[{"date_updated":"2024-03-06T13:00:38Z","language":[{"iso":"eng"}],"title":"Toward an Android Static Analysis Approach for Data Protection","external_id":{"arxiv":["2402.07889"]},"department":[{"_id":"76"}],"conference":{"end_date":"2024-04-15","start_date":"2024-04-14","name":"9th International Conference on Mobile Software Engineering and Systems 2024","location":"Lisbon, Portugal"},"_id":"52235","year":"2024","type":"conference","citation":{"short":"M. Khedkar, E. Bodden, in: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.","ieee":"M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024.","ama":"Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. ; 2024.","apa":"Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal.","chicago":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.","bibtex":"@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, booktitle={Proceedings of the 9th International Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, and Eric Bodden. 
“Toward an Android Static Analysis Approach for Data Protection.” Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024."},"ddc":["006"],"user_id":"88024","abstract":[{"lang":"eng","text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. 
"}],"date_created":"2024-03-03T14:37:53Z","has_accepted_license":"1","status":"public","keyword":["static program analysis","data protection and privacy","GDPR compliance"],"file_date_updated":"2024-03-03T14:39:08Z","publication":"Proceedings of the 9th International Conference on Mobile Software Engineering and Systems","author":[{"first_name":"Mugdha","full_name":"Khedkar, Mugdha","last_name":"Khedkar","id":"88024"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"file":[{"access_level":"closed","date_created":"2024-03-03T14:39:08Z","file_name":"2402.07889v1.pdf","content_type":"application/pdf","date_updated":"2024-03-03T14:39:08Z","relation":"main_file","success":1,"file_size":530812,"file_id":"52236","creator":"khedkarm"}]},{"doi":"10.1109/msec.2023.3336028","date_updated":"2024-03-15T20:25:13Z","language":[{"iso":"eng"}],"title":"Evaluating Security Through Isolation and Defense in Depth","publication_identifier":{"issn":["1540-7993","1558-4046"]},"publication_status":"published","department":[{"_id":"152"},{"_id":"76"},{"_id":"241"}],"issue":"1","intvolume":" 22","_id":"52587","page":"69-72","year":"2024","type":"journal_article","citation":{"short":"E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy 22 (2024) 69–72.","ieee":"E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol. 22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.","apa":"Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy, 22(1), 69–72. https://doi.org/10.1109/msec.2023.3336028","ama":"Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. 
doi:10.1109/msec.2023.3336028","chicago":"Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy 22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.","bibtex":"@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028}, number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }","mla":"Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028."},"user_id":"405","volume":22,"date_created":"2024-03-15T20:16:18Z","status":"public","keyword":["Law","Electrical and Electronic Engineering","Computer Networks and Communications"],"publication":"IEEE Security & Privacy","quality_controlled":"1","author":[{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"},{"first_name":"Jens","full_name":"Pottebaum, Jens","orcid":"http://orcid.org/0000-0001-8778-2989","last_name":"Pottebaum","id":"405"},{"full_name":"Fockel, Markus","first_name":"Markus","last_name":"Fockel"},{"last_name":"Gräßler","id":"47565","first_name":"Iris","orcid":"0000-0001-5765-971X","full_name":"Gräßler, Iris"}],"publisher":"Institute of Electrical and Electronics Engineers (IEEE)"},{"title":"Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability","user_id":"32312","abstract":[{"lang":"eng","text":"Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. 
A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. 
Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains."}],"status":"public","date_created":"2024-03-20T09:28:36Z","author":[{"first_name":"Anna-Katharina","full_name":"Wickert, Anna-Katharina","last_name":"Wickert"},{"first_name":"Michael","orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","last_name":"Schlichtig","id":"32312"},{"last_name":"Vogel","full_name":"Vogel, Marvin","first_name":"Marvin"},{"last_name":"Winter","first_name":"Lukas","full_name":"Winter, Lukas"},{"last_name":"Mezini","full_name":"Mezini, Mira","first_name":"Mira"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"keyword":["Static analysis","error chains","false positive re- duction","empirical studies"],"department":[{"_id":"76"}],"_id":"52663","date_updated":"2024-03-20T09:32:29Z","year":"2024","type":"misc","citation":{"ieee":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024.","short":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024.","mla":"Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024.","bibtex":"@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }","apa":"Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden, E. (2024). 
Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.","ama":"Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.; 2024.","chicago":"Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024."},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://arxiv.org/abs/2403.07808"}]},{"series_title":"International Conference on Software Engineering (ICSE)","citation":{"ieee":"A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.” 2023.","short":"A.P. Dann, B. Hermann, E. Bodden, (2023).","mla":"Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies. 2023.","bibtex":"@article{Dann_Hermann_Bodden_2023, series={International Conference on Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies}, author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International Conference on Software Engineering (ICSE)} }","apa":"Dann, A. P., Hermann, B., & Bodden, E. (2023). UpCy: Safely Updating Outdated Dependencies.","ama":"Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies. Published online 2023.","chicago":"Dann, Andreas Peter, Ben Hermann, and Eric Bodden. 
“UpCy: Safely Updating Outdated Dependencies.” International Conference on Software Engineering (ICSE), 2023."},"type":"conference","year":"2023","language":[{"iso":"eng"}],"_id":"35083","date_updated":"2023-01-02T09:28:32Z","author":[{"first_name":"Andreas Peter","full_name":"Dann, Andreas Peter","last_name":"Dann","id":"26886"},{"id":"66173","last_name":"Hermann","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","first_name":"Ben"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"}],"department":[{"_id":"76"}],"status":"public","date_created":"2023-01-02T09:26:50Z","title":"UpCy: Safely Updating Outdated Dependencies","user_id":"15249"},{"department":[{"_id":"76"},{"_id":"662"}],"publication":"IEEE International Conference on Software Testing, Verification and Validation (ICST)","author":[{"full_name":"Luo, Linghui","first_name":"Linghui","last_name":"Luo"},{"last_name":"Piskachev","id":"41936","first_name":"Goran","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838"},{"first_name":"Ranjith","full_name":"Krishnamurthy, Ranjith","orcid":"0000-0002-0906-5463","last_name":"Krishnamurthy","id":"78060"},{"first_name":"Julian","full_name":"Dolby, Julian","last_name":"Dolby"},{"first_name":"Martin","full_name":"Schäf, Martin","last_name":"Schäf"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"date_created":"2023-02-06T10:37:23Z","status":"public","title":"Model Generation For Java Frameworks","user_id":"15249","type":"conference","citation":{"chicago":"Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","ama":"Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation For Java Frameworks. 
In: IEEE International Conference on Software Testing, Verification and Validation (ICST). ; 2023.","apa":"Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden, E. (2023). Model Generation For Java Frameworks. IEEE International Conference on Software Testing, Verification and Validation (ICST).","mla":"Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","bibtex":"@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model Generation For Java Frameworks}, booktitle={IEEE International Conference on Software Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev, Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden, Eric}, year={2023} }","short":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in: IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","ieee":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden, “Model Generation For Java Frameworks,” 2023."},"year":"2023","language":[{"iso":"eng"}],"_id":"41812","date_updated":"2023-02-06T10:42:29Z"},{"year":"2023","citation":{"mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.","bibtex":"@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. 
“Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” In IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.","ama":"Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023.","apa":"Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER).","ieee":"A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” 2023.","short":"A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023."},"type":"conference","language":[{"iso":"eng"}],"_id":"41813","date_updated":"2023-02-06T10:46:00Z","status":"public","date_created":"2023-02-06T10:44:08Z","author":[{"id":"66637","last_name":"Shivarpatna Venkatesh","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","first_name":"Ashwin Prasad"},{"full_name":"Wang, Jiawei","first_name":"Jiawei","last_name":"Wang"},{"last_name":"Li","first_name":"Li","full_name":"Li, Li"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"}],"publication":"IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","department":[{"_id":"76"}],"title":"Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis","user_id":"15249"},{"publication_status":"published","date_created":"2023-05-29T12:09:43Z","status":"public","publication":"2023 IEEE Conference on Software Testing, Verification and Validation 
(ICST)","department":[{"_id":"76"}],"publisher":"IEEE","author":[{"full_name":"Karakaya, Kadiray","first_name":"Kadiray","last_name":"Karakaya"},{"last_name":"Bodden","first_name":"Eric","full_name":"Bodden, Eric"}],"title":"Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis","user_id":"70410","year":"2023","citation":{"chicago":"Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” In 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE, 2023. https://doi.org/10.1109/icst57152.2023.00036.","apa":"Karakaya, K., & Bodden, E. (2023). Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). https://doi.org/10.1109/icst57152.2023.00036","ama":"Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. In: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE; 2023. doi:10.1109/icst57152.2023.00036","bibtex":"@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis}, DOI={10.1109/icst57152.2023.00036}, booktitle={2023 IEEE Conference on Software Testing, Verification and Validation (ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023} }","mla":"Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023, doi:10.1109/icst57152.2023.00036.","short":"K. Karakaya, E. Bodden, in: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023.","ieee":"K. Karakaya and E. 
Bodden, “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis,” 2023, doi: 10.1109/icst57152.2023.00036."},"type":"conference","doi":"10.1109/icst57152.2023.00036","_id":"45312","date_updated":"2023-05-29T12:12:17Z"},{"page":"4510 - 4525","type":"journal_article","citation":{"ieee":"A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp. 4510–4525, 2023, doi: 10.1109/tse.2023.3301660.","short":"A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O. Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering 49 (2023) 4510–4525.","bibtex":"@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study}, volume={49}, DOI={10.1109/tse.2023.3301660}, number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa, Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim, Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023}, pages={4510–4525} }","mla":"Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.","apa":"Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M., Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering, 49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660","ama":"Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering. 2023;49(10):4510-4525. 
doi:10.1109/tse.2023.3301660","chicago":"Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio, Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660."},"year":"2023","issue":"10","_id":"46816","intvolume":" 49","volume":49,"date_created":"2023-09-06T07:42:40Z","status":"public","keyword":["Software"],"publication":"IEEE Transactions on Software Engineering","author":[{"last_name":"Torres","full_name":"Torres, Adriano","first_name":"Adriano"},{"full_name":"Costa, Pedro","first_name":"Pedro","last_name":"Costa"},{"last_name":"Amaral","full_name":"Amaral, Luis","first_name":"Luis"},{"full_name":"Pastro, Jonata","first_name":"Jonata","last_name":"Pastro"},{"last_name":"Bonifácio","full_name":"Bonifácio, Rodrigo","first_name":"Rodrigo"},{"first_name":"Marcelo","full_name":"d'Amorim, Marcelo","last_name":"d'Amorim"},{"first_name":"Owolabi","full_name":"Legunsen, Owolabi","last_name":"Legunsen"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"},{"first_name":"Edna","full_name":"Dias Canedo, Edna","last_name":"Dias Canedo"}],"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","user_id":"15249","language":[{"iso":"eng"}],"doi":"10.1109/tse.2023.3301660","date_updated":"2023-12-04T11:05:26Z","publication_status":"published","publication_identifier":{"issn":["0098-5589","1939-3520","2326-3881"]},"department":[{"_id":"76"}],"title":"Runtime Verification of Crypto APIs: An Empirical Study"},{"title":"Can the configuration of static analyses make resolving security vulnerabilities more effective? 
- A user study","department":[{"_id":"76"},{"_id":"662"}],"publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","date_updated":"2023-12-04T11:29:49Z","doi":"10.1007/s10664-023-10354-3","language":[{"iso":"eng"}],"abstract":[{"lang":"eng","text":"AbstractThe use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. 
The configuration options that are found most useful relate to the analysis scope."}],"user_id":"15249","author":[{"last_name":"Piskachev","id":"41936","first_name":"Goran","orcid":"0000-0003-4424-5838","full_name":"Piskachev, Goran"},{"id":"4870","last_name":"Becker","orcid":"https://orcid.org/0000-0003-2465-9347","full_name":"Becker, Matthias","first_name":"Matthias"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"publisher":"Springer Science and Business Media LLC","publication":"Empirical Software Engineering","keyword":["Software"],"status":"public","date_created":"2023-12-04T11:14:34Z","volume":28,"intvolume":" 28","_id":"49439","issue":"5","article_number":"118","citation":{"ieee":"G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi: 10.1007/s10664-023-10354-3.","short":"G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).","bibtex":"@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={10.1007/s10664-023-10354-3}, number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }","mla":"Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:10.1007/s10664-023-10354-3.","chicago":"Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? 
- A User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3.","ama":"Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3","apa":"Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3"},"year":"2023","type":"journal_article"},{"doi":"10.1109/secdev56634.2023.00015","_id":"49438","date_updated":"2023-12-04T11:14:10Z","language":[{"iso":"eng"}],"citation":{"ieee":"S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support - A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.","short":"S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar, M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023.","bibtex":"@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023, title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study}, DOI={10.1109/secdev56634.2023.00015}, booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE}, author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi, Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl, Sascha}, year={2023} }","mla":"Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023, doi:10.1109/secdev56634.2023.00015.","chicago":"Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. 
“Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015.","apa":"Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar, Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev). https://doi.org/10.1109/secdev56634.2023.00015","ama":"Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through Tool Support - A Usability Study. In: 2023 IEEE Secure Development Conference (SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015"},"year":"2023","type":"conference","user_id":"15249","title":"Securing Your Crypto-API Usage Through Tool Support - A Usability Study","status":"public","date_created":"2023-12-04T11:07:08Z","publication_status":"published","publisher":"IEEE","author":[{"full_name":"Krüger, Stefan","first_name":"Stefan","last_name":"Krüger"},{"last_name":"Reif","first_name":"Michael","full_name":"Reif, Michael"},{"last_name":"Wickert","full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina"},{"full_name":"Nadi, Sarah","first_name":"Sarah","last_name":"Nadi"},{"full_name":"Ali, Karim","first_name":"Karim","last_name":"Ali"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"},{"first_name":"Yasemin","full_name":"Acar, Yasemin","last_name":"Acar","id":"94636"},{"full_name":"Mezini, Mira","first_name":"Mira","last_name":"Mezini"},{"full_name":"Fahl, Sascha","first_name":"Sascha","last_name":"Fahl"}],"publication":"2023 IEEE Secure Development Conference (SecDev)","department":[{"_id":"76"},{"_id":"740"}]},{"date_updated":"2023-12-20T14:10:51Z","doi":"10.37544/0720-5953-2023-11-12-60","language":[{"iso":"ger"}],"title":"Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, 
bedrohungsbewusste und lösungsorientierte Security","department":[{"_id":"152"},{"_id":"76"}],"publication_status":"published","publication_identifier":{"issn":["0720-5953"]},"_id":"48946","intvolume":" 75","issue":"11-12","page":"60-65","type":"journal_article","year":"2023","citation":{"short":"I. Gräßler, E. Bodden, D. Wiechel, J. Pottebaum, Konstruktion 75 (2023) 60–65.","ieee":"I. Gräßler, E. Bodden, D. Wiechel, and J. Pottebaum, “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security,” Konstruktion, vol. 75, no. 11–12, pp. 60–65, 2023, doi: 10.37544/0720-5953-2023-11-12-60.","chicago":"Gräßler, Iris, Eric Bodden, Dominik Wiechel, and Jens Pottebaum. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security.” Konstruktion 75, no. 11–12 (2023): 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60.","apa":"Gräßler, I., Bodden, E., Wiechel, D., & Pottebaum, J. (2023). Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security. Konstruktion, 75(11–12), 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60","ama":"Gräßler I, Bodden E, Wiechel D, Pottebaum J. Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security. Konstruktion. 2023;75(11-12):60-65. doi:10.37544/0720-5953-2023-11-12-60","mla":"Gräßler, Iris, et al. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security.” Konstruktion, vol. 75, no. 11–12, VDI Fachmedien GmbH and Co. KG, 2023, pp. 
60–65, doi:10.37544/0720-5953-2023-11-12-60.","bibtex":"@article{Gräßler_Bodden_Wiechel_Pottebaum_2023, title={Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security}, volume={75}, DOI={10.37544/0720-5953-2023-11-12-60}, number={11–12}, journal={Konstruktion}, publisher={VDI Fachmedien GmbH and Co. KG}, author={Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum, Jens}, year={2023}, pages={60–65} }"},"abstract":[{"text":"inhalt Der verlässliche Betrieb von technischen Produkten wird zunehmend durch bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten. Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen und Angriffen zu spezifizieren.","lang":"ger"},{"text":"The reliable operation of technical products is increasingly threatened by deliberate attacks. Complete security is not possible, striking attacks are unavoidable (assume breach). This requires a paradigm shift in security-oriented engineering of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems need to be engineered in a way that full reliability and security are ensured even in case of targeted attacks. The solution approach described here expands the system model to include attack scenarios and lines of defence. 
It is applied to an industrial locking system for plant security as an example. Developers are sensitised to systematically consider attacks and to specify interdisciplinary defence elements against threats and attacks.","lang":"eng"}],"article_type":"original","user_id":"405","publication":"Konstruktion","keyword":["Mechanical Engineering","Mechanics of Materials","General Materials Science","Theoretical Computer Science"],"publisher":"VDI Fachmedien GmbH and Co. KG","quality_controlled":"1","author":[{"first_name":"Iris","full_name":"Gräßler, Iris","orcid":"0000-0001-5765-971X","last_name":"Gräßler","id":"47565"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"},{"last_name":"Wiechel","id":"67161","first_name":"Dominik","full_name":"Wiechel, Dominik"},{"id":"405","last_name":"Pottebaum","full_name":"Pottebaum, Jens","orcid":"http://orcid.org/0000-0001-8778-2989","first_name":"Jens"}],"volume":75,"date_created":"2023-11-16T08:23:12Z","status":"public"},{"doi":"10.1109/eurospw59978.2023.00048","date_updated":"2023-12-20T14:12:25Z","language":[{"iso":"eng"}],"title":"Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth","publication_status":"published","department":[{"_id":"34"},{"_id":"740"},{"_id":"152"},{"_id":"76"}],"_id":"46500","conference":{"location":"Delft, Netherlands","start_date":"2023-07-03","name":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","end_date":"2023-07-07"},"type":"conference","year":"2023","citation":{"ieee":"J. Pottebaum et al., “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth,” in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Delft, Netherlands, 2023, pp. 379–385, doi: 10.1109/eurospw59978.2023.00048.","short":"J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. 
Arias Cabarcos, E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE, 2023, pp. 379–385.","mla":"Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE, 2023, pp. 379–85, doi:10.1109/eurospw59978.2023.00048.","bibtex":"@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023, title={Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth}, DOI={10.1109/eurospw59978.2023.00048}, booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)}, publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric and Gräßler, Iris}, year={2023}, pages={379–385} }","chicago":"Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr, Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 379–85. IEEE, 2023. https://doi.org/10.1109/eurospw59978.2023.00048.","ama":"Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. In: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE; 2023:379-385. doi:10.1109/eurospw59978.2023.00048","apa":"Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos, P., Bodden, E., & Gräßler, I. (2023). Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. 
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 379–385. https://doi.org/10.1109/eurospw59978.2023.00048"},"page":"379-385","main_file_link":[{"url":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647"}],"user_id":"405","abstract":[{"text":"The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control System as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.","lang":"eng"}],"status":"public","date_created":"2023-08-15T12:21:05Z","quality_controlled":"1","publisher":"IEEE","author":[{"id":"405","last_name":"Pottebaum","orcid":"http://orcid.org/0000-0001-8778-2989","full_name":"Pottebaum, Jens","first_name":"Jens"},{"full_name":"Rossel, Jost","orcid":"0000-0002-3182-4059","first_name":"Jost","id":"58331","last_name":"Rossel"},{"id":"83504","last_name":"Somorovsky","full_name":"Somorovsky, Juraj","orcid":"0000-0002-3593-7720","first_name":"Juraj"},{"id":"94636","last_name":"Acar","full_name":"Acar, Yasemin","first_name":"Yasemin"},{"full_name":"Fahr, René","first_name":"René","id":"111","last_name":"Fahr"},{"full_name":"Arias Cabarcos, Patricia","first_name":"Patricia","id":"92804","last_name":"Arias Cabarcos"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"},{"full_name":"Gräßler, 
Iris","orcid":"0000-0001-5765-971X","first_name":"Iris","id":"47565","last_name":"Gräßler"}],"publication":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","keyword":["Defense-in-Depth","Human Factors","Production Engineering","Product Design","Systems Engineering"]},{"date_updated":"2024-03-03T14:45:09Z","doi":"10.1109/ICSE-Companion58688.2023.00054","language":[{"iso":"eng"}],"external_id":{"arxiv":["2303.09606"]},"title":"Static Analysis for Android GDPR Compliance Assurance","department":[{"_id":"76"}],"publication_status":"accepted","_id":"44146","type":"conference","citation":{"ieee":"M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi: 10.1109/ICSE-Companion58688.2023.00054.","short":"M. Khedkar, in: Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), n.d.","mla":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), doi:10.1109/ICSE-Companion58688.2023.00054.","bibtex":"@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance Assurance}, DOI={10.1109/ICSE-Companion58688.2023.00054}, booktitle={Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23)}, author={Khedkar, Mugdha} }","chicago":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” In Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23), n.d. https://doi.org/10.1109/ICSE-Companion58688.2023.00054.","ama":"Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23). doi:10.1109/ICSE-Companion58688.2023.00054","apa":"Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance. 
Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23). https://doi.org/10.1109/ICSE-Companion58688.2023.00054"},"year":"2023","abstract":[{"text":"Many Android applications collect data from users. When they do, they must\r\nprotect this collected data according to the current legal frameworks. Such\r\ndata protection has become even more important since the European Union rolled\r\nout the General Data Protection Regulation (GDPR). App developers have limited\r\ntool support to reason about data protection throughout their app development\r\nprocess. Although many Android applications state a privacy policy, privacy\r\npolicy compliance checks are currently manual, expensive, and prone to error.\r\nOne of the major challenges in privacy audits is the significant gap between\r\nlegal privacy statements (in English text) and technical measures that Android\r\napps use to protect their user's privacy. In this thesis, we will explore to\r\nwhat extent we can use static analysis to answer important questions regarding\r\ndata protection. 
Our main goal is to design a tool based approach that aids app\r\ndevelopers and auditors in ensuring data protection in Android applications,\r\nbased on automated static program analysis.","lang":"eng"}],"ddc":["004"],"user_id":"88024","file_date_updated":"2023-04-24T12:15:27Z","keyword":["static analysis","data protection and privacy","GDPR compliance"],"publication":"Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE ‘23)","author":[{"id":"88024","last_name":"Khedkar","full_name":"Khedkar, Mugdha","first_name":"Mugdha"}],"file":[{"file_name":"2023047614.pdf","date_created":"2023-04-24T12:15:27Z","access_level":"closed","creator":"khedkarm","file_id":"44147","file_size":85313,"success":1,"relation":"main_file","date_updated":"2023-04-24T12:15:27Z","content_type":"application/pdf"}],"date_created":"2023-04-24T12:14:17Z","status":"public","has_accepted_license":"1"},{"_id":"52662","date_updated":"2024-03-20T09:27:41Z","language":[{"iso":"eng"}],"page":"95–96","year":"2023","citation":{"bibtex":"@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }","mla":"Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 95–96.","ama":"Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:95–96.","apa":"Nachtigall, M., Schlichtig, M., & Bodden, E. (2023). Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In Software Engineering 2023 (pp. 95–96). 
Gesellschaft für Informatik e.V.","chicago":"Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In Software Engineering 2023, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.","ieee":"M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.","short":"M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96."},"type":"book_chapter","main_file_link":[{"url":"https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5"}],"user_id":"32312","title":"Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale","abstract":[{"lang":"eng","text":"Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools offer poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used, for instance, to improve handling of false positives. 
Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses."}],"place":"Bonn","date_created":"2024-03-20T09:26:29Z","status":"public","publication_identifier":{"isbn":["978-3-88579-726-5"]},"keyword":["Automated static analysis","Software usability"],"department":[{"_id":"76"}],"publication":"Software Engineering 2023","author":[{"first_name":"Marcus","full_name":"Nachtigall, Marcus","last_name":"Nachtigall","id":"41213"},{"orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","first_name":"Michael","id":"32312","last_name":"Schlichtig"},{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"publisher":"Gesellschaft für Informatik e.V."},{"_id":"52660","date_updated":"2024-03-20T09:25:46Z","main_file_link":[{"url":"https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2"}],"language":[{"iso":"eng"}],"citation":{"bibtex":"@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023}, pages={105–106} }","mla":"Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 105–106.","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” In Software Engineering 2023, 105–106. Bonn: Gesellschaft für Informatik e.V., 2023.","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2023). 
Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In Software Engineering 2023 (pp. 105–106). Gesellschaft für Informatik e.V.","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:105–106.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.","short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106."},"type":"book_chapter","year":"2023","page":"105–106","place":"Bonn","abstract":[{"lang":"eng","text":"Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector’s capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. 
The study showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify weaknesses and assist in deriving mitigations and improvements."}],"user_id":"32312","title":"Introducing FUM: A Framework for API Usage Constraint and Misuse Classification","publisher":"Gesellschaft für Informatik e.V.","author":[{"full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","first_name":"Michael","id":"32312","last_name":"Schlichtig"},{"last_name":"Sassalla","first_name":"Steffen","full_name":"Sassalla, Steffen"},{"first_name":"Krishna","full_name":"Narasimhan, Krishna","last_name":"Narasimhan"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"}],"department":[{"_id":"76"}],"keyword":["API misuses API usage constraints","classification framework","API misuse detection","static analysis"],"publication":"Software Engineering 2023","status":"public","date_created":"2024-03-20T09:22:27Z","publication_identifier":{"isbn":["978-3-88579-726-5"]}},{"date_created":"2022-06-09T10:28:03Z","status":"public","volume":25,"keyword":["Safety","Risk","Reliability and Quality","General Computer Science"],"publication":"ACM Transactions on Privacy and Security","publisher":"Association for Computing Machinery (ACM)","author":[{"last_name":"Fischer","full_name":"Fischer, Andreas","first_name":"Andreas"},{"last_name":"Fuhry","full_name":"Fuhry, Benny","first_name":"Benny"},{"last_name":"Kußmaul","first_name":"Jörn","full_name":"Kußmaul, Jörn"},{"last_name":"Janneck","first_name":"Jonas","full_name":"Janneck, Jonas"},{"last_name":"Kerschbaum","first_name":"Florian","full_name":"Kerschbaum, Florian"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"user_id":"15249","abstract":[{"lang":"eng","text":"Encrypting data before sending it to the cloud ensures data confidentiality but requires the cloud to compute on encrypted data. 
Trusted execution environments, such as Intel SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program give attackers ample opportunities to execute arbitrary code inside the enclave. This code can modify the dataflow of the program and leak secrets via SGX side channels. Fully homomorphic encryption would be an alternative to compute on encrypted data without data leaks. However, due to its high computational complexity, its applicability to general-purpose computing remains limited. Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data.\r\n\r\nWe introduce the concept of dataflow authentication (DFAuth) to enable such programs. DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program. Our technique hence offers protections against the side-channel attacks described previously. We implemented two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave running a small and program-independent trusted code base. We applied DFAuth to a neural network performing machine learning on sensitive medical data and a smart charging scheduler for electric vehicles. Our transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in \\( 12.55\\,\\mathrm{ms} \\). Our protected scheduler is capable of updating the encrypted charging plan in approximately 1.06 seconds."}],"page":"1-36","citation":{"ieee":"A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, and E. Bodden, “Computation on Encrypted Data Using Dataflow Authentication,” ACM Transactions on Privacy and Security, vol. 25, no. 3, pp. 1–36, 2022, doi: 10.1145/3513005.","short":"A. Fischer, B. 
Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, E. Bodden, ACM Transactions on Privacy and Security 25 (2022) 1–36.","mla":"Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.” ACM Transactions on Privacy and Security, vol. 25, no. 3, Association for Computing Machinery (ACM), 2022, pp. 1–36, doi:10.1145/3513005.","bibtex":"@article{Fischer_Fuhry_Kußmaul_Janneck_Kerschbaum_Bodden_2022, title={Computation on Encrypted Data Using Dataflow Authentication}, volume={25}, DOI={10.1145/3513005}, number={3}, journal={ACM Transactions on Privacy and Security}, publisher={Association for Computing Machinery (ACM)}, author={Fischer, Andreas and Fuhry, Benny and Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}, year={2022}, pages={1–36} }","chicago":"Fischer, Andreas, Benny Fuhry, Jörn Kußmaul, Jonas Janneck, Florian Kerschbaum, and Eric Bodden. “Computation on Encrypted Data Using Dataflow Authentication.” ACM Transactions on Privacy and Security 25, no. 3 (2022): 1–36. https://doi.org/10.1145/3513005.","apa":"Fischer, A., Fuhry, B., Kußmaul, J., Janneck, J., Kerschbaum, F., & Bodden, E. (2022). Computation on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy and Security, 25(3), 1–36. https://doi.org/10.1145/3513005","ama":"Fischer A, Fuhry B, Kußmaul J, Janneck J, Kerschbaum F, Bodden E. Computation on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy and Security. 2022;25(3):1-36. doi:10.1145/3513005"},"year":"2022","type":"journal_article","issue":"3","intvolume":" 25","_id":"31844","publication_status":"published","publication_identifier":{"issn":["2471-2566","2471-2574"]},"department":[{"_id":"76"}],"title":"Computation on Encrypted Data Using Dataflow Authentication","language":[{"iso":"eng"}],"doi":"10.1145/3513005","date_updated":"2022-06-09T10:29:19Z"},{"language":[{"iso":"eng"}],"citation":{"ieee":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. 
Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022.","short":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.","mla":"Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447.","bibtex":"@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447}, author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}, year={2022} }","chicago":"Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447.","ama":"Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447","apa":"Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022). CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 
https://doi.org/10.48550/ARXIV.2204.06447"},"type":"misc","year":"2022","date_updated":"2022-07-25T10:23:44Z","_id":"32409","doi":"10.48550/ARXIV.2204.06447","author":[{"first_name":"Michael","orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","last_name":"Schlichtig","id":"32312"},{"last_name":"Wickert","full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina"},{"first_name":"Stefan","full_name":"Krüger, Stefan","last_name":"Krüger"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"}],"department":[{"_id":"76"}],"keyword":["cryptography","benchmark","API misuse","static analysis"],"status":"public","date_created":"2022-07-25T07:56:59Z","abstract":[{"text":"Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair \"Cryptographic API Misuse Detection Tool Benchmark Suite\". 
We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.","lang":"eng"}],"related_material":{"link":[{"relation":"confirmation","url":"https://arxiv.org/abs/2204.06447"}]},"user_id":"32312","title":"CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite"},{"type":"conference","citation":{"ieee":"M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp. 532–543, doi: 10.1145/3533767.","short":"M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–543.","bibtex":"@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767}, booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2022}, pages={532–543} }","mla":"Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767.","apa":"Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–543. https://doi.org/10.1145/3533767","ama":"Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. 
In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM; 2022:532-543. doi:10.1145/3533767","chicago":"Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–43. ACM, 2022. https://doi.org/10.1145/3533767."},"year":"2022","page":"532 - 543","_id":"32410","quality_controlled":"1","publisher":"ACM","author":[{"id":"41213","last_name":"Nachtigall","full_name":"Nachtigall, Marcus","first_name":"Marcus"},{"full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","first_name":"Michael","id":"32312","last_name":"Schlichtig"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"publication":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","keyword":["Automated static analysis","Software usability"],"status":"public","date_created":"2022-07-25T08:02:36Z","abstract":[{"lang":"eng","text":"Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment.\r\nTo comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. 
Then, we evaluated how well these tools fulfill the aforementioned criteria.\r\nThe evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further.\r\nThese findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses."}],"user_id":"32312","language":[{"iso":"eng"}],"date_updated":"2022-07-26T11:42:23Z","doi":"10.1145/3533767","department":[{"_id":"76"}],"publication_status":"published","publication_identifier":{"isbn":["9781450393799"]},"related_material":{"link":[{"url":"https://dl.acm.org/doi/10.1145/3533767.3534374","relation":"confirmation"}]},"title":"A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools"},{"status":"public","date_created":"2022-05-09T13:04:10Z","author":[{"first_name":"Michael","orcid":"0000-0001-6600-6171","full_name":"Schlichtig, Michael","last_name":"Schlichtig","id":"32312"},{"full_name":"Sassalla, Steffen","first_name":"Steffen","last_name":"Sassalla"},{"first_name":"Krishna","full_name":"Narasimhan, Krishna","last_name":"Narasimhan"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"quality_controlled":"1","keyword":["API misuses","API usage constraints","classification framework","API misuse detection","static analysis"],"department":[{"_id":"76"}],"publication":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","title":"FUM - A Framework for API Usage constraint and Misuse 
Classification","user_id":"32312","related_material":{"link":[{"url":"https://ieeexplore.ieee.org/document/9825763","relation":"confirmation"}]},"abstract":[{"text":"Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. It also appears that, more generally, FUM can aid the development and improvement of misuse detection tools.","lang":"eng"}],"citation":{"ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework for API Usage constraint and Misuse Classification,” in 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684, doi: https://doi.org/10.1109/SANER53432.2022.00085.","short":"M. Schlichtig, S. Sassalla, K. 
Narasimhan, E. Bodden, in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684.","mla":"Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and Misuse Classification.” 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–84, doi:https://doi.org/10.1109/SANER53432.2022.00085.","bibtex":"@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM - A Framework for API Usage constraint and Misuse Classification}, DOI={https://doi.org/10.1109/SANER53432.2022.00085}, booktitle={2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API Usage constraint and Misuse Classification. In: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2022:673-684. doi:https://doi.org/10.1109/SANER53432.2022.00085","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM - A Framework for API Usage constraint and Misuse Classification. 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–684. https://doi.org/10.1109/SANER53432.2022.00085","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–84, 2022. 
https://doi.org/10.1109/SANER53432.2022.00085."},"year":"2022","type":"conference","page":"673 - 684","language":[{"iso":"eng"}],"doi":"https://doi.org/10.1109/SANER53432.2022.00085","date_updated":"2022-07-26T11:42:30Z","_id":"31133"},{"title":"Domain-specific Language for Condition Monitoring Software Development","user_id":"49576","publication_status":"published","date_created":"2022-11-10T14:30:16Z","status":"public","publication":"2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)","department":[{"_id":"241"},{"_id":"76"}],"author":[{"last_name":"Pasic","full_name":"Pasic, Faruk","first_name":"Faruk"},{"last_name":"Becker","first_name":"Matthias","full_name":"Becker, Matthias"}],"publisher":"IEEE","doi":"10.1109/etfa52439.2022.9921730","_id":"34057","date_updated":"2022-11-10T14:30:42Z","year":"2022","citation":{"ieee":"F. Pasic and M. Becker, “Domain-specific Language for Condition Monitoring Software Development,” 2022, doi: 10.1109/etfa52439.2022.9921730.","short":"F. Pasic, M. Becker, in: 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA), IEEE, 2022.","mla":"Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition Monitoring Software Development.” 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA), IEEE, 2022, doi:10.1109/etfa52439.2022.9921730.","bibtex":"@inproceedings{Pasic_Becker_2022, title={Domain-specific Language for Condition Monitoring Software Development}, DOI={10.1109/etfa52439.2022.9921730}, booktitle={2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)}, publisher={IEEE}, author={Pasic, Faruk and Becker, Matthias}, year={2022} }","chicago":"Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition Monitoring Software Development.” In 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). 
IEEE, 2022. https://doi.org/10.1109/etfa52439.2022.9921730.","ama":"Pasic F, Becker M. Domain-specific Language for Condition Monitoring Software Development. In: 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). IEEE; 2022. doi:10.1109/etfa52439.2022.9921730","apa":"Pasic, F., & Becker, M. (2022). Domain-specific Language for Condition Monitoring Software Development. 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). https://doi.org/10.1109/etfa52439.2022.9921730"},"type":"conference"},{"article_type":"original","abstract":[{"text":"Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer’s analysis results are annotated with feature constraints that encode in which configurations each result holds. 
Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.","lang":"eng"}],"user_id":"477","publisher":"Springer Science and Business Media LLC","author":[{"last_name":"Schubert","id":"60543","first_name":"Philipp","orcid":"0000-0002-8674-1859","full_name":"Schubert, Philipp"},{"last_name":"Gazzillo","full_name":"Gazzillo, Paul","first_name":"Paul"},{"last_name":"Patterson","full_name":"Patterson, Zach","first_name":"Zach"},{"last_name":"Braha","full_name":"Braha, Julian","first_name":"Julian"},{"last_name":"Schiebel","first_name":"Fabian","full_name":"Schiebel, Fabian"},{"last_name":"Hermann","id":"66173","first_name":"Ben","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017"},{"first_name":"Shiyi","full_name":"Wei, Shiyi","last_name":"Wei"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"keyword":["inter-procedural static analysis","software product lines","preprocessor","LLVM","C/C++"],"publication":"Automated Software Engineering","alternative_title":["Revoking the preprocessor’s special role"],"volume":29,"status":"public","date_created":"2022-03-25T07:41:26Z","_id":"30511","intvolume":" 29","article_number":"35","issue":"1","main_file_link":[{"open_access":"1","url":"https://link.springer.com/article/10.1007/s10515-022-00333-1"}],"type":"journal_article","citation":{"short":"P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F. Schiebel, B. Hermann, S. Wei, E. Bodden, Automated Software Engineering 29 (2022).","ieee":"P. Schubert et al., “Static data-flow analysis for software product lines in C,” Automated Software Engineering, vol. 29, no. 1, Art. no. 
35, 2022, doi: 10.1007/s10515-022-00333-1.","chicago":"Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering 29, no. 1 (2022). https://doi.org/10.1007/s10515-022-00333-1.","ama":"Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software product lines in C. Automated Software Engineering. 2022;29(1). doi:10.1007/s10515-022-00333-1","apa":"Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F., Hermann, B., Wei, S., & Bodden, E. (2022). Static data-flow analysis for software product lines in C. Automated Software Engineering, 29(1), Article 35. https://doi.org/10.1007/s10515-022-00333-1","bibtex":"@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022, title={Static data-flow analysis for software product lines in C}, volume={29}, DOI={10.1007/s10515-022-00333-1}, number={135}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian and Hermann, Ben and Wei, Shiyi and Bodden, Eric}, year={2022} }","mla":"Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering, vol. 29, no. 
1, 35, Springer Science and Business Media LLC, 2022, doi:10.1007/s10515-022-00333-1."},"year":"2022","title":"Static data-flow analysis for software product lines in C","department":[{"_id":"76"}],"publication_status":"published","publication_identifier":{"issn":["0928-8910","1573-7535"]},"project":[{"name":"SFB 901 - B4: SFB 901 - Subproject B4","_id":"12"},{"_id":"3","name":"SFB 901 - B: SFB 901 - Project Area B"},{"name":"SFB 901: SFB 901","_id":"1"}],"date_updated":"2022-11-17T14:22:38Z","doi":"10.1007/s10515-022-00333-1","oa":"1","language":[{"iso":"eng"}]},{"title":"An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities","user_id":"15249","abstract":[{"text":"Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256,515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. 
Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method that uses objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.\r\nFor the second analysis, we manually analyze 104 deserialization-vulnerability CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.","lang":"eng"}],"publication_status":"published","publication_identifier":{"issn":["1049-331X","1557-7392"]},"date_created":"2022-10-20T12:31:49Z","status":"public","keyword":["Software"],"department":[{"_id":"76"}],"publication":"ACM Transactions on Software Engineering and Methodology","publisher":"Association for Computing Machinery (ACM)","author":[{"full_name":"Sayar, Imen","first_name":"Imen","last_name":"Sayar"},{"last_name":"Bartel","full_name":"Bartel, Alexandre","first_name":"Alexandre"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"},{"last_name":"Le Traon","first_name":"Yves","full_name":"Le Traon, Yves"}],"doi":"10.1145/3554732","date_updated":"2022-10-20T12:32:31Z","_id":"33835","year":"2022","type":"journal_article","citation":{"short":"I. Sayar, A. Bartel, E. Bodden, Y. Le Traon, ACM Transactions on Software Engineering and Methodology (2022).","ieee":"I. Sayar, A. Bartel, E. Bodden, and Y. 
Le Traon, “An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities,” ACM Transactions on Software Engineering and Methodology, 2022, doi: 10.1145/3554732.","chicago":"Sayar, Imen, Alexandre Bartel, Eric Bodden, and Yves Le Traon. “An In-Depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.” ACM Transactions on Software Engineering and Methodology, 2022. https://doi.org/10.1145/3554732.","apa":"Sayar, I., Bartel, A., Bodden, E., & Le Traon, Y. (2022). An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. ACM Transactions on Software Engineering and Methodology. https://doi.org/10.1145/3554732","ama":"Sayar I, Bartel A, Bodden E, Le Traon Y. An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. ACM Transactions on Software Engineering and Methodology. Published online 2022. doi:10.1145/3554732","mla":"Sayar, Imen, et al. “An In-Depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.” ACM Transactions on Software Engineering and Methodology, Association for Computing Machinery (ACM), 2022, doi:10.1145/3554732.","bibtex":"@article{Sayar_Bartel_Bodden_Le Traon_2022, title={An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities}, DOI={10.1145/3554732}, journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association for Computing Machinery (ACM)}, author={Sayar, Imen and Bartel, Alexandre and Bodden, Eric and Le Traon, Yves}, year={2022} }"},"language":[{"iso":"eng"}]},{"publication":"Empirical Software Engineering","department":[{"_id":"76"},{"_id":"662"}],"author":[{"first_name":"Goran","orcid":"0000-0003-4424-5838","full_name":"Piskachev, Goran","last_name":"Piskachev","id":"41936"},{"first_name":"Johannes","full_name":"Späth, Johannes","last_name":"Späth"},{"orcid":"https://orcid.org/0000-0003-0124-6291","full_name":"Budde, 
Ingo","first_name":"Ingo","id":"13693","last_name":"Budde"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"publisher":"Springer","volume":27,"date_created":"2022-10-20T12:34:04Z","status":"public","title":"Fluently specifying taint-flow queries with fluentTQL","user_id":"15249","page":"1–33","type":"journal_article","citation":{"ieee":"G. Piskachev, J. Späth, I. Budde, and E. Bodden, “Fluently specifying taint-flow queries with fluentTQL,” Empirical Software Engineering, vol. 27, no. 5, pp. 1–33, 2022.","short":"G. Piskachev, J. Späth, I. Budde, E. Bodden, Empirical Software Engineering 27 (2022) 1–33.","mla":"Piskachev, Goran, et al. “Fluently Specifying Taint-Flow Queries with FluentTQL.” Empirical Software Engineering, vol. 27, no. 5, Springer, 2022, pp. 1–33.","bibtex":"@article{Piskachev_Späth_Budde_Bodden_2022, title={Fluently specifying taint-flow queries with fluentTQL}, volume={27}, number={5}, journal={Empirical Software Engineering}, publisher={Springer}, author={Piskachev, Goran and Späth, Johannes and Budde, Ingo and Bodden, Eric}, year={2022}, pages={1–33} }","chicago":"Piskachev, Goran, Johannes Späth, Ingo Budde, and Eric Bodden. “Fluently Specifying Taint-Flow Queries with FluentTQL.” Empirical Software Engineering 27, no. 5 (2022): 1–33.","ama":"Piskachev G, Späth J, Budde I, Bodden E. Fluently specifying taint-flow queries with fluentTQL. Empirical Software Engineering. 2022;27(5):1–33.","apa":"Piskachev, G., Späth, J., Budde, I., & Bodden, E. (2022). Fluently specifying taint-flow queries with fluentTQL. 
Empirical Software Engineering, 27(5), 1–33."},"year":"2022","language":[{"iso":"eng"}],"date_updated":"2022-10-20T12:36:23Z","_id":"33836","intvolume":" 27","issue":"5"},{"title":"To what extent can we analyze Kotlin programs using existing Java taint analysis tools?","user_id":"15249","date_created":"2022-10-20T12:38:09Z","status":"public","department":[{"_id":"76"},{"_id":"662"}],"author":[{"last_name":"Krishnamurthy","id":"78060","first_name":"Ranjith","orcid":"0000-0002-0906-5463","full_name":"Krishnamurthy, Ranjith"},{"id":"41936","last_name":"Piskachev","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","first_name":"Goran"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"_id":"33838","date_updated":"2022-10-20T12:38:32Z","type":"conference","citation":{"ieee":"R. Krishnamurthy, G. Piskachev, and E. Bodden, “To what extent can we analyze Kotlin programs using existing Java taint analysis tools?” 2022.","short":"R. Krishnamurthy, G. Piskachev, E. Bodden, (2022).","bibtex":"@article{Krishnamurthy_Piskachev_Bodden_2022, series={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)}, title={To what extent can we analyze Kotlin programs using existing Java taint analysis tools?}, author={Krishnamurthy, Ranjith and Piskachev, Goran and Bodden, Eric}, year={2022}, collection={IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)} }","mla":"Krishnamurthy, Ranjith, et al. To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools? 2022.","chicago":"Krishnamurthy, Ranjith, Goran Piskachev, and Eric Bodden. “To What Extent Can We Analyze Kotlin Programs Using Existing Java Taint Analysis Tools?” IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM), 2022.","ama":"Krishnamurthy R, Piskachev G, Bodden E. 
To what extent can we analyze Kotlin programs using existing Java taint analysis tools? Published online 2022.","apa":"Krishnamurthy, R., Piskachev, G., & Bodden, E. (2022). To what extent can we analyze Kotlin programs using existing Java taint analysis tools?"},"year":"2022","language":[{"iso":"eng"}],"series_title":"IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM)"},{"series_title":"IEEE Secure Development Conference (SecDev)","type":"conference","citation":{"chicago":"Piskachev, Goran, Stefan Dziwok, Thorsten Koch, Sven Merschjohann, and Eric Bodden. “How Far Are German Companies in Improving Security through Static Program Analysis Tools?” IEEE Secure Development Conference (SecDev), 2022.","ama":"Piskachev G, Dziwok S, Koch T, Merschjohann S, Bodden E. How far are German companies in improving security through static program analysis tools? Published online 2022.","apa":"Piskachev, G., Dziwok, S., Koch, T., Merschjohann, S., & Bodden, E. (2022). How far are German companies in improving security through static program analysis tools?","bibtex":"@article{Piskachev_Dziwok_Koch_Merschjohann_Bodden_2022, series={IEEE Secure Development Conference (SecDev)}, title={How far are German companies in improving security through static program analysis tools?}, author={Piskachev, Goran and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric}, year={2022}, collection={IEEE Secure Development Conference (SecDev)} }","mla":"Piskachev, Goran, et al. How Far Are German Companies in Improving Security through Static Program Analysis Tools? 2022.","short":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, E. Bodden, (2022).","ieee":"G. Piskachev, S. Dziwok, T. Koch, S. Merschjohann, and E. 
Bodden, “How far are German companies in improving security through static program analysis tools?” 2022."},"year":"2022","language":[{"iso":"eng"}],"date_updated":"2022-10-20T12:37:44Z","_id":"33837","author":[{"id":"41936","last_name":"Piskachev","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","first_name":"Goran"},{"full_name":"Dziwok, Stefan","orcid":"http://orcid.org/0000-0002-8679-6673","first_name":"Stefan","id":"3901","last_name":"Dziwok"},{"last_name":"Koch","id":"13616","first_name":"Thorsten","full_name":"Koch, Thorsten"},{"first_name":"Sven","full_name":"Merschjohann, Sven","last_name":"Merschjohann","id":"11394"},{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"department":[{"_id":"76"},{"_id":"662"}],"status":"public","date_created":"2022-10-20T12:37:14Z","title":"How far are German companies in improving security through static program analysis tools?","user_id":"15249"},{"date_created":"2022-10-28T13:21:05Z","status":"public","department":[{"_id":"76"}],"author":[{"last_name":"Wickert","full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina"},{"last_name":"Baumgärtner","full_name":"Baumgärtner, Lars","first_name":"Lars"},{"id":"32312","last_name":"Schlichtig","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","first_name":"Michael"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"}],"related_material":{"link":[{"relation":"confirmation","url":"https://arxiv.org/abs/2209.11103"}]},"user_id":"32312","title":"To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild","abstract":[{"lang":"eng","text":"Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. 
We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks."}],"language":[{"iso":"eng"}],"citation":{"apa":"Wickert, A.-K., Baumgärtner, L., Schlichtig, M., & Mezini, M. (2022). To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild. https://doi.org/10.48550/ARXIV.2209.11103","ama":"Wickert A-K, Baumgärtner L, Schlichtig M, Mezini M. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild.; 2022. doi:10.48550/ARXIV.2209.11103","chicago":"Wickert, Anna-Katharina, Lars Baumgärtner, Michael Schlichtig, and Mira Mezini. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild, 2022. https://doi.org/10.48550/ARXIV.2209.11103.","mla":"Wickert, Anna-Katharina, et al. To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild. 2022, doi:10.48550/ARXIV.2209.11103.","bibtex":"@book{Wickert_Baumgärtner_Schlichtig_Mezini_2022, title={To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild}, DOI={10.48550/ARXIV.2209.11103}, author={Wickert, Anna-Katharina and Baumgärtner, Lars and Schlichtig, Michael and Mezini, Mira}, year={2022} }","short":"A.-K. Wickert, L. Baumgärtner, M. Schlichtig, M. 
Mezini, To Fix or Not to Fix: A Critical Study of Crypto-Misuses in the Wild, 2022.","ieee":"A.-K. Wickert, L. Baumgärtner, M. Schlichtig, and M. Mezini, To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild. 2022."},"year":"2022","type":"misc","doi":"10.48550/ARXIV.2209.11103","_id":"33959","date_updated":"2022-10-28T13:26:39Z"},{"abstract":[{"lang":"eng","text":"Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. 
(iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors."}],"ddc":["000"],"user_id":"15249","author":[{"last_name":"Luo","first_name":"Linghui","full_name":"Luo, Linghui"},{"first_name":"Felix","full_name":"Pauck, Felix","last_name":"Pauck","id":"22398"},{"last_name":"Piskachev","id":"41936","first_name":"Goran","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838"},{"last_name":"Benz","full_name":"Benz, Manuel","first_name":"Manuel"},{"last_name":"Pashchenko","first_name":"Ivan","full_name":"Pashchenko, Ivan"},{"last_name":"Mory","id":"65667","first_name":"Martin","orcid":"0000-0001-5609-0031","full_name":"Mory, Martin"},{"first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256"},{"last_name":"Hermann","id":"66173","first_name":"Ben","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017"},{"full_name":"Massacci, Fabio","first_name":"Fabio","last_name":"Massacci"}],"publication":"Empirical Software Engineering","status":"public","date_created":"2021-11-02T05:13:49Z","_id":"27045","main_file_link":[{"open_access":"1","url":"https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf"}],"year":"2021","type":"journal_article","citation":{"short":"L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, F. Massacci, Empirical Software Engineering (2021).","ieee":"L. Luo et al., “TaintBench: Automatic real-world malware benchmarking of Android taint analyses,” Empirical Software Engineering, 2021, doi: 10.1007/s10664-021-10013-5.","chicago":"Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” Empirical Software Engineering, 2021. https://doi.org/10.1007/s10664-021-10013-5.","ama":"Luo L, Pauck F, Piskachev G, et al. 
TaintBench: Automatic real-world malware benchmarking of Android taint analyses. Empirical Software Engineering. Published online 2021. doi:10.1007/s10664-021-10013-5","apa":"Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden, E., Hermann, B., & Massacci, F. (2021). TaintBench: Automatic real-world malware benchmarking of Android taint analyses. Empirical Software Engineering. https://doi.org/10.1007/s10664-021-10013-5","mla":"Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” Empirical Software Engineering, 2021, doi:10.1007/s10664-021-10013-5.","bibtex":"@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021, title={TaintBench: Automatic real-world malware benchmarking of Android taint analyses}, DOI={10.1007/s10664-021-10013-5}, journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }"},"title":"TaintBench: Automatic real-world malware benchmarking of Android taint analyses","department":[{"_id":"77"},{"_id":"76"}],"publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","project":[{"name":"SFB 901","_id":"1"},{"name":"SFB 901 - Project Area B","_id":"3"},{"name":"SFB 901 - Subproject B4","_id":"12"}],"date_updated":"2022-01-06T06:57:32Z","doi":"10.1007/s10664-021-10013-5","oa":"1","language":[{"iso":"eng"}]},{"status":"public","date_created":"2021-11-04T13:58:35Z","author":[{"first_name":"Linghui","full_name":"Luo, Linghui","last_name":"Luo"}],"publisher":"Universität Paderborn","department":[{"_id":"76"}],"title":"Improving Real-World Applicability of Static Taint Analysis","user_id":"15249","related_material":{"link":[{"url":"https://www.bodden.de/pubs/phdLuo.pdf","relation":"confirmation"}]},"year":"2021","citation":{"mla":"Luo, Linghui. 
Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","bibtex":"@book{Luo_2021, title={Improving Real-World Applicability of Static Taint Analysis}, publisher={Universität Paderborn}, author={Luo, Linghui}, year={2021} }","apa":"Luo, L. (2021). Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn.","ama":"Luo L. Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn; 2021.","chicago":"Luo, Linghui. Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","ieee":"L. Luo, Improving Real-World Applicability of Static Taint Analysis. Universität Paderborn, 2021.","short":"L. Luo, Improving Real-World Applicability of Static Taint Analysis, Universität Paderborn, 2021."},"type":"dissertation","language":[{"iso":"eng"}],"date_updated":"2022-01-06T06:57:35Z","_id":"27158"},{"_id":"21595","date_updated":"2022-01-06T06:55:06Z","doi":"10.2991/jase.d.210205.001","main_file_link":[{"url":"https://www.bodden.de/pubs/sb21architectural.pdf"}],"language":[{"iso":"eng"}],"year":"2021","type":"journal_article","citation":{"mla":"Stockmann, Lars, et al. “Using Architectural Runtime Verification for Offline Data Analysis.” Journal of Automotive Software Engineering, 2021, doi:10.2991/jase.d.210205.001.","bibtex":"@article{Stockmann_Laux_Bodden_2021, title={Using Architectural Runtime Verification for Offline Data Analysis}, DOI={10.2991/jase.d.210205.001}, journal={Journal of Automotive Software Engineering}, author={Stockmann, Lars and Laux, Sven and Bodden, Eric}, year={2021} }","chicago":"Stockmann, Lars, Sven Laux, and Eric Bodden. “Using Architectural Runtime Verification for Offline Data Analysis.” Journal of Automotive Software Engineering, 2021. https://doi.org/10.2991/jase.d.210205.001.","ama":"Stockmann L, Laux S, Bodden E. Using Architectural Runtime Verification for Offline Data Analysis. Journal of Automotive Software Engineering. 
Published online 2021. doi:10.2991/jase.d.210205.001","apa":"Stockmann, L., Laux, S., & Bodden, E. (2021). Using Architectural Runtime Verification for Offline Data Analysis. Journal of Automotive Software Engineering. https://doi.org/10.2991/jase.d.210205.001","ieee":"L. Stockmann, S. Laux, and E. Bodden, “Using Architectural Runtime Verification for Offline Data Analysis,” Journal of Automotive Software Engineering, 2021, doi: 10.2991/jase.d.210205.001.","short":"L. Stockmann, S. Laux, E. Bodden, Journal of Automotive Software Engineering (2021)."},"user_id":"5786","title":"Using Architectural Runtime Verification for Offline Data Analysis","publication":"Journal of Automotive Software Engineering","department":[{"_id":"76"}],"author":[{"first_name":"Lars","full_name":"Stockmann, Lars","last_name":"Stockmann","id":"48144"},{"last_name":"Laux","full_name":"Laux, Sven","first_name":"Sven"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}],"date_created":"2021-04-08T11:21:32Z","status":"public","publication_status":"published","publication_identifier":{"issn":["2589-2258"]}},{"main_file_link":[{"url":"https://www.bodden.de/pubs/phdFischer.pdf"}],"language":[{"iso":"eng"}],"year":"2021","citation":{"ieee":"A. Fischer, Computing on Encrypted Data using Trusted Execution Environments. Universität Paderborn, 2021.","short":"A. Fischer, Computing on Encrypted Data Using Trusted Execution Environments, Universität Paderborn, 2021.","mla":"Fischer, Andreas. Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn, 2021.","bibtex":"@book{Fischer_2021, title={Computing on Encrypted Data using Trusted Execution Environments}, publisher={Universität Paderborn}, author={Fischer, Andreas}, year={2021} }","chicago":"Fischer, Andreas. Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn, 2021.","ama":"Fischer A. 
Computing on Encrypted Data Using Trusted Execution Environments. Universität Paderborn; 2021.","apa":"Fischer, A. (2021). Computing on Encrypted Data using Trusted Execution Environments. Universität Paderborn."},"type":"dissertation","_id":"21596","date_updated":"2022-01-06T06:55:06Z","department":[{"_id":"76"}],"publisher":"Universität Paderborn","author":[{"full_name":"Fischer, Andreas","first_name":"Andreas","last_name":"Fischer"}],"date_created":"2021-04-08T11:23:13Z","status":"public","user_id":"5786","title":"Computing on Encrypted Data using Trusted Execution Environments"},{"_id":"21597","date_updated":"2022-01-06T06:55:06Z","language":[{"iso":"eng"}],"type":"journal_article","year":"2021","citation":{"ama":"Holzinger P, Bodden E. A Systematic Hardening of Java’s Information Hiding. International Symposium on Advanced Security on Software and Systems (ASSS). Published online 2021.","apa":"Holzinger, P., & Bodden, E. (2021). A Systematic Hardening of Java’s Information Hiding. International Symposium on Advanced Security on Software and Systems (ASSS).","chicago":"Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s Information Hiding.” International Symposium on Advanced Security on Software and Systems (ASSS), 2021.","bibtex":"@article{Holzinger_Bodden_2021, title={A Systematic Hardening of Java’s Information Hiding}, journal={International Symposium on Advanced Security on Software and Systems (ASSS)}, author={Holzinger, Philipp and Bodden, Eric}, year={2021} }","mla":"Holzinger, Philipp, and Eric Bodden. “A Systematic Hardening of Java’s Information Hiding.” International Symposium on Advanced Security on Software and Systems (ASSS), 2021.","short":"P. Holzinger, E. Bodden, International Symposium on Advanced Security on Software and Systems (ASSS) (2021).","ieee":"P. Holzinger and E. 
Bodden, “A Systematic Hardening of Java’s Information Hiding,” International Symposium on Advanced Security on Software and Systems (ASSS), 2021."},"main_file_link":[{"url":"https://www.bodden.de/pubs/hb21systematic.pdf"}],"user_id":"5786","title":"A Systematic Hardening of Java's Information Hiding","status":"public","date_created":"2021-04-08T11:24:06Z","author":[{"last_name":"Holzinger","first_name":"Philipp","full_name":"Holzinger, Philipp"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"publication":"International Symposium on Advanced Security on Software and Systems (ASSS)","department":[{"_id":"76"}]},{"author":[{"last_name":"Bonifacio","first_name":"Rodrigo","full_name":"Bonifacio, Rodrigo"},{"first_name":"Stefan","full_name":"Krüger, Stefan","last_name":"Krüger"},{"full_name":"Narasimhan, Krishna","first_name":"Krishna","last_name":"Narasimhan"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"},{"full_name":"Mezini, Mira","first_name":"Mira","last_name":"Mezini"}],"department":[{"_id":"76"}],"publication":"European Conference on Object-Oriented Programming (ECOOP)","status":"public","date_created":"2021-04-08T11:25:43Z","user_id":"5786","title":"Dealing with Variability in API Misuse Specification","language":[{"iso":"eng"}],"type":"journal_article","year":"2021","citation":{"ieee":"R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, and M. Mezini, “Dealing with Variability in API Misuse Specification,” European Conference on Object-Oriented Programming (ECOOP), 2021.","short":"R. Bonifacio, S. Krüger, K. Narasimhan, E. Bodden, M. 
Mezini, European Conference on Object-Oriented Programming (ECOOP) (2021).","bibtex":"@article{Bonifacio_Krüger_Narasimhan_Bodden_Mezini_2021, title={Dealing with Variability in API Misuse Specification}, journal={European Conference on Object-Oriented Programming (ECOOP)}, author={Bonifacio, Rodrigo and Krüger, Stefan and Narasimhan, Krishna and Bodden, Eric and Mezini, Mira}, year={2021} }","mla":"Bonifacio, Rodrigo, et al. “Dealing with Variability in API Misuse Specification.” European Conference on Object-Oriented Programming (ECOOP), 2021.","chicago":"Bonifacio, Rodrigo, Stefan Krüger, Krishna Narasimhan, Eric Bodden, and Mira Mezini. “Dealing with Variability in API Misuse Specification.” European Conference on Object-Oriented Programming (ECOOP), 2021.","ama":"Bonifacio R, Krüger S, Narasimhan K, Bodden E, Mezini M. Dealing with Variability in API Misuse Specification. European Conference on Object-Oriented Programming (ECOOP). Published online 2021.","apa":"Bonifacio, R., Krüger, S., Narasimhan, K., Bodden, E., & Mezini, M. (2021). Dealing with Variability in API Misuse Specification. European Conference on Object-Oriented Programming (ECOOP)."},"_id":"21599","date_updated":"2022-01-06T06:55:06Z"},{"doi":"10.1145/3464968.3468410","date_updated":"2022-01-06T06:55:33Z","_id":"22462","type":"conference","year":"2021","citation":{"short":"A.P. Shivarpatna Venkatesh, E. Bodden, in: International Workshop on AI and Software Testing/Analysis (AISTA), 2021.","ieee":"A. P. Shivarpatna Venkatesh and E. Bodden, “Automated Cell Header Generator for Jupyter Notebooks,” 2021, doi: 10.1145/3464968.3468410.","apa":"Shivarpatna Venkatesh, A. P., & Bodden, E. (2021). Automated Cell Header Generator for Jupyter Notebooks. International Workshop on AI and Software Testing/Analysis (AISTA). https://doi.org/10.1145/3464968.3468410","ama":"Shivarpatna Venkatesh AP, Bodden E. Automated Cell Header Generator for Jupyter Notebooks. 
In: International Workshop on AI and Software Testing/Analysis (AISTA). ; 2021. doi:10.1145/3464968.3468410","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, and Eric Bodden. “Automated Cell Header Generator for Jupyter Notebooks.” In International Workshop on AI and Software Testing/Analysis (AISTA), 2021. https://doi.org/10.1145/3464968.3468410.","bibtex":"@inproceedings{Shivarpatna Venkatesh_Bodden_2021, title={Automated Cell Header Generator for Jupyter Notebooks}, DOI={10.1145/3464968.3468410}, booktitle={International Workshop on AI and Software Testing/Analysis (AISTA)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Bodden, Eric}, year={2021} }","mla":"Shivarpatna Venkatesh, Ashwin Prasad, and Eric Bodden. “Automated Cell Header Generator for Jupyter Notebooks.” International Workshop on AI and Software Testing/Analysis (AISTA), 2021, doi:10.1145/3464968.3468410."},"language":[{"iso":"eng"}],"title":"Automated Cell Header Generator for Jupyter Notebooks","user_id":"5786","date_created":"2021-06-17T10:14:48Z","status":"public","department":[{"_id":"76"}],"publication":"International Workshop on AI and Software Testing/Analysis (AISTA)","author":[{"last_name":"Shivarpatna Venkatesh","id":"66637","first_name":"Ashwin Prasad","full_name":"Shivarpatna Venkatesh, Ashwin Prasad"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}]},{"publication_status":"published","status":"public","date_created":"2021-08-09T12:01:11Z","author":[{"first_name":"Sriteja","full_name":"Kummita, Sriteja","last_name":"Kummita"},{"full_name":"Piskachev, Goran","first_name":"Goran","last_name":"Piskachev"},{"first_name":"Johannes","full_name":"Spath, Johannes","last_name":"Spath"},{"full_name":"Bodden, Eric","first_name":"Eric","last_name":"Bodden"}],"publication":"2021 International Conference on Code Quality (ICCQ)","department":[{"_id":"241"},{"_id":"662"},{"_id":"76"}],"title":"Qualitative and Quantitative Analysis of 
Callgraph Algorithms for Python","user_id":"5786","citation":{"ama":"Kummita S, Piskachev G, Spath J, Bodden E. Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. In: 2021 International Conference on Code Quality (ICCQ). ; 2021. doi:10.1109/iccq51190.2021.9392986","apa":"Kummita, S., Piskachev, G., Spath, J., & Bodden, E. (2021). Qualitative and Quantitative Analysis of Callgraph Algorithms for Python. 2021 International Conference on Code Quality (ICCQ). https://doi.org/10.1109/iccq51190.2021.9392986","chicago":"Kummita, Sriteja, Goran Piskachev, Johannes Spath, and Eric Bodden. “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python.” In 2021 International Conference on Code Quality (ICCQ), 2021. https://doi.org/10.1109/iccq51190.2021.9392986.","bibtex":"@inproceedings{Kummita_Piskachev_Spath_Bodden_2021, title={Qualitative and Quantitative Analysis of Callgraph Algorithms for Python}, DOI={10.1109/iccq51190.2021.9392986}, booktitle={2021 International Conference on Code Quality (ICCQ)}, author={Kummita, Sriteja and Piskachev, Goran and Spath, Johannes and Bodden, Eric}, year={2021} }","mla":"Kummita, Sriteja, et al. “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python.” 2021 International Conference on Code Quality (ICCQ), 2021, doi:10.1109/iccq51190.2021.9392986.","short":"S. Kummita, G. Piskachev, J. Spath, E. Bodden, in: 2021 International Conference on Code Quality (ICCQ), 2021.","ieee":"S. Kummita, G. Piskachev, J. Spath, and E. 
Bodden, “Qualitative and Quantitative Analysis of Callgraph Algorithms for Python,” 2021, doi: 10.1109/iccq51190.2021.9392986."},"type":"conference","year":"2021","language":[{"iso":"eng"}],"doi":"10.1109/iccq51190.2021.9392986","date_updated":"2022-01-06T06:55:50Z","_id":"23374"},{"user_id":"70410","title":"SootFX: A Static Code Feature Extraction Tool for Java and Android","date_created":"2022-02-24T15:44:42Z","status":"public","publication_status":"published","department":[{"_id":"76"}],"publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","author":[{"last_name":"Karakaya","full_name":"Karakaya, Kadiray","first_name":"Kadiray"},{"last_name":"Bodden","first_name":"Eric","full_name":"Bodden, Eric"}],"publisher":"IEEE","doi":"10.1109/scam52516.2021.00030","_id":"30084","date_updated":"2022-02-24T15:45:43Z","type":"conference","year":"2021","citation":{"bibtex":"@inproceedings{Karakaya_Bodden_2021, title={SootFX: A Static Code Feature Extraction Tool for Java and Android}, DOI={10.1109/scam52516.2021.00030}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2021} }","mla":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, 2021, doi:10.1109/scam52516.2021.00030.","chicago":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE, 2021. https://doi.org/10.1109/scam52516.2021.00030.","ama":"Karakaya K, Bodden E. SootFX: A Static Code Feature Extraction Tool for Java and Android. In: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). 
IEEE; 2021. doi:10.1109/scam52516.2021.00030","apa":"Karakaya, K., & Bodden, E. (2021). SootFX: A Static Code Feature Extraction Tool for Java and Android. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). https://doi.org/10.1109/scam52516.2021.00030","ieee":"K. Karakaya and E. Bodden, “SootFX: A Static Code Feature Extraction Tool for Java and Android,” 2021, doi: 10.1109/scam52516.2021.00030.","short":"K. Karakaya, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, 2021."}},{"oa":"1","_id":"21598","date_updated":"2022-03-25T07:49:35Z","language":[{"iso":"eng"}],"year":"2021","type":"conference","citation":{"ama":"Schubert P, Hermann B, Bodden E. Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis. In: European Conference on Object-Oriented Programming (ECOOP). ; 2021.","apa":"Schubert, P., Hermann, B., & Bodden, E. (2021). Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis. European Conference on Object-Oriented Programming (ECOOP).","short":"P. Schubert, B. Hermann, E. Bodden, in: European Conference on Object-Oriented Programming (ECOOP), 2021.","chicago":"Schubert, Philipp, Ben Hermann, and Eric Bodden. “Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis.” In European Conference on Object-Oriented Programming (ECOOP), 2021.","ieee":"P. Schubert, B. Hermann, and E. Bodden, “Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis,” 2021.","mla":"Schubert, Philipp, et al. 
“Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis.” European Conference on Object-Oriented Programming (ECOOP), 2021.","bibtex":"@inproceedings{Schubert_Hermann_Bodden_2021, title={Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis}, booktitle={European Conference on Object-Oriented Programming (ECOOP)}, author={Schubert, Philipp and Hermann, Ben and Bodden, Eric}, year={2021} }"},"main_file_link":[{"open_access":"1","url":"https://drops.dagstuhl.de/opus/volltexte/2021/14045/"}],"user_id":"60543","title":"Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis","abstract":[{"lang":"eng","text":"Static analysis is used to automatically detect bugs and security breaches, and aids compiler optimization. Whole-program analysis (WPA) can yield high precision, however causes long analysis times and thus does not match common software-development workflows, making it often impractical to use for large, real-world applications. This paper thus presents the design and implementation of ModAlyzer, a novel static-analysis approach that aims at accelerating whole-program analysis by making the analysis modular and compositional. It shows how to compute lossless, persisted summaries for callgraph, points-to and data-flow information, and it reports under which circumstances this function-level compositional analysis outperforms WPA. We implemented ModAlyzer as an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. At analysis time, ModAlyzer modularly and losslessly summarizes the analysis effect of the library code those applications share, hence avoiding its repeated re-analysis. The experimental results show that the reuse of these summaries can save, on average, 72% of analysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retains precision and recall. 
Surprisingly, as our results show, it sometimes even yields precision superior to WPA. The initial summary generation, on average, takes about 3.67 times as long as WPA."}],"status":"public","project":[{"name":"SFB 901 - Project Area B","_id":"3"},{"_id":"12","name":"SFB 901 - Subproject B4"},{"name":"SFB 901","_id":"1"}],"date_created":"2021-04-08T11:24:59Z","author":[{"id":"60543","last_name":"Schubert","full_name":"Schubert, Philipp","orcid":"0000-0002-8674-1859","first_name":"Philipp"},{"last_name":"Hermann","id":"66173","first_name":"Ben","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017"},{"id":"59256","last_name":"Bodden","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"publication":"European Conference on Object-Oriented Programming (ECOOP)","department":[{"_id":"76"}]},{"date_updated":"2022-05-09T13:03:18Z","_id":"31132","doi":"10.1109/tse.2021.3101739","language":[{"iso":"eng"}],"page":"1-1","citation":{"short":"A.P. Dann, H. Plate, B. Hermann, S.E. Ponta, E. Bodden, IEEE Transactions on Software Engineering (2021) 1–1.","ieee":"A. P. Dann, H. Plate, B. Hermann, S. E. Ponta, and E. Bodden, “Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite,” IEEE Transactions on Software Engineering, pp. 1–1, 2021, doi: 10.1109/tse.2021.3101739.","chicago":"Dann, Andreas Peter, Henrik Plate, Ben Hermann, Serena Elisa Ponta, and Eric Bodden. “Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite.” IEEE Transactions on Software Engineering, 2021, 1–1. https://doi.org/10.1109/tse.2021.3101739.","ama":"Dann AP, Plate H, Hermann B, Ponta SE, Bodden E. Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite. IEEE Transactions on Software Engineering. Published online 2021:1-1. doi:10.1109/tse.2021.3101739","apa":"Dann, A. P., Plate, H., Hermann, B., Ponta, S. E., & Bodden, E. (2021). Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite. 
IEEE Transactions on Software Engineering, 1–1. https://doi.org/10.1109/tse.2021.3101739","bibtex":"@article{Dann_Plate_Hermann_Ponta_Bodden_2021, title={Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite}, DOI={10.1109/tse.2021.3101739}, journal={IEEE Transactions on Software Engineering}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Dann, Andreas Peter and Plate, Henrik and Hermann, Ben and Ponta, Serena Elisa and Bodden, Eric}, year={2021}, pages={1–1} }","mla":"Dann, Andreas Peter, et al. “Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite.” IEEE Transactions on Software Engineering, Institute of Electrical and Electronics Engineers (IEEE), 2021, pp. 1–1, doi:10.1109/tse.2021.3101739."},"type":"journal_article","year":"2021","user_id":"15249","title":"Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite","department":[{"_id":"76"}],"publication":"IEEE Transactions on Software Engineering","keyword":["Software"],"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","author":[{"full_name":"Dann, Andreas Peter","first_name":"Andreas Peter","id":"26886","last_name":"Dann"},{"full_name":"Plate, Henrik","first_name":"Henrik","last_name":"Plate"},{"id":"66173","last_name":"Hermann","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","first_name":"Ben"},{"first_name":"Serena Elisa","full_name":"Ponta, Serena Elisa","last_name":"Ponta"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"date_created":"2022-05-09T13:02:35Z","status":"public","publication_identifier":{"issn":["0098-5589","1939-3520","2326-3881"]},"publication_status":"published"},{"status":"public","date_created":"2021-10-18T12:53:15Z","author":[{"full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","first_name":"Goran","id":"41936","last_name":"Piskachev"},{"full_name":"Krishnamurthy, 
Ranjith","first_name":"Ranjith","last_name":"Krishnamurthy"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","department":[{"_id":"76"},{"_id":"662"}],"title":"SecuCheck: Engineering configurable taint analysis for software developers","user_id":"15249","year":"2021","citation":{"short":"G. Piskachev, R. Krishnamurthy, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","ieee":"G. Piskachev, R. Krishnamurthy, and E. Bodden, “SecuCheck: Engineering configurable taint analysis for software developers,” 2021.","chicago":"Piskachev, Goran, Ranjith Krishnamurthy, and Eric Bodden. “SecuCheck: Engineering Configurable Taint Analysis for Software Developers.” In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","ama":"Piskachev G, Krishnamurthy R, Bodden E. SecuCheck: Engineering configurable taint analysis for software developers. In: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). ; 2021.","apa":"Piskachev, G., Krishnamurthy, R., & Bodden, E. (2021). SecuCheck: Engineering configurable taint analysis for software developers. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM).","bibtex":"@inproceedings{Piskachev_Krishnamurthy_Bodden_2021, title={SecuCheck: Engineering configurable taint analysis for software developers}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, author={Piskachev, Goran and Krishnamurthy, Ranjith and Bodden, Eric}, year={2021} }","mla":"Piskachev, Goran, et al. 
“SecuCheck: Engineering Configurable Taint Analysis for Software Developers.” 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021."},"type":"conference","language":[{"iso":"eng"}],"_id":"26407","date_updated":"2022-10-20T12:44:31Z"},{"language":[{"iso":"eng"}],"citation":{"apa":"Luo, L., Schäf, M., Sanchez, D., & Bodden, E. (2021). IDE Support for Cloud-Based Static Analyses. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering.","ama":"Luo L, Schäf M, Sanchez D, Bodden E. IDE Support for Cloud-Based Static Analyses. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ; 2021.","chicago":"Luo, Linghui, Martin Schäf, Daniel Sanchez, and Eric Bodden. “IDE Support for Cloud-Based Static Analyses.” In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2021.","mla":"Luo, Linghui, et al. “IDE Support for Cloud-Based Static Analyses.” Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2021.","bibtex":"@inproceedings{Luo_Schäf_Sanchez_Bodden_2021, title={IDE Support for Cloud-Based Static Analyses}, booktitle={Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}, author={Luo, Linghui and Schäf, Martin and Sanchez, Daniel and Bodden, Eric}, year={2021} }","short":"L. Luo, M. Schäf, D. Sanchez, E. Bodden, in: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2021.","ieee":"L. Luo, M. Schäf, D. Sanchez, and E. 
Bodden, “IDE Support for Cloud-Based Static Analyses,” 2021."},"type":"conference","year":"2021","date_updated":"2022-10-20T13:11:45Z","_id":"22463","department":[{"_id":"76"}],"publication":"Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":[{"first_name":"Linghui","full_name":"Luo, Linghui","last_name":"Luo"},{"last_name":"Schäf","full_name":"Schäf, Martin","first_name":"Martin"},{"first_name":"Daniel","full_name":"Sanchez, Daniel","last_name":"Sanchez"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"date_created":"2021-06-17T10:18:05Z","status":"public","user_id":"15249","title":"IDE Support for Cloud-Based Static Analyses"},{"_id":"33840","date_updated":"2022-10-20T13:09:23Z","language":[{"iso":"eng"}],"page":"181–186","year":"2021","type":"conference","citation":{"apa":"Karakaya, K., & Bodden, E. (2021). SootFX: A Static Code Feature Extraction Tool for Java and Android. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 181–186.","ama":"Karakaya K, Bodden E. SootFX: A Static Code Feature Extraction Tool for Java and Android. In: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). ; 2021:181–186.","chicago":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 181–186, 2021.","mla":"Karakaya, Kadiray, and Eric Bodden. “SootFX: A Static Code Feature Extraction Tool for Java and Android.” 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021, pp. 
181–186.","bibtex":"@inproceedings{Karakaya_Bodden_2021, title={SootFX: A Static Code Feature Extraction Tool for Java and Android}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, author={Karakaya, Kadiray and Bodden, Eric}, year={2021}, pages={181–186} }","short":"K. Karakaya, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021, pp. 181–186.","ieee":"K. Karakaya and E. Bodden, “SootFX: A Static Code Feature Extraction Tool for Java and Android,” in 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021, pp. 181–186."},"user_id":"15249","title":"SootFX: A Static Code Feature Extraction Tool for Java and Android","publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","department":[{"_id":"76"}],"author":[{"orcid":"https://orcid.org/0000-0001-9266-2084","full_name":"Karakaya, Kadiray","first_name":"Kadiray","id":"70410","last_name":"Karakaya"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}],"date_created":"2022-10-20T13:09:08Z","status":"public"},{"date_updated":"2023-06-15T08:39:55Z","_id":"26406","type":"conference","citation":{"short":"P. Schubert, B. Hermann, E. Bodden, R. Leer, in: SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track), 2021.","ieee":"P. Schubert, B. Hermann, E. Bodden, and R. Leer, “Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++,” 2021.","chicago":"Schubert, Philipp, Ben Hermann, Eric Bodden, and Richard Leer. 
“Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++.” In SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track), 2021.","apa":"Schubert, P., Hermann, B., Bodden, E., & Leer, R. (2021). Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++. SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track).","ama":"Schubert P, Hermann B, Bodden E, Leer R. Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++. In: SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track). ; 2021.","bibtex":"@inproceedings{Schubert_Hermann_Bodden_Leer_2021, title={Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++}, booktitle={SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track)}, author={Schubert, Philipp and Hermann, Ben and Bodden, Eric and Leer, Richard}, year={2021} }","mla":"Schubert, Philipp, et al. 
“Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++.” SCAM ’21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track), 2021."},"year":"2021","language":[{"iso":"eng"}],"title":"Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++","user_id":"15249","status":"public","project":[{"name":"SFB 901 - B: SFB 901 - Project Area B","_id":"3"},{"_id":"12","name":"SFB 901 - B4: SFB 901 - Subproject B4"},{"name":"SFB 901: SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in dynamischen Märkten ","grant_number":"160364472","_id":"1"}],"date_created":"2021-10-18T12:52:12Z","author":[{"id":"60543","last_name":"Schubert","orcid":"0000-0002-8674-1859","full_name":"Schubert, Philipp","first_name":"Philipp"},{"last_name":"Hermann","id":"66173","first_name":"Ben","orcid":"0000-0001-9848-2017","full_name":"Hermann, Ben"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"},{"last_name":"Leer","full_name":"Leer, Richard","first_name":"Richard"}],"department":[{"_id":"76"}],"publication":"SCAM '21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track)"},{"citation":{"ama":"Schubert P, Sattler F, Schiebel F, Hermann B, Bodden E. Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++. In: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). ; 2021.","apa":"Schubert, P., Sattler, F., Schiebel, F., Hermann, B., & Bodden, E. (2021). Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM).","chicago":"Schubert, Philipp, Florian Sattler, Fabian Schiebel, Ben Hermann, and Eric Bodden. 
“Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++.” In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","mla":"Schubert, Philipp, et al. “Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++.” 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","bibtex":"@inproceedings{Schubert_Sattler_Schiebel_Hermann_Bodden_2021, title={Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++}, booktitle={2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)}, author={Schubert, Philipp and Sattler, Florian and Schiebel, Fabian and Hermann, Ben and Bodden, Eric}, year={2021} }","short":"P. Schubert, F. Sattler, F. Schiebel, B. Hermann, E. Bodden, in: 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM), 2021.","ieee":"P. Schubert, F. Sattler, F. Schiebel, B. Hermann, and E. 
Bodden, “Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++,” 2021."},"type":"conference","year":"2021","language":[{"iso":"eng"}],"_id":"26405","date_updated":"2023-06-15T08:57:24Z","date_created":"2021-10-18T12:50:35Z","project":[{"_id":"12","name":"SFB 901 - B4: SFB 901 - Subproject B4"},{"_id":"3","name":"SFB 901 - B: SFB 901 - Project Area B"},{"grant_number":"160364472","name":"SFB 901: SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in dynamischen Märkten ","_id":"1"}],"status":"public","publication":"2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)","department":[{"_id":"76"}],"author":[{"id":"60543","last_name":"Schubert","full_name":"Schubert, Philipp","orcid":"0000-0002-8674-1859","first_name":"Philipp"},{"last_name":"Sattler","full_name":"Sattler, Florian","first_name":"Florian"},{"last_name":"Schiebel","full_name":"Schiebel, Fabian","first_name":"Fabian"},{"full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","first_name":"Ben","id":"66173","last_name":"Hermann"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}],"title":"Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++","user_id":"15249"},{"date_updated":"2022-01-06T06:54:29Z","_id":"20507","intvolume":" 169","doi":"https://doi.org/10.1016/j.jss.2020.110697","citation":{"short":"J. Geismann, E. Bodden, Journal of Systems and Software 169 (2020) 110697.","ieee":"J. Geismann and E. Bodden, “A systematic literature review of model-driven security engineering for cyber–physical systems,” Journal of Systems and Software, vol. 169, p. 110697, 2020, doi: https://doi.org/10.1016/j.jss.2020.110697.","ama":"Geismann J, Bodden E. A systematic literature review of model-driven security engineering for cyber–physical systems. Journal of Systems and Software. 2020;169:110697. 
doi:https://doi.org/10.1016/j.jss.2020.110697","apa":"Geismann, J., & Bodden, E. (2020). A systematic literature review of model-driven security engineering for cyber–physical systems. Journal of Systems and Software, 169, 110697. https://doi.org/10.1016/j.jss.2020.110697","chicago":"Geismann, Johannes, and Eric Bodden. “A Systematic Literature Review of Model-Driven Security Engineering for Cyber–Physical Systems.” Journal of Systems and Software 169 (2020): 110697. https://doi.org/10.1016/j.jss.2020.110697.","mla":"Geismann, Johannes, and Eric Bodden. “A Systematic Literature Review of Model-Driven Security Engineering for Cyber–Physical Systems.” Journal of Systems and Software, vol. 169, 2020, p. 110697, doi:https://doi.org/10.1016/j.jss.2020.110697.","bibtex":"@article{Geismann_Bodden_2020, title={A systematic literature review of model-driven security engineering for cyber–physical systems}, volume={169}, DOI={https://doi.org/10.1016/j.jss.2020.110697}, journal={Journal of Systems and Software}, author={Geismann, Johannes and Bodden, Eric}, year={2020}, pages={110697} }"},"type":"journal_article","year":"2020","page":"110697","language":[{"iso":"eng"}],"title":"A systematic literature review of model-driven security engineering for cyber–physical systems","user_id":"5786","author":[{"full_name":"Geismann, Johannes","orcid":"https://orcid.org/0000-0003-2015-2047","first_name":"Johannes","id":"20063","last_name":"Geismann"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"department":[{"_id":"76"}],"publication":"Journal of Systems and Software","publication_identifier":{"issn":["0164-1212"]},"volume":169,"status":"public","date_created":"2020-11-26T08:32:56Z"},{"date_created":"2020-11-26T08:38:33Z","status":"public","department":[{"_id":"76"}],"publication":"IEEE Transactions on Software Engineering","author":[{"full_name":"Nguyen Quang Do, Lisa","first_name":"Lisa","last_name":"Nguyen Quang 
Do"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"}],"user_id":"5786","title":"Explaining Static Analysis with Rule Graphs","language":[{"iso":"eng"}],"type":"journal_article","year":"2020","citation":{"ieee":"L. Nguyen Quang Do and E. Bodden, “Explaining Static Analysis with Rule Graphs,” IEEE Transactions on Software Engineering, 2020.","short":"L. Nguyen Quang Do, E. Bodden, IEEE Transactions on Software Engineering (2020).","bibtex":"@article{Nguyen Quang Do_Bodden_2020, title={Explaining Static Analysis with Rule Graphs}, journal={IEEE Transactions on Software Engineering}, author={Nguyen Quang Do, Lisa and Bodden, Eric}, year={2020} }","mla":"Nguyen Quang Do, Lisa, and Eric Bodden. “Explaining Static Analysis with Rule Graphs.” IEEE Transactions on Software Engineering, 2020.","chicago":"Nguyen Quang Do, Lisa, and Eric Bodden. “Explaining Static Analysis with Rule Graphs.” IEEE Transactions on Software Engineering, 2020.","apa":"Nguyen Quang Do, L., & Bodden, E. (2020). Explaining Static Analysis with Rule Graphs. IEEE Transactions on Software Engineering.","ama":"Nguyen Quang Do L, Bodden E. Explaining Static Analysis with Rule Graphs. IEEE Transactions on Software Engineering. Published online 2020."},"main_file_link":[{"url":"http://www.bodden.de/pubs/tse20ruleGraphs.pdf"}],"_id":"20508","date_updated":"2022-01-06T06:54:29Z"},{"_id":"20509","date_updated":"2022-01-06T06:54:29Z","main_file_link":[{"url":"http://www.bodden.de/pubs/fjk+20pasapto.pdf"}],"language":[{"iso":"eng"}],"type":"conference","citation":{"ieee":"A. Fischer, J. Janneck, J. Kussmaul, N. Krätzschmar, F. Kerschbaum, and E. Bodden, “PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage,” 2020.","short":"A. Fischer, J. Janneck, J. Kussmaul, N. Krätzschmar, F. Kerschbaum, E. 
Bodden, in: 2020 IEEE Computer Security Foundations Symposium (CSF), 2020.","bibtex":"@inproceedings{Fischer_Janneck_Kussmaul_Krätzschmar_Kerschbaum_Bodden_2020, title={PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage}, booktitle={2020 IEEE Computer Security Foundations Symposium (CSF)}, author={Fischer, Andreas and Janneck, Jonas and Kussmaul, Jörn and Krätzschmar, Nikolas and Kerschbaum, Florian and Bodden, Eric}, year={2020} }","mla":"Fischer, Andreas, et al. “PASAPTO: Policy-Aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage.” 2020 IEEE Computer Security Foundations Symposium (CSF), 2020.","ama":"Fischer A, Janneck J, Kussmaul J, Krätzschmar N, Kerschbaum F, Bodden E. PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage. In: 2020 IEEE Computer Security Foundations Symposium (CSF). ; 2020.","apa":"Fischer, A., Janneck, J., Kussmaul, J., Krätzschmar, N., Kerschbaum, F., & Bodden, E. (2020). PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage. 2020 IEEE Computer Security Foundations Symposium (CSF).","chicago":"Fischer, Andreas, Jonas Janneck, Jörn Kussmaul, Nikolas Krätzschmar, Florian Kerschbaum, and Eric Bodden. 
“PASAPTO: Policy-Aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage.” In 2020 IEEE Computer Security Foundations Symposium (CSF), 2020."},"year":"2020","user_id":"5786","title":"PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage","department":[{"_id":"76"}],"publication":"2020 IEEE Computer Security Foundations Symposium (CSF)","author":[{"last_name":"Fischer","full_name":"Fischer, Andreas","first_name":"Andreas"},{"last_name":"Janneck","full_name":"Janneck, Jonas","first_name":"Jonas"},{"last_name":"Kussmaul","full_name":"Kussmaul, Jörn","first_name":"Jörn"},{"last_name":"Krätzschmar","first_name":"Nikolas","full_name":"Krätzschmar, Nikolas"},{"first_name":"Florian","full_name":"Kerschbaum, Florian","last_name":"Kerschbaum"},{"first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256"}],"date_created":"2020-11-26T08:40:08Z","status":"public"},{"title":"Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis","user_id":"5786","author":[{"first_name":"Manuel","full_name":"Benz, Manuel","last_name":"Benz"},{"last_name":"Krogh Kristensen","full_name":"Krogh Kristensen, Erik","first_name":"Erik"},{"full_name":"Luo, Linghui","first_name":"Linghui","last_name":"Luo"},{"last_name":"P. Borges Jr.","full_name":"P. Borges Jr., Nataniel","first_name":"Nataniel"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"},{"first_name":"Andreas","full_name":"Zeller, Andreas","last_name":"Zeller"}],"publication":"International Conference for Software Engineering (ICSE)","department":[{"_id":"76"}],"status":"public","date_created":"2020-11-26T08:47:56Z","date_updated":"2022-01-06T06:54:29Z","_id":"20510","citation":{"ieee":"M. Benz, E. Krogh Kristensen, L. Luo, N. P. Borges Jr., E. Bodden, and A. 
Zeller, “Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis,” 2020.","short":"M. Benz, E. Krogh Kristensen, L. Luo, N. P. Borges Jr., E. Bodden, A. Zeller, in: International Conference for Software Engineering (ICSE), 2020.","bibtex":"@inproceedings{Benz_Krogh Kristensen_Luo_P. Borges Jr._Bodden_Zeller_2020, title={Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis}, booktitle={International Conference for Software Engineering (ICSE)}, author={Benz, Manuel and Krogh Kristensen, Erik and Luo, Linghui and P. Borges Jr., Nataniel and Bodden, Eric and Zeller, Andreas}, year={2020} }","mla":"Benz, Manuel, et al. “Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis.” International Conference for Software Engineering (ICSE), 2020.","apa":"Benz, M., Krogh Kristensen, E., Luo, L., P. Borges Jr., N., Bodden, E., & Zeller, A. (2020). Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis. International Conference for Software Engineering (ICSE).","ama":"Benz M, Krogh Kristensen E, Luo L, P. Borges Jr. N, Bodden E, Zeller A. Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis. In: International Conference for Software Engineering (ICSE). ; 2020.","chicago":"Benz, Manuel, Erik Krogh Kristensen, Linghui Luo, Nataniel P. Borges Jr., Eric Bodden, and Andreas Zeller. “Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis.” In International Conference for Software Engineering (ICSE), 2020."},"year":"2020","type":"conference","language":[{"iso":"eng"}]},{"_id":"20511","date_updated":"2022-01-06T06:54:29Z","citation":{"short":"A. Fischer, B. Fuhry, F. Kerschbaum, E. Bodden, in: Privacy Enhancing Technologies Symposium (PETS/PoPETS), 2020.","ieee":"A. Fischer, B. Fuhry, F. Kerschbaum, and E. Bodden, “Computation on Encrypted Data using Dataflow Authentication,” 2020.","chicago":"Fischer, Andreas, Benny Fuhry, Florian Kerschbaum, and Eric Bodden. 
“Computation on Encrypted Data Using Dataflow Authentication.” In Privacy Enhancing Technologies Symposium (PETS/PoPETS), 2020.","apa":"Fischer, A., Fuhry, B., Kerschbaum, F., & Bodden, E. (2020). Computation on Encrypted Data using Dataflow Authentication. Privacy Enhancing Technologies Symposium (PETS/PoPETS).","ama":"Fischer A, Fuhry B, Kerschbaum F, Bodden E. Computation on Encrypted Data using Dataflow Authentication. In: Privacy Enhancing Technologies Symposium (PETS/PoPETS). ; 2020.","mla":"Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.” Privacy Enhancing Technologies Symposium (PETS/PoPETS), 2020.","bibtex":"@inproceedings{Fischer_Fuhry_Kerschbaum_Bodden_2020, title={Computation on Encrypted Data using Dataflow Authentication}, booktitle={Privacy Enhancing Technologies Symposium (PETS/PoPETS)}, author={Fischer, Andreas and Fuhry, Benny and Kerschbaum, Florian and Bodden, Eric}, year={2020} }"},"type":"conference","year":"2020","language":[{"iso":"eng"}],"main_file_link":[{"url":"http://www.bodden.de/pubs/ffk+20computation.pdf"}],"title":"Computation on Encrypted Data using Dataflow Authentication","user_id":"5786","status":"public","date_created":"2020-11-26T08:50:59Z","author":[{"last_name":"Fischer","full_name":"Fischer, Andreas","first_name":"Andreas"},{"first_name":"Benny","full_name":"Fuhry, Benny","last_name":"Fuhry"},{"last_name":"Kerschbaum","first_name":"Florian","full_name":"Kerschbaum, Florian"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"}],"department":[{"_id":"76"}],"publication":"Privacy Enhancing Technologies Symposium (PETS/PoPETS)"},{"related_material":{"link":[{"url":"http://www.bodden.de/pubs/krueger20cognicryptgen.pdf","relation":"confirmation"}]},"user_id":"5786","title":"CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs","publication":"International Symposium on Code Generation and Optimization 
(CGO)","department":[{"_id":"76"}],"author":[{"last_name":"Krüger","full_name":"Krüger, Stefan","first_name":"Stefan"},{"full_name":"Ali, Karim","first_name":"Karim","last_name":"Ali"},{"last_name":"Bodden","full_name":"Bodden, Eric","first_name":"Eric"}],"date_created":"2020-11-26T08:51:01Z","status":"public","_id":"20512","date_updated":"2022-01-06T06:54:29Z","language":[{"iso":"eng"}],"page":"185-198","type":"conference","citation":{"chicago":"Krüger, Stefan, Karim Ali, and Eric Bodden. “CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs.” In International Symposium on Code Generation and Optimization (CGO), 185–98, 2020.","apa":"Krüger, S., Ali, K., & Bodden, E. (2020). CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs. International Symposium on Code Generation and Optimization (CGO), 185–198.","ama":"Krüger S, Ali K, Bodden E. CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs. In: International Symposium on Code Generation and Optimization (CGO). ; 2020:185-198.","mla":"Krüger, Stefan, et al. “CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs.” International Symposium on Code Generation and Optimization (CGO), 2020, pp. 185–98.","bibtex":"@inproceedings{Krüger_Ali_Bodden_2020, title={CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs}, booktitle={International Symposium on Code Generation and Optimization (CGO)}, author={Krüger, Stefan and Ali, Karim and Bodden, Eric}, year={2020}, pages={185–198} }","short":"S. Krüger, K. Ali, E. Bodden, in: International Symposium on Code Generation and Optimization (CGO), 2020, pp. 185–198.","ieee":"S. Krüger, K. Ali, and E. Bodden, “CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs,” in International Symposium on Code Generation and Optimization (CGO), 2020, pp. 185–198."},"year":"2020"},{"date_updated":"2022-01-06T06:54:29Z","_id":"20513","type":"dissertation","citation":{"ieee":"S. 
Krüger, CogniCrypt -- The Secure Integration of Cryptographic Software. Universitaetsbibliothek Paderborn, 2020.","short":"S. Krüger, CogniCrypt -- The Secure Integration of Cryptographic Software, Universitaetsbibliothek Paderborn, 2020.","mla":"Krüger, Stefan. CogniCrypt -- The Secure Integration of Cryptographic Software. Universitaetsbibliothek Paderborn, 2020.","bibtex":"@book{Krüger_2020, title={CogniCrypt -- The Secure Integration of Cryptographic Software}, publisher={Universitaetsbibliothek Paderborn}, author={Krüger, Stefan}, year={2020} }","ama":"Krüger S. CogniCrypt -- The Secure Integration of Cryptographic Software. Universitaetsbibliothek Paderborn; 2020.","apa":"Krüger, S. (2020). CogniCrypt -- The Secure Integration of Cryptographic Software. Universitaetsbibliothek Paderborn.","chicago":"Krüger, Stefan. CogniCrypt -- The Secure Integration of Cryptographic Software. Universitaetsbibliothek Paderborn, 2020."},"year":"2020","supervisor":[{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://digital.ub.uni-paderborn.de/hs/document/preview/3500836"}],"title":"CogniCrypt -- The Secure Integration of Cryptographic Software","user_id":"5786","abstract":[{"lang":"ger","text":"Frühere Studien haben empirisch offenbart, dass Fehlbenutzungen von kryptographischen APIs in Softwareanwendungen weitverbreitet sind. Dies geschieht vor allem, weil Software-Entwickler_innen aufgrund schlechten API-Designs und fehlenden Kryptographiewissens Probleme bekommen, wenn sie versuchen kryptographische Features zu implementieren. Die Literatur liefert mehrere Ansätze und Vorschläge diese Probleme zu lösen, aber alle scheitern schlussendlich auf die eine oder andere Weise daran die Anforderungen der Entwickler_innen zu erfüllen. 
Das Resultat ist eine insgesamt lückenhafte Landschaft verschiedener nur wenig komplementärer Ansätze. In dieser Arbeit adressieren wir das Problem kryptographischer Fehlbenutzungen systematischer durch CogniCrypt. CogniCrypt integriert verschiedene Arten von Tool Support in einen gemeinsamen Ansatz, der Entwickler_innen davon befreit wissen zu müssen, wie diese APIs benutzt werden müssen. Zentral für unseren Ansatz ist CrySL, eine Beschreibungssprache, die die kognitive Lücke zwischen Kryptographie-Expert_innen und Software-Entwickler_innen überbrückt. CrySL ermöglicht es Kryptographie-Expert_innen zu spezifizieren, wie die APIs, die sie bereitstellen, richtig benutzt werden. Wir haben einen Compiler für CrySL implementiert, der es erlaubt auf CrySL-Spezifikationen aufbauenden Tool Support zu entwickeln. Wir haben weiterhin die statische Analyse CogniCrypt_SAST und den Code-Generator CogniCrypt_GEN entwickelt. Schlussendlich haben wir CogniCrypt prototypisch implementiert und diesen Prototyp in einem kontrollierten Experiment evaluiert.\r\n"}],"date_created":"2020-11-26T09:02:19Z","status":"public","department":[{"_id":"76"}],"publisher":"Universitaetsbibliothek Paderborn","author":[{"last_name":"Krüger","first_name":"Stefan","full_name":"Krüger, Stefan"}]},{"_id":"20518","date_updated":"2022-01-06T06:54:29Z","doi":"10.1145/3365438.3410946","language":[{"iso":"eng"}],"citation":{"chicago":"Koch, Thorsten, Stefan Dziwok, Jörg Holtmann, and Eric Bodden. “Scenario-Based Specification of Security Protocols and Transformation to Security Model Checkers.” In ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20). ACM, 2020. https://doi.org/10.1145/3365438.3410946.","ama":"Koch T, Dziwok S, Holtmann J, Bodden E. Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers. In: ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20). ACM; 2020. 
doi:10.1145/3365438.3410946","apa":"Koch, T., Dziwok, S., Holtmann, J., & Bodden, E. (2020). Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers. ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20). https://doi.org/10.1145/3365438.3410946","mla":"Koch, Thorsten, et al. “Scenario-Based Specification of Security Protocols and Transformation to Security Model Checkers.” ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20), ACM, 2020, doi:10.1145/3365438.3410946.","bibtex":"@inproceedings{Koch_Dziwok_Holtmann_Bodden_2020, title={Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers}, DOI={10.1145/3365438.3410946}, booktitle={ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20)}, publisher={ACM}, author={Koch, Thorsten and Dziwok, Stefan and Holtmann, Jörg and Bodden, Eric}, year={2020} }","short":"T. Koch, S. Dziwok, J. Holtmann, E. Bodden, in: ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20), ACM, 2020.","ieee":"T. Koch, S. Dziwok, J. Holtmann, and E. 
Bodden, “Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers,” 2020, doi: 10.1145/3365438.3410946."},"type":"conference","year":"2020","user_id":"5786","title":"Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers","publication":"ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20)","department":[{"_id":"76"},{"_id":"241"},{"_id":"662"}],"author":[{"first_name":"Thorsten","full_name":"Koch, Thorsten","last_name":"Koch","id":"13616"},{"first_name":"Stefan","orcid":"http://orcid.org/0000-0002-8679-6673","full_name":"Dziwok, Stefan","last_name":"Dziwok","id":"3901"},{"first_name":"Jörg","full_name":"Holtmann, Jörg","orcid":"0000-0001-6141-4571","last_name":"Holtmann","id":"3875"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"}],"publisher":"ACM","date_created":"2020-11-26T10:19:54Z","status":"public"}]