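@comment{
  Publication list (classic-BibTeX compatible).
  Fixes applied to the exported data: name lists and plain fields were
  wrapped in double braces, which makes BibTeX parse a whole author list
  as a single corporate surname; titles were triple-braced, which defeats
  style casing. Fields now use single braces, with only proper nouns and
  acronyms protected in titles. Unescaped LaTeX specials (& and %) and
  non-ASCII characters were converted to LaTeX escapes, and abstracts with
  spacing lost during export were repaired. Citation keys and all
  bibliographic data are unchanged.
}

@inproceedings{35083,
  author    = {Dann, Andreas Peter and Hermann, Ben and Bodden, Eric},
  title     = {{UpCy}: Safely Updating Outdated Dependencies},
  year      = {2023},
}

@article{30511,
  author    = {Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian and Hermann, Ben and Wei, Shiyi and Bodden, Eric},
  title     = {Static data-flow analysis for software product lines in {C}},
  journal   = {Automated Software Engineering},
  volume    = {29},
  number    = {1},
  publisher = {Springer Science and Business Media LLC},
  issn      = {0928-8910},
  doi       = {10.1007/s10515-022-00333-1},
  year      = {2022},
  keywords  = {inter-procedural static analysis, software product lines, preprocessor, LLVM, C/C++},
  abstract  = {Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer's analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.},
}

@article{27045,
  author    = {Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio},
  title     = {{TaintBench}: Automatic real-world malware benchmarking of {Android} taint analyses},
  journal   = {Empirical Software Engineering},
  issn      = {1382-3256},
  doi       = {10.1007/s10664-021-10013-5},
  year      = {2021},
  abstract  = {Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts' performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools' accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.},
}

@inproceedings{21598,
  author    = {Schubert, Philipp and Hermann, Ben and Bodden, Eric},
  title     = {Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis},
  booktitle = {European Conference on Object-Oriented Programming (ECOOP)},
  year      = {2021},
  abstract  = {Static analysis is used to automatically detect bugs and security breaches, and aids compiler optimization. Whole-program analysis (WPA) can yield high precision, however causes long analysis times and thus does not match common software-development workflows, making it often impractical to use for large, real-world applications. This paper thus presents the design and implementation of ModAlyzer, a novel static-analysis approach that aims at accelerating whole-program analysis by making the analysis modular and compositional. It shows how to compute lossless, persisted summaries for callgraph, points-to and data-flow information, and it reports under which circumstances this function-level compositional analysis outperforms WPA. We implemented ModAlyzer as an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. At analysis time, ModAlyzer modularly and losslessly summarizes the analysis effect of the library code those applications share, hence avoiding its repeated re-analysis. The experimental results show that the reuse of these summaries can save, on average, 72\% of analysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retains precision and recall. Surprisingly, as our results show, it sometimes even yields precision superior to WPA. The initial summary generation, on average, takes about 3.67 times as long as WPA.},
}

@article{31132,
  author    = {Dann, Andreas Peter and Plate, Henrik and Hermann, Ben and Ponta, Serena Elisa and Bodden, Eric},
  title     = {Identifying Challenges for {OSS} Vulnerability Scanners -- A Study \& Test Suite},
  journal   = {IEEE Transactions on Software Engineering},
  pages     = {1--1},
  publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
  issn      = {0098-5589},
  doi       = {10.1109/tse.2021.3101739},
  year      = {2021},
  keywords  = {Software},
}

@inproceedings{26406,
  author    = {Schubert, Philipp and Hermann, Ben and Bodden, Eric and Leer, Richard},
  title     = {Into the Woods: Experiences from Building a Dataflow Analysis Framework for {C/C++}},
  booktitle = {SCAM '21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track)},
  year      = {2021},
}

@inproceedings{26405,
  author    = {Schubert, Philipp and Sattler, Florian and Schiebel, Fabian and Hermann, Ben and Bodden, Eric},
  title     = {Modeling the Effects of Global Variables in Data-Flow Analysis for {C/C++}},
  booktitle = {2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)},
  year      = {2021},
}

@techreport{20712,
  author    = {Schubert, Philipp and Bodden, Eric and Hermann, Ben},
  title     = {Accelerating Static Call-Graph, Points-to and Data-Flow Analysis Through Persisted Summaries},
  year      = {2020},
}

@article{14896,
  author    = {Dann, Andreas and Hermann, Ben and Bodden, Eric},
  title     = {{ModGuard}: Identifying Integrity \& Confidentiality Violations in {Java} Modules},
  journal   = {IEEE Transactions on Software Engineering},
  pages     = {1--1},
  issn      = {0098-5589},
  doi       = {10.1109/tse.2019.2931331},
  year      = {2019},
}

@inproceedings{14897,
  author    = {Dann, Andreas and Hermann, Ben and Bodden, Eric},
  title     = {{SootDiff}: bytecode comparison across different {Java} compilers},
  booktitle = {Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019},
  isbn      = {9781450367202},
  doi       = {10.1145/3315568.3329966},
  year      = {2019},
}

@inproceedings{14899,
  author    = {Kruger, Stefan and Hermann, Ben},
  title     = {Can an Online Service Predict Gender? On the State-of-the-Art in Gender Identification from Texts},
  booktitle = {2019 IEEE/ACM 2nd International Workshop on Gender Equality in Software Engineering (GE)},
  isbn      = {9781728122458},
  doi       = {10.1109/ge.2019.00012},
  year      = {2019},
}

@inproceedings{7626,
  author    = {Schubert, Philipp and Hermann, Ben and Bodden, Eric},
  title     = {{PhASAR}: An Inter-Procedural Static Analysis Framework for {C/C++}},
  booktitle = {Proceedings of the 25th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2019), Held as Part of the European Joint Conferences on Theory and Practice of Software (ETAPS 2019)},
  location  = {Prague, Czech Republic},
  volume    = {II},
  pages     = {393--410},
  doi       = {10.1007/978-3-030-17465-1_22},
  year      = {2019},
}

@inproceedings{14898,
  author    = {Schubert, Philipp and Leer, Richard and Hermann, Ben and Bodden, Eric},
  title     = {Know your analysis: how instrumentation aids understanding static analysis},
  booktitle = {Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019},
  isbn      = {9781450367202},
  doi       = {10.1145/3315568.3329965},
  year      = {2019},
}

@inproceedings{5725,
  author    = {Holzinger, Philipp and Hermann, Ben and Lerch, Johannes and Bodden, Eric and Mezini, Mira},
  title     = {Hardening {Java}'s Access Control by Abolishing Implicit Privilege Elevation},
  booktitle = {2017 IEEE Symposium on Security and Privacy (SP)},
  publisher = {IEEE},
  isbn      = {9781509055333},
  doi       = {10.1109/sp.2017.16},
  year      = {2017},
}

@inproceedings{5726,
  author    = {Reif, Michael and Eichberg, Michael and Hermann, Ben and Mezini, Mira},
  title     = {{Hermes}: assessment and creation of effective test corpora},
  booktitle = {Proceedings of the 6th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2017},
  publisher = {ACM Press},
  isbn      = {9781450350723},
  doi       = {10.1145/3088515.3088523},
  year      = {2017},
}

@inproceedings{5727,
  author    = {K{\"u}bler, Florian and M{\"u}ller, Patrick and Hermann, Ben},
  title     = {{SootKeeper}: runtime reusability for modular static analysis},
  booktitle = {Proceedings of the 6th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2017},
  publisher = {ACM Press},
  isbn      = {9781450350723},
  doi       = {10.1145/3088515.3088518},
  year      = {2017},
}

@inproceedings{5728,
  author    = {Reif, Michael and Eichberg, Michael and Hermann, Ben and Lerch, Johannes and Mezini, Mira},
  title     = {Call graph construction for {Java} libraries},
  booktitle = {Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2016},
  publisher = {ACM Press},
  isbn      = {9781450342186},
  doi       = {10.1145/2950290.2950312},
  year      = {2016},
}

@inproceedings{5729,
  author    = {Glanz, Leonid and Schmidt, Sebastian and Wollny, Sebastian and Hermann, Ben},
  title     = {A vulnerability's lifetime},
  booktitle = {Proceedings of the 15th International Conference on Knowledge Technologies and Data-driven Business - i-KNOW '15},
  publisher = {ACM Press},
  isbn      = {9781450337212},
  doi       = {10.1145/2809563.2809612},
  year      = {2015},
}

@inproceedings{5730,
  author    = {Lerch, Johannes and Hermann, Ben},
  title     = {Design your analysis: a case study on implementation reusability of data-flow functions},
  booktitle = {Proceedings of the 4th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2015},
  publisher = {ACM Press},
  isbn      = {9781450335850},
  doi       = {10.1145/2771284.2771289},
  year      = {2015},
}

@inproceedings{5731,
  author    = {Hermann, Ben and Reif, Michael and Eichberg, Michael and Mezini, Mira},
  title     = {Getting to know you: towards a capability model for {Java}},
  booktitle = {Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2015},
  publisher = {ACM Press},
  isbn      = {9781450336758},
  doi       = {10.1145/2786805.2786829},
  year      = {2015},
}

@inproceedings{5732,
  author    = {Eichberg, Michael and Hermann, Ben and Mezini, Mira and Glanz, Leonid},
  title     = {Hidden truths in dead software paths},
  booktitle = {Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2015},
  publisher = {ACM Press},
  isbn      = {9781450336758},
  doi       = {10.1145/2786805.2786865},
  year      = {2015},
}

@inproceedings{5733,
  author    = {Eichberg, Michael and Hermann, Ben},
  title     = {A software product line for static analyses: The {OPAL} framework},
  booktitle = {Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis - SOAP '14},
  publisher = {ACM Press},
  isbn      = {9781450329194},
  doi       = {10.1145/2614628.2614630},
  year      = {2014},
}

@inproceedings{5734,
  author    = {Lerch, Johannes and Hermann, Ben and Bodden, Eric and Mezini, Mira},
  title     = {{FlowTwist}: efficient context-sensitive inside-out taint analysis for large codebases},
  booktitle = {Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2014},
  publisher = {ACM Press},
  isbn      = {9781450330565},
  doi       = {10.1145/2635868.2635878},
  year      = {2014},
}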