---
_id: '52235'
abstract:
- lang: eng
text: "Android applications collecting data from users must protect it according
to the current legal frameworks. Such data protection has become even more important
since the European Union rolled out the General Data Protection Regulation (GDPR).
Since app developers are not legal experts, they find it difficult to write privacy-aware
source code. Moreover, they have limited tool support to reason about data protection
throughout their app development process.\r\nThis paper motivates the need for
a static analysis approach to diagnose and explain data protection in Android
apps. The analysis will recognize personal data sources in the source code, and
aims to further examine the data flow originating from these sources. App developers
can then address key questions about data manipulation, derived data, and the
presence of technical measures. Despite challenges, we explore to what extent
one can realize this analysis through static taint analysis, a common method for
identifying security vulnerabilities. This is a first step towards designing a
tool-based approach that aids app developers and assessors in ensuring data protection
in Android apps, based on automated static program analysis. "
author:
- first_name: Mugdha
full_name: Khedkar, Mugdha
id: '88024'
last_name: Khedkar
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection.
In: Proceedings of the 9th International Conference on Mobile Software Engineering
and Systems. ; 2024.'
apa: Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach
for Data Protection. Proceedings of the 9th International Conference on Mobile
Software Engineering and Systems. 9th International Conference on Mobile Software
Engineering and Systems 2024, Lisbon, Portugal.
bibtex: '@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis
Approach for Data Protection}, booktitle={Proceedings of the 9th International
Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha
and Bodden, Eric}, year={2024} }'
chicago: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
for Data Protection.” In Proceedings of the 9th International Conference on
Mobile Software Engineering and Systems, 2024.
ieee: M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for
Data Protection,” presented at the 9th International Conference on Mobile Software
Engineering and Systems 2024, Lisbon, Portugal, 2024.
mla: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
for Data Protection.” Proceedings of the 9th International Conference on Mobile
Software Engineering and Systems, 2024.
short: 'M. Khedkar, E. Bodden, in: Proceedings of the 9th International Conference
on Mobile Software Engineering and Systems, 2024.'
conference:
end_date: 2024-04-15
location: Lisbon, Portugal
name: 9th International Conference on Mobile Software Engineering and Systems 2024
start_date: 2024-04-14
date_created: 2024-03-03T14:37:53Z
date_updated: 2024-03-06T13:00:38Z
ddc:
- '006'
department:
- _id: '76'
external_id:
arxiv:
- '2402.07889'
file:
- access_level: closed
content_type: application/pdf
creator: khedkarm
date_created: 2024-03-03T14:39:08Z
date_updated: 2024-03-03T14:39:08Z
file_id: '52236'
file_name: 2402.07889v1.pdf
file_size: 530812
relation: main_file
success: 1
file_date_updated: 2024-03-03T14:39:08Z
has_accepted_license: '1'
keyword:
- static program analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
license: https://creativecommons.org/licenses/by/4.0/
publication: Proceedings of the 9th International Conference on Mobile Software Engineering
and Systems
status: public
title: Toward an Android Static Analysis Approach for Data Protection
type: conference
user_id: '88024'
year: '2024'
...
---
_id: '52587'
author:
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Markus
full_name: Fockel, Markus
last_name: Fockel
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
citation:
ama: Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation
and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. doi:10.1109/msec.2023.3336028
apa: Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating
Security Through Isolation and Defense in Depth. IEEE Security & Privacy,
22(1), 69–72. https://doi.org/10.1109/msec.2023.3336028
bibtex: '@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security
Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028},
number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical
and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and
Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }'
chicago: 'Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating
Security Through Isolation and Defense in Depth.” IEEE Security & Privacy
22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.'
ieee: 'E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security
Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol.
22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.'
mla: Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in
Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical
and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028.
short: E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy
22 (2024) 69–72.
date_created: 2024-03-15T20:16:18Z
date_updated: 2024-03-15T20:25:13Z
department:
- _id: '152'
- _id: '76'
- _id: '241'
doi: 10.1109/msec.2023.3336028
intvolume: ' 22'
issue: '1'
keyword:
- Law
- Electrical and Electronic Engineering
- Computer Networks and Communications
language:
- iso: eng
page: 69-72
publication: IEEE Security & Privacy
publication_identifier:
issn:
- 1540-7993
- 1558-4046
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
quality_controlled: '1'
status: public
title: Evaluating Security Through Isolation and Defense in Depth
type: journal_article
user_id: '405'
volume: 22
year: '2024'
...
---
_id: '52663'
abstract:
- lang: eng
text: "Context\r\nStatic analyses are well-established to aid in understanding bugs
or vulnerabilities during the development process or in large-scale studies. A
low false-positive rate is essential for the adaption in practice and for precise
results of empirical studies. Unfortunately, static analyses tend to report where
a vulnerability manifests rather than the fix location. This can cause presumed
false positives or imprecise results.\r\nMethod\r\nTo address this problem, we
designed an adaption of an existing static analysis algorithm that can distinguish
between a manifestation and fix location, and reports error chains. An error chain
represents at least two interconnected errors that occur successively, thus building
the connection between the fix and manifestation location. We used our tool CogniCryptSUBS
for a case study on 471 GitHub repositories, a performance benchmark to compare
different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe
found that 50 % of the projects with a report had at least one error chain. Our
runtime benchmark demonstrated that our improvement caused only a minimal runtime
overhead of less than 4 %. The results of our expert interview indicate that with
our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur
results indicate that error chains occur frequently in real-world projects, and
ignoring them can lead to imprecise evaluation results. The runtime benchmark
indicates that our tool is a feasible and efficient solution for detecting error
chains in real-world projects. Further, our results gave a hint that the usability
of static analyses may benefit from supporting error chains."
author:
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Marvin
full_name: Vogel, Marvin
last_name: Vogel
- first_name: Lukas
full_name: Winter, Lukas
last_name: Winter
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting
Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.;
2024.
apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden,
E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation
Results and Enhanced Usability.
bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting
Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability},
author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and
Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }'
chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter,
Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for
Precise Evaluation Results and Enhanced Usability, 2024.
ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden,
Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability. 2024.
mla: Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis
for Precise Evaluation Results and Enhanced Usability. 2024.
short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden,
Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability, 2024.
date_created: 2024-03-20T09:28:36Z
date_updated: 2024-03-20T09:32:29Z
department:
- _id: '76'
keyword:
- Static analysis
- error chains
- false positive reduction
- empirical studies
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/2403.07808
status: public
title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability
type: misc
user_id: '32312'
year: '2024'
...
---
_id: '35083'
author:
- first_name: Andreas Peter
full_name: Dann, Andreas Peter
id: '26886'
last_name: Dann
- first_name: Ben
full_name: Hermann, Ben
id: '66173'
last_name: Hermann
orcid: 0000-0001-9848-2017
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies.
Published online 2023.'
apa: 'Dann, A. P., Hermann, B., & Bodden, E. (2023). UpCy: Safely Updating
Outdated Dependencies.'
bibtex: '@article{Dann_Hermann_Bodden_2023, series={International Conference on
Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies},
author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International
Conference on Software Engineering (ICSE)} }'
chicago: 'Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating
Outdated Dependencies.” International Conference on Software Engineering (ICSE),
2023.'
ieee: 'A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.”
2023.'
mla: 'Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies.
2023.'
short: A.P. Dann, B. Hermann, E. Bodden, (2023).
date_created: 2023-01-02T09:26:50Z
date_updated: 2023-01-02T09:28:32Z
department:
- _id: '76'
language:
- iso: eng
series_title: International Conference on Software Engineering (ICSE)
status: public
title: 'UpCy: Safely Updating Outdated Dependencies'
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '41812'
author:
- first_name: Linghui
full_name: Luo, Linghui
last_name: Luo
- first_name: Goran
full_name: Piskachev, Goran
id: '41936'
last_name: Piskachev
orcid: 0000-0003-4424-5838
- first_name: Ranjith
full_name: Krishnamurthy, Ranjith
id: '78060'
last_name: Krishnamurthy
orcid: 0000-0002-0906-5463
- first_name: Julian
full_name: Dolby, Julian
last_name: Dolby
- first_name: Martin
full_name: Schäf, Martin
last_name: Schäf
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation
For Java Frameworks. In: IEEE International Conference on Software Testing,
Verification and Validation (ICST). ; 2023.'
apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden,
E. (2023). Model Generation For Java Frameworks. IEEE International Conference
on Software Testing, Verification and Validation (ICST).
bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model
Generation For Java Frameworks}, booktitle={IEEE International Conference on Software
Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev,
Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden,
Eric}, year={2023} }'
chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin
Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International
Conference on Software Testing, Verification and Validation (ICST), 2023.
ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden,
“Model Generation For Java Frameworks,” 2023.
mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International
Conference on Software Testing, Verification and Validation (ICST), 2023.
short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in:
IEEE International Conference on Software Testing, Verification and Validation
(ICST), 2023.'
date_created: 2023-02-06T10:37:23Z
date_updated: 2023-02-06T10:42:29Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
publication: IEEE International Conference on Software Testing, Verification and Validation
(ICST)
status: public
title: Model Generation For Java Frameworks
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '41813'
author:
- first_name: Ashwin Prasad
full_name: Shivarpatna Venkatesh, Ashwin Prasad
id: '66637'
last_name: Shivarpatna Venkatesh
- first_name: Jiawei
full_name: Wang, Jiawei
last_name: Wang
- first_name: Li
full_name: Li, Li
last_name: Li
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023.'
apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER).
bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER)},
author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden,
Eric}, year={2023} }'
chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden.
“Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.”
In IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER), 2023.
ieee: A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis,” 2023.
mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation
in Jupyter Notebooks with Static Analysis.” IEEE International Conference on
Software Analysis, Evolution and Reengineering (SANER), 2023.
short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.'
date_created: 2023-02-06T10:44:08Z
date_updated: 2023-02-06T10:46:00Z
department:
- _id: '76'
language:
- iso: eng
publication: IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER)
status: public
title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '45312'
author:
- first_name: Kadiray
full_name: Karakaya, Kadiray
last_name: Karakaya
- first_name: Eric
full_name: Bodden, Eric
last_name: Bodden
citation:
ama: 'Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven
Pointer Analysis. In: 2023 IEEE Conference on Software Testing, Verification
and Validation (ICST). IEEE; 2023. doi:10.1109/icst57152.2023.00036'
apa: Karakaya, K., & Bodden, E. (2023). Two Sparsification Strategies for Accelerating
Demand-Driven Pointer Analysis. 2023 IEEE Conference on Software Testing, Verification
and Validation (ICST). https://doi.org/10.1109/icst57152.2023.00036
bibtex: '@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies
for Accelerating Demand-Driven Pointer Analysis}, DOI={10.1109/icst57152.2023.00036},
booktitle={2023 IEEE Conference on Software Testing, Verification and Validation
(ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023}
}'
chicago: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for
Accelerating Demand-Driven Pointer Analysis.” In 2023 IEEE Conference on Software
Testing, Verification and Validation (ICST). IEEE, 2023. https://doi.org/10.1109/icst57152.2023.00036.
ieee: 'K. Karakaya and E. Bodden, “Two Sparsification Strategies for Accelerating
Demand-Driven Pointer Analysis,” 2023, doi: 10.1109/icst57152.2023.00036.'
mla: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating
Demand-Driven Pointer Analysis.” 2023 IEEE Conference on Software Testing,
Verification and Validation (ICST), IEEE, 2023, doi:10.1109/icst57152.2023.00036.
short: 'K. Karakaya, E. Bodden, in: 2023 IEEE Conference on Software Testing, Verification
and Validation (ICST), IEEE, 2023.'
date_created: 2023-05-29T12:09:43Z
date_updated: 2023-05-29T12:12:17Z
department:
- _id: '76'
doi: 10.1109/icst57152.2023.00036
publication: 2023 IEEE Conference on Software Testing, Verification and Validation
(ICST)
publication_status: published
publisher: IEEE
status: public
title: Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis
type: conference
user_id: '70410'
year: '2023'
...
---
_id: '46816'
author:
- first_name: Adriano
full_name: Torres, Adriano
last_name: Torres
- first_name: Pedro
full_name: Costa, Pedro
last_name: Costa
- first_name: Luis
full_name: Amaral, Luis
last_name: Amaral
- first_name: Jonata
full_name: Pastro, Jonata
last_name: Pastro
- first_name: Rodrigo
full_name: Bonifácio, Rodrigo
last_name: Bonifácio
- first_name: Marcelo
full_name: d'Amorim, Marcelo
last_name: d'Amorim
- first_name: Owolabi
full_name: Legunsen, Owolabi
last_name: Legunsen
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Edna
full_name: Dias Canedo, Edna
last_name: Dias Canedo
citation:
ama: 'Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An
Empirical Study. IEEE Transactions on Software Engineering. 2023;49(10):4510-4525.
doi:10.1109/tse.2023.3301660'
apa: 'Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M.,
Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of
Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering,
49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660'
bibtex: '@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias
Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study},
volume={49}, DOI={10.1109/tse.2023.3301660},
number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute
of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa,
Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim,
Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023},
pages={4510–4525} }'
chicago: 'Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio,
Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime
Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software
Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660.'
ieee: 'A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical
Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp.
4510–4525, 2023, doi: 10.1109/tse.2023.3301660.'
mla: 'Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical
Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute
of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.'
short: A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O.
Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering
49 (2023) 4510–4525.
date_created: 2023-09-06T07:42:40Z
date_updated: 2023-12-04T11:05:26Z
department:
- _id: '76'
doi: 10.1109/tse.2023.3301660
intvolume: ' 49'
issue: '10'
keyword:
- Software
language:
- iso: eng
page: 4510 - 4525
publication: IEEE Transactions on Software Engineering
publication_identifier:
issn:
- 0098-5589
- 1939-3520
- 2326-3881
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
status: public
title: 'Runtime Verification of Crypto APIs: An Empirical Study'
type: journal_article
user_id: '15249'
volume: 49
year: '2023'
...
---
_id: '49439'
abstract:
- lang: eng
text: The use of static analysis security
testing (SAST) tools has been increasing in recent years. However, previous studies
have shown that, when shipped to end users such as development or security teams,
the findings of these tools are often unsatisfying. Users report high numbers
of false positives or long analysis times, making the tools unusable in the daily
workflow. To address this, SAST tool creators provide a wide range of configuration
options, such as customization of rules through domain-specific languages or specification
of the application-specific analysis scope. In this paper, we study the configuration
space of selected existing SAST tools when used within the integrated development
environment (IDE). We focus on the configuration options that impact three dimensions,
for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime.
We perform a between-subjects user study with 40 users from multiple development
and security teams - to our knowledge, the largest population for this kind of
user study in the software engineering community. The results show that users
who configure SAST tools are more effective in resolving security vulnerabilities
detected by the tools than those using the default configuration. Based on post-study
interviews, we identify common strategies that users have while configuring the
SAST tools to provide further insights for tool creators. Finally, an evaluation
of the configuration options of two commercial SAST tools, Fortify
and CheckMarx, reveals that a quarter of the users do not understand
the configuration options provided. The configuration options that are found most
useful relate to the analysis scope.
article_number: '118'
author:
- first_name: Goran
full_name: Piskachev, Goran
id: '41936'
last_name: Piskachev
orcid: 0000-0003-4424-5838
- first_name: Matthias
full_name: Becker, Matthias
id: '4870'
last_name: Becker
orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make
resolving security vulnerabilities more effective? - A user study. Empirical
Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3
apa: Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of
static analyses make resolving security vulnerabilities more effective? - A user
study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3
bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of
static analyses make resolving security vulnerabilities more effective? - A user
study}, volume={28}, DOI={10.1007/s10664-023-10354-3},
number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science
and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden,
Eric}, year={2023} }'
chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration
of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A
User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3.
ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static
analyses make resolving security vulnerabilities more effective? - A user study,”
Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi:
10.1007/s10664-023-10354-3.'
mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving
Security Vulnerabilities More Effective? - A User Study.” Empirical Software
Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC,
2023, doi:10.1007/s10664-023-10354-3.
short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).
date_created: 2023-12-04T11:14:34Z
date_updated: 2023-12-04T11:29:49Z
department:
- _id: '76'
- _id: '662'
doi: 10.1007/s10664-023-10354-3
intvolume: ' 28'
issue: '5'
keyword:
- Software
language:
- iso: eng
publication: Empirical Software Engineering
publication_identifier:
issn:
- 1382-3256
- 1573-7616
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Can the configuration of static analyses make resolving security vulnerabilities
more effective? - A user study
type: journal_article
user_id: '15249'
volume: 28
year: '2023'
...
---
_id: '49438'
author:
- first_name: Stefan
full_name: Krüger, Stefan
last_name: Krüger
- first_name: Michael
full_name: Reif, Michael
last_name: Reif
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Sarah
full_name: Nadi, Sarah
last_name: Nadi
- first_name: Karim
full_name: Ali, Karim
last_name: Ali
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Yasemin
full_name: Acar, Yasemin
id: '94636'
last_name: Acar
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
- first_name: Sascha
full_name: Fahl, Sascha
last_name: Fahl
citation:
ama: 'Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through
Tool Support - A Usability Study. In: 2023 IEEE Secure Development Conference
(SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015'
apa: Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar,
Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through
Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev).
https://doi.org/10.1109/secdev56634.2023.00015
bibtex: '@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023,
title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study},
DOI={10.1109/secdev56634.2023.00015},
booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE},
author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi,
Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl,
Sascha}, year={2023} }'
chicago: Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim
Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API
Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development
Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015.
ieee: 'S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support
- A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.'
mla: Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support
- A Usability Study.” 2023 IEEE Secure Development Conference (SecDev),
IEEE, 2023, doi:10.1109/secdev56634.2023.00015.
short: 'S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar,
M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE,
2023.'
date_created: 2023-12-04T11:07:08Z
date_updated: 2023-12-04T11:14:10Z
department:
- _id: '76'
- _id: '740'
doi: 10.1109/secdev56634.2023.00015
language:
- iso: eng
publication: 2023 IEEE Secure Development Conference (SecDev)
publication_status: published
publisher: IEEE
status: public
title: Securing Your Crypto-API Usage Through Tool Support - A Usability Study
type: conference
user_id: '15249'
year: '2023'
...