of API usage constraints. To address this, we provide unified definitions and
    use them to derive FUM. To assess the extent to which FUM aids in determining
    and guiding the improvement of an API misuses detector’s capabilities, we performed
    a case study on the state-of-the-art misuse detection tool CogniCrypt. The study
    showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify
    weaknesses and assist in deriving mitigations and improvements.
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Steffen
  full_name: Sassalla, Steffen
  last_name: Sassalla
- first_name: Krishna
  full_name: Narasimhan, Krishna
  last_name: Narasimhan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework
    for API Usage Constraint and Misuse Classification. In: <i>Software Engineering
    2023</i>. Gesellschaft für Informatik e.V.; 2023:105–106.'
  apa: 'Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2023). Introducing
    FUM: A Framework for API Usage Constraint and Misuse Classification. In <i>Software
    Engineering 2023</i> (pp. 105–106). Gesellschaft für Informatik e.V.'
  bibtex: '@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing
    FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software
    Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig,
    Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023},
    pages={105–106} }'
  chicago: 'Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
    “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.”
    In <i>Software Engineering 2023</i>, 105–106. Bonn: Gesellschaft für Informatik
    e.V., 2023.'
  ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM:
    A Framework for API Usage Constraint and Misuse Classification,” in <i>Software
    Engineering 2023</i>, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.'
  mla: 'Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint
    and Misuse Classification.” <i>Software Engineering 2023</i>, Gesellschaft für
    Informatik e.V., 2023, pp. 105–106.'
  short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering
    2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.'
date_created: 2024-03-20T09:22:27Z
date_updated: 2024-03-20T09:25:46Z
department:
- _id: '76'
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2
page: 105–106
place: Bonn
publication: Software Engineering 2023
publication_identifier:
  isbn:
  - 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: 'Introducing FUM: A Framework for API Usage Constraint and Misuse Classification'
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '49438'
author:
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Michael
  full_name: Reif, Michael
  last_name: Reif
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Sarah
  full_name: Nadi, Sarah
  last_name: Nadi
- first_name: Karim
  full_name: Ali, Karim
  last_name: Ali
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Yasemin
  full_name: Acar, Yasemin
  id: '94636'
  last_name: Acar
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
- first_name: Sascha
  full_name: Fahl, Sascha
  last_name: Fahl
citation:
  ama: 'Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through
    Tool Support - A Usability Study. In: <i>2023 IEEE Secure Development Conference
    (SecDev)</i>. IEEE; 2023. doi:<a href="https://doi.org/10.1109/secdev56634.2023.00015">10.1109/secdev56634.2023.00015</a>'
  apa: Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar,
    Y., Mezini, M., &#38; Fahl, S. (2023). Securing Your Crypto-API Usage Through
    Tool Support - A Usability Study. <i>2023 IEEE Secure Development Conference (SecDev)</i>.
    <a href="https://doi.org/10.1109/secdev56634.2023.00015">https://doi.org/10.1109/secdev56634.2023.00015</a>
  bibtex: '@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023,
    title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study},
    DOI={<a href="https://doi.org/10.1109/secdev56634.2023.00015">10.1109/secdev56634.2023.00015</a>},
    booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE},
    author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi,
    Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl,
    Sascha}, year={2023} }'
  chicago: Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim
    Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API
    Usage Through Tool Support - A Usability Study.” In <i>2023 IEEE Secure Development
    Conference (SecDev)</i>. IEEE, 2023. <a href="https://doi.org/10.1109/secdev56634.2023.00015">https://doi.org/10.1109/secdev56634.2023.00015</a>.
  ieee: 'S. Krüger <i>et al.</i>, “Securing Your Crypto-API Usage Through Tool Support
    - A Usability Study,” 2023, doi: <a href="https://doi.org/10.1109/secdev56634.2023.00015">10.1109/secdev56634.2023.00015</a>.'
  mla: Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support
    - A Usability Study.” <i>2023 IEEE Secure Development Conference (SecDev)</i>,
    IEEE, 2023, doi:<a href="https://doi.org/10.1109/secdev56634.2023.00015">10.1109/secdev56634.2023.00015</a>.
  short: 'S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar,
    M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE,
    2023.'
date_created: 2023-12-04T11:07:08Z
date_updated: 2024-06-05T13:51:00Z
department:
- _id: '76'
- _id: '858'
doi: 10.1109/secdev56634.2023.00015
language:
- iso: eng
publication: 2023 IEEE Secure Development Conference (SecDev)
publication_status: published
publisher: IEEE
status: public
title: Securing Your Crypto-API Usage Through Tool Support - A Usability Study
type: conference
user_id: '14931'
year: '2023'
...
---
_id: '41813'
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: Jiawei
  full_name: Wang, Jiawei
  last_name: Wang
- first_name: Li
  full_name: Li, Li
  last_name: Li
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension
    and Navigation in Jupyter Notebooks with Static Analysis. In: <i>IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER)</i>. ; 2023.'
  apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., &#38; Bodden, E. (2023). Enhancing
    Comprehension and Navigation in Jupyter Notebooks with Static Analysis. <i>IEEE
    International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>.
  bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing
    Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE
    International Conference on Software Analysis, Evolution and Reengineering (SANER)},
    author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden,
    Eric}, year={2023} }'
  chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden.
    “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.”
    In <i>IEEE International Conference on Software Analysis, Evolution and Reengineering
    (SANER)</i>, 2023.
  ieee: A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension
    and Navigation in Jupyter Notebooks with Static Analysis,” 2023.
  mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation
    in Jupyter Notebooks with Static Analysis.” <i>IEEE International Conference on
    Software Analysis, Evolution and Reengineering (SANER)</i>, 2023.
  short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.'
date_created: 2023-02-06T10:44:08Z
date_updated: 2023-02-06T10:46:00Z
department:
- _id: '76'
language:
- iso: eng
publication: IEEE International Conference on Software Analysis, Evolution and Reengineering
  (SANER)
status: public
title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '45312'
author:
- first_name: Kadiray
  full_name: Karakaya, Kadiray
  last_name: Karakaya
- first_name: Eric
  full_name: Bodden, Eric
  last_name: Bodden
citation:
  ama: 'Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven
    Pointer Analysis. In: <i>2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST)</i>. IEEE; 2023. doi:<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>'
  apa: Karakaya, K., &#38; Bodden, E. (2023). Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis. <i>2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST)</i>. <a href="https://doi.org/10.1109/icst57152.2023.00036">https://doi.org/10.1109/icst57152.2023.00036</a>
  bibtex: '@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies
    for Accelerating Demand-Driven Pointer Analysis}, DOI={<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>},
    booktitle={2023 IEEE Conference on Software Testing, Verification and Validation
    (ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023}
    }'
  chicago: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for
    Accelerating Demand-Driven Pointer Analysis.” In <i>2023 IEEE Conference on Software
    Testing, Verification and Validation (ICST)</i>. IEEE, 2023. <a href="https://doi.org/10.1109/icst57152.2023.00036">https://doi.org/10.1109/icst57152.2023.00036</a>.
  ieee: 'K. Karakaya and E. Bodden, “Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis,” 2023, doi: <a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>.'
  mla: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis.” <i>2023 IEEE Conference on Software Testing,
    Verification and Validation (ICST)</i>, IEEE, 2023, doi:<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>.
  short: 'K. Karakaya, E. Bodden, in: 2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST), IEEE, 2023.'
date_created: 2023-05-29T12:09:43Z
date_updated: 2023-05-29T12:12:17Z
department:
- _id: '76'
doi: 10.1109/icst57152.2023.00036
publication: 2023 IEEE Conference on Software Testing, Verification and Validation
  (ICST)
publication_status: published
publisher: IEEE
status: public
title: Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis
type: conference
user_id: '70410'
year: '2023'
...
---
_id: '44146'
abstract:
- lang: eng
  text: "Many Android applications collect data from users. When they do, they must
    protect this collected data according to the current legal frameworks. Such
    data protection has become even more important since the European Union rolled
    out the General Data Protection Regulation (GDPR). App developers have limited
    tool support to reason about data protection throughout their app development
    process. Although many Android applications state a privacy policy, privacy
    policy compliance checks are currently manual, expensive, and prone to error.
    One of the major challenges in privacy audits is the significant gap between
    legal privacy statements (in English text) and technical measures that Android
    apps use to protect their user's privacy. In this thesis, we will explore to
    what extent we can use static analysis to answer important questions regarding
    data protection. Our main goal is to design a tool based approach that aids app
    developers and auditors in ensuring data protection in Android applications,
    based on automated static program analysis."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
citation:
  ama: 'Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: <i>2023
    IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings
    (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. doi:<a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>'
  apa: 'Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance.
    <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. <a
    href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>'
  bibtex: '@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance
    Assurance}, DOI={<a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>},
    booktitle={2023 IEEE/ACM 45th International Conference on Software Engineering:
    Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199},
    author={Khedkar, Mugdha} }'
  chicago: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
    In <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, n.d.
    <a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>.'
  ieee: 'M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi:
    <a href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>.'
  mla: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
    <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion
    Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, doi:<a
    href="https://doi.org/10.1109/ICSE-Companion58688.2023.00054">10.1109/ICSE-Companion58688.2023.00054</a>.'
  short: 'M. Khedkar, in: 2023 IEEE/ACM 45th International Conference on Software
    Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023,
    Pp. 197-199, n.d.'
date_created: 2023-04-24T12:14:17Z
date_updated: 2024-09-16T08:46:25Z
ddc:
- '004'
department:
- _id: '76'
doi: 10.1109/ICSE-Companion58688.2023.00054
external_id:
  arxiv:
  - '2303.09606'
file:
- access_level: closed
  content_type: application/pdf
  creator: khedkarm
  date_created: 2023-04-24T12:15:27Z
  date_updated: 2023-04-24T12:15:27Z
  file_id: '44147'
  file_name: 2023047614.pdf
  file_size: 85313
  relation: main_file
  success: 1
file_date_updated: 2023-04-24T12:15:27Z
has_accepted_license: '1'
keyword:
- static analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
publication: '2023 IEEE/ACM 45th International Conference on Software Engineering:
  Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199'
publication_status: accepted
status: public
title: Static Analysis for Android GDPR Compliance Assurance
type: conference
user_id: '88024'
year: '2023'
...
---
_id: '59412'
author:
- first_name: Kadiray
  full_name: Karakaya, Kadiray
  id: '70410'
  last_name: Karakaya
  orcid: https://orcid.org/0000-0001-9266-2084
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven
    Pointer Analysis. In: <i>2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST)</i>. IEEE; 2023. doi:<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>'
  apa: Karakaya, K., &#38; Bodden, E. (2023). Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis. <i>2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST)</i>. <a href="https://doi.org/10.1109/icst57152.2023.00036">https://doi.org/10.1109/icst57152.2023.00036</a>
  bibtex: '@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies
    for Accelerating Demand-Driven Pointer Analysis}, DOI={<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>},
    booktitle={2023 IEEE Conference on Software Testing, Verification and Validation
    (ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023}
    }'
  chicago: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for
    Accelerating Demand-Driven Pointer Analysis.” In <i>2023 IEEE Conference on Software
    Testing, Verification and Validation (ICST)</i>. IEEE, 2023. <a href="https://doi.org/10.1109/icst57152.2023.00036">https://doi.org/10.1109/icst57152.2023.00036</a>.
  ieee: 'K. Karakaya and E. Bodden, “Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis,” 2023, doi: <a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>.'
  mla: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating
    Demand-Driven Pointer Analysis.” <i>2023 IEEE Conference on Software Testing,
    Verification and Validation (ICST)</i>, IEEE, 2023, doi:<a href="https://doi.org/10.1109/icst57152.2023.00036">10.1109/icst57152.2023.00036</a>.
  short: 'K. Karakaya, E. Bodden, in: 2023 IEEE Conference on Software Testing, Verification
    and Validation (ICST), IEEE, 2023.'
date_created: 2025-04-07T10:10:36Z
date_updated: 2025-04-07T10:10:54Z
department:
- _id: '76'
doi: 10.1109/icst57152.2023.00036
language:
- iso: eng
publication: 2023 IEEE Conference on Software Testing, Verification and Validation
  (ICST)
publication_status: published
publisher: IEEE
status: public
title: Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '41812'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Julian
  full_name: Dolby, Julian
  last_name: Dolby
- first_name: Martin
  full_name: Schäf, Martin
  last_name: Schäf
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation
    For Java Frameworks. In: <i>IEEE International Conference on Software Testing,
    Verification and Validation (ICST)</i>. ; 2023.'
  apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., &#38; Bodden,
    E. (2023). Model Generation For Java Frameworks. <i>IEEE International Conference
    on Software Testing, Verification and Validation (ICST)</i>.
  bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model
    Generation For Java Frameworks}, booktitle={IEEE International Conference on Software
    Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev,
    Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden,
    Eric}, year={2023} }'
  chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin
    Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In <i>IEEE International
    Conference on Software Testing, Verification and Validation (ICST)</i>, 2023.
  ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden,
    “Model Generation For Java Frameworks,” 2023.
  mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” <i>IEEE International
    Conference on Software Testing, Verification and Validation (ICST)</i>, 2023.
  short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in:
    IEEE International Conference on Software Testing, Verification and Validation
    (ICST), 2023.'
date_created: 2023-02-06T10:37:23Z
date_updated: 2025-04-07T10:15:08Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
publication: IEEE International Conference on Software Testing, Verification and Validation
  (ICST)
status: public
title: Model Generation For Java Frameworks
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '46500'
abstract:
- lang: eng
  text: The security of Industrial Control Systems is relevant both for reliable production
    system operations and for high-quality throughput in terms of manufactured products.
    Security measures are designed, operated and maintained by different roles along
    product and production system lifecycles. Defense-in-Depth as a paradigm builds
    upon the assumption that breaches are unavoidable. The paper at hand provides
    an analysis of roles, corresponding Human Factors and their relevance for data
    theft and sabotage attacks. The resulting taxonomy is reflected by an example
    related to Additive Manufacturing. The results assist in both designing and redesigning
    Industrial Control System as part of an entire production system so that Defense-in-Depth
    with regard to Human Factors is built in by design.
author:
- first_name: Jens
  full_name: Pottebaum, Jens
  id: '405'
  last_name: Pottebaum
  orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Jost
  full_name: Rossel, Jost
  id: '58331'
  last_name: Rossel
  orcid: 0000-0002-3182-4059
- first_name: Juraj
  full_name: Somorovsky, Juraj
  id: '83504'
  last_name: Somorovsky
  orcid: 0000-0002-3593-7720
- first_name: Yasemin
  full_name: Acar, Yasemin
  id: '94636'
  last_name: Acar
- first_name: René
  full_name: Fahr, René
  id: '111'
  last_name: Fahr
- first_name: Patricia
  full_name: Arias Cabarcos, Patricia
  id: '92804'
  last_name: Arias Cabarcos
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Iris
  full_name: Gräßler, Iris
  id: '47565'
  last_name: Gräßler
  orcid: 0000-0001-5765-971X
citation:
  ama: 'Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control
    Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.
    In: <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>.
    IEEE; 2023:379-385. doi:<a href="https://doi.org/10.1109/eurospw59978.2023.00048">10.1109/eurospw59978.2023.00048</a>'
  apa: Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos,
    P., Bodden, E., &#38; Gräßler, I. (2023). Re-Envisioning Industrial Control Systems
    Security by Considering Human Factors as a Core Element of Defense-in-Depth. <i>2023
    IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>,
    379–385. <a href="https://doi.org/10.1109/eurospw59978.2023.00048">https://doi.org/10.1109/eurospw59978.2023.00048</a>
  bibtex: '@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023,
    title={Re-Envisioning Industrial Control Systems Security by Considering Human
    Factors as a Core Element of Defense-in-Depth}, DOI={<a href="https://doi.org/10.1109/eurospw59978.2023.00048">10.1109/eurospw59978.2023.00048</a>},
    booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)},
    publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj
    and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric
    and Gräßler, Iris}, year={2023}, pages={379–385} }'
  chicago: Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr,
    Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial
    Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.”
    In <i>2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>,
    379–85. IEEE, 2023. <a href="https://doi.org/10.1109/eurospw59978.2023.00048">https://doi.org/10.1109/eurospw59978.2023.00048</a>.
  ieee: 'J. Pottebaum <i>et al.</i>, “Re-Envisioning Industrial Control Systems Security
    by Considering Human Factors as a Core Element of Defense-in-Depth,” in <i>2023
    IEEE European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>,
    Delft, Netherlands, 2023, pp. 379–385, doi: <a href="https://doi.org/10.1109/eurospw59978.2023.00048">10.1109/eurospw59978.2023.00048</a>.'
  mla: Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security
    by Considering Human Factors as a Core Element of Defense-in-Depth.” <i>2023 IEEE
    European Symposium on Security and Privacy Workshops (EuroS&#38;PW)</i>, IEEE,
    2023, pp. 379–85, doi:<a href="https://doi.org/10.1109/eurospw59978.2023.00048">10.1109/eurospw59978.2023.00048</a>.
  short: 'J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos,
    E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy
    Workshops (EuroS&#38;PW), IEEE, 2023, pp. 379–385.'
conference:
  end_date: 2023-07-07
  location: Delft, Netherlands
  name: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
  start_date: 2023-07-03
date_created: 2023-08-15T12:21:05Z
date_updated: 2025-07-16T11:06:47Z
ddc:
- '000'
department:
- _id: '34'
- _id: '152'
- _id: '76'
- _id: '632'
- _id: '858'
doi: 10.1109/eurospw59978.2023.00048
file:
- access_level: closed
  content_type: application/pdf
  creator: jrossel
  date_created: 2024-09-05T13:00:09Z
  date_updated: 2024-09-05T13:00:09Z
  file_id: '56077'
  file_name: Re_envisioning_Industrial_Control_Systems_security.pdf
  file_size: 197727
  relation: main_file
file_date_updated: 2024-09-05T13:00:09Z
has_accepted_license: '1'
keyword:
- Defense-in-Depth
- Human Factors
- Production Engineering
- Product Design
- Systems Engineering
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647
page: 379-385
publication: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
publication_status: published
publisher: IEEE
quality_controlled: '1'
status: public
title: Re-Envisioning Industrial Control Systems Security by Considering Human Factors
  as a Core Element of Defense-in-Depth
type: conference
user_id: '58331'
year: '2023'
...
---
_id: '35083'
author:
- first_name: Andreas Peter
  full_name: Dann, Andreas Peter
  id: '26886'
  last_name: Dann
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies.
    Published online 2023.'
  apa: 'Dann, A. P., Hermann, B., &#38; Bodden, E. (2023). <i>UpCy: Safely Updating
    Outdated Dependencies</i>.'
  bibtex: '@article{Dann_Hermann_Bodden_2023, series={International Conference on
    Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies},
    author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International
    Conference on Software Engineering (ICSE)} }'
  chicago: 'Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating
    Outdated Dependencies.” International Conference on Software Engineering (ICSE),
    2023.'
  ieee: 'A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.”
    2023.'
  mla: 'Dann, Andreas Peter, et al. <i>UpCy: Safely Updating Outdated Dependencies</i>.
    2023.'
  short: A.P. Dann, B. Hermann, E. Bodden, (2023).
date_created: 2023-01-02T09:26:50Z
date_updated: 2025-11-11T14:27:58Z
department:
- _id: '76'
language:
- iso: eng
project:
- _id: '107'
  name: 'Hektor: SFB 901 - Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor) (Transferproject T3)'
- _id: '1'
  name: 'SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in
    dynamischen Märkten'
- _id: '82'
  name: 'SFB 901; Projektbereich T: Transferprojekte des Sonderforschungsbereichs'
- _id: '107'
  name: 'SFB 901; TP T3: Automatisierte Risikoanalyse in Bezug auf Open-Source-Abhängigkeiten
    (Hektor)'
series_title: International Conference on Software Engineering (ICSE)
status: public
title: 'UpCy: Safely Updating Outdated Dependencies'
type: conference
user_id: '477'
year: '2023'
...
---
_id: '31844'
abstract:
- lang: eng
  text: "Encrypting data before sending it to the cloud ensures data confidentiality
    but requires the cloud to compute on encrypted data. Trusted execution environments,
    such as Intel SGX enclaves, promise to provide a secure environment in which data
    can be decrypted and then processed. However, vulnerabilities in the executed
    program give attackers ample opportunities to execute arbitrary code inside the
    enclave. This code can modify the dataflow of the program and leak secrets via
    SGX side channels. Fully homomorphic encryption would be an alternative to compute
    on encrypted data without data leaks. However, due to its high computational complexity,
    its applicability to general-purpose computing remains limited. Researchers have
    made several proposals for transforming programs to perform encrypted computations
    on less powerful encryption schemes. Yet current approaches do not support programs
    making control-flow decisions based on encrypted data.

    We introduce the concept of dataflow authentication (DFAuth) to enable such
    programs. DFAuth prevents an adversary from
    arbitrarily deviating from the dataflow of a program. Our technique hence offers
    protections against the side-channel attacks described previously. We implemented
    two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave
    running a small and program-independent trusted code base. We applied DFAuth to
    a neural network performing machine learning on sensitive medical data and a smart
    charging scheduler for electric vehicles. Our transformation yields a neural network
    with encrypted weights, which can be evaluated on encrypted inputs in 12.55 ms.
    Our protected scheduler is
    capable of updating the encrypted charging plan in approximately 1.06 seconds."
author:
- first_name: Andreas
  full_name: Fischer, Andreas
  last_name: Fischer
- first_name: Benny
  full_name: Fuhry, Benny
  last_name: Fuhry
- first_name: Jörn
  full_name: Kußmaul, Jörn
  last_name: Kußmaul
- first_name: Jonas
  full_name: Janneck, Jonas
  last_name: Janneck
- first_name: Florian
  full_name: Kerschbaum, Florian
  last_name: Kerschbaum
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Fischer A, Fuhry B, Kußmaul J, Janneck J, Kerschbaum F, Bodden E. Computation
    on Encrypted Data Using Dataflow Authentication. <i>ACM Transactions on Privacy
    and Security</i>. 2022;25(3):1-36. doi:<a href="https://doi.org/10.1145/3513005">10.1145/3513005</a>
  apa: Fischer, A., Fuhry, B., Kußmaul, J., Janneck, J., Kerschbaum, F., &#38; Bodden,
    E. (2022). Computation on Encrypted Data Using Dataflow Authentication. <i>ACM
    Transactions on Privacy and Security</i>, <i>25</i>(3), 1–36. <a href="https://doi.org/10.1145/3513005">https://doi.org/10.1145/3513005</a>
  bibtex: '@article{Fischer_Fuhry_Kußmaul_Janneck_Kerschbaum_Bodden_2022, title={Computation
    on Encrypted Data Using Dataflow Authentication}, volume={25}, DOI={<a href="https://doi.org/10.1145/3513005">10.1145/3513005</a>},
    number={3}, journal={ACM Transactions on Privacy and Security}, publisher={Association
    for Computing Machinery (ACM)}, author={Fischer, Andreas and Fuhry, Benny and
    Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}, year={2022},
    pages={1–36} }'
  chicago: 'Fischer, Andreas, Benny Fuhry, Jörn Kußmaul, Jonas Janneck, Florian Kerschbaum,
    and Eric Bodden. “Computation on Encrypted Data Using Dataflow Authentication.”
    <i>ACM Transactions on Privacy and Security</i> 25, no. 3 (2022): 1–36. <a href="https://doi.org/10.1145/3513005">https://doi.org/10.1145/3513005</a>.'
  ieee: 'A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, and E. Bodden,
    “Computation on Encrypted Data Using Dataflow Authentication,” <i>ACM Transactions
    on Privacy and Security</i>, vol. 25, no. 3, pp. 1–36, 2022, doi: <a href="https://doi.org/10.1145/3513005">10.1145/3513005</a>.'
  mla: Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.”
    <i>ACM Transactions on Privacy and Security</i>, vol. 25, no. 3, Association for
    Computing Machinery (ACM), 2022, pp. 1–36, doi:<a href="https://doi.org/10.1145/3513005">10.1145/3513005</a>.
  short: A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, E. Bodden, ACM
    Transactions on Privacy and Security 25 (2022) 1–36.
date_created: 2022-06-09T10:28:03Z
date_updated: 2022-06-09T10:29:19Z
department:
- _id: '76'
doi: 10.1145/3513005
intvolume: '        25'
issue: '3'
keyword:
- Safety
- Risk
- Reliability and Quality
- General Computer Science
language:
- iso: eng
page: 1-36
publication: ACM Transactions on Privacy and Security
publication_identifier:
  issn:
  - 2471-2566
  - 2471-2574
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Computation on Encrypted Data Using Dataflow Authentication
type: journal_article
user_id: '15249'
volume: 25
year: '2022'
...
