---
_id: '32409'
abstract:
- lang: eng
  text: 'Context: Cryptographic APIs are often misused in real-world applications.
    Therefore, many cryptographic API misuse detection tools have been introduced.
    However, there exists no established reference benchmark for a fair and comprehensive
    comparison and evaluation of these tools. While there are benchmarks, they often
    only address a subset of the domain or were only used to evaluate a subset of
    existing misuse detection tools. Objective: To fairly compare cryptographic API
    misuse detection tools and to drive future development in this domain, we will
    devise such a benchmark. Openness and transparency in the generation process are
    key factors to fairly generate and establish the needed benchmark. Method: We
    propose an approach where we derive the benchmark generation methodology from
    the literature which consists of general best practices in benchmarking and domain-specific
    benchmark generation. A part of this methodology is transparency and openness
    of the generation process, which is achieved by pre-registering this work. Based
    on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection
    Tool Benchmark Suite". We will implement the first version of CamBench limiting
    the domain to Java, the JCA, and static analyses. Finally, we will use CamBench
    to compare current misuse detection tools and compare CamBench to related benchmarks
    of its domain.'
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
citation:
  ama: Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. <i>CamBench -- Cryptographic
    API Misuse Detection Tool Benchmark Suite</i>.; 2022. doi:<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>
  apa: Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., &#38; Mezini, M. (2022).
    <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. <a
    href="https://doi.org/10.48550/ARXIV.2204.06447">https://doi.org/10.48550/ARXIV.2204.06447</a>
  bibtex: '@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench --
    Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>},
    author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and
    Bodden, Eric and Mezini, Mira}, year={2022} }'
  chicago: Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden,
    and Mira Mezini. <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark
    Suite</i>, 2022. <a href="https://doi.org/10.48550/ARXIV.2204.06447">https://doi.org/10.48550/ARXIV.2204.06447</a>.
  ieee: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, <i>CamBench
    -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. 2022.
  mla: Schlichtig, Michael, et al. <i>CamBench -- Cryptographic API Misuse Detection
    Tool Benchmark Suite</i>. 2022, doi:<a href="https://doi.org/10.48550/ARXIV.2204.06447">10.48550/ARXIV.2204.06447</a>.
  short: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench --
    Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.
date_created: 2022-07-25T07:56:59Z
date_updated: 2022-07-25T10:23:44Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2204.06447
keyword:
- cryptography
- benchmark
- API misuse
- static analysis
language:
- iso: eng
related_material:
  link:
  - relation: confirmation
    url: https://arxiv.org/abs/2204.06447
status: public
title: CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
type: misc
user_id: '32312'
year: '2022'
...
---
_id: '32410'
abstract:
- lang: eng
  text: "Static analysis tools support developers in detecting potential coding issues,
    such as bugs or vulnerabilities. Research on static analysis emphasizes its technical
    challenges but also mentions severe usability shortcomings. These shortcomings
    hinder the adoption of static analysis tools, and in some cases, user dissatisfaction
    even leads to tool abandonment.\r\nTo comprehensively assess the current state
    of the art, this paper presents the first systematic usability evaluation in a
    wide range of static analysis tools. We derived a set of 36 relevant criteria
    from the scientific literature and gathered a collection of 46 static analysis
    tools complying with our inclusion and exclusion criteria - a representative set
    of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill
    the aforementioned criteria.\r\nThe evaluation shows that more than half of the
    considered tools offer poor warning messages, while about three-quarters of the
    tools provide hardly any fix support. Furthermore, the integration of user knowledge
    is strongly neglected, which could be used for improved handling of false positives
    and tuning the results for the corresponding developer. Finally, issues regarding
    workflow integration and specialized user interfaces are proved further.\r\nThese
    findings should prove useful in guiding and focusing further research and development
    in the area of user experience for static code analyses."
author:
- first_name: Marcus
  full_name: Nachtigall, Marcus
  id: '41213'
  last_name: Nachtigall
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria
    Addressed by Static Analysis Tools. In: <i>Proceedings of the 31st ACM SIGSOFT
    International Symposium on Software Testing and Analysis</i>. ACM; 2022:532-543.
    doi:<a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>'
  apa: Nachtigall, M., Schlichtig, M., &#38; Bodden, E. (2022). A Large-Scale Study
    of Usability Criteria Addressed by Static Analysis Tools. <i>Proceedings of the
    31st ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    532–543. <a href="https://doi.org/10.1145/3533767">https://doi.org/10.1145/3533767</a>
  bibtex: '@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale
    Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={<a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>},
    booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software
    Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig,
    Michael and Bodden, Eric}, year={2022}, pages={532–543} }'
  chicago: Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale
    Study of Usability Criteria Addressed by Static Analysis Tools.” In <i>Proceedings
    of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis</i>,
    532–43. ACM, 2022. <a href="https://doi.org/10.1145/3533767">https://doi.org/10.1145/3533767</a>.
  ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability
    Criteria Addressed by Static Analysis Tools,” in <i>Proceedings of the 31st ACM
    SIGSOFT International Symposium on Software Testing and Analysis</i>, 2022, pp.
    532–543, doi: <a href="https://doi.org/10.1145/3533767">10.1145/3533767</a>.'
  mla: Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed
    by Static Analysis Tools.” <i>Proceedings of the 31st ACM SIGSOFT International
    Symposium on Software Testing and Analysis</i>, ACM, 2022, pp. 532–43, doi:<a
    href="https://doi.org/10.1145/3533767">10.1145/3533767</a>.
  short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM
    SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp.
    532–543.'
date_created: 2022-07-25T08:02:36Z
date_updated: 2022-07-26T11:42:23Z
department:
- _id: '76'
doi: 10.1145/3533767
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
page: 532 - 543
publication: Proceedings of the 31st ACM SIGSOFT International Symposium on Software
  Testing and Analysis
publication_identifier:
  isbn:
  - '9781450393799'
publication_status: published
publisher: ACM
quality_controlled: '1'
related_material:
  link:
  - relation: confirmation
    url: https://dl.acm.org/doi/10.1145/3533767.3534374
status: public
title: A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '31133'
abstract:
- lang: eng
  text: Application Programming Interfaces (APIs) are the primary mechanism that developers
    use to obtain access to third-party algorithms and services. Unfortunately, APIs
    can be misused, which can have catastrophic consequences, especially if the APIs
    provide security-critical functionalities like cryptography. Understanding what
    API misuses are and why they are caused is important to prevent them, e.g., with
    API misuse detectors. However, definitions and nominations for API misuses and
    related terms in the literature vary and are diverse. This paper addresses the
    problem of scattered knowledge and definitions of API misuses by presenting a
    systematic literature review on the subject and introducing FUM, a novel Framework
    for API Usage constraint and Misuse classification. The literature review revealed
    that API misuses are violations of API usage constraints. To capture this, we
    provide unified definitions and use them to derive FUM. To assess the extent to
    which FUM aids in determining and guiding the improvement of an API misuse detector's
    capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse
    detector for cryptographic APIs. The study showed that FUM can be used to properly
    assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations
    and improvements. It also appears that, more generally, FUM can aid the development
    and improvement of misuse detection tools.
author:
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Steffen
  full_name: Sassalla, Steffen
  last_name: Sassalla
- first_name: Krishna
  full_name: Narasimhan, Krishna
  last_name: Narasimhan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API
    Usage constraint and Misuse Classification. In: <i>2022 IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER)</i>. ; 2022:673-684.
    doi:<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>'
  apa: Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2022). FUM
    - A Framework for API Usage constraint and Misuse Classification. <i>2022 IEEE
    International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>,
    673–684. <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>
  bibtex: '@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM -
    A Framework for API Usage constraint and Misuse Classification}, DOI={<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>},
    booktitle={2022 IEEE International Conference on Software Analysis, Evolution
    and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen
    and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }'
  chicago: Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
    “FUM - A Framework for API Usage Constraint and Misuse Classification.” In <i>2022
    IEEE International Conference on Software Analysis, Evolution and Reengineering
    (SANER)</i>, 673–84, 2022. <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.
  ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework
    for API Usage constraint and Misuse Classification,” in <i>2022 IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2022,
    pp. 673–684, doi: <a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.'
  mla: Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and
    Misuse Classification.” <i>2022 IEEE International Conference on Software Analysis,
    Evolution and Reengineering (SANER)</i>, 2022, pp. 673–84, doi:<a href="https://doi.org/10.1109/SANER53432.2022.00085">https://doi.org/10.1109/SANER53432.2022.00085</a>.
  short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp.
    673–684.'
date_created: 2022-05-09T13:04:10Z
date_updated: 2022-07-26T11:42:30Z
department:
- _id: '76'
doi: https://doi.org/10.1109/SANER53432.2022.00085
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
page: 673 - 684
publication: 2022 IEEE International Conference on Software Analysis, Evolution and
  Reengineering (SANER)
quality_controlled: '1'
related_material:
  link:
  - relation: confirmation
    url: https://ieeexplore.ieee.org/document/9825763
status: public
title: FUM - A Framework for API Usage constraint and Misuse Classification
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '34057'
author:
- first_name: Faruk
  full_name: Pasic, Faruk
  last_name: Pasic
- first_name: Matthias
  full_name: Becker, Matthias
  last_name: Becker
citation:
  ama: 'Pasic F, Becker M. Domain-specific Language for Condition Monitoring Software
    Development. In: <i>2022 IEEE 27th International Conference on Emerging Technologies
    and Factory Automation (ETFA)</i>. IEEE; 2022. doi:<a href="https://doi.org/10.1109/etfa52439.2022.9921730">10.1109/etfa52439.2022.9921730</a>'
  apa: Pasic, F., &#38; Becker, M. (2022). Domain-specific Language for Condition
    Monitoring Software Development. <i>2022 IEEE 27th International Conference on
    Emerging Technologies and Factory Automation (ETFA)</i>. <a href="https://doi.org/10.1109/etfa52439.2022.9921730">https://doi.org/10.1109/etfa52439.2022.9921730</a>
  bibtex: '@inproceedings{Pasic_Becker_2022, title={Domain-specific Language for Condition
    Monitoring Software Development}, DOI={<a href="https://doi.org/10.1109/etfa52439.2022.9921730">10.1109/etfa52439.2022.9921730</a>},
    booktitle={2022 IEEE 27th International Conference on Emerging Technologies and
    Factory Automation (ETFA)}, publisher={IEEE}, author={Pasic, Faruk and Becker,
    Matthias}, year={2022} }'
  chicago: Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition
    Monitoring Software Development.” In <i>2022 IEEE 27th International Conference
    on Emerging Technologies and Factory Automation (ETFA)</i>. IEEE, 2022. <a href="https://doi.org/10.1109/etfa52439.2022.9921730">https://doi.org/10.1109/etfa52439.2022.9921730</a>.
  ieee: 'F. Pasic and M. Becker, “Domain-specific Language for Condition Monitoring
    Software Development,” 2022, doi: <a href="https://doi.org/10.1109/etfa52439.2022.9921730">10.1109/etfa52439.2022.9921730</a>.'
  mla: Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition
    Monitoring Software Development.” <i>2022 IEEE 27th International Conference on
    Emerging Technologies and Factory Automation (ETFA)</i>, IEEE, 2022, doi:<a href="https://doi.org/10.1109/etfa52439.2022.9921730">10.1109/etfa52439.2022.9921730</a>.
  short: 'F. Pasic, M. Becker, in: 2022 IEEE 27th International Conference on Emerging
    Technologies and Factory Automation (ETFA), IEEE, 2022.'
date_created: 2022-11-10T14:30:16Z
date_updated: 2022-11-10T14:30:42Z
department:
- _id: '241'
- _id: '76'
doi: 10.1109/etfa52439.2022.9921730
publication: 2022 IEEE 27th International Conference on Emerging Technologies and
  Factory Automation (ETFA)
publication_status: published
publisher: IEEE
status: public
title: Domain-specific Language for Condition Monitoring Software Development
type: conference
user_id: '49576'
year: '2022'
...
---
_id: '33835'
abstract:
- lang: eng
  text: "Nowadays, an increasing number of applications use deserialization. This
    technique, based on rebuilding the instance of objects from serialized byte streams,
    can be dangerous since it can open the application to attacks such as remote code
    execution (RCE) if the data to deserialize originates from an untrusted source.
    Deserialization vulnerabilities are so critical that they are in OWASP’s list of
    top 10 security risks for web applications. This is mainly caused by faults in
    the development process of applications and by flaws in their dependencies, i.e.,
    flaws in the libraries used by these applications. No previous work has studied
    deserialization attacks in-depth: How are they performed? How are weaknesses introduced
    and patched? And for how long are vulnerabilities present in the codebase? To
    yield a deeper understanding of this important kind of vulnerability, we perform
    two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present
    in Java libraries, and one on vulnerabilities present in Java applications. For
    the first analysis, we conduct an exploratory large-scale study by running 256 515
    experiments in which we vary the versions of libraries for each of the 19 publicly
    available exploits. Such attacks rely on a combination of gadgets present in one
    or multiple Java libraries. A gadget is a method which is using objects or fields
    that can be attacker-controlled. Our goal is to precisely identify library versions
    containing gadgets and to understand how gadgets have been introduced and how they
    have been patched. We observe that the modification of one innocent-looking detail
    in a class – such as making it public – can already introduce a gadget. Furthermore,
    we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets
    available for future attacks.\n\nFor the second analysis, we manually analyze 104
    deserialization vulnerability CVEs to understand how vulnerabilities are introduced
    and patched in real-life Java applications. Results indicate that the vulnerabilities
    are not always completely patched or that a workaround solution is proposed. With
    a workaround solution, applications are still vulnerable since the code itself
    is unchanged."
author:
- first_name: Imen
  full_name: Sayar, Imen
  last_name: Sayar
- first_name: Alexandre
  full_name: Bartel, Alexandre
  last_name: Bartel
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Yves
  full_name: Le Traon, Yves
  last_name: Le Traon
citation:
  ama: Sayar I, Bartel A, Bodden E, Le Traon Y. An In-depth Study of Java Deserialization
    Remote-Code Execution Exploits and Vulnerabilities. <i>ACM Transactions on Software
    Engineering and Methodology</i>. Published online 2022. doi:<a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>
  apa: Sayar, I., Bartel, A., Bodden, E., &#38; Le Traon, Y. (2022). An In-depth Study
    of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. <i>ACM
    Transactions on Software Engineering and Methodology</i>. <a href="https://doi.org/10.1145/3554732">https://doi.org/10.1145/3554732</a>
  bibtex: '@article{Sayar_Bartel_Bodden_Le Traon_2022, title={An In-depth Study of
    Java Deserialization Remote-Code Execution Exploits and Vulnerabilities}, DOI={<a
    href="https://doi.org/10.1145/3554732">10.1145/3554732</a>}, journal={ACM Transactions
    on Software Engineering and Methodology}, publisher={Association for Computing
    Machinery (ACM)}, author={Sayar, Imen and Bartel, Alexandre and Bodden, Eric and
    Le Traon, Yves}, year={2022} }'
  chicago: Sayar, Imen, Alexandre Bartel, Eric Bodden, and Yves Le Traon. “An In-Depth
    Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.”
    <i>ACM Transactions on Software Engineering and Methodology</i>, 2022. <a href="https://doi.org/10.1145/3554732">https://doi.org/10.1145/3554732</a>.
  ieee: 'I. Sayar, A. Bartel, E. Bodden, and Y. Le Traon, “An In-depth Study of Java
    Deserialization Remote-Code Execution Exploits and Vulnerabilities,” <i>ACM Transactions
    on Software Engineering and Methodology</i>, 2022, doi: <a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>.'
  mla: Sayar, Imen, et al. “An In-Depth Study of Java Deserialization Remote-Code
    Execution Exploits and Vulnerabilities.” <i>ACM Transactions on Software Engineering
    and Methodology</i>, Association for Computing Machinery (ACM), 2022, doi:<a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>.
  short: I. Sayar, A. Bartel, E. Bodden, Y. Le Traon, ACM Transactions on Software
    Engineering and Methodology (2022).
date_created: 2022-10-20T12:31:49Z
date_updated: 2022-10-20T12:32:31Z
department:
- _id: '76'
doi: 10.1145/3554732
keyword:
- Software
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: An In-depth Study of Java Deserialization Remote-Code Execution Exploits and
  Vulnerabilities
type: journal_article
user_id: '15249'
year: '2022'
...
---
_id: '33836'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Johannes
  full_name: Späth, Johannes
  last_name: Späth
- first_name: Ingo
  full_name: Budde, Ingo
  id: '13693'
  last_name: Budde
  orcid: https://orcid.org/0000-0003-0124-6291
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Späth J, Budde I, Bodden E. Fluently specifying taint-flow queries
    with fluentTQL. <i>Empirical Software Engineering</i>. 2022;27(5):1–33.
  apa: Piskachev, G., Späth, J., Budde, I., &#38; Bodden, E. (2022). Fluently specifying
    taint-flow queries with fluentTQL. <i>Empirical Software Engineering</i>, <i>27</i>(5),
    1–33.
  bibtex: '@article{Piskachev_Späth_Budde_Bodden_2022, title={Fluently specifying
    taint-flow queries with fluentTQL}, volume={27}, number={5}, journal={Empirical
    Software Engineering}, publisher={Springer}, author={Piskachev, Goran and Späth,
    Johannes and Budde, Ingo and Bodden, Eric}, year={2022}, pages={1–33} }'
  chicago: 'Piskachev, Goran, Johannes Späth, Ingo Budde, and Eric Bodden. “Fluently
    Specifying Taint-Flow Queries with FluentTQL.” <i>Empirical Software Engineering</i>
    27, no. 5 (2022): 1–33.'
  ieee: G. Piskachev, J. Späth, I. Budde, and E. Bodden, “Fluently specifying taint-flow
    queries with fluentTQL,” <i>Empirical Software Engineering</i>, vol. 27, no. 5,
    pp. 1–33, 2022.
  mla: Piskachev, Goran, et al. “Fluently Specifying Taint-Flow Queries with FluentTQL.”
    <i>Empirical Software Engineering</i>, vol. 27, no. 5, Springer, 2022, pp. 1–33.
  short: G. Piskachev, J. Späth, I. Budde, E. Bodden, Empirical Software Engineering
    27 (2022) 1–33.
date_created: 2022-10-20T12:34:04Z
date_updated: 2022-10-20T12:36:23Z
department:
- _id: '76'
- _id: '662'
intvolume: '        27'
issue: '5'
language:
- iso: eng
page: 1–33
publication: Empirical Software Engineering
publisher: Springer
status: public
title: Fluently specifying taint-flow queries with fluentTQL
type: journal_article
user_id: '15249'
volume: 27
year: '2022'
...
---
_id: '33838'
author:
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Krishnamurthy R, Piskachev G, Bodden E. To what extent can we analyze Kotlin
    programs using existing Java taint analysis tools? Published online 2022.
  apa: Krishnamurthy, R., Piskachev, G., &#38; Bodden, E. (2022). <i>To what extent
    can we analyze Kotlin programs using existing Java taint analysis tools?</i>
  bibtex: '@article{Krishnamurthy_Piskachev_Bodden_2022, series={IEEE International
    Working Conference on Source Code Analysis and Manipulation (SCAM)}, title={To
    what extent can we analyze Kotlin programs using existing Java taint analysis
    tools?}, author={Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric},
    year={2022}, collection={IEEE International Working Conference on Source Code
    Analysis and Manipulation (SCAM)} }'
  chicago: Krishnamurthy, Ranjith, Goran Piskachev, and Eric Bodden. “To What Extent
    Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?” IEEE
    International Working Conference on Source Code Analysis and Manipulation (SCAM),
    2022.
  ieee: R. Krishnamurthy, G. Piskachev, and E. Bodden, “To what extent can we analyze
    Kotlin programs using existing Java taint analysis tools?” 2022.
  mla: Krishnamurthy, Ranjith, et al. <i>To What Extent Can We Analyze Kotlin Programs
    Using Existing Java Taint Analysis Tools?</i> 2022.
  short: R. Krishnamurthy, G. Piskachev, E. Bodden, (2022).
date_created: 2022-10-20T12:38:09Z
date_updated: 2022-10-20T12:38:32Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
series_title: IEEE International Working Conference on Source Code Analysis and Manipulation
  (SCAM)
status: public
title: To what extent can we analyze Kotlin programs using existing Java taint analysis
  tools?
type: conference
user_id: '15249'
year: '2022'
...
---
_id: '33837'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Thorsten
  full_name: Koch, Thorsten
  id: '13616'
  last_name: Koch
- first_name: Sven
  full_name: Merschjohann, Sven
  id: '11394'
  last_name: Merschjohann
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Dziwok S, Koch T, Merschjohann S, Bodden E. How far are German
    companies in improving security through static program analysis tools? Published
    online 2022.
  apa: Piskachev, G., Dziwok, S., Koch, T., Merschjohann, S., &#38; Bodden, E. (2022).
    <i>How far are German companies in improving security through static program analysis
    tools?</i>
  bibtex: '@article{Piskachev_Dziwok_Koch_Merschjohann_Bodden_2022, series={IEEE Secure
    Development Conference (SecDev)}, title={How far are German companies in improving
    security through static program analysis tools?}, author={Piskachev, Goran and
    Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}, year={2022},
    collection={IEEE Secure Development Conference (SecDev)} }'
  chicago: Piskachev, Goran, Stefan Dziwok, Thorsten Koch, Sven Merschjohann, and
    Eric Bodden. “How Far Are German Companies in Improving Security through Static
    Program Analysis Tools?” IEEE Secure Development Conference (SecDev), 2022.
  ieee: G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, and E. Bodden, “How far
    are German companies in improving security through static program analysis tools?”
    2022.
  mla: Piskachev, Goran, et al. <i>How Far Are German Companies in Improving Security
    through Static Program Analysis Tools?</i> 2022.
  short: G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, E. Bodden, (2022).
date_created: 2022-10-20T12:37:14Z
date_updated: 2022-10-20T12:37:44Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
series_title: IEEE Secure Development Conference (SecDev)
status: public
title: How far are German companies in improving security through static program analysis
  tools?
type: conference
user_id: '15249'
year: '2022'
...
---
_id: '33959'
abstract:
- lang: eng
  text: Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic
    APIs have a misuse which may cause security vulnerabilities. As previous studies
    did not conduct a qualitative examination of the validity and severity of the
    findings, our objective was to understand the findings in more depth. We analyzed
    a set of 936 open-source Java applications for cryptographic misuses. Our study
    reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs
    securely. Through our manual analysis of a random sample, we gained new insights
    into effective false positives. For example, every fourth misuse of the frequently
    misused JCA class MessageDigest is an effective false positive due to its occurrence
    in a non-security context. As we wanted to gain deeper insights into the security
    implications of these misuses, we created an extensive vulnerability model for
    cryptographic API misuses. Our model includes previously undiscussed attacks in
    the context of cryptographic APIs such as DoS attacks. This model reveals that
    nearly half of the misuses are of high severity, e.g., hard-coded credentials
    and potential Man-in-the-Middle attacks.
author:
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Lars
  full_name: Baumgärtner, Lars
  last_name: Baumgärtner
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
citation:
  ama: 'Wickert A-K, Baumgärtner L, Schlichtig M, Mezini M. <i>To Fix or Not to Fix:
    A Critical Study of Crypto-Misuses in the Wild</i>.; 2022. doi:<a href="https://doi.org/10.48550/ARXIV.2209.11103">10.48550/ARXIV.2209.11103</a>'
  apa: 'Wickert, A.-K., Baumgärtner, L., Schlichtig, M., &#38; Mezini, M. (2022).
    <i>To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild</i>. <a
    href="https://doi.org/10.48550/ARXIV.2209.11103">https://doi.org/10.48550/ARXIV.2209.11103</a>'
  bibtex: '@book{Wickert_Baumgärtner_Schlichtig_Mezini_2022, title={To Fix or Not
    to Fix: A Critical Study of Crypto-misuses in the Wild}, DOI={<a href="https://doi.org/10.48550/ARXIV.2209.11103">10.48550/ARXIV.2209.11103</a>},
    author={Wickert, Anna-Katharina and Baumgärtner, Lars and Schlichtig, Michael
    and Mezini, Mira}, year={2022} }'
  chicago: 'Wickert, Anna-Katharina, Lars Baumgärtner, Michael Schlichtig, and Mira
    Mezini. <i>To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild</i>,
    2022. <a href="https://doi.org/10.48550/ARXIV.2209.11103">https://doi.org/10.48550/ARXIV.2209.11103</a>.'
  ieee: 'A.-K. Wickert, L. Baumgärtner, M. Schlichtig, and M. Mezini, <i>To Fix or
    Not to Fix: A Critical Study of Crypto-misuses in the Wild</i>. 2022.'
  mla: 'Wickert, Anna-Katharina, et al. <i>To Fix or Not to Fix: A Critical Study
    of Crypto-Misuses in the Wild</i>. 2022, doi:<a href="https://doi.org/10.48550/ARXIV.2209.11103">10.48550/ARXIV.2209.11103</a>.'
  short: 'A.-K. Wickert, L. Baumgärtner, M. Schlichtig, M. Mezini, To Fix or Not to
    Fix: A Critical Study of Crypto-Misuses in the Wild, 2022.'
date_created: 2022-10-28T13:21:05Z
date_updated: 2022-10-28T13:26:39Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2209.11103
language:
- iso: eng
related_material:
  link:
  - relation: confirmation
    url: https://arxiv.org/abs/2209.11103
status: public
title: 'To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild'
type: misc
user_id: '32312'
year: '2022'
...
---
_id: '53952'
author:
- first_name: Fabio
  full_name: Massacci, Fabio
  last_name: Massacci
- first_name: Antonino
  full_name: Sabetta, Antonino
  last_name: Sabetta
- first_name: Jelena
  full_name: Mirkovic, Jelena
  last_name: Mirkovic
- first_name: Toby
  full_name: Murray, Toby
  last_name: Murray
- first_name: Hamed
  full_name: Okhravi, Hamed
  last_name: Okhravi
- first_name: Mohammad
  full_name: Mannan, Mohammad
  last_name: Mannan
- first_name: Anderson
  full_name: Rocha, Anderson
  last_name: Rocha
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Daniel E.
  full_name: Geer, Daniel E.
  last_name: Geer
citation:
  ama: Massacci F, Sabetta A, Mirkovic J, et al. “Free” as in Freedom to Protest?
    <i>IEEE Security &#38; Privacy</i>. 2022;20(5):16-21. doi:<a href="https://doi.org/10.1109/msec.2022.3185845">10.1109/msec.2022.3185845</a>
  apa: Massacci, F., Sabetta, A., Mirkovic, J., Murray, T., Okhravi, H., Mannan, M.,
    Rocha, A., Bodden, E., &#38; Geer, D. E. (2022). “Free” as in Freedom to Protest?
    <i>IEEE Security &#38; Privacy</i>, <i>20</i>(5), 16–21. <a href="https://doi.org/10.1109/msec.2022.3185845">https://doi.org/10.1109/msec.2022.3185845</a>
  bibtex: '@article{Massacci_Sabetta_Mirkovic_Murray_Okhravi_Mannan_Rocha_Bodden_Geer_2022,
    title={“Free” as in Freedom to Protest?}, volume={20}, DOI={<a href="https://doi.org/10.1109/msec.2022.3185845">10.1109/msec.2022.3185845</a>},
    number={5}, journal={IEEE Security &#38; Privacy}, publisher={Institute of
    Electrical and Electronics Engineers (IEEE)}, author={Massacci, Fabio and Sabetta,
    Antonino and Mirkovic, Jelena and Murray, Toby and Okhravi, Hamed and Mannan,
    Mohammad and Rocha, Anderson and Bodden, Eric and Geer, Daniel E.}, year={2022},
    pages={16–21} }'
  chicago: 'Massacci, Fabio, Antonino Sabetta, Jelena Mirkovic, Toby Murray, Hamed
    Okhravi, Mohammad Mannan, Anderson Rocha, Eric Bodden, and Daniel E. Geer. “‘Free’
    as in Freedom to Protest?” <i>IEEE Security &#38; Privacy</i> 20, no. 5 (2022):
    16–21. <a href="https://doi.org/10.1109/msec.2022.3185845">https://doi.org/10.1109/msec.2022.3185845</a>.'
  ieee: 'F. Massacci <i>et al.</i>, “‘Free’ as in Freedom to Protest?,” <i>IEEE Security
    &#38; Privacy</i>, vol. 20, no. 5, pp. 16–21, 2022, doi: <a href="https://doi.org/10.1109/msec.2022.3185845">10.1109/msec.2022.3185845</a>.'
  mla: Massacci, Fabio, et al. “‘Free’ as in Freedom to Protest?” <i>IEEE Security
    &#38; Privacy</i>, vol. 20, no. 5, Institute of Electrical and Electronics
    Engineers (IEEE), 2022, pp. 16–21, doi:<a href="https://doi.org/10.1109/msec.2022.3185845">10.1109/msec.2022.3185845</a>.
  short: F. Massacci, A. Sabetta, J. Mirkovic, T. Murray, H. Okhravi, M. Mannan, A.
    Rocha, E. Bodden, D.E. Geer, IEEE Security &#38; Privacy 20 (2022) 16–21.
date_created: 2024-05-06T11:32:59Z
date_updated: 2024-05-06T11:33:14Z
department:
- _id: '76'
doi: 10.1109/msec.2022.3185845
intvolume: '        20'
issue: '5'
language:
- iso: eng
page: 16-21
publication: IEEE Security & Privacy
publication_identifier:
  issn:
  - 1540-7993
  - 1558-4046
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
status: public
title: “Free” as in Freedom to Protest?
type: journal_article
user_id: '15249'
volume: 20
year: '2022'
...
---
_id: '30511'
abstract:
- lang: eng
  text: Many critical codebases are written in C, and most of them use preprocessor
    directives to encode variability, effectively encoding software product lines.
    These preprocessor directives, however, challenge any static code analysis. SPLlift,
    a previously presented approach for analyzing software product lines, is limited
    to Java programs that use a rather simple feature encoding and to analysis problems
    with a finite and ideally small domain. Other approaches that allow the analysis
    of real-world C software product lines use special-purpose analyses, preventing
    the reuse of existing analysis infrastructures and ignoring the progress made by
    the static analysis community. This work presents VarAlyzer, a novel static analysis
    approach for software product lines. VarAlyzer first transforms preprocessor constructs
    to plain C while preserving their variability and semantics. It then solves any
    given distributive analysis problem on transformed product lines in a variability-aware
    manner. VarAlyzer’s analysis results are annotated with feature constraints that
    encode in which configurations each result holds. Our experiments with 95 compilation
    units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural,
    flow-, field- and context-sensitive data-flow analyses on entire product lines
    for the first time, outperforming the product-based approach for highly-configurable
    systems.
alternative_title:
- Revoking the preprocessor’s special role
article_number: '35'
article_type: original
author:
- first_name: Philipp
  full_name: Schubert, Philipp
  id: '60543'
  last_name: Schubert
  orcid: 0000-0002-8674-1859
- first_name: Paul
  full_name: Gazzillo, Paul
  last_name: Gazzillo
- first_name: Zach
  full_name: Patterson, Zach
  last_name: Patterson
- first_name: Julian
  full_name: Braha, Julian
  last_name: Braha
- first_name: Fabian Benedikt
  full_name: Schiebel, Fabian Benedikt
  id: '55745'
  last_name: Schiebel
  orcid: 0009-0008-6867-9802
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software
    product lines in C. <i>Automated Software Engineering</i>. 2022;29(1). doi:<a
    href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>
  apa: Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F. B., Hermann,
    B., Wei, S., &#38; Bodden, E. (2022). Static data-flow analysis for software product
    lines in C. <i>Automated Software Engineering</i>, <i>29</i>(1), Article 35. <a
    href="https://doi.org/10.1007/s10515-022-00333-1">https://doi.org/10.1007/s10515-022-00333-1</a>
  bibtex: '@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022,
    title={Static data-flow analysis for software product lines in C}, volume={29},
    DOI={<a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>},
    number={1}, journal={Automated Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson,
    Zach and Braha, Julian and Schiebel, Fabian Benedikt and Hermann, Ben and Wei,
    Shiyi and Bodden, Eric}, year={2022} }'
  chicago: Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian
    Benedikt Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow
    Analysis for Software Product Lines in C.” <i>Automated Software Engineering</i>
    29, no. 1 (2022). <a href="https://doi.org/10.1007/s10515-022-00333-1">https://doi.org/10.1007/s10515-022-00333-1</a>.
  ieee: 'P. Schubert <i>et al.</i>, “Static data-flow analysis for software product
    lines in C,” <i>Automated Software Engineering</i>, vol. 29, no. 1, Art. no. 35,
    2022, doi: <a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>.'
  mla: Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines
    in C.” <i>Automated Software Engineering</i>, vol. 29, no. 1, 35, Springer Science
    and Business Media LLC, 2022, doi:<a href="https://doi.org/10.1007/s10515-022-00333-1">10.1007/s10515-022-00333-1</a>.
  short: P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F.B. Schiebel, B. Hermann,
    S. Wei, E. Bodden, Automated Software Engineering 29 (2022).
date_created: 2022-03-25T07:41:26Z
date_updated: 2025-12-04T10:42:38Z
department:
- _id: '76'
doi: 10.1007/s10515-022-00333-1
intvolume: '        29'
issue: '1'
keyword:
- inter-procedural static analysis
- software product lines
- preprocessor
- LLVM
- C/C++
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://link.springer.com/article/10.1007/s10515-022-00333-1
oa: '1'
project:
- _id: '12'
  name: 'SFB 901 - B4: SFB 901 - Subproject B4'
- _id: '3'
  name: 'SFB 901 - B: SFB 901 - Project Area B'
- _id: '1'
  name: 'SFB 901: SFB 901'
publication: Automated Software Engineering
publication_identifier:
  issn:
  - 0928-8910
  - 1573-7535
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Static data-flow analysis for software product lines in C
type: journal_article
user_id: '15249'
volume: 29
year: '2022'
...
---
_id: '27045'
abstract:
- lang: eng
  text: 'Due to the lack of established real-world benchmark suites for static taint
    analyses of Android applications, evaluations of these analyses are often restricted
    and hard to compare. Even in evaluations that do use real-world apps, details
    about the ground truth in those apps are rarely documented, which makes it difficult
    to compare and reproduce the results. To push Android taint analysis research
    forward, this paper thus recommends criteria for constructing real-world benchmark
    suites for this specific domain, and presents TaintBench, the first real-world
    malware benchmark suite with documented taint flows. TaintBench benchmark apps
    include taint flows with complex structures, and addresses static challenges that
    are commonly agreed on by the community. Together with the TaintBench suite, we
    introduce the TaintBench framework, whose goal is to simplify real-world benchmarking
    of Android taint analyses. First, a usability test shows that the framework improves
    experts’ performance and perceived usability when documenting and inspecting taint
    flows. Second, experiments using TaintBench reveal new insights for the taint
    analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world
    malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources
    and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions
    of both tools are less accurate than their predecessors.'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
- first_name: Felix
  full_name: Pauck, Felix
  id: '22398'
  last_name: Pauck
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Manuel
  full_name: Benz, Manuel
  last_name: Benz
- first_name: Ivan
  full_name: Pashchenko, Ivan
  last_name: Pashchenko
- first_name: Martin
  full_name: Mory, Martin
  id: '65667'
  last_name: Mory
  orcid: 0000-0001-5609-0031
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Fabio
  full_name: Massacci, Fabio
  last_name: Massacci
citation:
  ama: 'Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    Published online 2021. doi:<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>'
  apa: 'Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden,
    E., Hermann, B., &#38; Massacci, F. (2021). TaintBench: Automatic real-world malware
    benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>.
    <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>'
  bibtex: '@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021,
    title={TaintBench: Automatic real-world malware benchmarking of Android taint
    analyses}, DOI={<a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>},
    journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix
    and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and
    Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }'
  chicago: 'Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko,
    Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic
    Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software
    Engineering</i>, 2021. <a href="https://doi.org/10.1007/s10664-021-10013-5">https://doi.org/10.1007/s10664-021-10013-5</a>.'
  ieee: 'L. Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking
    of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi:
    <a href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  mla: 'Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking
    of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a
    href="https://doi.org/10.1007/s10664-021-10013-5">10.1007/s10664-021-10013-5</a>.'
  short: L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden,
    B. Hermann, F. Massacci, Empirical Software Engineering (2021).
date_created: 2021-11-02T05:13:49Z
date_updated: 2022-01-06T06:57:32Z
ddc:
- '000'
department:
- _id: '77'
- _id: '76'
doi: 10.1007/s10664-021-10013-5
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf
oa: '1'
project:
- _id: '1'
  name: SFB 901
- _id: '3'
  name: SFB 901 - Project Area B
- _id: '12'
  name: SFB 901 - Subproject B4
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
status: public
title: 'TaintBench: Automatic real-world malware benchmarking of Android taint analyses'
type: journal_article
user_id: '15249'
year: '2021'
...
---
_id: '27158'
author:
- first_name: Linghui
  full_name: Luo, Linghui
  last_name: Luo
citation:
  ama: Luo L. <i>Improving Real-World Applicability of Static Taint Analysis</i>.
    Universität Paderborn; 2021.
  apa: Luo, L. (2021). <i>Improving Real-World Applicability of Static Taint Analysis</i>.
    Universität Paderborn.
  bibtex: '@book{Luo_2021, title={Improving Real-World Applicability of Static Taint
    Analysis}, publisher={Universität Paderborn}, author={Luo, Linghui}, year={2021}
    }'
  chicago: Luo, Linghui. <i>Improving Real-World Applicability of Static Taint Analysis</i>.
    Universität Paderborn, 2021.
  ieee: L. Luo, <i>Improving Real-World Applicability of Static Taint Analysis</i>.
    Universität Paderborn, 2021.
  mla: Luo, Linghui. <i>Improving Real-World Applicability of Static Taint Analysis</i>.
    Universität Paderborn, 2021.
  short: L. Luo, Improving Real-World Applicability of Static Taint Analysis, Universität
    Paderborn, 2021.
date_created: 2021-11-04T13:58:35Z
date_updated: 2022-01-06T06:57:35Z
department:
- _id: '76'
language:
- iso: eng
publisher: Universität Paderborn
related_material:
  link:
  - relation: confirmation
    url: https://www.bodden.de/pubs/phdLuo.pdf
status: public
title: Improving Real-World Applicability of Static Taint Analysis
type: dissertation
user_id: '15249'
year: '2021'
...
---
_id: '21595'
author:
- first_name: Lars
  full_name: Stockmann, Lars
  id: '48144'
  last_name: Stockmann
- first_name: Sven
  full_name: Laux, Sven
  last_name: Laux
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Stockmann L, Laux S, Bodden E. Using Architectural Runtime Verification for
    Offline Data Analysis. <i>Journal of Automotive Software Engineering</i>. Published
    online 2021. doi:<a href="https://doi.org/10.2991/jase.d.210205.001">10.2991/jase.d.210205.001</a>
  apa: Stockmann, L., Laux, S., &#38; Bodden, E. (2021). Using Architectural Runtime
    Verification for Offline Data Analysis. <i>Journal of Automotive Software Engineering</i>.
    <a href="https://doi.org/10.2991/jase.d.210205.001">https://doi.org/10.2991/jase.d.210205.001</a>
  bibtex: '@article{Stockmann_Laux_Bodden_2021, title={Using Architectural Runtime
    Verification for Offline Data Analysis}, DOI={<a href="https://doi.org/10.2991/jase.d.210205.001">10.2991/jase.d.210205.001</a>},
    journal={Journal of Automotive Software Engineering}, author={Stockmann, Lars
    and Laux, Sven and Bodden, Eric}, year={2021} }'
  chicago: Stockmann, Lars, Sven Laux, and Eric Bodden. “Using Architectural Runtime
    Verification for Offline Data Analysis.” <i>Journal of Automotive Software Engineering</i>,
    2021. <a href="https://doi.org/10.2991/jase.d.210205.001">https://doi.org/10.2991/jase.d.210205.001</a>.
  ieee: 'L. Stockmann, S. Laux, and E. Bodden, “Using Architectural Runtime Verification
    for Offline Data Analysis,” <i>Journal of Automotive Software Engineering</i>,
    2021, doi: <a href="https://doi.org/10.2991/jase.d.210205.001">10.2991/jase.d.210205.001</a>.'
  mla: Stockmann, Lars, et al. “Using Architectural Runtime Verification for Offline
    Data Analysis.” <i>Journal of Automotive Software Engineering</i>, 2021, doi:<a
    href="https://doi.org/10.2991/jase.d.210205.001">10.2991/jase.d.210205.001</a>.
  short: L. Stockmann, S. Laux, E. Bodden, Journal of Automotive Software Engineering
    (2021).
date_created: 2021-04-08T11:21:32Z
date_updated: 2022-01-06T06:55:06Z
department:
- _id: '76'
doi: 10.2991/jase.d.210205.001
language:
- iso: eng
main_file_link:
- url: https://www.bodden.de/pubs/sb21architectural.pdf
publication: Journal of Automotive Software Engineering
publication_identifier:
  issn:
  - 2589-2258
publication_status: published
status: public
title: Using Architectural Runtime Verification for Offline Data Analysis
type: journal_article
user_id: '5786'
year: '2021'
...
---
_id: '21596'
author:
- first_name: Andreas
  full_name: Fischer, Andreas
  last_name: Fischer
citation:
  ama: Fischer A. <i>Computing on Encrypted Data Using Trusted Execution Environments</i>.
    Universität Paderborn; 2021.
  apa: Fischer, A. (2021). <i>Computing on Encrypted Data using Trusted Execution
    Environments</i>. Universität Paderborn.
  bibtex: '@book{Fischer_2021, title={Computing on Encrypted Data using Trusted Execution
    Environments}, publisher={Universität Paderborn}, author={Fischer, Andreas}, year={2021}
    }'
  chicago: Fischer, Andreas. <i>Computing on Encrypted Data Using Trusted Execution
    Environments</i>. Universität Paderborn, 2021.
  ieee: A. Fischer, <i>Computing on Encrypted Data using Trusted Execution Environments</i>.
    Universität Paderborn, 2021.
  mla: Fischer, Andreas. <i>Computing on Encrypted Data Using Trusted Execution Environments</i>.
    Universität Paderborn, 2021.
  short: A. Fischer, Computing on Encrypted Data Using Trusted Execution Environments,
    Universität Paderborn, 2021.
date_created: 2021-04-08T11:23:13Z
date_updated: 2022-01-06T06:55:06Z
department:
- _id: '76'
language:
- iso: eng
main_file_link:
- url: https://www.bodden.de/pubs/phdFischer.pdf
publisher: Universität Paderborn
status: public
title: Computing on Encrypted Data using Trusted Execution Environments
type: dissertation
user_id: '5786'
year: '2021'
...
---
_id: '21597'
author:
- first_name: Philipp
  full_name: Holzinger, Philipp
  last_name: Holzinger
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Holzinger P, Bodden E. A Systematic Hardening of Java’s Information Hiding.
    <i>International Symposium on Advanced Security on Software and Systems (ASSS)</i>.
    Published online 2021.
  apa: Holzinger, P., &#38; Bodden, E. (2021). A Systematic Hardening of Java’s Information
    Hiding. <i>International Symposium on Advanced Security on Software and Systems
    (ASSS)</i>.
  bibtex: '@article{Holzinger_Bodden_2021, title={A Systematic Hardening of Java’s
    Information Hiding}, journal={International Symposium on Advanced Security on
    Software and Systems (ASSS)}, author={Holzinger, Philipp and Bodden, Eric}, year={2021}
    }'
  chicago: Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s
    Information Hiding.” <i>International Symposium on Advanced Security on Software
    and Systems (ASSS)</i>, 2021.
  ieee: P. Holzinger and E. Bodden, “A Systematic Hardening of Java’s Information
    Hiding,” <i>International Symposium on Advanced Security on Software and Systems
    (ASSS)</i>, 2021.
  mla: Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s Information
    Hiding.” <i>International Symposium on Advanced Security on Software and Systems
    (ASSS)</i>, 2021.
  short: P. Holzinger, E. Bodden, International Symposium on Advanced Security on
    Software and Systems (ASSS) (2021).
date_created: 2021-04-08T11:24:06Z
date_updated: 2022-01-06T06:55:06Z
department:
- _id: '76'
language:
- iso: eng
main_file_link:
- url: https://www.bodden.de/pubs/hb21systematic.pdf
publication: International Symposium on Advanced Security on Software and Systems
  (ASSS)
status: public
title: A Systematic Hardening of Java's Information Hiding
type: journal_article
user_id: '5786'
year: '2021'
...
---
_id: '21599'
author:
- first_name: Rodrigo
  full_name: Bonifacio, Rodrigo
  last_name: Bonifacio
- first_name: Stefan
  full_name: Krüger, Stefan
  last_name: Krüger
- first_name: Krishna
  full_name: Narasimhan, Krishna
  last_name: Narasimhan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
citation:
  ama: Bonifacio R, Krüger S, Narasimhan K, Bodden E, Mezini M. Dealing with Variability
    in API Misuse Specification. <i>European Conference on Object-Oriented Programming
    (ECOOP)</i>. Published online 2021.
  apa: Bonifacio, R., Krüger, S., Narasimhan, K., Bodden, E., &#38; Mezini, M. (2021).
    Dealing with Variability in API Misuse Specification. <i>European Conference on
    Object-Oriented Programming (ECOOP)</i>.
  bibtex: '@article{Bonifacio_Krüger_Narasimhan_Bodden_Mezini_2021, title={Dealing
    with Variability in API Misuse Specification}, journal={European Conference on
    Object-Oriented Programming (ECOOP)}, author={Bonifacio, Rodrigo and Krüger, Stefan
    and Narasimhan, Krishna and Bodden, Eric and Mezini, Mira}, year={2021} }'
  chicago: Bonifacio, Rodrigo, Stefan Krüger, Krishna Narasimhan, Eric Bodden, and
    Mira Mezini. “Dealing with Variability in API Misuse Specification.” <i>European
    Conference on Object-Oriented Programming (ECOOP)</i>, 2021.
  ieee: R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, and M. Mezini, “Dealing
    with Variability in API Misuse Specification,” <i>European Conference on Object-Oriented
    Programming (ECOOP)</i>, 2021.
  mla: Bonifacio, Rodrigo, et al. “Dealing with Variability in API Misuse Specification.”
    <i>European Conference on Object-Oriented Programming (ECOOP)</i>, 2021.
  short: R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, M. Mezini, European Conference
    on Object-Oriented Programming (ECOOP) (2021).
date_created: 2021-04-08T11:25:43Z
date_updated: 2022-01-06T06:55:06Z
department:
- _id: '76'
language:
- iso: eng
publication: European Conference on Object-Oriented Programming (ECOOP)
status: public
title: Dealing with Variability in API Misuse Specification
type: journal_article
user_id: '5786'
year: '2021'
...
---
_id: '23374'
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  last_name: Kummita
- first_name: Goran
  full_name: Piskachev, Goran
  last_name: Piskachev
- first_name: Johannes
  full_name: Spath, Johannes
  last_name: Spath
- first_name: Eric
  full_name: Bodden, Eric
  last_name: Bodden
citation:
  ama: 'Kummita S, Piskachev G, Spath J, Bodden E. Qualitative and Quantitative Analysis
    of Callgraph Algorithms for Python. In: <i>2021 International Conference on Code
    Quality (ICCQ)</i>. ; 2021. doi:<a href="https://doi.org/10.1109/iccq51190.2021.9392986">10.1109/iccq51190.2021.9392986</a>'
  apa: Kummita, S., Piskachev, G., Spath, J., &#38; Bodden, E. (2021). Qualitative
    and Quantitative Analysis of Callgraph Algorithms for Python. <i>2021 International
    Conference on Code Quality (ICCQ)</i>. <a href="https://doi.org/10.1109/iccq51190.2021.9392986">https://doi.org/10.1109/iccq51190.2021.9392986</a>
  bibtex: '@inproceedings{Kummita_Piskachev_Spath_Bodden_2021, title={Qualitative
    and Quantitative Analysis of Callgraph Algorithms for Python}, DOI={<a href="https://doi.org/10.1109/iccq51190.2021.9392986">10.1109/iccq51190.2021.9392986</a>},
    booktitle={2021 International Conference on Code Quality (ICCQ)}, author={Kummita,
    Sriteja and Piskachev, Goran and Spath, Johannes and Bodden, Eric}, year={2021}
    }'
  chicago: Kummita, Sriteja, Goran Piskachev, Johannes Spath, and Eric Bodden. “Qualitative
    and Quantitative Analysis of Callgraph Algorithms for Python.” In <i>2021 International
    Conference on Code Quality (ICCQ)</i>, 2021. <a href="https://doi.org/10.1109/iccq51190.2021.9392986">https://doi.org/10.1109/iccq51190.2021.9392986</a>.
  ieee: 'S. Kummita, G. Piskachev, J. Spath, and E. Bodden, “Qualitative and Quantitative
    Analysis of Callgraph Algorithms for Python,” 2021, doi: <a href="https://doi.org/10.1109/iccq51190.2021.9392986">10.1109/iccq51190.2021.9392986</a>.'
  mla: Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph
    Algorithms for Python.” <i>2021 International Conference on Code Quality (ICCQ)</i>,
    2021, doi:<a href="https://doi.org/10.1109/iccq51190.2021.9392986">10.1109/iccq51190.2021.9392986</a>.
  short: 'S. Kummita, G. Piskachev, J. Spath, E. Bodden, in: 2021 International Conference
    on Code Quality (ICCQ), 2021.'
date_created: 2021-08-09T12:01:11Z
date_updated: 2022-01-06T06:55:50Z
department:
- _id: '241'
- _id: '662'
- _id: '76'
doi: 10.1109/iccq51190.2021.9392986
language:
- iso: eng
publication: 2021 International Conference on Code Quality (ICCQ)
publication_status: published
status: public
title: Qualitative and Quantitative Analysis of Callgraph Algorithms for Python
type: conference
user_id: '5786'
year: '2021'
...
---
_id: '30084'
author:
- first_name: Kadiray
  full_name: Karakaya, Kadiray
  last_name: Karakaya
- first_name: Eric
  full_name: Bodden, Eric
  last_name: Bodden
citation:
  ama: 'Karakaya K, Bodden E. SootFX: A Static Code Feature Extraction Tool for Java
    and Android. In: <i>2021 IEEE 21st International Working Conference on Source
    Code Analysis and Manipulation (SCAM)</i>. IEEE; 2021. doi:<a href="https://doi.org/10.1109/scam52516.2021.00030">10.1109/scam52516.2021.00030</a>'
  apa: 'Karakaya, K., &#38; Bodden, E. (2021). SootFX: A Static Code Feature Extraction
    Tool for Java and Android. <i>2021 IEEE 21st International Working Conference
    on Source Code Analysis and Manipulation (SCAM)</i>. <a href="https://doi.org/10.1109/scam52516.2021.00030">https://doi.org/10.1109/scam52516.2021.00030</a>'
  bibtex: '@inproceedings{Karakaya_Bodden_2021, title={SootFX: A Static Code Feature
    Extraction Tool for Java and Android}, DOI={<a href="https://doi.org/10.1109/scam52516.2021.00030">10.1109/scam52516.2021.00030</a>},
    booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis
    and Manipulation (SCAM)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden,
    Eric}, year={2021} }'
  chicago: 'Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction
    Tool for Java and Android.” In <i>2021 IEEE 21st International Working Conference
    on Source Code Analysis and Manipulation (SCAM)</i>. IEEE, 2021. <a href="https://doi.org/10.1109/scam52516.2021.00030">https://doi.org/10.1109/scam52516.2021.00030</a>.'
  ieee: 'K. Karakaya and E. Bodden, “SootFX: A Static Code Feature Extraction Tool
    for Java and Android,” 2021, doi: <a href="https://doi.org/10.1109/scam52516.2021.00030">10.1109/scam52516.2021.00030</a>.'
  mla: 'Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction
    Tool for Java and Android.” <i>2021 IEEE 21st International Working Conference
    on Source Code Analysis and Manipulation (SCAM)</i>, IEEE, 2021, doi:<a href="https://doi.org/10.1109/scam52516.2021.00030">10.1109/scam52516.2021.00030</a>.'
  short: 'K. Karakaya, E. Bodden, in: 2021 IEEE 21st International Working Conference
    on Source Code Analysis and Manipulation (SCAM), IEEE, 2021.'
date_created: 2022-02-24T15:44:42Z
date_updated: 2022-02-24T15:45:43Z
department:
- _id: '76'
doi: 10.1109/scam52516.2021.00030
publication: 2021 IEEE 21st International Working Conference on Source Code Analysis
  and Manipulation (SCAM)
publication_status: published
publisher: IEEE
status: public
title: 'SootFX: A Static Code Feature Extraction Tool for Java and Android'
type: conference
user_id: '70410'
year: '2021'
...
---
_id: '21598'
abstract:
- lang: eng
  text: Static analysis is used to automatically detect bugs and security breaches,
    and aids compiler optimization. Whole-program analysis (WPA) can yield high precision,
    but causes long analysis times and thus does not match common software-development
    workflows, making it often impractical to use for large, real-world applications.
    This paper thus presents the design and implementation of ModAlyzer, a novel
    static-analysis approach that aims at accelerating whole-program analysis by making
    the analysis modular and compositional. It shows how to compute lossless, persisted
    summaries for callgraph, points-to and data-flow information, and it reports under
    which circumstances this function-level compositional analysis outperforms WPA.
    We implemented ModAlyzer as an extension to LLVM and PhASAR, and applied it to
    12 real-world C and C++ applications. At analysis time, ModAlyzer modularly and
    losslessly summarizes the analysis effect of the library code those applications
    share, hence avoiding its repeated re-analysis. The experimental results show that
    the reuse of these summaries can save, on average, 72% of analysis time over WPA.
    Moreover, because it is lossless, the module-wise analysis fully retains precision
    and recall. Surprisingly, as our results show, it sometimes even yields precision
    superior to WPA. The initial summary generation, on average, takes about 3.67
    times as long as WPA.
author:
- first_name: Philipp
  full_name: Schubert, Philipp
  id: '60543'
  last_name: Schubert
  orcid: 0000-0002-8674-1859
- first_name: Ben
  full_name: Hermann, Ben
  id: '66173'
  last_name: Hermann
  orcid: 0000-0001-9848-2017
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Schubert P, Hermann B, Bodden E. Lossless, Persisted Summarization of Static
    Callgraph, Points-To and Data-Flow Analysis. In: <i>European Conference on Object-Oriented
    Programming (ECOOP)</i>. ; 2021.'
  apa: Schubert, P., Hermann, B., &#38; Bodden, E. (2021). Lossless, Persisted Summarization
    of Static Callgraph, Points-To and Data-Flow Analysis. <i>European Conference
    on Object-Oriented Programming (ECOOP)</i>.
  bibtex: '@inproceedings{Schubert_Hermann_Bodden_2021, title={Lossless, Persisted
    Summarization of Static Callgraph, Points-To and Data-Flow Analysis}, booktitle={European
    Conference on Object-Oriented Programming (ECOOP)}, author={Schubert, Philipp
    and Hermann, Ben and Bodden, Eric}, year={2021} }'
  chicago: Schubert, Philipp, Ben Hermann, and Eric Bodden. “Lossless, Persisted Summarization
    of Static Callgraph, Points-To and Data-Flow Analysis.” In <i>European Conference
    on Object-Oriented Programming (ECOOP)</i>, 2021.
  ieee: P. Schubert, B. Hermann, and E. Bodden, “Lossless, Persisted Summarization
    of Static Callgraph, Points-To and Data-Flow Analysis,” 2021.
  mla: Schubert, Philipp, et al. “Lossless, Persisted Summarization of Static Callgraph,
    Points-To and Data-Flow Analysis.” <i>European Conference on Object-Oriented Programming
    (ECOOP)</i>, 2021.
  short: 'P. Schubert, B. Hermann, E. Bodden, in: European Conference on Object-Oriented
    Programming (ECOOP), 2021.'
date_created: 2021-04-08T11:24:59Z
date_updated: 2022-03-25T07:49:35Z
department:
- _id: '76'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://drops.dagstuhl.de/opus/volltexte/2021/14045/
oa: '1'
project:
- _id: '3'
  name: SFB 901 - Project Area B
- _id: '12'
  name: SFB 901 - Subproject B4
- _id: '1'
  name: SFB 901
publication: European Conference on Object-Oriented Programming (ECOOP)
status: public
title: Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow
  Analysis
type: conference
user_id: '60543'
year: '2021'
...
