TY - JOUR
AB - AbstractMany critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer ’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.
AU - Schubert, Philipp
AU - Gazzillo, Paul
AU - Patterson, Zach
AU - Braha, Julian
AU - Schiebel, Fabian
AU - Hermann, Ben
AU - Wei, Shiyi
AU - Bodden, Eric
ID - 30511
IS - 1
JF - Automated Software Engineering
KW - inter-procedural static analysis
KW - software product lines
KW - preprocessor
KW - LLVM
KW - C/C++
SN - 0928-8910
TI - Static data-flow analysis for software product lines in C
VL - 29
ER -
TY - JOUR
AB -
Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of
gadgets
present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it
public
– can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks.
For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
AU - Sayar, Imen
AU - Bartel, Alexandre
AU - Bodden, Eric
AU - Le Traon, Yves
ID - 33835
JF - ACM Transactions on Software Engineering and Methodology
KW - Software
SN - 1049-331X
TI - An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
ER -
TY - JOUR
AU - Piskachev, Goran
AU - Späth, Johannes
AU - Budde, Ingo
AU - Bodden, Eric
ID - 33836
IS - 5
JF - Empirical Software Engineering
TI - Fluently specifying taint-flow queries with fluentTQL
VL - 27
ER -
TY - CONF
AU - Krishnamurthy, Ranjith
AU - Piskachev, Goran
AU - Bodden, Eric
ID - 33838
TI - To what extent can we analyze Kotlin programs using existing Java taint analysis tools?
ER -
TY - CONF
AU - Piskachev, Goran
AU - Dziwok, Stefan
AU - Koch, Thorsten
AU - Merschjohann, Sven
AU - Bodden, Eric
ID - 33837
TI - How far are German companies in improving security through static program analysis tools?
ER -
TY - GEN
AB - Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.
AU - Wickert, Anna-Katharina
AU - Baumgärtner, Lars
AU - Schlichtig, Michael
AU - Mezini, Mira
ID - 33959
TI - To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild
ER -
TY - JOUR
AB - Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.
AU - Luo, Linghui
AU - Pauck, Felix
AU - Piskachev, Goran
AU - Benz, Manuel
AU - Pashchenko, Ivan
AU - Mory, Martin
AU - Bodden, Eric
AU - Hermann, Ben
AU - Massacci, Fabio
ID - 27045
JF - Empirical Software Engineering
SN - 1382-3256
TI - TaintBench: Automatic real-world malware benchmarking of Android taint analyses
ER -
TY - THES
AU - Luo, Linghui
ID - 27158
TI - Improving Real-World Applicability of Static Taint Analysis
ER -
TY - JOUR
AU - Stockmann, Lars
AU - Laux, Sven
AU - Bodden, Eric
ID - 21595
JF - Journal of Automotive Software Engineering
SN - 2589-2258
TI - Using Architectural Runtime Verification for Offline Data Analysis
ER -
TY - THES
AU - Fischer, Andreas
ID - 21596
TI - Computing on Encrypted Data using Trusted Execution Environments
ER -
TY - JOUR
AU - Holzinger, Philipp
AU - Bodden, Eric
ID - 21597
JF - International Symposium on Advanced Security on Software and Systems (ASSS)
TI - A Systematic Hardening of Java's Information Hiding
ER -
TY - JOUR
AU - Bonifacio, Rodrigo
AU - Krüger, Stefan
AU - Narasimhan, Krishna
AU - Bodden, Eric
AU - Mezini, Mira
ID - 21599
JF - European Conference on Object-Oriented Programming (ECOOP)
TI - Dealing with Variability in API Misuse Specification
ER -
TY - CONF
AU - Shivarpatna Venkatesh, Ashwin Prasad
AU - Bodden, Eric
ID - 22462
T2 - International Workshop on AI and Software Testing/Analysis (AISTA)
TI - Automated Cell Header Generator for Jupyter Notebooks
ER -
TY - CONF
AU - Kummita, Sriteja
AU - Piskachev, Goran
AU - Spath, Johannes
AU - Bodden, Eric
ID - 23374
T2 - 2021 International Conference on Code Quality (ICCQ)
TI - Qualitative and Quantitative Analysis of Callgraph Algorithms for Python
ER -
TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 30084
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SootFX: A Static Code Feature Extraction Tool for Java and Android
ER -
TY - CONF
AB - Static analysis is used to automatically detect bugs and security breaches, and aids compileroptimization. Whole-program analysis (WPA) can yield high precision, however causes long analysistimes and thus does not match common software-development workflows, making it often impracticalto use for large, real-world applications.This paper thus presents the design and implementation ofModAlyzer, a novel static-analysisapproach that aims at accelerating whole-program analysis by making the analysis modular andcompositional. It shows how to computelossless, persisted summaries for callgraph, points-to anddata-flow information, and it reports under which circumstances this function-level compositionalanalysis outperforms WPA.We implementedModAlyzeras an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. At analysis time,ModAlyzermodularly and losslessly summarizesthe analysis effect of the library code those applications share, hence avoiding its repeated re-analysis.The experimental results show that the reuse of these summaries can save, on average, 72% ofanalysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retainsprecision and recall. Surprisingly, as our results show, it sometimes even yields precision superior toWPA. The initial summary generation, on average, takes about 3.67 times as long as WPA.
AU - Schubert, Philipp
AU - Hermann, Ben
AU - Bodden, Eric
ID - 21598
T2 - European Conference on Object-Oriented Programming (ECOOP)
TI - Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis
ER -
TY - JOUR
AU - Dann, Andreas Peter
AU - Plate, Henrik
AU - Hermann, Ben
AU - Ponta, Serena Elisa
AU - Bodden, Eric
ID - 31132
JF - IEEE Transactions on Software Engineering
KW - Software
SN - 0098-5589
TI - Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
ER -
TY - CONF
AU - Piskachev, Goran
AU - Krishnamurthy, Ranjith
AU - Bodden, Eric
ID - 26407
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SecuCheck: Engineering configurable taint analysis for software developers
ER -
TY - CONF
AU - Luo, Linghui
AU - Schäf, Martin
AU - Sanchez, Daniel
AU - Bodden, Eric
ID - 22463
T2 - Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
TI - IDE Support for Cloud-Based Static Analyses
ER -
TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 33840
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SootFX: A Static Code Feature Extraction Tool for Java and Android
ER -
TY - CONF
AU - Schubert, Philipp
AU - Hermann, Ben
AU - Bodden, Eric
AU - Leer, Richard
ID - 26406
T2 - SCAM '21: IEEE International Working Conference on Source Code Analysis and Manipulation (Engineering Track)
TI - Into the Woods: Experiences from Building a Dataflow Analysis Framework for C/C++
ER -
TY - CONF
AU - Schubert, Philipp
AU - Sattler, Florian
AU - Schiebel, Fabian
AU - Hermann, Ben
AU - Bodden, Eric
ID - 26405
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - Modeling the Effects of Global Variables in Data-Flow Analysis for C/C++
ER -
TY - JOUR
AU - Geismann, Johannes
AU - Bodden, Eric
ID - 20507
JF - Journal of Systems and Software
SN - 0164-1212
TI - A systematic literature review of model-driven security engineering for cyber–physical systems
VL - 169
ER -
TY - JOUR
AU - Nguyen Quang Do, Lisa
AU - Bodden, Eric
ID - 20508
JF - IEEE Transactions on Software Engineering
TI - Explaining Static Analysis with Rule Graphs
ER -
TY - CONF
AU - Fischer, Andreas
AU - Janneck, Jonas
AU - Kussmaul, Jörn
AU - Krätzschmar, Nikolas
AU - Kerschbaum, Florian
AU - Bodden, Eric
ID - 20509
T2 - 2020 IEEE Computer Security Foundations Symposium (CSF)
TI - PASAPTO: Policy-aware Security and Performance Trade-off Analysis - Computation on Encrypted Data with Restricted Leakage
ER -
TY - CONF
AU - Benz, Manuel
AU - Krogh Kristensen, Erik
AU - Luo, Linghui
AU - P. Borges Jr., Nataniel
AU - Bodden, Eric
AU - Zeller, Andreas
ID - 20510
T2 - International Conference for Software Engineering (ICSE)
TI - Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis
ER -
TY - CONF
AU - Fischer, Andreas
AU - Fuhry, Benny
AU - Kerschbaum, Florian
AU - Bodden, Eric
ID - 20511
T2 - Privacy Enhancing Technologies Symposium (PETS/PoPETS)
TI - Computation on Encrypted Data using Dataflow Authentication
ER -
TY - CONF
AU - Krüger, Stefan
AU - Ali, Karim
AU - Bodden, Eric
ID - 20512
T2 - International Symposium on Code Generation and Optimization (CGO)
TI - CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs
ER -
TY - THES
AB - Frühere Studien haben empirisch offenbart, dass Fehlbenutzungen von kryptographischen APIs in Softwareanwendungen weitverbreitet sind. Dies geschieht vor allem, weil Software-Entwickler_innen aufgrund schlechten API-Designs und fehlenden Kryptographiewissens Probleme bekommen, wenn sie versuchen kryptographische Features zu implementieren. Die Literatur liefert mehrere Ansätze und Vorschläge diese Probleme zu lösen, aber alle scheitern schlussendlich auf die eine oder andere Weise daran die Anforderungen der Entwickler_innenzu erfüllen. Das Resultat ist eine insgesamt lückenhafte Landschaft verschiedener nur wenigkomplementärer Ansätze.In dieser Arbeit adressieren wir das Problem kryptographischer Fehlbenutzungen systematischer durch CogniCrypt. CogniCrypt integriert verschiedene Arten von Tool Supportin einen gemeinsamen Ansatz, der Entwickler_innen davon befreit wissen zu müssen, wie diese APIs benutzt werden müssen. Zentral für unseren Ansatz ist CrySL, eine Beschreibungssprache,die die kognitive Lücke zwischen Kryptographie-Expert_innen und Software-Entwickler_innenüberbrückt. CrySL ermöglicht es Kryptographie-Expert_innen zu spezifizeren, wie die APIs,die sie bereitstellen, richtig benutzt werden. Wir haben einen Compiler für CrySL implementiert, der es erlaubt auf CrySL-Spezifikationen aufbauenden Tool Support zu entwickeln. Wir haben weiterhin die statische Analyse CogniCrypt_SAST und den Code-Generator CogniCrypt_GEN entwickelt. Schlussendlich haben wir CogniCrypt prototypisch implementiert und diesen Prototyp in einem kontrollierten Experiment evaluiert.
AU - Krüger, Stefan
ID - 20513
TI - CogniCrypt -- The Secure Integration of Cryptographic Software
ER -
TY - CONF
AU - Koch, Thorsten
AU - Dziwok, Stefan
AU - Holtmann, Jörg
AU - Bodden, Eric
ID - 20518
T2 - ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20)
TI - Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers
ER -
TY - THES
AU - Gerking, Christopher
ID - 20521
TI - Model-Driven Information Flow Security Engineering for Cyber-Physical Systems
ER -
TY - GEN
AU - Schubert, Philipp
AU - Bodden, Eric
AU - Hermann, Ben
ID - 20712
TI - Accelerating Static Call-Graph, Points-to and Data-Flow Analysis Through Persisted Summaries
ER -
TY - CHAP
AB - Today, software systems are rarely developed monolithically, but may be composed of numerous individually developed features. Their modularization facilitates independent development and verification. While feature-based strategies to verify features in isolation have existed for years, they cannot address interactions between features. The problem with feature interactions is that they are typically unknown and may involve any subset of the features. Contrary, a family-based verification strategy captures feature interactions, but does not scale well when features evolve frequently. To the best of our knowledge, there currently exists no approach with focus on evolving features that combines both strategies and aims at eliminating their respective drawbacks. To fill this gap, we introduce Fefalution, a feature-family-based verification approach based on abstract contracts to verify evolving features and their interactions. Fefalution builds partial proofs for each evolving feature and then reuses the resulting partial proofs in verifying feature interactions, yielding a full verification of the complete software system. Moreover, to investigate whether a combination of both strategies is fruitful, we present the first empirical study for the verification of evolving features implemented by means of feature-oriented programming and by comparing Fefalution with another five family-based approaches varying in a set of optimizations. Our results indicate that partial proofs based on abstract contracts exhibit huge reuse potential, but also come with a substantial overhead for smaller evolution scenarios.
AU - Knüppel, Alexander
AU - Krüger, Stefan
AU - Thüm, Thomas
AU - Bubel, Richard
AU - Krieter, Sebastian
AU - Bodden, Eric
AU - Schaefer, Ina
ID - 20891
SN - 0302-9743
T2 - Lecture Notes in Computer Science
TI - Using Abstract Contracts for Verifying Evolving Features and Their Interactions
ER -
TY - CONF
AU - Piskachev, Goran
AU - Nguyen Quang Do, Lisa
AU - Johnson, Oshando
AU - Bodden, Eric
ID - 23376
T2 - 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)
TI - SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods
ER -
TY - CHAP
AU - Piskachev, Goran
AU - Petrasch, Tobias
AU - Späth, Johannes
AU - Bodden, Eric
ID - 23377
SN - 0302-9743
T2 - Lecture Notes in Computer Science
TI - AuthCheck: Program-State Analysis for Access-Control Vulnerabilities
ER -
TY - THES
AU - Holzinger, Philipp
ID - 20522
TI - A Systematic Analysis and Hardening of the Java Security Architecture
ER -
TY - THES
AU - Nguyen Quang Do, Lisa
ID - 20524
TI - User-Centered Tool Design for Data-Flow Analysis
ER -
TY - CONF
AU - Stockmann, Lars
AU - Laux, Sven
AU - Bodden, Eric
ID - 20525
T2 - 2019 IEEE International Conference on Software Architecture Companion (ICSA-C)
TI - Architectural Runtime Verification
ER -
TY - CONF
AU - Hazhirpasand, Mohammadreza
AU - Ghafari, Mohammad
AU - Krüger, Stefan
AU - Bodden, Eric
AU - Nierstrasz, Oskar
ID - 20527
SN - 1949-3770
T2 - 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
TI - The Impact of Developer Experience in Using Java Cryptography
ER -
TY - CONF
AU - Piskachev, Goran
AU - Petrasch, Tobias
AU - Späth, Johannes
AU - Bodden, Eric
ID - 20528
T2 - 10th Workshop on Tools for Automatic Program Analysis (TAPAS)
TI - AuthCheck: Program-state Analysis for Access-control Vulnerabilities
ER -
TY - CONF
AU - Nachtigall, Marcus
AU - Nguyen Quang Do, Lisa
AU - Bodden, Eric
ID - 20529
T2 - 1st International Workshop on Explainable Software (EXPLAIN) at ASE
TI - Explaining Static Analysis -- A Perspective
ER -
TY - CONF
AU - Luo, Linghui
AU - Bodden, Eric
AU - Späth, Johannes
ID - 20531
T2 - IEEE/ACM International Conference on Automated Software Engineering (ASE 2019)
TI - A Qualitative Analysis of Android Taint-Analysis Results
ER -
TY - CONF
AU - Piskachev, Goran
AU - Nguyen Quang Do, Lisa
AU - Johnson, Oshando
AU - Bodden, Eric
ID - 20532
T2 - IEEE/ACM International Conference on Automated Software Engineering (ASE 2019), Tool Demo Track
TI - SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods
ER -
TY - JOUR
AU - Krüger, Stefan
AU - Späth, Johannes
AU - Ali, Karim
AU - Bodden, Eric
AU - Mezini, Mira
ID - 20533
JF - IEEE Transactions on Software Engineering
KW - Java
KW - Encryption
KW - Static analysis
KW - Tools
KW - Ciphers
KW - Semantics
KW - cryptography
KW - domain-specific language
KW - static analysis
SN - 2326-3881
TI - CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs
ER -
TY - CONF
AU - Piskachev, Goran
AU - Nguyen Quang Do, Lisa
AU - Bodden, Eric
ID - 20534
T2 - ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)
TI - Codebase-Adaptive Detection of Security-Relevant Methods
ER -
TY - CONF
AU - Luo, Linghui
AU - Dolby, Julian
AU - Bodden, Eric
ID - 20535
T2 - European Conference on Object-Oriented Programming (ECOOP)
TI - MagpieBridge: A General Approach to Integrating Static Analyses into IDEs and Editors
ER -
TY - THES
AU - Späth, Johannes
ID - 20536
TI - Synchronized Pushdown Systems for Pointer and Data-Flow Analysis
ER -
TY - GEN
AU - Piskachev, Goran
AU - Nguyen, Lisa
AU - Bodden, Eric
ID - 20537
TI - Codebase-Adaptive Detection of Security-Relevant Methods
ER -
TY - CONF
AU - Albert Gorski Iii, Sigmund
AU - Andow, Benjamin
AU - Nadkarni, Adwait
AU - Manandhar, Sunil
AU - Enck, William
AU - Bodden, Eric
AU - Bartel, Alexandre
ID - 20538
KW - ITSECWEBSITE
KW - CROSSING
T2 - ACM Conference on Data and Application Security and Privacy (CODASPY 2019)
TI - ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
ER -
TY - JOUR
AU - Späth, Johannes
AU - Ali, Karim
AU - Bodden, Eric
ID - 20539
IS - POPL
JF - Proceedings of the ACM SIGPLAN Symposium on Principles of Programming Languages
KW - ATTRACT
KW - ITSECWEBSITE
KW - CROSSING
SN - 2475-1421
TI - Context-, Flow-, and Field-sensitive Data-flow Analysis Using Synchronized Pushdown Systems
VL - 3
ER -
TY - CONF
AU - Gerking, Christopher
AU - Schubert, David
ID - 20759
T2 - International Conference on Software Architecture (ICSA 2019)
TI - Component-Based Refinement and Verification of Information-Flow Security Policies for Cyber-Physical Microservice Architectures
ER -
TY - CONF
AU - Piskachev, Goran
AU - Do, Lisa Nguyen Quang
AU - Bodden, Eric
ID - 23378
T2 - Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis
TI - Codebase-adaptive detection of security-relevant methods
ER -
TY - GEN
AU - Selbach, Nils
ID - 7628
TI - Modeling Crypto API usages in OpenSSL's EVP library
ER -
TY - JOUR
AU - Dann, Andreas
AU - Hermann, Ben
AU - Bodden, Eric
ID - 14896
JF - IEEE Transactions on Software Engineering
SN - 0098-5589
TI - ModGuard: Identifying Integrity &Confidentiality Violations in Java Modules
ER -
TY - CONF
AU - Dann, Andreas
AU - Hermann, Ben
AU - Bodden, Eric
ID - 14897
SN - 9781450367202
T2 - Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019
TI - SootDiff: bytecode comparison across different Java compilers
ER -
TY - CONF
AU - Kruger, Stefan
AU - Hermann, Ben
ID - 14899
SN - 9781728122458
T2 - 2019 IEEE/ACM 2nd International Workshop on Gender Equality in Software Engineering (GE)
TI - Can an Online Service Predict Gender? On the State-of-the-Art in Gender Identification from Texts
ER -
TY - CONF
AU - Schubert, Philipp
AU - Hermann, Ben
AU - Bodden, Eric
ID - 7626
T2 - Proceedings of the 25th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2019), Held as Part of the European Joint Conferences on Theory and Practice of Software (ETAPS 2019)
TI - PhASAR: An Inter-Procedural Static Analysis Framework for C/C++
VL - II
ER -
TY - CONF
AU - Schubert, Philipp
AU - Leer, Richard
AU - Hermann, Ben
AU - Bodden, Eric
ID - 14898
SN - 9781450367202
T2 - Proceedings of the 8th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis - SOAP 2019
TI - Know your analysis: how instrumentation aids understanding static analysis
ER -
TY - GEN
AB - In recent years, researchers have developed a number of tools to conduct
taint analysis of Android applications. While all the respective papers aim at
providing a thorough empirical evaluation, comparability is hindered by varying
or unclear evaluation targets. Sometimes, the apps used for evaluation are not
precisely described. In other cases, authors use an established benchmark but
cover it only partially. In yet other cases, the evaluations differ in terms of
the data leaks searched for, or lack a ground truth to compare against. All
those limitations make it impossible to truly compare the tools based on those
published evaluations.
We thus present ReproDroid, a framework allowing the accurate comparison of
Android taint analysis tools. ReproDroid supports researchers in inferring the
ground truth for data leaks in apps, in automatically applying tools to
benchmarks, and in evaluating the obtained results. We use ReproDroid to
comparatively evaluate on equal grounds the six prominent taint analysis tools
Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are
largely positive although four tools violate some promises concerning features
and accuracy. Finally, we contribute to the area of unbiased benchmarking with
a new and improved version of the open test suite DroidBench.
AU - Pauck, Felix
AU - Bodden, Eric
AU - Wehrheim, Heike
ID - 2711
T2 - arXiv:1804.02903
TI - Do Android Taint Analysis Tools Keep their Promises?
ER -
TY - CONF
AU - Bodden, Eric
AU - Nguyen Quang Do, Lisa
ID - 20530
SN - 978-3-88579-673-2
T2 - Software Engineering und Software Management 2018, Fachtagung des GI-Fachbereichs Softwaretechnik, {SE} 2018, 5.-9. M{\"{a}}rz 2018, Ulm, Germany.
TI - Explainable Static Analysis
ER -
TY - JOUR
AU - Nguyen Quang Do, Lisa
AU - Krüger, Stefan
AU - Hill, Patrick
AU - Ali, Karim
AU - Bodden, Eric
ID - 20543
JF - IEEE Transactions on Software Engineering
KW - Debugging
KW - Static analysis
KW - Tools
KW - Computer bugs
KW - Standards
KW - Writing
KW - Encoding
KW - Testing and Debugging
KW - Program analysis
KW - Development tools
KW - Integrated environments
KW - Graphical environments
KW - Usability testing
SN - 2326-3881
TI - Debugging Static Analysis
ER -
TY - GEN
ED - Tichy, Matthias
ED - Bodden, Eric
ED - Kuhrmann, Marco
ED - Wagner, Stefan
ED - Steghöfer, Jan-Philipp
ID - 20544
SN - 978-3-88579-673-2
TI - Software Engineering und Software Management 2018, Fachtagung des GI-Fachbereichs Softwaretechnik, SE 2018, 5.-9. März 2018, Ulm, Germany
VL - {P-279}
ER -
TY - GEN
ED - Tip, Frank
ED - Bodden, Eric
ID - 20545
TI - Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, Amsterdam, The Netherlands, July 16-21, 2018
ER -
TY - CONF
AU - Gerking, Christopher
AU - Schubert, David
AU - Bodden, Eric
ED - Payer, Mathias
ED - Rashid, Awais
ED - Such, Jose M.
ID - 20546
T2 - Engineering Secure Software and Systems
TI - Model Checking the Information Flow Security of Real-Time Systems
ER -
TY - CONF
AU - Nguyen Quang Do, Lisa
AU - Bodden, Eric
ID - 20547
KW - Gamification
KW - Integrated Environments
KW - Program analysis
SN - 978-1-4503-5573-5
T2 - Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
TI - Gamifying Static Analysis
ER -
TY - CONF
AU - Bodden, Eric
ID - 20548
KW - ATTRACT
KW - ITSECWEBSITE
SN - 978-1-4503-5939-9
T2 - ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2018)
TI - The Secret Sauce in Efficient and Precise Static Analysis: The Beauty of Distributive, Summary-based Static Analyses (and How to Master Them)
ER -
TY - CONF
AU - Geismann, Johannes
AU - Gerking, Christopher
AU - Bodden, Eric
ID - 20549
KW - ITSECWEBSITE
T2 - International Conference on Software and System Processes (ICSSP)
TI - Towards Ensuring Security by Design in Cyber-Physical Systems Engineering Processes
ER -
TY - CONF
AU - Bodden, Eric
ID - 20550
KW - ATTRACT
KW - ITSECWEBSITE
SN - 978-1-4503-5662-6
T2 - Proceedings of the 40th International Conference on Software Engineering: New Ideas and Emerging Results
TI - Self-adaptive Static Analysis
ER -
TY - CONF
AU - Nguyen Quang Do, Lisa
AU - Krüger, Stefan
AU - Hill, Patrick
AU - Ali, Karim
AU - Bodden, Eric
ID - 20551
KW - ATTRACT
KW - ITSECWEBSITE
T2 - International Conference for Software Engineering (ICSE), Tool Demonstrations Track
TI - VISUFLOW, a Debugging Environment for Static Analyses
ER -
TY - THES
AB - Der hohe Grad an Innovation in mechatronischen Systemen führt zu sogenannten Cyber-Physical Systems (CPS). Diese haben eine komplexe Funktionalität und Kommunikation. Wie sicherheitskritisch solche Systeme sind, wird durch sogenannte Sicherheits-Integritätslevel (SIL) kategorisiert, die durch Normen wie der ISO 26262 definiert werden. Ein bestimmter SIL beschreibt nicht nur die Höhe des Gefährdungsrisikos, sondern diktiert auch den erforderlichen Grad an Sorgfalt bei der Entwicklung des Systems. Ein hoher SIL erfordert die Anwendung von Safety-Maßnahmen mit einem hohen Sorgfaltsgrad in allen Phasen der Entwicklung und impliziert daher einen hohen Safety-Aufwand. SIL-Tailoring ist ein Mittel um den Safety-Aufwand zu reduzieren, indem man Subsystemen geringere SILs zuordnet, falls sie von kritischeren Subsystemen getrennt sind oder redundante Safety-Anforderungen erfüllen. Um den nötigen Safety-Aufwand zu planen, sollten Möglichkeiten für SIL-Tailoring so früh wie möglich identifiziert werden - d.h. bereits in der Anforderungsanalyse. Durch die Komplexität von CPS, ist es schwierig valide SIL-Tailorings zu finden. Die Validität von SIL-Tailorings muss durch Analyse von Fehlerpropagierungspfaden geprüft und durch Argumente im Safety Case begründet werden. Der Beitrag dieser Dissertation ist ein systematischer, tool-unterstützter SIL-Tailoring-Prozess, der im Safety Requirements Engineering angewendet wird. Der Prozess nutzt eine modell-basierte, formale Anforderungsspezifikation und stellt einen Katalog von Anforderungsmustern bereit. Basierend auf diesen Anforderungen werden Fehlerpropagierungsmodelle generiert und Subsystemen automatisch SILs zugeordnet. Das minimiert den Sicherheitsanalyseaufwand. Aus den generierten Ergebnissen wird automatisch ein Safety Case mit Argumenten für die SIL-Tailoring-Validität abgeleitet.
AU - Fockel, Markus
ID - 20779
TI - Safety Requirements Engineering for Early SIL Tailoring
ER -
TY - CONF
AU - Gerking, Christopher
AU - Schubert, David
ID - 20781
IS - 11048
T2 - European Conference on Software Architecture (ECSA 2018)
TI - Towards Preserving Information Flow Security on Architectural Composition of Cyber-Physical Systems
ER -
TY - CONF
AU - Geismann, Johannes
ID - 20784
T2 - IEEE International Conference on Software Architecture Companion (ICSA-C 2018)
TI - Traceable Threat Modeling for Safety-critical Systems
ER -
TY - CONF
AB - Cyber-physical Systems are distributed, embedded systems that interact with their physical environment. Typically, these systems consist of several Electronic Control Units using multiple processing cores for the execution. Many systems are applied in safety-critical contexts and have to fulfill hard real-time requirements. The model-driven engineering paradigm enables system developers to consider all requirements in a systematical manner. In the software design phase, they prove the fulfillment of the requirements using model checking. When deploying the software to the executing platform, one important task is to ensure that the runtime scheduling does not violate the verified requirements by neglecting the model checking assumptions. Current model-driven approaches do not consider the problem of deriving feasible execution schedules for embedded multi-core platforms respecting hard real-time requirements. This paper extends the previous work on providing an approach for a semi-automatic synthesis of behavioral models into a deterministic real-time scheduling. We add an approach for the partitioning and mapping development tasks. This extended approach enables the utilization of parallel resources within a single ECU considering the verification assumptions by extending the open tool platform App4mc. We evaluate our approach using an example of a distributed automotive system with hard real-time requirements specified with the MechatronicUML method.
AU - Geismann, Johannes
AU - Höttger, Robert
AU - Krawczyk, Lukas
AU - Pohlmann, Uwe
AU - Schmelter, David
ED - Pires, Luís Ferreira
ED - Hammoudi, Slimane
ED - Selic, Bran
ID - 20785
T2 - Model-Driven Engineering and Software Development
TI - Automated Synthesis of a Real-Time Scheduling for Cyber-Physical Multi-core Systems
VL - 1
ER -
TY - THES
AU - Pohlmann, Uwe
ID - 20789
TI - A Model-driven Software Construction Approach for Cyber-physical Systems
ER -
TY - CONF
AU - Pauck, Felix
AU - Bodden, Eric
AU - Wehrheim, Heike
ID - 4999
SN - 9781450355735
T2 - Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE 2018
TI - Do Android taint analysis tools keep their promises?
ER -
TY - CONF
AU - Krüger, Stefan
AU - Späth, Johannes
AU - Ali, Karim
AU - Bodden, Eric
AU - Mezini, Mira
ID - 5203
KW - ITSECWEBSITE
KW - CROSSING
T2 - European Conference on Object-Oriented Programming (ECOOP)
TI - CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs
ER -
TY - GEN
AU - Leer, Richard
ID - 1044
TI - Measuring Performance of a Static Analysis Framework with an application to Immutability Analysis
ER -
TY - GEN
AU - Strüwer, Jan Niclas
ID - 1045
TI - Interactive Data Visualization for Exploded Supergraphs
ER -
TY - CHAP
AB - Das Zukunftsszenario der Industrie 4.0 ist gepr{\"a}gt durch einen massiven Anstieg der unternehmens{\"u}bergreifenden Vernetzung. Um einer Bedrohung durch unautorisierte Weitergabe oder Sabotage vertraulicher Daten entgegenzuwirken, muss der Informationssicherheit bereits im Entwurf der cyber-physischen Produktionssysteme ein hoher Stellenwert einger{\"a}umt werden. Dieses Paradigma wird als Security by Design bezeichnet. {\"U}ber den gesamten Entstehungsprozess hinweg muss nachverfolgt werden k{\"o}nnen, ob die Systeme spezifische Anforderungen an die Informationssicherheit erf{\"u}llen und damit die Eigenschaft der Industrial Security gew{\"a}hrleisten. Dieser Beitrag stellt einen Entwurfsansatz zur Nachverfolgung der Informationssicherheit vor, der durch Integration softwaretechnischer Methoden in das Systems Engineering eine Entwicklung nach dem Paradigma Security by Design erm{\"o}glicht.
AU - Gerking, Christopher
AU - Bodden, Eric
AU - Schäfer, Wilhelm
ED - Maier, Günter W.
ED - Engels, Gregor
ED - Steffen, Eckhard
ID - 20552
KW - ITSECWEBSITE
SN - 978-3-662-52903-4
T2 - Handbuch Gestaltung digitaler und vernetzter Arbeitswelten
TI - Industrial Security by Design
ER -
TY - JOUR
AB - Finding and fixing software vulnerabilities have become a major struggle for most software development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. We use three machine learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that vulnerability type has less dominant impact on issue fix time than previously believed. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. The development teams at SAP develop different types of software, adopt different internal development processes, use different programming languages and platforms, and are located in different cities and countries. Other organizations, may use the results---with precaution---and be learning organizations.
AU - Ben Othmane, Lotfi
AU - Chehrazi, Golriz
AU - Bodden, Eric
AU - Tsalovski, Petar
AU - Brucker, Achim D.
ID - 20553
IS - 2
JF - Data Science and Engineering
SN - 2364-1541
TI - Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
VL - 2
ER -
TY - GEN
AU - Bodden, Eric
ID - 20554
TI - Self-adaptive static analysis
ER -
TY - GEN
AU - Krüger, Stefan
AU - Späth, Johannes
AU - Ali, Karim
AU - Bodden, Eric
AU - Mezini, Mira
ID - 20555
KW - ITSECWEBSITE
TI - CrySL: Validating Correct Usage of Cryptographic APIs
ER -
TY - JOUR
AU - Lillack, Max
AU - Kästner, Christian
AU - Bodden, Eric
ID - 20557
IS - 99
JF - IEEE Transactions on Software Engineering
KW - Androids
KW - Bluetooth
KW - Humanoid robots
KW - Java
KW - Software
KW - Tools
KW - Configuration options
KW - Static analysis
KW - Variability mining
SN - 0098-5589
TI - Tracking Load-time Configuration Options
VL - PP
ER -
TY - CONF
AU - Krüger, Stefan
AU - Nadi, Sarah
AU - Reif, Michael
AU - Ali, Karim
AU - Mezini, Mira
AU - Bodden, Eric
AU - Göpfert, Florian
AU - Günther, Felix
AU - Weinert, Christian
AU - Demmler, Daniel
AU - Kamath, Ram
ID - 20558
KW - ITSECWEBSITE
KW - CROSSING
T2 - International Conference on Automated Software Engineering (ASE 2017), Tool Demo Track
TI - CogniCrypt: Supporting Developers in using Cryptography
ER -
TY - CONF
AU - Do, Lisa Nguyen Quang
AU - Ali, Karim
AU - Livshits, Benjamin
AU - Bodden, Eric
AU - Smith, Justin
AU - Murphy-Hill, Emerson
ID - 20559
KW - Just-in-Time
KW - Layered analysis
KW - Static analysis
SN - 978-1-4503-5076-1
T2 - Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis
TI - Just-in-time Static Analysis
ER -
TY - CONF
AU - Nguyen Quang Do, Lisa
AU - Ali, Karim
AU - Livshits, Benjamin
AU - Bodden, Eric
AU - Smith, Justin
AU - Murphy-Hill, Emerson
ID - 20715
KW - ATTRACT
KW - ITSECWEBSITE
T2 - International Conference for Software Engineering (ICSE), Tool Demonstrations Track
TI - Cheetah: Just-in-Time Taint Analysis for Android Apps
ER -
TY - CONF
AU - Schivo, Stefano
AU - Yildiz., Bugra M.
AU - Ruijters, Enno
AU - Gerking, Christopher
AU - Kumar, Rajesh
AU - Dziwok, Stefan
AU - Rensink, Arend
AU - Stoelinga, Mariëlle
ED - Larsen, Kim G.
ED - Sokolsky, Oleg
ED - Wang, Ji
ID - 20792
IS - 10606
T2 - Dependable Software Engineering, 3rd International Symposium (SETTA 2017)
TI - How to Efficiently Build a Front-End Tool for UPPAAL: A Model-Driven Approach
ER -
TY - THES
AB - Cyber-physische Systeme (CPSs) sind die nächste Generation von eingebetteten Systemen, die fortwährend ihre Zusammenarbeit koordinieren, um anspruchsvolle Funktionen zu erfüllen. Die Koordination zwischen ihnen kann in Software mittels asynchroner Nachrichtenkommunikation realisiert werden. Um die funktionale Korrektheit der Software zu gewährleisten, ist aufgrund der Kritikalität dieser Systeme eine formale Verifikation wie z.B. Model Checking notwendig. Die Eingabesprache eines Model Checkers unterstützt jedoch domänenspezifische Aspekte wie asynchrone Kommunikation nicht direkt, wodurch diese vom Softwareingenieur mittels zahlreicher Modellelemente spezifiziert werden müssen. Dies ist hochgradig komplex und somit fehleranfällig. Im Rahmen dieser Arbeit wird eine modellgetriebene Methode zur domänenspezifischen Spezifikation und vollautomatischen Verifikation der nachrichtenbasierten Koordination von CPSs präsentiert. Mit Hilfe dieser Methode kann der Softwareingenieur die Koordination kompakt modellieren und muss nicht länger verstehen, wie seine Spezifikation auf der Ebene des Model Checkers ausgedrückt wird. Insgesamt wird die Komplexität für den Softwareingenieur somit deutlich handhabbarer. Bezüglich der Spezifikation einer solchen Koordination definiert die Arbeit eine domänenspezifische Sprache namens Real-Time Coordination Protocols (RTCPs). Darüber hinaus wird eine domänenspezifische Sprache zur Spezifikation von Verifikationseigenschaften eingeführt und Entwurfsmuster für RTCPs präsentiert, um die Anzahl der Modellierungsfehler zu senken.
AU - Dziwok, Stefan
ID - 20794
TI - Specification and Verification for Real-Time Coordination Protocols of Cyber-physical Systems
ER -
TY - CONF
AU - Gerking, Christopher
AU - Schubert, David
AU - Budde, Ingo
ED - Guerra, Esther
ED - van den Brand, Mark
ID - 20797
IS - 10374
T2 - Theory and Practice of Model Transformation, 10th International Conference (ICMT 2017)
TI - Reducing the Verbosity of Imperative Model Refinements by using General-Purpose Language Facilities
ER -
TY - CONF
AB - Modern Cyber-physical Systems are executed in physical environments and distributed over several Electronic Control Units using multiple cores for execution. These systems perform safety-critical tasks and, therefore, have to fulfill hard real-time requirements. To face these requirements systematically, system engineers de- velop these systems model-driven and prove the fulfillment of these requirements via model checking. It is important to ensure that the runtime scheduling does not violate the verified requirements by neglecting the model checking assumptions. Currently, there is a gap in the process for model-driven approaches to derive a feasible runtime scheduling that respects these assumptions. In this paper, we present an approach for a semi- automatic synthesis of behavioral models into a deterministic scheduling that respects real-time requirements at runtime. We evaluate our approach using an example of a distributed automotive system with hard real-time requirements specified with the MechatronicUML method.
AU - Geismann, Johannes
AU - Pohlmann, Uwe
AU - Schmelter, David
ID - 20804
T2 - Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development
TI - Towards an Automated Synthesis of a Real-time Scheduling for Cyber-physical Multi-core Systems
ER -
TY - THES
AU - Becker, Matthias
ID - 20805
TI - Engineering Self-Adaptive Systems with Simulation-Based Performance Prediction
ER -
TY - CONF
AU - Späth, Johannes
AU - Ali, Karim
AU - Bodden, Eric
ID - 5204
KW - ATTRACT
KW - ITSECWEBSITE
KW - CROSSING
T2 - 2017 International Conference on Object-Oriented Programming, Languages and Applications (OOPSLA/SPLASH)
TI - IDEal: Efficient and Precise Alias-aware Dataflow Analysis
ER -
TY - JOUR
AU - Fischer, Andreas
AU - Fuhry, Benny
AU - Kerschbaum, Florian
AU - Bodden, Eric
ID - 5209
JF - CoRR
TI - Computation on Encrypted Data using Data Flow Authentication
VL - abs/1710.00390
ER -
TY - THES
AU - Becker, Matthias
ID - 102
TI - Engineering Self-Adaptive Systems with Simulation-Based Performence Prediction
ER -
TY - THES
AU - Platenius, Marie Christin
ID - 195
TI - Fuzzy Matching of Comprehensive Service Specifications
ER -
TY - GEN
AU - Jazayeri, Bahar
AU - Platenius, Marie Christin
AU - Engels, Gregor
AU - Kundisch, Dennis
ID - 198
TI - Features of IT Service Markets: A Systematic Literature Review (Supplementary Material)
ER -
TY - CONF
AB - The provision of IT solutions over electronic marketplaces became prominent in recent years. We call such marketplaces IT service markets. IT service markets have some core architectural building blocks that impact the quality attributes of these markets. However, these building blocks and their impacts are not well-known. Thus, design choices for IT service markets have been made ad-hoc until now. Furthermore, only single aspects of such markets have been investigated until now, but a comprehensive view is missing.In this paper, we identify common features and their interrelations on the basis of a systematic literature review of 60 publications using grounded theory.This knowledge provides an empirical evidence on the interdisciplinary design choices of IT service markets and it serves as a basis to support market providers and developers to integrate market features. Thereby, we make a first step towards the creation of a reference model for IT service markets that provides a holistic integrated view that can be used to create and maintain successful markets in the future.
AU - Jazayeri, Bahar
AU - Platenius, Marie
AU - Engels, Gregor
AU - Kundisch, Dennis
ID - 199
T2 - Proceedings of the 14th International Conference on Service Oriented Computing (ICSOC)
TI - Features of IT Service Markets: A Systematic Literature Review
VL - 9936
ER -
TY - CONF
AU - Bodden, Eric
AU - I Pun, Ka
AU - Steffen, Martin
AU - Stolz, Volker
AU - Wickert, Anna-Katharina
ID - 20556
T2 - Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques - 7th International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10-14, 2016, Proceedings, Part {I}
TI - Information Flow Analysis for Go
ER -
TY - CONF
AU - Bodden, Eric
AU - Eichberg, Michael
AU - I Pun, Ka
AU - Steffen, Martin
AU - Stolz, Volker
AU - Wickert, Anna-Katharina
ID - 20716
T2 - Nordic Workshop on Programming Theory (NWPT'16)
TI - Don't let data Go astray---A Context-Sensitive Taint Analysis for Concurrent Programs in Go
ER -
TY - GEN
AU - Nguyen Quang Do, Lisa
AU - Ali, Karim
AU - Livshits, Benjamin
AU - Bodden, Eric
AU - Smith, Justin
AU - Murphy-Hill, Emerson
ID - 20717
KW - ATTRACT
KW - ITSECWEBSITE
TI - Just-in-Time Static Analysis
ER -