TY - CONF
AB - Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.
AU - Khedkar, Mugdha
AU - Bodden, Eric
ID - 52235
KW - static program analysis
KW - data protection and privacy
KW - GDPR compliance
T2 - Proceedings of the 9th International Conference on Mobile Software Engineering and Systems
TI - Toward an Android Static Analysis Approach for Data Protection
ER -

TY - JOUR
AU - Bodden, Eric
AU - Pottebaum, Jens
AU - Fockel, Markus
AU - Gräßler, Iris
ID - 52587
IS - 1
JF - IEEE Security & Privacy
KW - Law
KW - Electrical and Electronic Engineering
KW - Computer Networks and Communications
SN - 1540-7993
TI - Evaluating Security Through Isolation and Defense in Depth
VL - 22
ER -

TY - GEN
AB - Context: Static analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results. Method: To address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview. Result: We found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis. Conclusion: Our results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains.
AU - Wickert, Anna-Katharina
AU - Schlichtig, Michael
AU - Vogel, Marvin
AU - Winter, Lukas
AU - Mezini, Mira
AU - Bodden, Eric
ID - 52663
KW - Static analysis
KW - error chains
KW - false positive reduction
KW - empirical studies
TI - Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability
ER -

TY - CONF
AU - Dann, Andreas Peter
AU - Hermann, Ben
AU - Bodden, Eric
ID - 35083
TI - UpCy: Safely Updating Outdated Dependencies
ER -

TY - CONF
AU - Luo, Linghui
AU - Piskachev, Goran
AU - Krishnamurthy, Ranjith
AU - Dolby, Julian
AU - Schäf, Martin
AU - Bodden, Eric
ID - 41812
T2 - IEEE International Conference on Software Testing, Verification and Validation (ICST)
TI - Model Generation For Java Frameworks
ER -

TY - CONF
AU - Shivarpatna Venkatesh, Ashwin Prasad
AU - Wang, Jiawei
AU - Li, Li
AU - Bodden, Eric
ID - 41813
T2 - IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
TI - Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
ER -

TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 45312
T2 - 2023 IEEE Conference on Software Testing, Verification and Validation (ICST)
TI - Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis
ER -

TY - JOUR
AU - Torres, Adriano
AU - Costa, Pedro
AU - Amaral, Luis
AU - Pastro, Jonata
AU - Bonifácio, Rodrigo
AU - d'Amorim, Marcelo
AU - Legunsen, Owolabi
AU - Bodden, Eric
AU - Dias Canedo, Edna
ID - 46816
IS - 10
JF - IEEE Transactions on Software Engineering
KW - Software
SN - 0098-5589
TI - Runtime Verification of Crypto APIs: An Empirical Study
VL - 49
ER -

TY - JOUR
AB - The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. The configuration options that are found most useful relate to the analysis scope.
AU - Piskachev, Goran
AU - Becker, Matthias
AU - Bodden, Eric
ID - 49439
IS - 5
JF - Empirical Software Engineering
KW - Software
SN - 1382-3256
TI - Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study
VL - 28
ER -

TY - CONF
AU - Krüger, Stefan
AU - Reif, Michael
AU - Wickert, Anna-Katharina
AU - Nadi, Sarah
AU - Ali, Karim
AU - Bodden, Eric
AU - Acar, Yasemin
AU - Mezini, Mira
AU - Fahl, Sascha
ID - 49438
T2 - 2023 IEEE Secure Development Conference (SecDev)
TI - Securing Your Crypto-API Usage Through Tool Support - A Usability Study
ER -