TY - JOUR
AB - The reliable operation of technical products is increasingly threatened by deliberate attacks. Complete security is not achievable; successful attacks are unavoidable (Assume Breach). This requires a paradigm shift in the security-aware development of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems must be designed so that they guarantee the highest possible reliability and safety even under targeted attacks. The solution approach described here extends the system model with attack scenarios and lines of defense. These are explained using the example of an industrial locking system for plant safety. Developers are sensitized to consider attacks systematically and to specify defense elements against threats and attacks in an interdisciplinary manner.
AU - Gräßler, Iris
AU - Bodden, Eric
AU - Wiechel, Dominik
AU - Pottebaum, Jens
ID - 48946
IS - 11-12
JF - Konstruktion
KW - Mechanical Engineering
KW - Mechanics of Materials
KW - General Materials Science
KW - Theoretical Computer Science
SN - 0720-5953
TI - Defense-in-Depth as a New Paradigm of Security-Aware Product Development: Interdisciplinary, Threat-Aware and Solution-Oriented Security
VL - 75
ER -
TY - CONF
AB - The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control Systems as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.
AU - Pottebaum, Jens
AU - Rossel, Jost
AU - Somorovsky, Juraj
AU - Acar, Yasemin
AU - Fahr, René
AU - Arias Cabarcos, Patricia
AU - Bodden, Eric
AU - Gräßler, Iris
ID - 46500
KW - Defense-in-Depth
KW - Human Factors
KW - Production Engineering
KW - Product Design
KW - Systems Engineering
T2 - 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
TI - Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth
ER -
TY - CONF
AB - Many Android applications collect data from users. When they do, they must
protect this collected data according to the current legal frameworks. Such
data protection has become even more important since the European Union rolled
out the General Data Protection Regulation (GDPR). App developers have limited
tool support to reason about data protection throughout their app development
process. Although many Android applications state a privacy policy, privacy
policy compliance checks are currently manual, expensive, and prone to error.
One of the major challenges in privacy audits is the significant gap between
legal privacy statements (in English text) and technical measures that Android
apps use to protect their user's privacy. In this thesis, we will explore to
what extent we can use static analysis to answer important questions regarding
data protection. Our main goal is to design a tool based approach that aids app
developers and auditors in ensuring data protection in Android applications,
based on automated static program analysis.
AU - Khedkar, Mugdha
ID - 44146
KW - static analysis
KW - data protection and privacy
KW - GDPR compliance
T2 - Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE '23)
TI - Static Analysis for Android GDPR Compliance Assurance
ER -
TY - CHAP
AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools offer poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used, for instance, to improve the handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses.
AU - Nachtigall, Marcus
AU - Schlichtig, Michael
AU - Bodden, Eric
ID - 52662
KW - Automated static analysis
KW - Software usability
SN - 978-3-88579-726-5
T2 - Software Engineering 2023
TI - Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale
ER -
TY - CHAP
AB - Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in the literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements.
AU - Schlichtig, Michael
AU - Sassalla, Steffen
AU - Narasimhan, Krishna
AU - Bodden, Eric
ID - 52660
KW - API misuses
KW - API usage constraints
KW - classification framework
KW - API misuse detection
KW - static analysis
SN - 978-3-88579-726-5
T2 - Software Engineering 2023
TI - Introducing FUM: A Framework for API Usage Constraint and Misuse Classification
ER -
TY - JOUR
AB - Encrypting data before sending it to the cloud ensures data confidentiality but requires the cloud to compute on encrypted data. Trusted execution environments, such as Intel SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program give attackers ample opportunities to execute arbitrary code inside the enclave. This code can modify the dataflow of the program and leak secrets via SGX side channels. Fully homomorphic encryption would be an alternative to compute on encrypted data without data leaks. However, due to its high computational complexity, its applicability to general-purpose computing remains limited. Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data.
We introduce the concept of dataflow authentication (DFAuth) to enable such programs. DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program. Our technique hence offers protections against the side-channel attacks described previously. We implemented two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave running a small and program-independent trusted code base. We applied DFAuth to a neural network performing machine learning on sensitive medical data and a smart charging scheduler for electric vehicles. Our transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in 12.55 ms. Our protected scheduler is capable of updating the encrypted charging plan in approximately 1.06 seconds.
AU - Fischer, Andreas
AU - Fuhry, Benny
AU - Kußmaul, Jörn
AU - Janneck, Jonas
AU - Kerschbaum, Florian
AU - Bodden, Eric
ID - 31844
IS - 3
JF - ACM Transactions on Privacy and Security
KW - Safety
KW - Risk
KW - Reliability and Quality
KW - General Computer Science
SN - 2471-2566
TI - Computation on Encrypted Data Using Dataflow Authentication
VL - 25
ER -
TY - GEN
AB - Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach in which we derive the benchmark generation methodology from the literature, consisting of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology, we design CamBench, a fair "Cryptographic API Misuse Detection Tool Benchmark Suite". We will implement the first version of CamBench, limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.
AU - Schlichtig, Michael
AU - Wickert, Anna-Katharina
AU - Krüger, Stefan
AU - Bodden, Eric
AU - Mezini, Mira
ID - 32409
KW - cryptography
KW - benchmark
KW - API misuse
KW - static analysis
TI - CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
ER -
TY - CONF
AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment.
To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria.
The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, although it could be used for improved handling of false positives and for tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are revealed.
These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses.
AU - Nachtigall, Marcus
AU - Schlichtig, Michael
AU - Bodden, Eric
ID - 32410
KW - Automated static analysis
KW - Software usability
SN - 9781450393799
T2 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
TI - A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
ER -
TY - CONF
AB - Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and why they are caused, is important to prevent them, e.g., with API misuse detectors. However, the definitions and names for API misuses and related terms in the literature are diverse and vary. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. More generally, FUM also appears to aid the development and improvement of misuse detection tools.
AU - Schlichtig, Michael
AU - Sassalla, Steffen
AU - Narasimhan, Krishna
AU - Bodden, Eric
ID - 31133
KW - API misuses
KW - API usage constraints
KW - classification framework
KW - API misuse detection
KW - static analysis
T2 - 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
TI - FUM - A Framework for API Usage constraint and Misuse Classification
ER -
TY - CONF
AU - Pasic, Faruk
AU - Becker, Matthias
ID - 34057
T2 - 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)
TI - Domain-specific Language for Condition Monitoring Software Development
ER -
TY - JOUR
AB - Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer's analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.
AU - Schubert, Philipp
AU - Gazzillo, Paul
AU - Patterson, Zach
AU - Braha, Julian
AU - Schiebel, Fabian
AU - Hermann, Ben
AU - Wei, Shiyi
AU - Bodden, Eric
ID - 30511
IS - 1
JF - Automated Software Engineering
KW - inter-procedural static analysis
KW - software product lines
KW - preprocessor
KW - LLVM
KW - C/C++
SN - 0928-8910
TI - Static data-flow analysis for software product lines in C
VL - 29
ER -
TY - JOUR
AB - Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding object instances from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256,515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method that uses objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class - such as making it public - can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerability CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
AU - Sayar, Imen
AU - Bartel, Alexandre
AU - Bodden, Eric
AU - Le Traon, Yves
ID - 33835
JF - ACM Transactions on Software Engineering and Methodology
KW - Software
SN - 1049-331X
TI - An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
ER -
TY - JOUR
AU - Piskachev, Goran
AU - Späth, Johannes
AU - Budde, Ingo
AU - Bodden, Eric
ID - 33836
IS - 5
JF - Empirical Software Engineering
TI - Fluently specifying taint-flow queries with fluentTQL
VL - 27
ER -
TY - CONF
AU - Krishnamurthy, Ranjith
AU - Piskachev, Goran
AU - Bodden, Eric
ID - 33838
TI - To what extent can we analyze Kotlin programs using existing Java taint analysis tools?
ER -
TY - CONF
AU - Piskachev, Goran
AU - Dziwok, Stefan
AU - Koch, Thorsten
AU - Merschjohann, Sven
AU - Bodden, Eric
ID - 33837
TI - How far are German companies in improving security through static program analysis tools?
ER -
TY - GEN
AB - Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.
AU - Wickert, Anna-Katharina
AU - Baumgärtner, Lars
AU - Schlichtig, Michael
AU - Mezini, Mira
ID - 33959
TI - To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild
ER -
TY - JOUR
AB - Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures and address static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts' performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools' accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.
AU - Luo, Linghui
AU - Pauck, Felix
AU - Piskachev, Goran
AU - Benz, Manuel
AU - Pashchenko, Ivan
AU - Mory, Martin
AU - Bodden, Eric
AU - Hermann, Ben
AU - Massacci, Fabio
ID - 27045
JF - Empirical Software Engineering
SN - 1382-3256
TI - TaintBench: Automatic real-world malware benchmarking of Android taint analyses
ER -
TY - THES
AU - Luo, Linghui
ID - 27158
TI - Improving Real-World Applicability of Static Taint Analysis
ER -
TY - JOUR
AU - Stockmann, Lars
AU - Laux, Sven
AU - Bodden, Eric
ID - 21595
JF - Journal of Automotive Software Engineering
SN - 2589-2258
TI - Using Architectural Runtime Verification for Offline Data Analysis
ER -
TY - THES
AU - Fischer, Andreas
ID - 21596
TI - Computing on Encrypted Data using Trusted Execution Environments
ER -