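@inproceedings{5203,
  author       = {Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira},
  booktitle    = {European Conference on Object-Oriented Programming ({ECOOP})},
  keywords     = {ITSECWEBSITE, CROSSING},
  pages        = {10:1--10:27},
  title        = {{CrySL}: An Extensible Approach to Validating the Correct Usage of Cryptographic {APIs}},
  year         = {2018},
}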

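% NOTE(review): misc entry with a publisher but no howpublished or note;
% presumably a student thesis -- confirm the entry type (a thesis type needs school).
@misc{1044,
  author       = {Leer, Richard},
  publisher    = {Universität Paderborn},
  title        = {Measuring Performance of a Static Analysis Framework with an application to Immutability Analysis},
  year         = {2018},
}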

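% NOTE(review): misc entry with a publisher but no howpublished or note;
% presumably a student thesis -- confirm the entry type (a thesis type needs school).
@misc{1045,
  author       = {Strüwer, Jan Niclas},
  publisher    = {Universität Paderborn},
  title        = {Interactive Data Visualization for Exploded Supergraphs},
  year         = {2018},
}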

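% Chapter by its own authors inside an edited handbook (author, editor and
% booktitle are all present), so the entry type is incollection.
@incollection{20552,
  abstract     = {Das Zukunftsszenario der Industrie 4.0 ist gepr{\"a}gt durch einen massiven Anstieg der unternehmens{\"u}bergreifenden Vernetzung. Um einer Bedrohung durch unautorisierte Weitergabe oder Sabotage vertraulicher Daten entgegenzuwirken, muss der Informationssicherheit bereits im Entwurf der cyber-physischen Produktionssysteme ein hoher Stellenwert einger{\"a}umt werden. Dieses Paradigma wird als Security by Design bezeichnet. {\"U}ber den gesamten Entstehungsprozess hinweg muss nachverfolgt werden k{\"o}nnen, ob die Systeme spezifische Anforderungen an die Informationssicherheit erf{\"u}llen und damit die Eigenschaft der Industrial Security gew{\"a}hrleisten. Dieser Beitrag stellt einen Entwurfsansatz zur Nachverfolgung der Informationssicherheit vor, der durch Integration softwaretechnischer Methoden in das Systems Engineering eine Entwicklung nach dem Paradigma Security by Design erm{\"o}glicht.},
  author       = {Gerking, Christopher and Bodden, Eric and Schäfer, Wilhelm},
  booktitle    = {Handbuch Gestaltung digitaler und vernetzter Arbeitswelten},
  editor       = {Maier, Günter W. and Engels, Gregor and Steffen, Eckhard},
  isbn         = {978-3-662-52903-4},
  keywords     = {ITSECWEBSITE},
  pages        = {1--24},
  publisher    = {Springer Berlin Heidelberg},
  title        = {Industrial Security by Design},
  doi          = {10.1007/978-3-662-52903-4_8-1},
  year         = {2017},
}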

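% The doi field holds the bare DOI; styles add the resolver prefix themselves.
@article{20553,
  abstract     = {Finding and fixing software vulnerabilities have become a major struggle for most software development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. We use three machine learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that vulnerability type has less dominant impact on issue fix time than previously believed. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. The development teams at SAP develop different types of software, adopt different internal development processes, use different programming languages and platforms, and are located in different cities and countries. Other organizations, may use the results---with precaution---and be learning organizations.},
  author       = {Ben Othmane, Lotfi and Chehrazi, Golriz and Bodden, Eric and Tsalovski, Petar and Brucker, Achim D.},
  issn         = {2364-1541},
  journal      = {Data Science and Engineering},
  number       = {2},
  pages        = {107--124},
  title        = {Time for Addressing Software Security Issues: Prediction Models and Impacting Factors},
  doi          = {10.1007/s41019-016-0019-8},
  volume       = {2},
  year         = {2017},
}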

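% NOTE(review): techreport requires an institution field, which this record
% does not provide -- add it once the issuing institution is confirmed.
@techreport{20554,
  author       = {Bodden, Eric},
  title        = {Self-adaptive static analysis},
  year         = {2017},
}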

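% NOTE(review): volume PP, number 99 and pages 1--1 look like early-access
% placeholders rather than final values -- confirm against the published issue.
@article{20557,
  author       = {Lillack, Max and Kästner, Christian and Bodden, Eric},
  issn         = {0098-5589},
  journal      = {IEEE Transactions on Software Engineering},
  keywords     = {Androids, Bluetooth, Humanoid robots, Java, Software, Tools, Configuration options, Static analysis, Variability mining},
  number       = {99},
  pages        = {1--1},
  title        = {Tracking Load-time Configuration Options},
  doi          = {10.1109/TSE.2017.2756048},
  volume       = {PP},
  year         = {2017},
}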

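@inproceedings{20558,
  author       = {Krüger, Stefan and Nadi, Sarah and Reif, Michael and Ali, Karim and Mezini, Mira and Bodden, Eric and Göpfert, Florian and Günther, Felix and Weinert, Christian and Demmler, Daniel and Kamath, Ram},
  booktitle    = {International Conference on Automated Software Engineering ({ASE} 2017), Tool Demo Track},
  keywords     = {ITSECWEBSITE, CROSSING},
  title        = {{CogniCrypt}: Supporting Developers in using Cryptography},
  year         = {2017},
}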

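% First author is written as in entry 20715 (surname Nguyen Quang Do) so that
% both entries sort and index under the same name -- confirm against the paper.
@inproceedings{20559,
  author       = {Nguyen Quang Do, Lisa and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson},
  booktitle    = {Proceedings of the 26th {ACM} {SIGSOFT} International Symposium on Software Testing and Analysis},
  isbn         = {978-1-4503-5076-1},
  keywords     = {Just-in-Time, Layered analysis, Static analysis},
  pages        = {307--317},
  publisher    = {ACM},
  title        = {Just-in-time Static Analysis},
  doi          = {10.1145/3092703.3092705},
  year         = {2017},
}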

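@inproceedings{20715,
  author       = {Nguyen Quang Do, Lisa and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson},
  booktitle    = {International Conference for Software Engineering ({ICSE}), Tool Demonstrations Track},
  keywords     = {ATTRACT, ITSECWEBSITE},
  title        = {{Cheetah}: Just-in-Time Taint Analysis for {Android} Apps},
  year         = {2017},
}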

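% NOTE(review): number presumably holds the volume of the proceedings series;
% if so it belongs in volume next to a series field -- confirm.
@inproceedings{20792,
  author       = {Schivo, Stefano and Yildiz, Bugra M. and Ruijters, Enno and Gerking, Christopher and Kumar, Rajesh and Dziwok, Stefan and Rensink, Arend and Stoelinga, Mariëlle},
  booktitle    = {Dependable Software Engineering, 3rd International Symposium ({SETTA} 2017)},
  editor       = {Larsen, Kim G. and Sokolsky, Oleg and Wang, Ji},
  number       = {10606},
  pages        = {319--336},
  publisher    = {Springer},
  title        = {How to Efficiently Build a Front-End Tool for {UPPAAL}: A Model-Driven Approach},
  doi          = {10.1007/978-3-319-69483-2_19},
  year         = {2017},
}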

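% The degree-granting university goes in school, the field phdthesis requires.
@phdthesis{20794,
  abstract     = {Cyber-physische Systeme (CPSs) sind die nächste Generation von eingebetteten Systemen, die fortwährend ihre Zusammenarbeit koordinieren, um anspruchsvolle Funktionen zu erfüllen. Die Koordination zwischen ihnen kann in Software mittels asynchroner Nachrichtenkommunikation realisiert werden. Um die funktionale Korrektheit der Software zu gewährleisten, ist aufgrund der Kritikalität dieser Systeme eine formale Verifikation wie z.B. Model Checking notwendig. Die Eingabesprache eines Model Checkers unterstützt jedoch domänenspezifische Aspekte wie asynchrone Kommunikation nicht direkt, wodurch diese vom Softwareingenieur mittels zahlreicher Modellelemente spezifiziert werden müssen. Dies ist hochgradig komplex und somit fehleranfällig. Im Rahmen dieser Arbeit wird eine modellgetriebene Methode zur domänenspezifischen Spezifikation und vollautomatischen Verifikation der nachrichtenbasierten Koordination von CPSs präsentiert. Mit Hilfe dieser Methode kann der Softwareingenieur die Koordination kompakt modellieren und muss nicht länger verstehen, wie seine Spezifikation auf der Ebene des Model Checkers ausgedrückt wird. Insgesamt wird die Komplexität für den Softwareingenieur somit deutlich handhabbarer. Bezüglich der Spezifikation einer solchen Koordination definiert die Arbeit eine domänenspezifische Sprache namens Real-Time Coordination Protocols (RTCPs). Darüber hinaus wird eine domänenspezifische Sprache zur Spezifikation von Verifikationseigenschaften eingeführt und Entwurfsmuster für RTCPs präsentiert, um die Anzahl der Modellierungsfehler zu senken.},
  author       = {Dziwok, Stefan},
  school       = {Paderborn University},
  title        = {Specification and Verification for Real-Time Coordination Protocols of Cyber-physical Systems},
  year         = {2017},
}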

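% NOTE(review): number presumably holds the volume of the proceedings series;
% if so it belongs in volume next to a series field -- confirm.
@inproceedings{20797,
  author       = {Gerking, Christopher and Schubert, David and Budde, Ingo},
  booktitle    = {Theory and Practice of Model Transformation, 10th International Conference ({ICMT} 2017)},
  editor       = {Guerra, Esther and van den Brand, Mark},
  number       = {10374},
  pages        = {19--34},
  publisher    = {Springer},
  title        = {Reducing the Verbosity of Imperative Model Refinements by using General-Purpose Language Facilities},
  year         = {2017},
}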

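@inproceedings{20804,
  abstract     = {Modern Cyber-physical Systems are executed in physical environments and distributed over several Electronic Control Units using multiple cores for execution. These systems perform safety-critical tasks and, therefore, have to fulfill hard real-time requirements. To face these requirements systematically, system engineers develop these systems model-driven and prove the fulfillment of these requirements via model checking. It is important to ensure that the runtime scheduling does not violate the verified requirements by neglecting the model checking assumptions. Currently, there is a gap in the process for model-driven approaches to derive a feasible runtime scheduling that respects these assumptions. In this paper, we present an approach for a semi-automatic synthesis of behavioral models into a deterministic scheduling that respects real-time requirements at runtime. We evaluate our approach using an example of a distributed automotive system with hard real-time requirements specified with the MechatronicUML method.},
  author       = {Geismann, Johannes and Pohlmann, Uwe and Schmelter, David},
  booktitle    = {Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development},
  title        = {Towards an Automated Synthesis of a Real-time Scheduling for Cyber-physical Multi-core Systems},
  year         = {2017},
}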

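% NOTE(review): entry 102 has the same author, year and (apart from a spelling
% slip) title and also carries a DOI -- presumably the same thesis; confirm and merge.
@phdthesis{20805,
  author       = {Becker, Matthias},
  school       = {Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik},
  title        = {Engineering Self-Adaptive Systems with Simulation-Based Performance Prediction},
  year         = {2017},
}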

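@inproceedings{5204,
  author       = {Späth, Johannes and Ali, Karim and Bodden, Eric},
  booktitle    = {2017 International Conference on Object-Oriented Programming, Languages and Applications ({OOPSLA}/{SPLASH})},
  keywords     = {ATTRACT, ITSECWEBSITE, CROSSING},
  publisher    = {ACM Press},
  title        = {{IDEal}: Efficient and Precise Alias-aware Dataflow Analysis},
  year         = {2017},
}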

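% Preprint record: journal and volume are kept for styles that ignore eprint
% fields; the identifier in volume is repeated as eprint for styles that use it.
@article{5209,
  author       = {Fischer, Andreas and Fuhry, Benny and Kerschbaum, Florian and Bodden, Eric},
  journal      = {CoRR},
  title        = {Computation on Encrypted Data using Data Flow Authentication},
  volume       = {abs/1710.00390},
  eprint       = {1710.00390},
  eprinttype   = {arXiv},
  year         = {2017},
}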

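% NOTE(review): entry 20805 has the same author, year and title but no DOI --
% presumably the same thesis; confirm and merge into one record.
@phdthesis{102,
  author       = {Becker, Matthias},
  school       = {Universität Paderborn},
  title        = {Engineering Self-Adaptive Systems with Simulation-Based Performance Prediction},
  doi          = {10.17619/UNIPB/1-133},
  year         = {2017},
}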

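% NOTE(review): techreport requires an institution field, which this record
% does not provide -- add it once the issuing institution is confirmed.
@techreport{20555,
  author       = {Krüger, Stefan and Späth, Johannes and Ali, Karim and Bodden, Eric and Mezini, Mira},
  keywords     = {ITSECWEBSITE},
  title        = {{CrySL}: Validating Correct Usage of Cryptographic {APIs}},
  year         = {2017},
}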

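% The degree-granting university goes in school, the field phdthesis requires.
@phdthesis{195,
  author       = {Platenius, Marie Christin},
  school       = {Universität Paderborn},
  title        = {Fuzzy Matching of Comprehensive Service Specifications},
  year         = {2016},
}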

