TY - JOUR
AB - Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer's analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.
AU - Schubert, Philipp
AU - Gazzillo, Paul
AU - Patterson, Zach
AU - Braha, Julian
AU - Schiebel, Fabian
AU - Hermann, Ben
AU - Wei, Shiyi
AU - Bodden, Eric
ID - 30511
IS - 1
JF - Automated Software Engineering
KW - inter-procedural static analysis
KW - software product lines
KW - preprocessor
KW - LLVM
KW - C/C++
SN - 0928-8910
TI - Static data-flow analysis for software product lines in C
VL - 29
ER -
TY - JOUR
AB - Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256,515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which uses objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class, such as making it public, can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 CVEs for deserialization vulnerabilities to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
AU - Sayar, Imen
AU - Bartel, Alexandre
AU - Bodden, Eric
AU - Le Traon, Yves
ID - 33835
JF - ACM Transactions on Software Engineering and Methodology
KW - Software
SN - 1049-331X
TI - An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
ER -
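The gadget notion in the abstract above, as an added example that is not code from the paper or from any library it studies: a hypothetical CacheEntry class whose readObject hook runs a Runnable taken from a field the stream controls, deserialized once without restriction and once behind a JEP 290 ObjectInputFilter allowlist (Java 9+). The class and field names, the serializable lambda standing in for an attacker payload, and the filter pattern are assumptions for illustration; a real exploit reuses classes already on the classpath instead of shipping its own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example; GadgetDemo, CacheEntry and its fields are hypothetical, not from any studied library.
public class GadgetDemo {

    // A hypothetical library class. It looks harmless: after being read from a stream it
    // "refreshes" itself by running a Runnable stored in one of its fields. That makes
    // readObject a gadget in the paper's sense: a method that uses an attacker-controlled field.
    static final class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        String key;
        Runnable refresher;

        CacheEntry(String key, Runnable refresher) {
            this.key = key;
            this.refresher = refresher;
        }

        // Sink: whoever built the stream chose what 'refresher' is, so this runs their code.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            refresher.run();
        }
    }

    // Stand-in for an attacker-built stream. A serializable lambda plays the role of the
    // payload here; in a real attack the payload is assembled from existing classpath classes.
    static byte[] buildPayload() throws IOException {
        Runnable payload = (Runnable & Serializable) () ->
                System.out.println("payload ran during deserialization");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new CacheEntry("k", payload));
        }
        return bos.toByteArray();
    }

    // Vulnerable: untrusted bytes are deserialized with no restriction on which classes may appear.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: an allowlist filter. Only CacheEntry and java.lang.String may appear in the
    // stream; every other class descriptor, including the java.lang.invoke.SerializedLambda
    // that carries the payload, is rejected while the fields are being read, so
    // refresher.run() is never reached.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "GadgetDemo$CacheEntry;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allow);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] untrusted = buildPayload();
        deserializeUnfiltered(untrusted);   // prints: payload ran during deserialization
        try {
            deserializeFiltered(untrusted);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected the stream: " + e.getMessage());
        }
    }
}
```

The filter is a real code change at the deserialization site, which is the distinction the abstract draws: a workaround that leaves the receiving code unchanged leaves the gadget reachable. Note also that the gadget sits in the library class, not in the application that calls readObject, so an application can become exploitable merely by upgrading or adding a dependency.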
TY - JOUR
AU - Piskachev, Goran
AU - Späth, Johannes
AU - Budde, Ingo
AU - Bodden, Eric
ID - 33836
IS - 5
JF - Empirical Software Engineering
TI - Fluently specifying taint-flow queries with fluentTQL
VL - 27
ER -
TY - CONF
AU - Krishnamurthy, Ranjith
AU - Piskachev, Goran
AU - Bodden, Eric
ID - 33838
TI - To what extent can we analyze Kotlin programs using existing Java taint analysis tools?
ER -
TY - CONF
AU - Piskachev, Goran
AU - Dziwok, Stefan
AU - Koch, Thorsten
AU - Merschjohann, Sven
AU - Bodden, Eric
ID - 33837
TI - How far are German companies in improving security through static program analysis tools?
ER -
TY - GEN
AB - Recent studies have revealed that 87 % to 96 % of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 % of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.
AU - Wickert, Anna-Katharina
AU - Baumgärtner, Lars
AU - Schlichtig, Michael
AU - Mezini, Mira
ID - 33959
TI - To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild
ER -
TY - JOUR
AB - Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and address static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts' performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools' accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.
AU - Luo, Linghui
AU - Pauck, Felix
AU - Piskachev, Goran
AU - Benz, Manuel
AU - Pashchenko, Ivan
AU - Mory, Martin
AU - Bodden, Eric
AU - Hermann, Ben
AU - Massacci, Fabio
ID - 27045
JF - Empirical Software Engineering
SN - 1382-3256
TI - TaintBench: Automatic real-world malware benchmarking of Android taint analyses
ER -
TY - THES
AU - Luo, Linghui
ID - 27158
TI - Improving Real-World Applicability of Static Taint Analysis
ER -
TY - JOUR
AU - Stockmann, Lars
AU - Laux, Sven
AU - Bodden, Eric
ID - 21595
JF - Journal of Automotive Software Engineering
SN - 2589-2258
TI - Using Architectural Runtime Verification for Offline Data Analysis
ER -
TY - THES
AU - Fischer, Andreas
ID - 21596
TI - Computing on Encrypted Data using Trusted Execution Environments
ER -
TY - JOUR
AU - Holzinger, Philipp
AU - Bodden, Eric
ID - 21597
JF - International Symposium on Advanced Security on Software and Systems (ASSS)
TI - A Systematic Hardening of Java's Information Hiding
ER -
TY - JOUR
AU - Bonifacio, Rodrigo
AU - Krüger, Stefan
AU - Narasimhan, Krishna
AU - Bodden, Eric
AU - Mezini, Mira
ID - 21599
JF - European Conference on Object-Oriented Programming (ECOOP)
TI - Dealing with Variability in API Misuse Specification
ER -
TY - CONF
AU - Shivarpatna Venkatesh, Ashwin Prasad
AU - Bodden, Eric
ID - 22462
T2 - International Workshop on AI and Software Testing/Analysis (AISTA)
TI - Automated Cell Header Generator for Jupyter Notebooks
ER -
TY - CONF
AU - Kummita, Sriteja
AU - Piskachev, Goran
AU - Späth, Johannes
AU - Bodden, Eric
ID - 23374
T2 - 2021 International Conference on Code Quality (ICCQ)
TI - Qualitative and Quantitative Analysis of Callgraph Algorithms for Python
ER -
TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 30084
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SootFX: A Static Code Feature Extraction Tool for Java and Android
ER -
TY - CONF
AB - Static analysis is used to automatically detect bugs and security breaches, and aids compiler optimization. Whole-program analysis (WPA) can yield high precision, however causes long analysis times and thus does not match common software-development workflows, making it often impractical to use for large, real-world applications. This paper thus presents the design and implementation of ModAlyzer, a novel static-analysis approach that aims at accelerating whole-program analysis by making the analysis modular and compositional. It shows how to compute lossless, persisted summaries for callgraph, points-to and data-flow information, and it reports under which circumstances this function-level compositional analysis outperforms WPA. We implemented ModAlyzer as an extension to LLVM and PhASAR, and applied it to 12 real-world C and C++ applications. At analysis time, ModAlyzer modularly and losslessly summarizes the analysis effect of the library code those applications share, hence avoiding its repeated re-analysis. The experimental results show that the reuse of these summaries can save, on average, 72% of analysis time over WPA. Moreover, because it is lossless, the module-wise analysis fully retains precision and recall. Surprisingly, as our results show, it sometimes even yields precision superior to WPA. The initial summary generation, on average, takes about 3.67 times as long as WPA.
AU - Schubert, Philipp
AU - Hermann, Ben
AU - Bodden, Eric
ID - 21598
T2 - European Conference on Object-Oriented Programming (ECOOP)
TI - Lossless, Persisted Summarization of Static Callgraph, Points-To and Data-Flow Analysis
ER -
TY - JOUR
AU - Dann, Andreas Peter
AU - Plate, Henrik
AU - Hermann, Ben
AU - Ponta, Serena Elisa
AU - Bodden, Eric
ID - 31132
JF - IEEE Transactions on Software Engineering
KW - Software
SN - 0098-5589
TI - Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
ER -
TY - CONF
AU - Piskachev, Goran
AU - Krishnamurthy, Ranjith
AU - Bodden, Eric
ID - 26407
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SecuCheck: Engineering configurable taint analysis for software developers
ER -
TY - CONF
AU - Luo, Linghui
AU - Schäf, Martin
AU - Sanchez, Daniel
AU - Bodden, Eric
ID - 22463
T2 - Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
TI - IDE Support for Cloud-Based Static Analyses
ER -
TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 33840
T2 - 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM)
TI - SootFX: A Static Code Feature Extraction Tool for Java and Android
ER -