@article{48946, abstract = {{inhalt Der verlässliche Betrieb von technischen Produkten wird zunehmend durch bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten. Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen und Angriffen zu spezifizieren.}}, author = {{Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum, Jens}}, issn = {{0720-5953}}, journal = {{Konstruktion}}, keywords = {{Mechanical Engineering, Mechanics of Materials, General Materials Science, Theoretical Computer Science}}, number = {{11-12}}, pages = {{60--65}}, publisher = {{VDI Fachmedien GmbH and Co. KG}}, title = {{{Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security}}}, doi = {{10.37544/0720-5953-2023-11-12-60}}, volume = {{75}}, year = {{2023}}, } @inproceedings{46500, abstract = {{The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. 
The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control System as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.}}, author = {{Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric and Gräßler, Iris}}, booktitle = {{2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)}}, keywords = {{Defense-in-Depth, Human Factors, Production Engineering, Product Design, Systems Engineering}}, location = {{Delft, Netherlands}}, pages = {{379--385}}, publisher = {{IEEE}}, title = {{{Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth}}}, doi = {{10.1109/eurospw59978.2023.00048}}, year = {{2023}}, } @inproceedings{44146, abstract = {{Many Android applications collect data from users. When they do, they must protect this collected data according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). App developers have limited tool support to reason about data protection throughout their app development process. Although many Android applications state a privacy policy, privacy policy compliance checks are currently manual, expensive, and prone to error. One of the major challenges in privacy audits is the significant gap between legal privacy statements (in English text) and technical measures that Android apps use to protect their user's privacy. In this thesis, we will explore to what extent we can use static analysis to answer important questions regarding data protection. 
Our main goal is to design a tool based approach that aids app developers and auditors in ensuring data protection in Android applications, based on automated static program analysis.}}, author = {{Khedkar, Mugdha}}, booktitle = {{Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23)}}, keywords = {{static analysis, data protection and privacy, GDPR compliance}}, title = {{{Static Analysis for Android GDPR Compliance Assurance}}}, doi = {{10.1109/ICSE-Companion58688.2023.00054}}, year = {{2023}}, } @inbook{52662, abstract = {{Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools off er poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for instance, to improve handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. 
These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses.}}, author = {{Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}}, booktitle = {{Software Engineering 2023}}, isbn = {{978-3-88579-726-5}}, keywords = {{Automated static analysis, Software usability}}, pages = {{95–96}}, publisher = {{Gesellschaft für Informatik e.V.}}, title = {{{Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}}}, year = {{2023}}, } @inbook{52660, abstract = {{Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, eg, with API misuse detectors. However, definitions for API misuses and related terms in literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detector’s capabilities, we performed a case study on the state-of the-art misuse detection tool CogniCrypt. 
The study showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify weaknesses and assist in deriving mitigations and improvements.}}, author = {{Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}}, booktitle = {{Software Engineering 2023}}, isbn = {{978-3-88579-726-5}}, keywords = {{API misuses API usage constraints, classification framework, API misuse detection, static analysis}}, pages = {{105–106}}, publisher = {{Gesellschaft für Informatik e.V.}}, title = {{{Introducing FUM: A Framework for API Usage Constraint and Misuse Classification}}}, year = {{2023}}, } @article{31844, abstract = {{Encrypting data before sending it to the cloud ensures data confidentiality but requires the cloud to compute on encrypted data. Trusted execution environments, such as Intel SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program give attackers ample opportunities to execute arbitrary code inside the enclave. This code can modify the dataflow of the program and leak secrets via SGX side channels. Fully homomorphic encryption would be an alternative to compute on encrypted data without data leaks. However, due to its high computational complexity, its applicability to general-purpose computing remains limited. Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data. We introduce the concept of dataflow authentication (DFAuth) to enable such programs. DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program. Our technique hence offers protections against the side-channel attacks described previously. 
We implemented two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave running a small and program-independent trusted code base. We applied DFAuth to a neural network performing machine learning on sensitive medical data and a smart charging scheduler for electric vehicles. Our transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in \( 12.55 \,\mathrm{m}\mathrm{s} \) . Our protected scheduler is capable of updating the encrypted charging plan in approximately 1.06 seconds. }}, author = {{Fischer, Andreas and Fuhry, Benny and Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}}, issn = {{2471-2566}}, journal = {{ACM Transactions on Privacy and Security}}, keywords = {{Safety, Risk, Reliability and Quality, General Computer Science}}, number = {{3}}, pages = {{1--36}}, publisher = {{Association for Computing Machinery (ACM)}}, title = {{{Computation on Encrypted Data Using Dataflow Authentication}}}, doi = {{10.1145/3513005}}, volume = {{25}}, year = {{2022}}, } @misc{32409, abstract = {{Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. 
Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection Tool Benchmark Suite". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.}}, author = {{Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}}, keywords = {{cryptography, benchmark, API misuse, static analysis}}, title = {{{CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite}}}, doi = {{10.48550/ARXIV.2204.06447}}, year = {{2022}}, } @inproceedings{32410, abstract = {{Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment. To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria. 
The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further. These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses.}}, author = {{Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}}, booktitle = {{Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis}}, isbn = {{9781450393799}}, keywords = {{Automated static analysis, Software usability}}, pages = {{532 -- 543}}, publisher = {{ACM}}, title = {{{A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools}}}, doi = {{10.1145/3533767}}, year = {{2022}}, } @inproceedings{31133, abstract = {{Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. 
To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detectors' capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. And it appears that also more generally FUM can aid the development and improvement of misuse detection tools.}}, author = {{Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}}, booktitle = {{2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}}, keywords = {{API misuses, API usage constraints, classification framework, API misuse detection, static analysis}}, pages = {{673 -- 684}}, title = {{{FUM - A Framework for API Usage constraint and Misuse Classification}}}, doi = {{https://doi.org/10.1109/SANER53432.2022.00085}}, year = {{2022}}, } @inproceedings{34057, author = {{Pasic, Faruk and Becker, Matthias}}, booktitle = {{2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)}}, publisher = {{IEEE}}, title = {{{Domain-specific Language for Condition Monitoring Software Development}}}, doi = {{10.1109/etfa52439.2022.9921730}}, year = {{2022}}, } @article{30511, abstract = {{AbstractMany critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. 
Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer ’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.}}, author = {{Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian and Hermann, Ben and Wei, Shiyi and Bodden, Eric}}, issn = {{0928-8910}}, journal = {{Automated Software Engineering}}, keywords = {{inter-procedural static analysis, software product lines, preprocessor, LLVM, C/C++}}, number = {{1}}, publisher = {{Springer Science and Business Media LLC}}, title = {{{Static data-flow analysis for software product lines in C}}}, doi = {{10.1007/s10515-022-00333-1}}, volume = {{29}}, year = {{2022}}, } @article{33835, abstract = {{ Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. 
Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. 
With a workaround solution, applications are still vulnerable since the code itself is unchanged.}}, author = {{Sayar, Imen and Bartel, Alexandre and Bodden, Eric and Le Traon, Yves}}, issn = {{1049-331X}}, journal = {{ACM Transactions on Software Engineering and Methodology}}, keywords = {{Software}}, publisher = {{Association for Computing Machinery (ACM)}}, title = {{{An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities}}}, doi = {{10.1145/3554732}}, year = {{2022}}, } @article{33836, author = {{Piskachev, Goran and Späth, Johannes and Budde, Ingo and Bodden, Eric}}, journal = {{Empirical Software Engineering}}, number = {{5}}, pages = {{1–33}}, publisher = {{Springer}}, title = {{{Fluently specifying taint-flow queries with fluentTQL}}}, volume = {{27}}, year = {{2022}}, } @inproceedings{33838, author = {{Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric}}, title = {{{To what extent can we analyze Kotlin programs using existing Java taint analysis tools?}}}, year = {{2022}}, } @inproceedings{33837, author = {{Piskachev, Goran and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}}, title = {{{How far are German companies in improving security through static program analysis tools?}}}, year = {{2022}}, } @misc{33959, abstract = {{Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. 
For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.}}, author = {{Wickert, Anna-Katharina and Baumgärtner, Lars and Schlichtig, Michael and Mezini, Mira}}, title = {{{To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild}}}, doi = {{10.48550/ARXIV.2209.11103}}, year = {{2022}}, } @article{27045, abstract = {{Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. 
Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.}}, author = {{Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}}, issn = {{1382-3256}}, journal = {{Empirical Software Engineering}}, title = {{{TaintBench: Automatic real-world malware benchmarking of Android taint analyses}}}, doi = {{10.1007/s10664-021-10013-5}}, year = {{2021}}, } @phdthesis{27158, author = {{Luo, Linghui}}, publisher = {{Universität Paderborn}}, title = {{{Improving Real-World Applicability of Static Taint Analysis}}}, year = {{2021}}, } @article{21595, author = {{Stockmann, Lars and Laux, Sven and Bodden, Eric}}, issn = {{2589-2258}}, journal = {{Journal of Automotive Software Engineering}}, title = {{{Using Architectural Runtime Verification for Offline Data Analysis}}}, doi = {{10.2991/jase.d.210205.001}}, year = {{2021}}, } @phdthesis{21596, author = {{Fischer, Andreas}}, publisher = {{Universität Paderborn}}, title = {{{Computing on Encrypted Data using Trusted Execution Environments}}}, year = {{2021}}, } @article{21597, author = {{Holzinger, Philipp and Bodden, Eric}}, journal = {{International Symposium on Advanced Security on Software and Systems (ASSS)}}, title = {{{A Systematic Hardening of Java's Information Hiding}}}, year = {{2021}}, } @article{21599, author = {{Bonifacio, Rodrigo and Krüger, Stefan and Narasimhan, Krishna and Bodden, Eric and Mezini, Mira}}, journal = {{European Conference on Object-Oriented Programming (ECOOP)}}, title = {{{Dealing with Variability in API Misuse Specification}}}, year = {{2021}}, } @inproceedings{22462, author = 
{{Shivarpatna Venkatesh, Ashwin Prasad and Bodden, Eric}}, booktitle = {{International Workshop on AI and Software Testing/Analysis (AISTA)}}, title = {{{Automated Cell Header Generator for Jupyter Notebooks}}}, doi = {{10.1145/3464968.3468410}}, year = {{2021}}, } @inproceedings{23374, author = {{Kummita, Sriteja and Piskachev, Goran and Spath, Johannes and Bodden, Eric}}, booktitle = {{2021 International Conference on Code Quality (ICCQ)}}, title = {{{Qualitative and Quantitative Analysis of Callgraph Algorithms for Python}}}, doi = {{10.1109/iccq51190.2021.9392986}}, year = {{2021}}, } @inproceedings{30084, author = {{Karakaya, Kadiray and Bodden, Eric}}, booktitle = {{2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}}, publisher = {{IEEE}}, title = {{{SootFX: A Static Code Feature Extraction Tool for Java and Android}}}, doi = {{10.1109/scam52516.2021.00030}}, year = {{2021}}, } @inproceedings{21598, abstract = {{Static analysis is used to automatically detect bugs and security breaches, and aids compileroptimization. Whole-program analysis (WPA) can yield high precision, however causes long analysistimes and thus does not match common software-development workflows, making it often impracticalto use for large, real-world applications.This paper thus presents the design and implementation ofModAlyzer, a novel static-analysisapproach that aims at accelerating whole-program analysis by making the analysis modular andcompositional. It shows how to computelossless, persisted summaries for callgraph, points-to anddata-flow information, and it reports under which circumstances this function-level compositionalanalysis outperforms WPA.We implementedModAlyzeras an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. 
At analysis time,ModAlyzermodularly and losslessly summarizesthe analysis effect of the library code those applications share, hence avoiding its repeated re-analysis.The experimental results show that the reuse of these summaries can save, on average, 72% ofanalysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retainsprecision and recall. Surprisingly, as our results show, it sometimes even yields precision superior toWPA. The initial summary generation, on average, takes about 3.67 times as long as WPA.}}, author = {{Schubert, Philipp and Hermann, Ben and Bodden, Eric}}, booktitle = {{European Conference on Object-Oriented Programming (ECOOP)}}, title = {{{Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis}}}, year = {{2021}}, } @article{31132, author = {{Dann, Andreas Peter and Plate, Henrik and Hermann, Ben and Ponta, Serena Elisa and Bodden, Eric}}, issn = {{0098-5589}}, journal = {{IEEE Transactions on Software Engineering}}, keywords = {{Software}}, pages = {{1--1}}, publisher = {{Institute of Electrical and Electronics Engineers (IEEE)}}, title = {{{Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite}}}, doi = {{10.1109/tse.2021.3101739}}, year = {{2021}}, } @inproceedings{26407, author = {{Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}}, booktitle = {{2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}}, title = {{{SecuCheck: Engineering configurable taint analysis for software developers}}}, year = {{2021}}, } @inproceedings{22463, author = {{Luo, Linghui and Schäf, Martin and Sanchez, Daniel and Bodden, Eric}}, booktitle = {{Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}}, title = {{{IDE Support for Cloud-Based Static Analyses}}}, year = {{2021}}, } @inproceedings{33840, author = {{Karakaya, Kadiray and 
Bodden, Eric}}, booktitle = {{2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}}, pages = {{181--186}}, title = {{{SootFX: A Static Code Feature Extraction Tool for Java and Android}}}, year = {{2021}}, } @inproceedings{26406, author = {{Schubert, Philipp and Hermann, Ben and Bodden, Eric and Leer, Richard}}, booktitle = {{SCAM '21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track)}}, title = {{{Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++}}}, year = {{2021}}, } @inproceedings{26405, author = {{Schubert, Philipp and Sattler, Florian and Schiebel, Fabian and Hermann, Ben and Bodden, Eric}}, booktitle = {{2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}}, title = {{{Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++}}}, year = {{2021}}, } @article{20507, author = {{Geismann, Johannes and Bodden, Eric}}, issn = {{0164-1212}}, journal = {{Journal of Systems and Software}}, pages = {{110697}}, title = {{{A systematic literature review of model-driven security engineering for cyber–physical systems}}}, doi = {{10.1016/j.jss.2020.110697}}, volume = {{169}}, year = {{2020}}, } @article{20508, author = {{Nguyen Quang Do, Lisa and Bodden, Eric}}, journal = {{IEEE Transactions on Software Engineering}}, title = {{{Explaining Static Analysis with Rule Graphs}}}, year = {{2020}}, } @inproceedings{20509, author = {{Fischer, Andreas and Janneck, Jonas and Kussmaul, Jörn and Krätzschmar, Nikolas and Kerschbaum, Florian and Bodden, Eric}}, booktitle = {{2020 IEEE Computer Security Foundations Symposium (CSF)}}, title = {{{PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage}}}, year = {{2020}}, } @inproceedings{20510, author = {{Benz, Manuel and Krogh Kristensen, Erik and Luo, Linghui and 
Borges, Jr., Nataniel P. and Bodden, Eric and Zeller, Andreas}}, booktitle = {{International Conference for Software Engineering (ICSE)}}, title = {{{Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis}}}, year = {{2020}}, } @inproceedings{20511, author = {{Fischer, Andreas and Fuhry, Benny and Kerschbaum, Florian and Bodden, Eric}}, booktitle = {{Privacy Enhancing Technologies Symposium (PETS/PoPETS)}}, title = {{{Computation on Encrypted Data using Dataflow Authentication}}}, year = {{2020}}, } @inproceedings{20512, author = {{Krüger, Stefan and Ali, Karim and Bodden, Eric}}, booktitle = {{International Symposium on Code Generation and Optimization (CGO)}}, pages = {{185--198}}, title = {{{CogniCrypt\_GEN - Generating Code for the Secure Usage of Crypto APIs}}}, year = {{2020}}, } @phdthesis{20513, abstract = {{Frühere Studien haben empirisch offenbart, dass Fehlbenutzungen von kryptographischen APIs in Softwareanwendungen weitverbreitet sind. Dies geschieht vor allem, weil Software-Entwickler\_innen aufgrund schlechten API-Designs und fehlenden Kryptographiewissens Probleme bekommen, wenn sie versuchen kryptographische Features zu implementieren. Die Literatur liefert mehrere Ansätze und Vorschläge diese Probleme zu lösen, aber alle scheitern schlussendlich auf die eine oder andere Weise daran die Anforderungen der Entwickler\_innen zu erfüllen. Das Resultat ist eine insgesamt lückenhafte Landschaft verschiedener nur wenig komplementärer Ansätze. In dieser Arbeit adressieren wir das Problem kryptographischer Fehlbenutzungen systematischer durch CogniCrypt. CogniCrypt integriert verschiedene Arten von Tool Support in einen gemeinsamen Ansatz, der Entwickler\_innen davon befreit wissen zu müssen, wie diese APIs benutzt werden müssen. Zentral für unseren Ansatz ist CrySL, eine Beschreibungssprache, die die kognitive Lücke zwischen Kryptographie-Expert\_innen und Software-Entwickler\_innen überbrückt. 
CrySL ermöglicht es Kryptographie-Expert\_innen zu spezifizieren, wie die APIs, die sie bereitstellen, richtig benutzt werden. Wir haben einen Compiler für CrySL implementiert, der es erlaubt auf CrySL-Spezifikationen aufbauenden Tool Support zu entwickeln. Wir haben weiterhin die statische Analyse CogniCrypt\_SAST und den Code-Generator CogniCrypt\_GEN entwickelt. Schlussendlich haben wir CogniCrypt prototypisch implementiert und diesen Prototyp in einem kontrollierten Experiment evaluiert. }}, author = {{Krüger, Stefan}}, publisher = {{Universitaetsbibliothek Paderborn}}, title = {{{CogniCrypt -- The Secure Integration of Cryptographic Software}}}, year = {{2020}}, } @inproceedings{20518, author = {{Koch, Thorsten and Dziwok, Stefan and Holtmann, Jörg and Bodden, Eric}}, booktitle = {{ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20)}}, publisher = {{ACM}}, title = {{{Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers}}}, doi = {{10.1145/3365438.3410946}}, year = {{2020}}, } @phdthesis{20521, author = {{Gerking, Christopher}}, publisher = {{Paderborn University}}, title = {{{Model-Driven Information Flow Security Engineering for Cyber-Physical Systems}}}, doi = {{10.17619/UNIPB/1-1033}}, year = {{2020}}, } @techreport{20712, author = {{Schubert, Philipp and Bodden, Eric and Hermann, Ben}}, title = {{{Accelerating Static Call-Graph, Points-to and Data-Flow Analysis Through Persisted Summaries}}}, year = {{2020}}, } @inbook{20891, abstract = {{Today, software systems are rarely developed monolithically, but may be composed of numerous individually developed features. Their modularization facilitates independent development and verification. While feature-based strategies to verify features in isolation have existed for years, they cannot address interactions between features. 
The problem with feature interactions is that they are typically unknown and may involve any subset of the features. Contrary, a family-based verification strategy captures feature interactions, but does not scale well when features evolve frequently. To the best of our knowledge, there currently exists no approach with focus on evolving features that combines both strategies and aims at eliminating their respective drawbacks. To fill this gap, we introduce Fefalution, a feature-family-based verification approach based on abstract contracts to verify evolving features and their interactions. Fefalution builds partial proofs for each evolving feature and then reuses the resulting partial proofs in verifying feature interactions, yielding a full verification of the complete software system. Moreover, to investigate whether a combination of both strategies is fruitful, we present the first empirical study for the verification of evolving features implemented by means of feature-oriented programming and by comparing Fefalution with another five family-based approaches varying in a set of optimizations. Our results indicate that partial proofs based on abstract contracts exhibit huge reuse potential, but also come with a substantial overhead for smaller evolution scenarios. 
}}, author = {{Knüppel, Alexander and Krüger, Stefan and Thüm, Thomas and Bubel, Richard and Krieter, Sebastian and Bodden, Eric and Schaefer, Ina}}, booktitle = {{Lecture Notes in Computer Science}}, isbn = {{9783030643539}}, issn = {{0302-9743}}, title = {{{Using Abstract Contracts for Verifying Evolving Features and Their Interactions}}}, doi = {{10.1007/978-3-030-64354-6_5}}, year = {{2020}}, } @inproceedings{23376, author = {{Piskachev, Goran and Nguyen Quang Do, Lisa and Johnson, Oshando and Bodden, Eric}}, booktitle = {{2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)}}, title = {{{SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods}}}, doi = {{10.1109/ase.2019.00110}}, year = {{2020}}, } @inbook{23377, author = {{Piskachev, Goran and Petrasch, Tobias and Späth, Johannes and Bodden, Eric}}, booktitle = {{Lecture Notes in Computer Science}}, issn = {{0302-9743}}, title = {{{AuthCheck: Program-State Analysis for Access-Control Vulnerabilities}}}, doi = {{10.1007/978-3-030-54997-8_34}}, year = {{2020}}, } @phdthesis{20522, author = {{Holzinger, Philipp}}, publisher = {{Universität Paderborn}}, title = {{{A Systematic Analysis and Hardening of the Java Security Architecture}}}, year = {{2019}}, } @phdthesis{20524, author = {{Nguyen Quang Do, Lisa}}, publisher = {{Universität Paderborn}}, title = {{{User-Centered Tool Design for Data-Flow Analysis}}}, year = {{2019}}, } @inproceedings{20525, author = {{Stockmann, Lars and Laux, Sven and Bodden, Eric}}, booktitle = {{2019 IEEE International Conference on Software Architecture Companion (ICSA-C)}}, pages = {{77--84}}, title = {{{Architectural Runtime Verification}}}, doi = {{10.1109/ICSA-C.2019.00021}}, year = {{2019}}, } @inproceedings{20527, author = {{Hazhirpasand, Mohammadreza and Ghafari, Mohammad and Krüger, Stefan and Bodden, Eric and Nierstrasz, Oskar}}, booktitle = {{2019 ACM/IEEE International Symposium on Empirical Software Engineering and 
Measurement (ESEM)}}, issn = {{1949-3770}}, pages = {{1--6}}, title = {{{The Impact of Developer Experience in Using Java Cryptography}}}, doi = {{10.1109/ESEM.2019.8870184}}, year = {{2019}}, } @inproceedings{20528, author = {{Piskachev, Goran and Petrasch, Tobias and Späth, Johannes and Bodden, Eric}}, booktitle = {{10th Workshop on Tools for Automatic Program Analysis (TAPAS)}}, title = {{{AuthCheck: Program-state Analysis for Access-control Vulnerabilities}}}, year = {{2019}}, } @inproceedings{20529, author = {{Nachtigall, Marcus and Nguyen Quang Do, Lisa and Bodden, Eric}}, booktitle = {{1st International Workshop on Explainable Software (EXPLAIN) at ASE}}, title = {{{Explaining Static Analysis -- A Perspective}}}, year = {{2019}}, } @inproceedings{20531, author = {{Luo, Linghui and Bodden, Eric and Späth, Johannes}}, booktitle = {{IEEE/ACM International Conference on Automated Software Engineering (ASE 2019)}}, title = {{{A Qualitative Analysis of Android Taint-Analysis Results}}}, year = {{2019}}, } @inproceedings{20532, author = {{Piskachev, Goran and Nguyen Quang Do, Lisa and Johnson, Oshando and Bodden, Eric}}, booktitle = {{IEEE/ACM International Conference on Automated Software Engineering (ASE 2019), Tool Demo Track}}, title = {{{SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods}}}, year = {{2019}}, } @article{20533, author = {{Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira}}, issn = {{2326-3881}}, journal = {{IEEE Transactions on Software Engineering}}, keywords = {{Java, Encryption, Static analysis, Tools, Ciphers, Semantics, cryptography, domain-specific language, static analysis}}, pages = {{1--1}}, title = {{{CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs}}}, doi = {{10.1109/TSE.2019.2948910}}, year = {{2019}}, } @inproceedings{20534, author = {{Piskachev, Goran and Nguyen Quang Do, Lisa and Bodden, Eric}}, booktitle = {{ACM SIGSOFT 
International Symposium on Software Testing and Analysis (ISSTA)}}, title = {{{Codebase-Adaptive Detection of Security-Relevant Methods}}}, year = {{2019}}, } @inproceedings{20535, author = {{Luo, Linghui and Dolby, Julian and Bodden, Eric}}, booktitle = {{European Conference on Object-Oriented Programming (ECOOP)}}, title = {{{MagpieBridge: A General Approach to Integrating Static Analyses into IDEs and Editors}}}, year = {{2019}}, } @phdthesis{20536, author = {{Späth, Johannes}}, publisher = {{Universität Paderborn}}, title = {{{Synchronized Pushdown Systems for Pointer and Data-Flow Analysis}}}, year = {{2019}}, } @techreport{20537, author = {{Piskachev, Goran and Nguyen, Lisa and Bodden, Eric}}, title = {{{Codebase-Adaptive Detection of Security-Relevant Methods}}}, year = {{2019}}, } @inproceedings{20538, author = {{Albert Gorski Iii, Sigmund and Andow, Benjamin and Nadkarni, Adwait and Manandhar, Sunil and Enck, William and Bodden, Eric and Bartel, Alexandre}}, booktitle = {{ACM Conference on Data and Application Security and Privacy (CODASPY 2019)}}, keywords = {{ITSECWEBSITE, CROSSING}}, title = {{{ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware}}}, year = {{2019}}, } @article{20539, author = {{Späth, Johannes and Ali, Karim and Bodden, Eric}}, issn = {{2475-1421}}, journal = {{Proceedings of the ACM SIGPLAN Symposium on Principles of Programming Languages}}, keywords = {{ATTRACT, ITSECWEBSITE, CROSSING}}, number = {{POPL}}, pages = {{48:1--48:29}}, publisher = {{ACM}}, title = {{{Context-, Flow-, and Field-sensitive Data-flow Analysis Using Synchronized Pushdown Systems}}}, doi = {{10.1145/3290361}}, volume = {{3}}, year = {{2019}}, } @inproceedings{20759, author = {{Gerking, Christopher and Schubert, David}}, booktitle = {{International Conference on Software Architecture (ICSA 2019)}}, title = {{{Component-Based Refinement and Verification of Information-Flow Security Policies for Cyber-Physical Microservice 
Architectures}}}, year = {{2019}}, } @inproceedings{23378, author = {{Piskachev, Goran and Nguyen Quang Do, Lisa and Bodden, Eric}}, booktitle = {{Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis}}, title = {{{Codebase-adaptive detection of security-relevant methods}}}, doi = {{10.1145/3293882.3330556}}, year = {{2019}}, } @misc{7628, author = {{Selbach, Nils}}, publisher = {{Universität Paderborn}}, title = {{{Modeling Crypto API usages in OpenSSL's EVP library}}}, year = {{2019}}, } @article{14896, author = {{Dann, Andreas and Hermann, Ben and Bodden, Eric}}, issn = {{0098-5589}}, journal = {{IEEE Transactions on Software Engineering}}, pages = {{1--1}}, title = {{{ModGuard: Identifying Integrity \& Confidentiality Violations in Java Modules}}}, doi = {{10.1109/tse.2019.2931331}}, year = {{2019}}, } @inproceedings{14897, author = {{Dann, Andreas and Hermann, Ben and Bodden, Eric}}, booktitle = {{Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019}}, isbn = {{9781450367202}}, title = {{{SootDiff: bytecode comparison across different Java compilers}}}, doi = {{10.1145/3315568.3329966}}, year = {{2019}}, } @inproceedings{14899, author = {{Krüger, Stefan and Hermann, Ben}}, booktitle = {{2019 IEEE/ACM 2nd International Workshop on Gender Equality in Software Engineering (GE)}}, isbn = {{9781728122458}}, title = {{{Can an Online Service Predict Gender? 
On the State-of-the-Art in Gender Identification from Texts}}}, doi = {{10.1109/ge.2019.00012}}, year = {{2019}}, } @inproceedings{7626, author = {{Schubert, Philipp and Hermann, Ben and Bodden, Eric}}, booktitle = {{Proceedings of the 25th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2019), Held as Part of the European Joint Conferences on Theory and Practice of Software (ETAPS 2019)}}, location = {{Prague, Czech Republic}}, pages = {{393--410}}, title = {{{PhASAR: An Inter-Procedural Static Analysis Framework for C/C++}}}, doi = {{10.1007/978-3-030-17465-1_22}}, volume = {{II}}, year = {{2019}}, } @inproceedings{14898, author = {{Schubert, Philipp and Leer, Richard and Hermann, Ben and Bodden, Eric}}, booktitle = {{Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019}}, isbn = {{9781450367202}}, title = {{{Know your analysis: how instrumentation aids understanding static analysis}}}, doi = {{10.1145/3315568.3329965}}, year = {{2019}}, } @unpublished{2711, abstract = {{In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations. We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. 
ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.}}, author = {{Pauck, Felix and Bodden, Eric and Wehrheim, Heike}}, note = {{arXiv:1804.02903}}, title = {{{Do Android Taint Analysis Tools Keep their Promises?}}}, year = {{2018}}, } @inproceedings{20530, author = {{Bodden, Eric and Nguyen Quang Do, Lisa}}, booktitle = {{Software Engineering und Software Management 2018, Fachtagung des GI-Fachbereichs Softwaretechnik, {SE} 2018, 5.-9. M{\"{a}}rz 2018, Ulm, Germany.}}, isbn = {{978-3-88579-673-2}}, pages = {{205--208}}, title = {{{Explainable Static Analysis}}}, year = {{2018}}, } @article{20543, author = {{Nguyen Quang Do, Lisa and Krüger, Stefan and Hill, Patrick and Ali, Karim and Bodden, Eric}}, issn = {{2326-3881}}, journal = {{IEEE Transactions on Software Engineering}}, keywords = {{Debugging, Static analysis, Tools, Computer bugs, Standards, Writing, Encoding, Testing and Debugging, Program analysis, Development tools, Integrated environments, Graphical environments, Usability testing}}, pages = {{1--1}}, title = {{{Debugging Static Analysis}}}, doi = {{10.1109/TSE.2018.2868349}}, year = {{2018}}, } @proceedings{20544, editor = {{Tichy, Matthias and Bodden, Eric and Kuhrmann, Marco and Wagner, Stefan and Steghöfer, Jan-Philipp}}, isbn = {{978-3-88579-673-2}}, publisher = {{Gesellschaft für Informatik}}, title = {{{Software Engineering und Software Management 2018, Fachtagung des GI-Fachbereichs Softwaretechnik, SE 2018, 5.-9. 
März 2018, Ulm, Germany}}}, volume = {{{P-279}}}, year = {{2018}}, } @proceedings{20545, editor = {{Tip, Frank and Bodden, Eric}}, publisher = {{ACM}}, title = {{{Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, Amsterdam, The Netherlands, July 16-21, 2018}}}, year = {{2018}}, } @inproceedings{20546, author = {{Gerking, Christopher and Schubert, David and Bodden, Eric}}, booktitle = {{Engineering Secure Software and Systems}}, editor = {{Payer, Mathias and Rashid, Awais and Such, Jose M.}}, pages = {{27--43}}, publisher = {{Springer International Publishing}}, title = {{{Model Checking the Information Flow Security of Real-Time Systems}}}, year = {{2018}}, } @inproceedings{20547, author = {{Nguyen Quang Do, Lisa and Bodden, Eric}}, booktitle = {{Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}}, isbn = {{978-1-4503-5573-5}}, keywords = {{Gamification, Integrated Environments, Program analysis}}, pages = {{714--718}}, publisher = {{ACM}}, title = {{{Gamifying Static Analysis}}}, doi = {{10.1145/3236024.3264830}}, year = {{2018}}, } @inproceedings{20548, author = {{Bodden, Eric}}, booktitle = {{ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2018)}}, isbn = {{978-1-4503-5939-9}}, keywords = {{ATTRACT, ITSECWEBSITE}}, pages = {{85--93}}, publisher = {{ACM}}, title = {{{The Secret Sauce in Efficient and Precise Static Analysis: The Beauty of Distributive, Summary-based Static Analyses (and How to Master Them)}}}, doi = {{10.1145/3236454.3236500}}, year = {{2018}}, } @inproceedings{20549, author = {{Geismann, Johannes and Gerking, Christopher and Bodden, Eric}}, booktitle = {{International Conference on Software and System Processes (ICSSP)}}, keywords = {{ITSECWEBSITE}}, title = {{{Towards Ensuring Security by Design in Cyber-Physical Systems Engineering Processes}}}, year 
= {{2018}}, } @inproceedings{20550, author = {{Bodden, Eric}}, booktitle = {{Proceedings of the 40th International Conference on Software Engineering: New Ideas and Emerging Results}}, isbn = {{978-1-4503-5662-6}}, keywords = {{ATTRACT, ITSECWEBSITE}}, pages = {{45--48}}, publisher = {{ACM}}, title = {{{Self-adaptive Static Analysis}}}, doi = {{10.1145/3183399.3183401}}, year = {{2018}}, } @inproceedings{20551, author = {{Nguyen Quang Do, Lisa and Krüger, Stefan and Hill, Patrick and Ali, Karim and Bodden, Eric}}, booktitle = {{International Conference for Software Engineering (ICSE), Tool Demonstrations Track}}, keywords = {{ATTRACT, ITSECWEBSITE}}, title = {{{VISUFLOW, a Debugging Environment for Static Analyses}}}, year = {{2018}}, } @phdthesis{20779, abstract = {{Der hohe Grad an Innovation in mechatronischen Systemen führt zu sogenannten Cyber-Physical Systems (CPS). Diese haben eine komplexe Funktionalität und Kommunikation. Wie sicherheitskritisch solche Systeme sind, wird durch sogenannte Sicherheits-Integritätslevel (SIL) kategorisiert, die durch Normen wie der ISO 26262 definiert werden. Ein bestimmter SIL beschreibt nicht nur die Höhe des Gefährdungsrisikos, sondern diktiert auch den erforderlichen Grad an Sorgfalt bei der Entwicklung des Systems. Ein hoher SIL erfordert die Anwendung von Safety-Maßnahmen mit einem hohen Sorgfaltsgrad in allen Phasen der Entwicklung und impliziert daher einen hohen Safety-Aufwand. SIL-Tailoring ist ein Mittel um den Safety-Aufwand zu reduzieren, indem man Subsystemen geringere SILs zuordnet, falls sie von kritischeren Subsystemen getrennt sind oder redundante Safety-Anforderungen erfüllen. Um den nötigen Safety-Aufwand zu planen, sollten Möglichkeiten für SIL-Tailoring so früh wie möglich identifiziert werden - d.h. bereits in der Anforderungsanalyse. Durch die Komplexität von CPS, ist es schwierig valide SIL-Tailorings zu finden. 
Die Validität von SIL-Tailorings muss durch Analyse von Fehlerpropagierungspfaden geprüft und durch Argumente im Safety Case begründet werden. Der Beitrag dieser Dissertation ist ein systematischer, tool-unterstützter SIL-Tailoring-Prozess, der im Safety Requirements Engineering angewendet wird. Der Prozess nutzt eine modell-basierte, formale Anforderungsspezifikation und stellt einen Katalog von Anforderungsmustern bereit. Basierend auf diesen Anforderungen werden Fehlerpropagierungsmodelle generiert und Subsystemen automatisch SILs zugeordnet. Das minimiert den Sicherheitsanalyseaufwand. Aus den generierten Ergebnissen wird automatisch ein Safety Case mit Argumenten für die SIL-Tailoring-Validität abgeleitet.}}, author = {{Fockel, Markus}}, publisher = {{Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn}}, title = {{{Safety Requirements Engineering for Early SIL Tailoring}}}, doi = {{10.17619/UNIPB/1-490}}, year = {{2018}}, } @inproceedings{20781, author = {{Gerking, Christopher and Schubert, David}}, booktitle = {{European Conference on Software Architecture (ECSA 2018)}}, number = {{11048}}, pages = {{147--155}}, publisher = {{Springer}}, title = {{{Towards Preserving Information Flow Security on Architectural Composition of Cyber-Physical Systems}}}, doi = {{10.1007/978-3-030-00761-4_10}}, year = {{2018}}, } @inproceedings{20784, author = {{Geismann, Johannes}}, booktitle = {{IEEE International Conference on Software Architecture Companion (ICSA-C 2018) }}, pages = {{41--42}}, publisher = {{IEEE}}, title = {{{Traceable Threat Modeling for Safety-critical Systems}}}, doi = {{10.1109/ICSA-C.2018.00017}}, year = {{2018}}, } @inproceedings{20785, abstract = {{Cyber-physical Systems are distributed, embedded systems that interact with their physical environment. Typically, these systems consist of several Electronic Control Units using multiple processing cores for the execution. 
Many systems are applied in safety-critical contexts and have to fulfill hard real-time requirements. The model-driven engineering paradigm enables system developers to consider all requirements in a systematical manner. In the software design phase, they prove the fulfillment of the requirements using model checking. When deploying the software to the executing platform, one important task is to ensure that the runtime scheduling does not violate the verified requirements by neglecting the model checking assumptions. Current model-driven approaches do not consider the problem of deriving feasible execution schedules for embedded multi-core platforms respecting hard real-time requirements. This paper extends the previous work on providing an approach for a semi-automatic synthesis of behavioral models into a deterministic real-time scheduling. We add an approach for the partitioning and mapping development tasks. This extended approach enables the utilization of parallel resources within a single ECU considering the verification assumptions by extending the open tool platform App4mc. We evaluate our approach using an example of a distributed automotive system with hard real-time requirements specified with the MechatronicUML method. 
}}, author = {{Geismann, Johannes and Höttger, Robert and Krawczyk, Lukas and Pohlmann, Uwe and Schmelter, David}}, booktitle = {{Model-Driven Engineering and Software Development}}, editor = {{Pires, Luís Ferreira and Hammoudi, Slimane and Selic, Bran}}, pages = {{72--93}}, publisher = {{Springer International Publishing}}, title = {{{Automated Synthesis of a Real-Time Scheduling for Cyber-Physical Multi-core Systems}}}, doi = {{10.1007/978-3-319-94764-8_4}}, volume = {{1}}, year = {{2018}}, } @phdthesis{20789, author = {{Pohlmann, Uwe}}, publisher = {{Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik}}, title = {{{A Model-driven Software Construction Approach for Cyber-physical Systems}}}, year = {{2018}}, } @inproceedings{4999, author = {{Pauck, Felix and Bodden, Eric and Wehrheim, Heike}}, booktitle = {{Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE 2018}}, isbn = {{9781450355735}}, publisher = {{ACM Press}}, title = {{{Do Android taint analysis tools keep their promises?}}}, doi = {{10.1145/3236024.3236029}}, year = {{2018}}, } @inproceedings{5203, author = {{Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira}}, booktitle = {{European Conference on Object-Oriented Programming (ECOOP)}}, keywords = {{ITSECWEBSITE, CROSSING}}, pages = {{10:1--10:27}}, title = {{{CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs}}}, year = {{2018}}, } @misc{1044, author = {{Leer, Richard}}, publisher = {{Universität Paderborn}}, title = {{{Measuring Performance of a Static Analysis Framework with an application to Immutability Analysis}}}, year = {{2018}}, } @misc{1045, author = {{Strüwer, Jan Niclas}}, publisher = {{Universität Paderborn}}, title = {{{Interactive Data Visualization for Exploded Supergraphs}}}, year = {{2018}}, } @inbook{20552, abstract = {{Das Zukunftsszenario der Industrie 
4.0 ist gepr{\"a}gt durch einen massiven Anstieg der unternehmens{\"u}bergreifenden Vernetzung. Um einer Bedrohung durch unautorisierte Weitergabe oder Sabotage vertraulicher Daten entgegenzuwirken, muss der Informationssicherheit bereits im Entwurf der cyber-physischen Produktionssysteme ein hoher Stellenwert einger{\"a}umt werden. Dieses Paradigma wird als Security by Design bezeichnet. {\"U}ber den gesamten Entstehungsprozess hinweg muss nachverfolgt werden k{\"o}nnen, ob die Systeme spezifische Anforderungen an die Informationssicherheit erf{\"u}llen und damit die Eigenschaft der Industrial Security gew{\"a}hrleisten. Dieser Beitrag stellt einen Entwurfsansatz zur Nachverfolgung der Informationssicherheit vor, der durch Integration softwaretechnischer Methoden in das Systems Engineering eine Entwicklung nach dem Paradigma Security by Design erm{\"o}glicht.}}, author = {{Gerking, Christopher and Bodden, Eric and Schäfer, Wilhelm}}, booktitle = {{Handbuch Gestaltung digitaler und vernetzter Arbeitswelten}}, editor = {{Maier, Günter W. and Engels, Gregor and Steffen, Eckhard}}, isbn = {{978-3-662-52903-4}}, keywords = {{ITSECWEBSITE}}, pages = {{1--24}}, publisher = {{Springer Berlin Heidelberg}}, title = {{{Industrial Security by Design}}}, doi = {{10.1007/978-3-662-52903-4_8-1}}, year = {{2017}}, } @article{20553, abstract = {{Finding and fixing software vulnerabilities have become a major struggle for most software development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. 
We use three machine learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that vulnerability type has less dominant impact on issue fix time than previously believed. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. The development teams at SAP develop different types of software, adopt different internal development processes, use different programming languages and platforms, and are located in different cities and countries. 
Other organizations may use the results---with precaution---and be learning organizations.}}, author = {{Ben Othmane, Lotfi and Chehrazi, Golriz and Bodden, Eric and Tsalovski, Petar and Brucker, Achim D.}}, issn = {{2364-1541}}, journal = {{Data Science and Engineering}}, number = {{2}}, pages = {{107--124}}, title = {{{Time for Addressing Software Security Issues: Prediction Models and Impacting Factors}}}, doi = {{10.1007/s41019-016-0019-8}}, volume = {{2}}, year = {{2017}}, } @techreport{20554, author = {{Bodden, Eric}}, title = {{{Self-adaptive static analysis}}}, year = {{2017}}, } @techreport{20555, author = {{Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira}}, keywords = {{ITSECWEBSITE}}, note = {{arXiv:1710.00564}}, title = {{{CrySL: Validating Correct Usage of Cryptographic APIs}}}, year = {{2017}}, } @article{20557, author = {{Lillack, Max and Kästner, Christian and Bodden, Eric}}, issn = {{0098-5589}}, journal = {{IEEE Transactions on Software Engineering}}, keywords = {{Androids, Bluetooth, Humanoid robots, Java, Software, Tools, Configuration options, Static analysis, Variability mining}}, number = {{99}}, pages = {{1--1}}, title = {{{Tracking Load-time Configuration Options}}}, doi = {{10.1109/TSE.2017.2756048}}, volume = {{PP}}, year = {{2017}}, } @inproceedings{20558, author = {{Krüger, Stefan and Nadi, Sarah and Reif, Michael and Ali, Karim and Mezini, Mira and Bodden, Eric and Göpfert, Florian and Günther, Felix and Weinert, Christian and Demmler, Daniel and Kamath, Ram}}, booktitle = {{International Conference on Automated Software Engineering (ASE 2017), Tool Demo Track}}, keywords = {{ITSECWEBSITE, CROSSING}}, title = {{{CogniCrypt: Supporting Developers in using Cryptography}}}, year = {{2017}}, } @inproceedings{20559, author = {{Nguyen Quang Do, Lisa and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson}}, booktitle = {{Proceedings of the 26th 
ACM SIGSOFT International Symposium on Software Testing and Analysis}}, isbn = {{978-1-4503-5076-1}}, keywords = {{Just-in-Time, Layered analysis, Static analysis}}, pages = {{307--317}}, publisher = {{ACM}}, title = {{{Just-in-time Static Analysis}}}, doi = {{10.1145/3092703.3092705}}, year = {{2017}}, } @inproceedings{20715, author = {{Nguyen Quang Do, Lisa and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson}}, booktitle = {{International Conference for Software Engineering (ICSE), Tool Demonstrations Track}}, keywords = {{ATTRACT, ITSECWEBSITE}}, title = {{{Cheetah: Just-in-Time Taint Analysis for Android Apps}}}, year = {{2017}}, } @inproceedings{20792, author = {{Schivo, Stefano and Yildiz, Bugra M. and Ruijters, Enno and Gerking, Christopher and Kumar, Rajesh and Dziwok, Stefan and Rensink, Arend and Stoelinga, Mariëlle}}, booktitle = {{Dependable Software Engineering, 3rd International Symposium (SETTA 2017)}}, editor = {{Larsen, Kim G. and Sokolsky, Oleg and Wang, Ji}}, number = {{10606}}, pages = {{319--336}}, publisher = {{Springer}}, title = {{{How to Efficiently Build a Front-End Tool for UPPAAL: A Model-Driven Approach}}}, doi = {{10.1007/978-3-319-69483-2_19}}, year = {{2017}}, } @phdthesis{20794, abstract = {{Cyber-physische Systeme (CPSs) sind die nächste Generation von eingebetteten Systemen, die fortwährend ihre Zusammenarbeit koordinieren, um anspruchsvolle Funktionen zu erfüllen. Die Koordination zwischen ihnen kann in Software mittels asynchroner Nachrichtenkommunikation realisiert werden. Um die funktionale Korrektheit der Software zu gewährleisten, ist aufgrund der Kritikalität dieser Systeme eine formale Verifikation wie z.B. Model Checking notwendig. Die Eingabesprache eines Model Checkers unterstützt jedoch domänenspezifische Aspekte wie asynchrone Kommunikation nicht direkt, wodurch diese vom Softwareingenieur mittels zahlreicher Modellelemente spezifiziert werden müssen. 
Dies ist hochgradig komplex und somit fehleranfällig. Im Rahmen dieser Arbeit wird eine modellgetriebene Methode zur domänenspezifischen Spezifikation und vollautomatischen Verifikation der nachrichtenbasierten Koordination von CPSs präsentiert. Mit Hilfe dieser Methode kann der Softwareingenieur die Koordination kompakt modellieren und muss nicht länger verstehen, wie seine Spezifikation auf der Ebene des Model Checkers ausgedrückt wird. Insgesamt wird die Komplexität für den Softwareingenieur somit deutlich handhabbarer. Bezüglich der Spezifikation einer solchen Koordination definiert die Arbeit eine domänenspezifische Sprache namens Real-Time Coordination Protocols (RTCPs). Darüber hinaus wird eine domänenspezifische Sprache zur Spezifikation von Verifikationseigenschaften eingeführt und Entwurfsmuster für RTCPs präsentiert, um die Anzahl der Modellierungsfehler zu senken.}}, author = {{Dziwok, Stefan}}, publisher = {{Paderborn University}}, title = {{{Specification and Verification for Real-Time Coordination Protocols of Cyber-physical Systems}}}, year = {{2017}}, } @inproceedings{20797, author = {{Gerking, Christopher and Schubert, David and Budde, Ingo}}, booktitle = {{Theory and Practice of Model Transformation, 10th International Conference (ICMT 2017)}}, editor = {{Guerra, Esther and van den Brand, Mark}}, number = {{10374}}, pages = {{19--34}}, publisher = {{Springer}}, title = {{{Reducing the Verbosity of Imperative Model Refinements by using General-Purpose Language Facilities}}}, year = {{2017}}, } @inproceedings{20804, abstract = {{Modern Cyber-physical Systems are executed in physical environments and distributed over several Electronic Control Units using multiple cores for execution. These systems perform safety-critical tasks and, therefore, have to fulfill hard real-time requirements. To face these requirements systematically, system engineers de- velop these systems model-driven and prove the fulfillment of these requirements via model checking. 
It is important to ensure that the runtime scheduling does not violate the verified requirements by neglecting the model checking assumptions. Currently, there is a gap in the process for model-driven approaches to derive a feasible runtime scheduling that respects these assumptions. In this paper, we present an approach for a semi- automatic synthesis of behavioral models into a deterministic scheduling that respects real-time requirements at runtime. We evaluate our approach using an example of a distributed automotive system with hard real-time requirements specified with the MechatronicUML method.}}, author = {{Geismann, Johannes and Pohlmann, Uwe and Schmelter, David}}, booktitle = {{Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development}}, title = {{{Towards an Automated Synthesis of a Real-time Scheduling for Cyber-physical Multi-core Systems}}}, year = {{2017}}, }