TY - CONF
AB - Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.
AU - Khedkar, Mugdha
AU - Bodden, Eric
ID - 52235
KW - static program analysis
KW - data protection and privacy
KW - GDPR compliance
T2 - Proceedings of the 9th International Conference on Mobile Software Engineering and Systems
TI - Toward an Android Static Analysis Approach for Data Protection
ER -

TY - JOUR
AU - Bodden, Eric
AU - Pottebaum, Jens
AU - Fockel, Markus
AU - Gräßler, Iris
ID - 52587
IS - 1
JF - IEEE Security & Privacy
KW - Law
KW - Electrical and Electronic Engineering
KW - Computer Networks and Communications
SN - 1540-7993
TI - Evaluating Security Through Isolation and Defense in Depth
VL - 22
ER -

TY - GEN
AB - Context: Static analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adoption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results. Method: To address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview. Result: We found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis. Conclusion: Our results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains.
AU - Wickert, Anna-Katharina
AU - Schlichtig, Michael
AU - Vogel, Marvin
AU - Winter, Lukas
AU - Mezini, Mira
AU - Bodden, Eric
ID - 52663
KW - Static analysis
KW - error chains
KW - false positive reduction
KW - empirical studies
TI - Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability
ER -

TY - CONF
AU - Dann, Andreas Peter
AU - Hermann, Ben
AU - Bodden, Eric
ID - 35083
TI - UpCy: Safely Updating Outdated Dependencies
ER -

TY - CONF
AU - Luo, Linghui
AU - Piskachev, Goran
AU - Krishnamurthy, Ranjith
AU - Dolby, Julian
AU - Schäf, Martin
AU - Bodden, Eric
ID - 41812
T2 - IEEE International Conference on Software Testing, Verification and Validation (ICST)
TI - Model Generation For Java Frameworks
ER -

TY - CONF
AU - Shivarpatna Venkatesh, Ashwin Prasad
AU - Wang, Jiawei
AU - Li, Li
AU - Bodden, Eric
ID - 41813
T2 - IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
TI - Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
ER -

TY - CONF
AU - Karakaya, Kadiray
AU - Bodden, Eric
ID - 45312
T2 - 2023 IEEE Conference on Software Testing, Verification and Validation (ICST)
TI - Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis
ER -

TY - JOUR
AU - Torres, Adriano
AU - Costa, Pedro
AU - Amaral, Luis
AU - Pastro, Jonata
AU - Bonifácio, Rodrigo
AU - d'Amorim, Marcelo
AU - Legunsen, Owolabi
AU - Bodden, Eric
AU - Dias Canedo, Edna
ID - 46816
IS - 10
JF - IEEE Transactions on Software Engineering
KW - Software
SN - 0098-5589
TI - Runtime Verification of Crypto APIs: An Empirical Study
VL - 49
ER -

TY - JOUR
AB - The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. The configuration options that are found most useful relate to the analysis scope.
AU - Piskachev, Goran
AU - Becker, Matthias
AU - Bodden, Eric
ID - 49439
IS - 5
JF - Empirical Software Engineering
KW - Software
SN - 1382-3256
TI - Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study
VL - 28
ER -

TY - CONF
AU - Krüger, Stefan
AU - Reif, Michael
AU - Wickert, Anna-Katharina
AU - Nadi, Sarah
AU - Ali, Karim
AU - Bodden, Eric
AU - Acar, Yasemin
AU - Mezini, Mira
AU - Fahl, Sascha
ID - 49438
T2 - 2023 IEEE Secure Development Conference (SecDev)
TI - Securing Your Crypto-API Usage Through Tool Support - A Usability Study
ER -

TY - JOUR
AB - The reliable operation of technical products is increasingly threatened by deliberate attacks. Complete security is not attainable; successful attacks are unavoidable (Assume Breach). This requires a paradigm shift in the security-oriented development of mechatronic and cyber-physical systems toward Defense-in-Depth. Systems must be designed so that they provide the highest possible reliability and security even under targeted attacks. The solution approach described here extends the system model with attack scenarios and lines of defense. These are explained using the example of an industrial locking system for plant security. Developers are sensitized to consider attacks systematically and to specify, across disciplines, defense elements against threats and attacks.
AU - Gräßler, Iris
AU - Bodden, Eric
AU - Wiechel, Dominik
AU - Pottebaum, Jens
ID - 48946
IS - 11-12
JF - Konstruktion
KW - Mechanical Engineering
KW - Mechanics of Materials
KW - General Materials Science
KW - Theoretical Computer Science
SN - 0720-5953
TI - Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security
VL - 75
ER -

TY - CONF
AB - The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control Systems as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design.
AU - Pottebaum, Jens
AU - Rossel, Jost
AU - Somorovsky, Juraj
AU - Acar, Yasemin
AU - Fahr, René
AU - Arias Cabarcos, Patricia
AU - Bodden, Eric
AU - Gräßler, Iris
ID - 46500
KW - Defense-in-Depth
KW - Human Factors
KW - Production Engineering
KW - Product Design
KW - Systems Engineering
T2 - 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
TI - Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth
ER -

TY - CONF
AB - Many Android applications collect data from users. When they do, they must protect this collected data according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). App developers have limited tool support to reason about data protection throughout their app development process. Although many Android applications state a privacy policy, privacy policy compliance checks are currently manual, expensive, and prone to error. One of the major challenges in privacy audits is the significant gap between legal privacy statements (in English text) and technical measures that Android apps use to protect their users' privacy. In this thesis, we will explore to what extent we can use static analysis to answer important questions regarding data protection. Our main goal is to design a tool-based approach that aids app developers and auditors in ensuring data protection in Android applications, based on automated static program analysis.
AU - Khedkar, Mugdha
ID - 44146
KW - static analysis
KW - data protection and privacy
KW - GDPR compliance
T2 - Proceedings of the 45th International Conference on Software Engineering: Companion Proceedings (ICSE '23)
TI - Static Analysis for Android GDPR Compliance Assurance
ER -

TY - CHAP
AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools offer poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used, for instance, to improve handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses.
AU - Nachtigall, Marcus
AU - Schlichtig, Michael
AU - Bodden, Eric
ID - 52662
KW - Automated static analysis
KW - Software usability
SN - 978-3-88579-726-5
T2 - Software Engineering 2023
TI - Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale
ER -

TY - CHAP
AB - Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements.
AU - Schlichtig, Michael
AU - Sassalla, Steffen
AU - Narasimhan, Krishna
AU - Bodden, Eric
ID - 52660
KW - API misuses
KW - API usage constraints
KW - classification framework
KW - API misuse detection
KW - static analysis
SN - 978-3-88579-726-5
T2 - Software Engineering 2023
TI - Introducing FUM: A Framework for API Usage Constraint and Misuse Classification
ER -

TY - JOUR
AB - Encrypting data before sending it to the cloud ensures data confidentiality but requires the cloud to compute on encrypted data. Trusted execution environments, such as Intel SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program give attackers ample opportunities to execute arbitrary code inside the enclave. This code can modify the dataflow of the program and leak secrets via SGX side channels. Fully homomorphic encryption would be an alternative to compute on encrypted data without data leaks. However, due to its high computational complexity, its applicability to general-purpose computing remains limited. Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data. We introduce the concept of dataflow authentication (DFAuth) to enable such programs. DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program. Our technique hence offers protections against the side-channel attacks described previously. We implemented two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave running a small and program-independent trusted code base. We applied DFAuth to a neural network performing machine learning on sensitive medical data and a smart charging scheduler for electric vehicles. Our transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in 12.55 ms. Our protected scheduler is capable of updating the encrypted charging plan in approximately 1.06 seconds.
AU - Fischer, Andreas
AU - Fuhry, Benny
AU - Kußmaul, Jörn
AU - Janneck, Jonas
AU - Kerschbaum, Florian
AU - Bodden, Eric
ID - 31844
IS - 3
JF - ACM Transactions on Privacy and Security
KW - Safety
KW - Risk
KW - Reliability and Quality
KW - General Computer Science
SN - 2471-2566
TI - Computation on Encrypted Data Using Dataflow Authentication
VL - 25
ER -

TY - GEN
AB - Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature, which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection Tool Benchmark Suite". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.
AU - Schlichtig, Michael
AU - Wickert, Anna-Katharina
AU - Krüger, Stefan
AU - Bodden, Eric
AU - Mezini, Mira
ID - 32409
KW - cryptography
KW - benchmark
KW - API misuse
KW - static analysis
TI - CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
ER -

TY - CONF
AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment. To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria. The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses.
AU - Nachtigall, Marcus
AU - Schlichtig, Michael
AU - Bodden, Eric
ID - 32410
KW - Automated static analysis
KW - Software usability
SN - 9781450393799
T2 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
TI - A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
ER -

TY - CONF
AB - Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. It also appears that, more generally, FUM can aid the development and improvement of misuse detection tools.
AU - Schlichtig, Michael
AU - Sassalla, Steffen
AU - Narasimhan, Krishna
AU - Bodden, Eric
ID - 31133
KW - API misuses
KW - API usage constraints
KW - classification framework
KW - API misuse detection
KW - static analysis
T2 - 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
TI - FUM - A Framework for API Usage constraint and Misuse Classification
ER -

TY - CONF
AU - Pasic, Faruk
AU - Becker, Matthias
ID - 34057
T2 - 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA)
TI - Domain-specific Language for Condition Monitoring Software Development
ER -