---
_id: '48946'
abstract:
- lang: ger
text: inhalt Der verlässliche Betrieb von technischen Produkten wird zunehmend durch
bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende
Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel
in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme
hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei
gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten.
Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien
und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems
zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch
zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen
und Angriffen zu spezifizieren.
- lang: eng
text: The reliable operation of technical products is increasingly threatened by
deliberate attacks. Complete security is not possible, striking attacks are unavoidable
(assume breach). This requires a paradigm shift in security-oriented engineering
of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems need
to be engineered in a way that full reliability and security are ensured even
in case of targeted attacks. The solution approach described here expands the
system model to include attack scenarios and lines of defence. It is applied to
an industrial locking system for plant security as an example. Developers are
sensitised to systematically consider attacks and to specify interdisciplinary
defence elements against threats and attacks.
article_type: original
author:
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Dominik
full_name: Wiechel, Dominik
id: '67161'
last_name: Wiechel
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
citation:
ama: 'Gräßler I, Bodden E, Wiechel D, Pottebaum J. Defense-in-Depth als neues Paradigma
der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste
und lösungsorientierte Security. Konstruktion. 2023;75(11-12):60-65. doi:10.37544/0720-5953-2023-11-12-60'
apa: 'Gräßler, I., Bodden, E., Wiechel, D., & Pottebaum, J. (2023). Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security. Konstruktion, 75(11–12),
60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60'
bibtex: '@article{Gräßler_Bodden_Wiechel_Pottebaum_2023, title={Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security}, volume={75}, DOI={10.37544/0720-5953-2023-11-12-60},
number={11–12}, journal={Konstruktion}, publisher={VDI Fachmedien GmbH and Co.
KG}, author={Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum,
Jens}, year={2023}, pages={60–65} }'
chicago: 'Gräßler, Iris, Eric Bodden, Dominik Wiechel, and Jens Pottebaum. “Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security.” Konstruktion 75, no.
11–12 (2023): 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60.'
ieee: 'I. Gräßler, E. Bodden, D. Wiechel, and J. Pottebaum, “Defense-in-Depth als
neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security,” Konstruktion, vol.
75, no. 11–12, pp. 60–65, 2023, doi: 10.37544/0720-5953-2023-11-12-60.'
mla: 'Gräßler, Iris, et al. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten
Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte
Security.” Konstruktion, vol. 75, no. 11–12, VDI Fachmedien GmbH and Co.
KG, 2023, pp. 60–65, doi:10.37544/0720-5953-2023-11-12-60.'
short: I. Gräßler, E. Bodden, D. Wiechel, J. Pottebaum, Konstruktion 75 (2023) 60–65.
date_created: 2023-11-16T08:23:12Z
date_updated: 2023-12-20T14:10:51Z
department:
- _id: '152'
- _id: '76'
doi: 10.37544/0720-5953-2023-11-12-60
intvolume: ' 75'
issue: 11-12
keyword:
- Mechanical Engineering
- Mechanics of Materials
- General Materials Science
- Theoretical Computer Science
language:
- iso: ger
page: 60-65
publication: Konstruktion
publication_identifier:
issn:
- 0720-5953
publication_status: published
publisher: VDI Fachmedien GmbH and Co. KG
quality_controlled: '1'
status: public
title: 'Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung:
interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security'
type: journal_article
user_id: '405'
volume: 75
year: '2023'
...
---
_id: '46500'
abstract:
- lang: eng
text: The security of Industrial Control Systems is relevant both for reliable production
system operations and for high-quality throughput in terms of manufactured products.
Security measures are designed, operated and maintained by different roles along
product and production system lifecycles. Defense-in-Depth as a paradigm builds
upon the assumption that breaches are unavoidable. The paper at hand provides
an analysis of roles, corresponding Human Factors and their relevance for data
theft and sabotage attacks. The resulting taxonomy is reflected by an example
related to Additive Manufacturing. The results assist in both designing and redesigning
Industrial Control System as part of an entire production system so that Defense-in-Depth
with regard to Human Factors is built in by design.
author:
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Jost
full_name: Rossel, Jost
id: '58331'
last_name: Rossel
orcid: 0000-0002-3182-4059
- first_name: Juraj
full_name: Somorovsky, Juraj
id: '83504'
last_name: Somorovsky
orcid: 0000-0002-3593-7720
- first_name: Yasemin
full_name: Acar, Yasemin
id: '94636'
last_name: Acar
- first_name: René
full_name: Fahr, René
id: '111'
last_name: Fahr
- first_name: Patricia
full_name: Arias Cabarcos, Patricia
id: '92804'
last_name: Arias Cabarcos
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
citation:
ama: 'Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control
Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.
In: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).
IEEE; 2023:379-385. doi:10.1109/eurospw59978.2023.00048'
apa: Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos,
P., Bodden, E., & Gräßler, I. (2023). Re-Envisioning Industrial Control Systems
Security by Considering Human Factors as a Core Element of Defense-in-Depth. 2023
IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
379–385. https://doi.org/10.1109/eurospw59978.2023.00048
bibtex: '@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023,
title={Re-Envisioning Industrial Control Systems Security by Considering Human
Factors as a Core Element of Defense-in-Depth}, DOI={10.1109/eurospw59978.2023.00048},
booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)},
publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj
and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric
and Gräßler, Iris}, year={2023}, pages={379–385} }'
chicago: Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr,
Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial
Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.”
In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
379–85. IEEE, 2023. https://doi.org/10.1109/eurospw59978.2023.00048.
ieee: 'J. Pottebaum et al., “Re-Envisioning Industrial Control Systems Security
by Considering Human Factors as a Core Element of Defense-in-Depth,” in 2023
IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
Delft, Netherlands, 2023, pp. 379–385, doi: 10.1109/eurospw59978.2023.00048.'
mla: Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security
by Considering Human Factors as a Core Element of Defense-in-Depth.” 2023 IEEE
European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE,
2023, pp. 379–85, doi:10.1109/eurospw59978.2023.00048.
short: 'J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos,
E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy
Workshops (EuroS&PW), IEEE, 2023, pp. 379–385.'
conference:
end_date: 2023-07-07
location: Delft, Netherlands
name: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
start_date: 2023-07-03
date_created: 2023-08-15T12:21:05Z
date_updated: 2023-12-20T14:12:25Z
department:
- _id: '34'
- _id: '740'
- _id: '152'
- _id: '76'
doi: 10.1109/eurospw59978.2023.00048
keyword:
- Defense-in-Depth
- Human Factors
- Production Engineering
- Product Design
- Systems Engineering
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647
page: 379-385
publication: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
publication_status: published
publisher: IEEE
quality_controlled: '1'
status: public
title: Re-Envisioning Industrial Control Systems Security by Considering Human Factors
as a Core Element of Defense-in-Depth
type: conference
user_id: '405'
year: '2023'
...
---
_id: '44146'
abstract:
- lang: eng
text: "Many Android applications collect data from users. When they do, they must\r\nprotect
this collected data according to the current legal frameworks. Such\r\ndata protection
has become even more important since the European Union rolled\r\nout the General
Data Protection Regulation (GDPR). App developers have limited\r\ntool support
to reason about data protection throughout their app development\r\nprocess. Although
many Android applications state a privacy policy, privacy\r\npolicy compliance
checks are currently manual, expensive, and prone to error.\r\nOne of the major
challenges in privacy audits is the significant gap between\r\nlegal privacy statements
(in English text) and technical measures that Android\r\napps use to protect their
user's privacy. In this thesis, we will explore to\r\nwhat extent we can use static
analysis to answer important questions regarding\r\ndata protection. Our main
goal is to design a tool based approach that aids app\r\ndevelopers and auditors
in ensuring data protection in Android applications,\r\nbased on automated static
program analysis."
author:
- first_name: Mugdha
full_name: Khedkar, Mugdha
id: '88024'
last_name: Khedkar
citation:
ama: 'Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: Proceedings
of the 45th International Conference on Software Engineering: Companion Proceedings
(ICSE ‘23). doi:10.1109/ICSE-Companion58688.2023.00054'
apa: 'Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance.
Proceedings of the 45th International Conference on Software Engineering: Companion
Proceedings (ICSE ‘23). https://doi.org/10.1109/ICSE-Companion58688.2023.00054'
bibtex: '@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance
Assurance}, DOI={10.1109/ICSE-Companion58688.2023.00054},
booktitle={Proceedings of the 45th International Conference on Software Engineering:
Companion Proceedings (ICSE ‘23)}, author={Khedkar, Mugdha} }'
chicago: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
In Proceedings of the 45th International Conference on Software Engineering:
Companion Proceedings (ICSE ‘23), n.d. https://doi.org/10.1109/ICSE-Companion58688.2023.00054.'
ieee: 'M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi:
10.1109/ICSE-Companion58688.2023.00054.'
mla: 'Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.”
Proceedings of the 45th International Conference on Software Engineering: Companion
Proceedings (ICSE ‘23), doi:10.1109/ICSE-Companion58688.2023.00054.'
short: 'M. Khedkar, in: Proceedings of the 45th International Conference on Software
Engineering: Companion Proceedings (ICSE ‘23), n.d.'
date_created: 2023-04-24T12:14:17Z
date_updated: 2024-03-03T14:45:09Z
ddc:
- '004'
department:
- _id: '76'
doi: 10.1109/ICSE-Companion58688.2023.00054
external_id:
arxiv:
- '2303.09606'
file:
- access_level: closed
content_type: application/pdf
creator: khedkarm
date_created: 2023-04-24T12:15:27Z
date_updated: 2023-04-24T12:15:27Z
file_id: '44147'
file_name: 2023047614.pdf
file_size: 85313
relation: main_file
success: 1
file_date_updated: 2023-04-24T12:15:27Z
has_accepted_license: '1'
keyword:
- static analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
publication: 'Proceedings of the 45th International Conference on Software Engineering:
Companion Proceedings (ICSE ‘23)'
publication_status: accepted
status: public
title: Static Analysis for Android GDPR Compliance Assurance
type: conference
user_id: '88024'
year: '2023'
...
---
_id: '52662'
abstract:
- lang: eng
text: Static analysis tools support developers in detecting potential coding issues,
such as bugs or vulnerabilities. Research emphasizes technical challenges of such
tools but also mentions severe usability shortcomings. These shortcomings hinder
the adoption of static analysis tools, and user dissatisfaction may even lead
to tool abandonment. To comprehensively assess the state of the art, we present
the first systematic usability evaluation of a wide range of static analysis tools.
We derived a set of 36 relevant criteria from the literature and used them to
evaluate a total of 46 static analysis tools complying with our inclusion and
exclusion criteria - a representative set of mainly non-proprietary tools. The
evaluation against the usability criteria in a multiple-raters approach shows
that two thirds of the considered tools off er poor warning messages, while about
three-quarters provide hardly any fix support. Furthermore, the integration of
user knowledge is strongly neglected, which could be used for instance, to improve
handling of false positives. Finally, issues regarding workflow integration and
specialized user interfaces are revealed. These findings should prove useful in
guiding and focusing further research and development in user experience for static
code analyses.
author:
- first_name: Marcus
full_name: Nachtigall, Marcus
id: '41213'
last_name: Nachtigall
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed
by Static Analysis Tools on a Large Scale. In: Software Engineering 2023.
Gesellschaft für Informatik e.V.; 2023:95–96.'
apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2023). Evaluation of Usability
Criteria Addressed by Static Analysis Tools on a Large Scale. In Software Engineering
2023 (pp. 95–96). Gesellschaft für Informatik e.V.
bibtex: '@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation
of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software
Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall,
Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }'
chicago: 'Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of
Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In Software
Engineering 2023, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.'
ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria
Addressed by Static Analysis Tools on a Large Scale,” in Software Engineering
2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.'
mla: Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static
Analysis Tools on a Large Scale.” Software Engineering 2023, Gesellschaft
für Informatik e.V., 2023, pp. 95–96.
short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023,
Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.'
date_created: 2024-03-20T09:26:29Z
date_updated: 2024-03-20T09:27:41Z
department:
- _id: '76'
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5
page: 95–96
place: Bonn
publication: Software Engineering 2023
publication_identifier:
isbn:
- 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large
Scale
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '52660'
abstract:
- lang: eng
text: Application Programming Interfaces (APIs) are the primary mechanism developers
use to obtain access to third-party algorithms and services. Unfortunately, APIs
can be misused, which can have catastrophic consequences, especially if the APIs
provide security-critical functionalities like cryptography. Understanding what
API misuses are, and how they are caused, is important to prevent them, eg, with
API misuse detectors. However, definitions for API misuses and related terms in
literature vary. This paper presents a systematic literature review to clarify
these terms and introduces FUM, a novel Framework for API Usage constraint and
Misuse classification. The literature review revealed that API misuses are violations
of API usage constraints. To address this, we provide unified definitions and
use them to derive FUM. To assess the extent to which FUM aids in determining
and guiding the improvement of an API misuses detector’s capabilities, we performed
a case study on the state-of the-art misuse detection tool CogniCrypt. The study
showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify
weaknesses and assist in deriving mitigations and improvements.
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Steffen
full_name: Sassalla, Steffen
last_name: Sassalla
- first_name: Krishna
full_name: Narasimhan, Krishna
last_name: Narasimhan
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework
for API Usage Constraint and Misuse Classification. In: Software Engineering
2023. Gesellschaft für Informatik e.V.; 2023:105–106.'
apa: 'Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2023). Introducing
FUM: A Framework for API Usage Constraint and Misuse Classification. In Software
Engineering 2023 (pp. 105–106). Gesellschaft für Informatik e.V.'
bibtex: '@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing
FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software
Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig,
Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023},
pages={105–106} }'
chicago: 'Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
“Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.”
In Software Engineering 2023, 105–106. Bonn: Gesellschaft für Informatik
e.V., 2023.'
ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM:
A Framework for API Usage Constraint and Misuse Classification,” in Software
Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.'
mla: 'Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint
and Misuse Classification.” Software Engineering 2023, Gesellschaft für
Informatik e.V., 2023, pp. 105–106.'
short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering
2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.'
date_created: 2024-03-20T09:22:27Z
date_updated: 2024-03-20T09:25:46Z
department:
- _id: '76'
keyword:
- API misuses API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2
page: 105–106
place: Bonn
publication: Software Engineering 2023
publication_identifier:
isbn:
- 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: 'Introducing FUM: A Framework for API Usage Constraint and Misuse Classification'
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '31844'
abstract:
- lang: eng
text: "Encrypting data before sending it to the cloud ensures data confidentiality
but requires the cloud to compute on encrypted data. Trusted execution environments,
such as Intel SGX enclaves, promise to provide a secure environment in which data
can be decrypted and then processed. However, vulnerabilities in the executed
program give attackers ample opportunities to execute arbitrary code inside the
enclave. This code can modify the dataflow of the program and leak secrets via
SGX side channels. Fully homomorphic encryption would be an alternative to compute
on encrypted data without data leaks. However, due to its high computational complexity,
its applicability to general-purpose computing remains limited. Researchers have
made several proposals for transforming programs to perform encrypted computations
on less powerful encryption schemes. Yet current approaches do not support programs
making control-flow decisions based on encrypted data.\r\n \r\n
\ We introduce the concept of\r\n dataflow authentication\r\n
\ (DFAuth) to enable such programs. DFAuth prevents an adversary from
arbitrarily deviating from the dataflow of a program. Our technique hence offers
protections against the side-channel attacks described previously. We implemented
two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave
running a small and program-independent trusted code base. We applied DFAuth to
a neural network performing machine learning on sensitive medical data and a smart
charging scheduler for electric vehicles. Our transformation yields a neural network
with encrypted weights, which can be evaluated on encrypted inputs in\r\n \r\n \\( 12.55 \\,\\mathrm{m}\\mathrm{s} \\)\r\n
\ \r\n . Our protected scheduler is
capable of updating the encrypted charging plan in approximately 1.06 seconds.\r\n
\ "
author:
- first_name: Andreas
full_name: Fischer, Andreas
last_name: Fischer
- first_name: Benny
full_name: Fuhry, Benny
last_name: Fuhry
- first_name: Jörn
full_name: Kußmaul, Jörn
last_name: Kußmaul
- first_name: Jonas
full_name: Janneck, Jonas
last_name: Janneck
- first_name: Florian
full_name: Kerschbaum, Florian
last_name: Kerschbaum
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Fischer A, Fuhry B, Kußmaul J, Janneck J, Kerschbaum F, Bodden E. Computation
on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy
and Security. 2022;25(3):1-36. doi:10.1145/3513005
apa: Fischer, A., Fuhry, B., Kußmaul, J., Janneck, J., Kerschbaum, F., & Bodden,
E. (2022). Computation on Encrypted Data Using Dataflow Authentication. ACM
Transactions on Privacy and Security, 25(3), 1–36. https://doi.org/10.1145/3513005
bibtex: '@article{Fischer_Fuhry_Kußmaul_Janneck_Kerschbaum_Bodden_2022, title={Computation
on Encrypted Data Using Dataflow Authentication}, volume={25}, DOI={10.1145/3513005},
number={3}, journal={ACM Transactions on Privacy and Security}, publisher={Association
for Computing Machinery (ACM)}, author={Fischer, Andreas and Fuhry, Benny and
Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}, year={2022},
pages={1–36} }'
chicago: 'Fischer, Andreas, Benny Fuhry, Jörn Kußmaul, Jonas Janneck, Florian Kerschbaum,
and Eric Bodden. “Computation on Encrypted Data Using Dataflow Authentication.”
ACM Transactions on Privacy and Security 25, no. 3 (2022): 1–36. https://doi.org/10.1145/3513005.'
ieee: 'A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, and E. Bodden,
“Computation on Encrypted Data Using Dataflow Authentication,” ACM Transactions
on Privacy and Security, vol. 25, no. 3, pp. 1–36, 2022, doi: 10.1145/3513005.'
mla: Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.”
ACM Transactions on Privacy and Security, vol. 25, no. 3, Association for
Computing Machinery (ACM), 2022, pp. 1–36, doi:10.1145/3513005.
short: A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, E. Bodden, ACM
Transactions on Privacy and Security 25 (2022) 1–36.
date_created: 2022-06-09T10:28:03Z
date_updated: 2022-06-09T10:29:19Z
department:
- _id: '76'
doi: 10.1145/3513005
intvolume: ' 25'
issue: '3'
keyword:
- Safety
- Risk
- Reliability and Quality
- General Computer Science
language:
- iso: eng
page: 1-36
publication: ACM Transactions on Privacy and Security
publication_identifier:
issn:
- 2471-2566
- 2471-2574
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Computation on Encrypted Data Using Dataflow Authentication
type: journal_article
user_id: '15249'
volume: 25
year: '2022'
...
---
_id: '32409'
abstract:
- lang: eng
text: 'Context: Cryptographic APIs are often misused in real-world applications.
Therefore, many cryptographic API misuse detection tools have been introduced.
However, there exists no established reference benchmark for a fair and comprehensive
comparison and evaluation of these tools. While there are benchmarks, they often
only address a subset of the domain or were only used to evaluate a subset of
existing misuse detection tools. Objective: To fairly compare cryptographic API
misuse detection tools and to drive future development in this domain, we will
devise such a benchmark. Openness and transparency in the generation process are
key factors to fairly generate and establish the needed benchmark. Method: We
propose an approach where we derive the benchmark generation methodology from
the literature which consists of general best practices in benchmarking and domain-specific
benchmark generation. A part of this methodology is transparency and openness
of the generation process, which is achieved by pre-registering this work. Based
on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection
Tool Benchmark Suite". We will implement the first version of CamBench limiting
the domain to Java, the JCA, and static analyses. Finally, we will use CamBench
to compare current misuse detection tools and compare CamBench to related benchmarks
of its domain.'
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Stefan
full_name: Krüger, Stefan
last_name: Krüger
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
citation:
ama: Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic
API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447
apa: Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022).
CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. https://doi.org/10.48550/ARXIV.2204.06447
bibtex: '@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench --
Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447},
author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and
Bodden, Eric and Mezini, Mira}, year={2022} }'
chicago: Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden,
and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark
Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447.
ieee: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, CamBench
-- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022.
mla: Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection
Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447.
short: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench --
Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.
date_created: 2022-07-25T07:56:59Z
date_updated: 2022-07-25T10:23:44Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2204.06447
keyword:
- cryptography
- benchmark
- API misuse
- static analysis
language:
- iso: eng
related_material:
link:
- relation: confirmation
url: https://arxiv.org/abs/2204.06447
status: public
title: CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
type: misc
user_id: '32312'
year: '2022'
...
---
_id: '32410'
abstract:
- lang: eng
text: "Static analysis tools support developers in detecting potential coding issues,
such as bugs or vulnerabilities. Research on static analysis emphasizes its technical
challenges but also mentions severe usability shortcomings. These shortcomings
hinder the adoption of static analysis tools, and in some cases, user dissatisfaction
even leads to tool abandonment.\r\nTo comprehensively assess the current state
of the art, this paper presents the first systematic usability evaluation in a
wide range of static analysis tools. We derived a set of 36 relevant criteria
from the scientific literature and gathered a collection of 46 static analysis
tools complying with our inclusion and exclusion criteria - a representative set
of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill
the aforementioned criteria.\r\nThe evaluation shows that more than half of the
considered tools offer poor warning messages, while about three-quarters of the
tools provide hardly any fix support. Furthermore, the integration of user knowledge
is strongly neglected, which could be used for improved handling of false positives
and tuning the results for the corresponding developer. Finally, issues regarding
workflow integration and specialized user interfaces are proved further.\r\nThese
findings should prove useful in guiding and focusing further research and development
in the area of user experience for static code analyses."
author:
- first_name: Marcus
full_name: Nachtigall, Marcus
id: '41213'
last_name: Nachtigall
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria
Addressed by Static Analysis Tools. In: Proceedings of the 31st ACM SIGSOFT
International Symposium on Software Testing and Analysis. ACM; 2022:532-543.
doi:10.1145/3533767'
apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study
of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the
31st ACM SIGSOFT International Symposium on Software Testing and Analysis,
532–543. https://doi.org/10.1145/3533767
bibtex: '@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale
Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767},
booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software
Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig,
Michael and Bodden, Eric}, year={2022}, pages={532–543} }'
chicago: Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale
Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings
of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis,
532–43. ACM, 2022. https://doi.org/10.1145/3533767.
ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability
Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM
SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp.
532–543, doi: 10.1145/3533767.'
mla: Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed
by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International
Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767.
short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM
SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp.
532–543.'
date_created: 2022-07-25T08:02:36Z
date_updated: 2022-07-26T11:42:23Z
department:
- _id: '76'
doi: 10.1145/3533767
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
page: 532 - 543
publication: Proceedings of the 31st ACM SIGSOFT International Symposium on Software
Testing and Analysis
publication_identifier:
isbn:
- '9781450393799'
publication_status: published
publisher: ACM
quality_controlled: '1'
related_material:
link:
- relation: confirmation
url: https://dl.acm.org/doi/10.1145/3533767.3534374
status: public
title: A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '31133'
abstract:
- lang: eng
text: Application Programming Interfaces (APIs) are the primary mechanism that developers
use to obtain access to third-party algorithms and services. Unfortunately, APIs
can be misused, which can have catastrophic consequences, especially if the APIs
provide security-critical functionalities like cryptography. Understanding what
API misuses are, and for what reasons they are caused, is important to prevent
them, e.g., with API misuse detectors. However, definitions and nominations for
API misuses and related terms in literature vary and are diverse. This paper addresses
the problem of scattered knowledge and definitions of API misuses by presenting
a systematic literature review on the subject and introducing FUM, a novel Framework
for API Usage constraint and Misuse classification. The literature review revealed
that API misuses are violations of API usage constraints. To capture this, we
provide unified definitions and use them to derive FUM. To assess the extent to
which FUM aids in determining and guiding the improvement of an API misuses detectors'
capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse
detector for cryptographic APIs. The study showed that FUM can be used to properly
assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations
and improvements. And it appears that also more generally FUM can aid the development
and improvement of misuse detection tools.
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Steffen
full_name: Sassalla, Steffen
last_name: Sassalla
- first_name: Krishna
full_name: Narasimhan, Krishna
last_name: Narasimhan
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API
Usage constraint and Misuse Classification. In: 2022 IEEE International Conference
on Software Analysis, Evolution and Reengineering (SANER). ; 2022:673-684.
doi:https://doi.org/10.1109/SANER53432.2022.00085'
apa: Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM
- A Framework for API Usage constraint and Misuse Classification. 2022 IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER),
673–684. https://doi.org/10.1109/SANER53432.2022.00085
bibtex: '@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM -
A Framework for API Usage constraint and Misuse Classification}, DOI={https://doi.org/10.1109/SANER53432.2022.00085},
booktitle={2022 IEEE International Conference on Software Analysis, Evolution
and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen
and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }'
chicago: Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
“FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022
IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER), 673–84, 2022. https://doi.org/10.1109/SANER53432.2022.00085.
ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework
for API Usage constraint and Misuse Classification,” in 2022 IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2022,
pp. 673–684, doi: https://doi.org/10.1109/SANER53432.2022.00085.'
mla: Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and
Misuse Classification.” 2022 IEEE International Conference on Software Analysis,
Evolution and Reengineering (SANER), 2022, pp. 673–84, doi:https://doi.org/10.1109/SANER53432.2022.00085.
short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp.
673–684.'
date_created: 2022-05-09T13:04:10Z
date_updated: 2022-07-26T11:42:30Z
department:
- _id: '76'
doi: https://doi.org/10.1109/SANER53432.2022.00085
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
page: 673 - 684
publication: 2022 IEEE International Conference on Software Analysis, Evolution and
Reengineering (SANER)
quality_controlled: '1'
related_material:
link:
- relation: confirmation
url: https://ieeexplore.ieee.org/document/9825763
status: public
title: FUM - A Framework for API Usage constraint and Misuse Classification
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '34057'
author:
- first_name: Faruk
full_name: Pasic, Faruk
last_name: Pasic
- first_name: Matthias
full_name: Becker, Matthias
last_name: Becker
citation:
ama: 'Pasic F, Becker M. Domain-specific Language for Condition Monitoring Software
Development. In: 2022 IEEE 27th International Conference on Emerging Technologies
and Factory Automation (ETFA). IEEE; 2022. doi:10.1109/etfa52439.2022.9921730'
apa: Pasic, F., & Becker, M. (2022). Domain-specific Language for Condition
Monitoring Software Development. 2022 IEEE 27th International Conference on
Emerging Technologies and Factory Automation (ETFA). https://doi.org/10.1109/etfa52439.2022.9921730
bibtex: '@inproceedings{Pasic_Becker_2022, title={Domain-specific Language for Condition
Monitoring Software Development}, DOI={10.1109/etfa52439.2022.9921730},
booktitle={2022 IEEE 27th International Conference on Emerging Technologies and
Factory Automation (ETFA)}, publisher={IEEE}, author={Pasic, Faruk and Becker,
Matthias}, year={2022} }'
chicago: Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition
Monitoring Software Development.” In 2022 IEEE 27th International Conference
on Emerging Technologies and Factory Automation (ETFA). IEEE, 2022. https://doi.org/10.1109/etfa52439.2022.9921730.
ieee: 'F. Pasic and M. Becker, “Domain-specific Language for Condition Monitoring
Software Development,” 2022, doi: 10.1109/etfa52439.2022.9921730.'
mla: Pasic, Faruk, and Matthias Becker. “Domain-Specific Language for Condition
Monitoring Software Development.” 2022 IEEE 27th International Conference on
Emerging Technologies and Factory Automation (ETFA), IEEE, 2022, doi:10.1109/etfa52439.2022.9921730.
short: 'F. Pasic, M. Becker, in: 2022 IEEE 27th International Conference on Emerging
Technologies and Factory Automation (ETFA), IEEE, 2022.'
date_created: 2022-11-10T14:30:16Z
date_updated: 2022-11-10T14:30:42Z
department:
- _id: '241'
- _id: '76'
doi: 10.1109/etfa52439.2022.9921730
publication: 2022 IEEE 27th International Conference on Emerging Technologies and
Factory Automation (ETFA)
publication_status: published
publisher: IEEE
status: public
title: Domain-specific Language for Condition Monitoring Software Development
type: conference
user_id: '49576'
year: '2022'
...