TY - JOUR AU - Maack, Marten ID - 44077 IS - 3 JF - Operations Research Letters KW - Applied Mathematics KW - Industrial and Manufacturing Engineering KW - Management Science and Operations Research KW - Software SN - 0167-6377 TI - Online load balancing on uniform machines with limited migration VL - 51 ER - TY - JOUR AB - The success of engineering complex technical systems is determined by meeting customer requirements and institutional regulations. One example relevant to the automobile industry is the United Nations Economic Commission of Europe (UN ECE), which specifies the homologation of automobile series and requires proof of traceability. The required traceability can be achieved by modeling system artifacts and their relations in a consistent, seamless model—an effect-chain model. Currently, no in-depth methodology exists to support engineers in developing certification-compliant effect-chain models. For this purpose, a new methodology for certification-compliant effect-chain modeling was developed, which includes extensions of an existing method, suitable models, and tools to support engineers in the modeling process. For evaluation purposes, applicability is proven based on the experience of more than 300 workshops at an automotive OEM and an automotive supplier. The following case example is chosen to demonstrate applicability: the development of a window lifter that has to meet the demands of UN ECE Regulations R156 and R21. Results indicate multiple benefits in supporting engineers with the certification-compliant modeling of effect chains. Three benefits are goal-oriented modeling to reduce the necessary modeling capacity, increasing model quality by applying information quality criteria, and the potential to reduce costs through automatable effect-chain analyses for technical changes. 
Further, companies in the automotive and other industries will benefit from increased modeling capabilities that can be used for architecture modeling and to comply with other regulations such as ASPICE or ISO 26262. AU - Gräßler, Iris AU - Wiechel, Dominik AU - Koch, Anna-Sophie AU - Sturm, Tim AU - Markfelder, Thomas ID - 44382 IS - 3 JF - Systems KW - Information Systems and Management KW - Computer Networks and Communications KW - Modeling and Simulation KW - Control and Systems Engineering KW - Software SN - 2079-8954 TI - Methodology for Certification-Compliant Effect-Chain Modeling VL - 11 ER - TY - JOUR AB - The non-orthogonal local submatrix method applied to electronic structure–based molecular dynamics simulations is shown to exceed 1.1 EFLOP/s in FP16/FP32-mixed floating-point arithmetic when using 4400 NVIDIA A100 GPUs of the Perlmutter system. This is enabled by a modification of the original method that pushes the sustained fraction of the peak performance to about 80%. Example calculations are performed for SARS-CoV-2 spike proteins with up to 83 million atoms. AU - Schade, Robert AU - Kenter, Tobias AU - Elgabarty, Hossam AU - Lass, Michael AU - Kühne, Thomas AU - Plessl, Christian ID - 45361 JF - The International Journal of High Performance Computing Applications KW - Hardware and Architecture KW - Theoretical Computer Science KW - Software SN - 1094-3420 TI - Breaking the exascale barrier for the electronic structure problem in ab-initio molecular dynamics ER - TY - JOUR AB - The introduction of Systems Engineering is an approach for dealing with the increasing complexity of products and their associated product development. Several introduction strategies are available in the literature; nevertheless, the introduction of Systems Engineering into practice still poses a great challenge to companies. Many companies have already gained experience in the introduction of Systems Engineering. 
Therefore, as part of the SE4OWL research project, the need to conduct a study including expert interviews and to collect the experiences of experts was identified. A total of 78 hypotheses were identified from 13 expert interviews concerning the lessons learned. Using exclusion criteria, 52 hypotheses were validated in a subsequent quantitative survey with 112 participants. Of these 52 hypotheses, 40 could be confirmed based on the survey results. Only four hypotheses were rejected, and eight could neither be confirmed nor rejected. Through this research, guidance is provided to companies to leverage best practices for the introduction of their own Systems Engineering and to avoid the poor practices of other companies. AU - Wilke, Daria AU - Grothe, Robin AU - Bretz, Lukas AU - Anacker, Harald AU - Dumitrescu, Roman ID - 47800 IS - 3 JF - Systems KW - Information Systems and Management KW - Computer Networks and Communications KW - Modeling and Simulation KW - Control and Systems Engineering KW - Software SN - 2079-8954 TI - Lessons Learned from the Introduction of Systems Engineering VL - 11 ER - TY - JOUR AB - Explainable artificial intelligence has mainly focused on static learning scenarios so far. We are interested in dynamic scenarios where data is sampled progressively, and learning is done in an incremental rather than a batch mode. We seek efficient incremental algorithms for computing feature importance (FI). Permutation feature importance (PFI) is a well-established model-agnostic measure to obtain global FI based on feature marginalization of absent features. We propose an efficient, model-agnostic algorithm called iPFI to estimate this measure incrementally and under dynamic modeling conditions including concept drift. We prove theoretical guarantees on the approximation quality in terms of expectation and variance. 
To validate our theoretical findings and the efficacy of our approaches in incremental scenarios dealing with streaming data rather than traditional batch settings, we conduct multiple experimental studies on benchmark data with and without concept drift. AU - Fumagalli, Fabian AU - Muschalik, Maximilian AU - Hüllermeier, Eyke AU - Hammer, Barbara ID - 48777 JF - Machine Learning KW - Artificial Intelligence KW - Software SN - 0885-6125 TI - Incremental permutation feature importance (iPFI): towards online explanations on data streams ER - TY - JOUR AU - Torres, Adriano AU - Costa, Pedro AU - Amaral, Luis AU - Pastro, Jonata AU - Bonifácio, Rodrigo AU - d'Amorim, Marcelo AU - Legunsen, Owolabi AU - Bodden, Eric AU - Dias Canedo, Edna ID - 46816 IS - 10 JF - IEEE Transactions on Software Engineering KW - Software SN - 0098-5589 TI - Runtime Verification of Crypto APIs: An Empirical Study VL - 49 ER - TY - JOUR AB - The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. 
We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. The configuration options that are found most useful relate to the analysis scope. AU - Piskachev, Goran AU - Becker, Matthias AU - Bodden, Eric ID - 49439 IS - 5 JF - Empirical Software Engineering KW - Software SN - 1382-3256 TI - Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study VL - 28 ER - TY - JOUR AB - Workarounds are goal‐driven deviations from the standard operating procedures performed to overcome obstacles constraining day‐to‐day work. Despite starting as temporary fixes, they can become established across an organisation and trigger the innovation of processes and IT artefacts that can resolve misfits permanently. Although prior research has elicited antecedents and types of workarounds, it is not known how workarounds diffuse in an organisation and, thereby, innovating co‐workers' activities, IT artefacts, and organisational structures. The results of our multiple two‐year case study provide unique empirical insights into the diffusion of workarounds and how they can act as generative mechanisms for bottom‐up process innovation. 
AU - Bartelheimer, Christian AU - Wolf, Verena AU - Beverungen, Daniel ID - 51770 IS - 5 JF - Information Systems Journal KW - Computer Networks and Communications KW - Information Systems KW - Software SN - 1350-1917 TI - Workarounds as generative mechanisms for bottom‐up process innovation—Insights from a multiple case study VL - 33 ER - TY - JOUR AB - Explainable artificial intelligence has mainly focused on static learning scenarios so far. We are interested in dynamic scenarios where data is sampled progressively, and learning is done in an incremental rather than a batch mode. We seek efficient incremental algorithms for computing feature importance (FI). Permutation feature importance (PFI) is a well-established model-agnostic measure to obtain global FI based on feature marginalization of absent features. We propose an efficient, model-agnostic algorithm called iPFI to estimate this measure incrementally and under dynamic modeling conditions including concept drift. We prove theoretical guarantees on the approximation quality in terms of expectation and variance. To validate our theoretical findings and the efficacy of our approaches in incremental scenarios dealing with streaming data rather than traditional batch settings, we conduct multiple experimental studies on benchmark data with and without concept drift. AU - Fumagalli, Fabian AU - Muschalik, Maximilian AU - Hüllermeier, Eyke AU - Hammer, Barbara ID - 50262 IS - 12 JF - Machine Learning KW - Artificial Intelligence KW - Software SN - 0885-6125 TI - Incremental permutation feature importance (iPFI): towards online explanations on data streams VL - 112 ER - TY - CHAP AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. 
These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools offer poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for instance, to improve handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses. AU - Nachtigall, Marcus AU - Schlichtig, Michael AU - Bodden, Eric ID - 52662 KW - Automated static analysis KW - Software usability SN - 978-3-88579-726-5 T2 - Software Engineering 2023 TI - Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale ER - TY - JOUR AB - System-level interconnects provide the backbone for increasingly complex systems on a chip. Their vulnerability to electromigration and crosstalk can lead to serious reliability and safety issues during the system lifetime. This article presents an approach for periodic in-system testing which maintains a reliability profile to detect potential problems before they actually cause a failure. Relying on a common infrastructure for EM-aware system workload management and test, it minimizes the stress induced by the test itself and contributes to the self-healing of system-induced electromigration degradations. 
AU - Sadeghi-Kohan, Somayeh AU - Hellebrand, Sybille AU - Wunderlich, Hans-Joachim ID - 46264 JF - IEEE Design & Test KW - Electrical and Electronic Engineering KW - Hardware and Architecture KW - Software SN - 2168-2356 TI - Workload-Aware Periodic Interconnect BIST ER - TY - CONF AB - To build successful software products, developers continuously have to discover what features the users really need. This discovery can be achieved with continuous experimentation, testing different software variants with distinct user groups, and deploying the superior variant for all users. However, existing approaches do not focus on explicit modeling of variants and experiments, which offers advantages such as traceability of decisions and combinability of experiments. Therefore, our vision is the provision of model-driven continuous experimentation, which provides the developer with a framework for structuring the experimentation process. For that, we introduce the overall concept, apply it to the experimentation on component-based software architectures and point out future research questions. In particular, we show the applicability by combining feature models for modeling the software variants, users, and experiments (i.e., model-driven) with MAPE-K for the adaptation (i.e., continuous experimentation) and implementing the concept based on the component-based Angular framework. AU - Gottschalk, Sebastian AU - Yigitbas, Enes AU - Engels, Gregor ID - 29842 KW - continuous experimentation KW - model-driven KW - component-based software architectures KW - self-adaptation T2 - Proceedings of the 18th International Conference on Software Architecture Companion TI - Model-driven Continuous Experimentation on Component-based Software Architectures ER - TY - CONF AB - Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. 
Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment. To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria. The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further. These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses. AU - Nachtigall, Marcus AU - Schlichtig, Michael AU - Bodden, Eric ID - 32410 KW - Automated static analysis KW - Software usability SN - 9781450393799 T2 - Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis TI - A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools ER - TY - JOUR AB - Many critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. 
SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems. AU - Schubert, Philipp AU - Gazzillo, Paul AU - Patterson, Zach AU - Braha, Julian AU - Schiebel, Fabian AU - Hermann, Ben AU - Wei, Shiyi AU - Bodden, Eric ID - 30511 IS - 1 JF - Automated Software Engineering KW - inter-procedural static analysis KW - software product lines KW - preprocessor KW - LLVM KW - C/C++ SN - 0928-8910 TI - Static data-flow analysis for software product lines in C VL - 29 ER - TY - JOUR AB - Distributed, software-intensive systems (e.g., in the automotive sector) must fulfill communication requirements under hard real-time constraints. The requirements have to be documented and validated carefully using a systematic requirements engineering (RE) approach, for example, by applying scenario-based requirements notations. 
The resources of the execution platforms and their properties (e.g., CPU frequency or bus throughput) induce effects on the timing behavior, which may lead to violations of the real-time requirements. Nowadays, the platform properties and their induced timing effects are verified against the real-time requirements by means of timing analysis techniques mostly implemented in commercial-off-the-shelf tools. However, such timing analyses are conducted in late development phases since they rely on artifacts produced during these phases (e.g., the platform-specific code). In order to enable early timing analyses already during RE, we extend a scenario-based requirements notation with allocation means to platform models and define operational semantics for the purpose of simulation-based, platform-aware timing analyses. We illustrate and evaluate the approach with an automotive software-intensive system. AU - Holtmann, Jörg AU - Deantoni, Julien AU - Fockel, Markus ID - 31071 JF - Software and Systems Modeling KW - Modeling and Simulation KW - Software SN - 1619-1366 TI - Early timing analysis based on scenario requirements and platform models ER - TY - JOUR AB - Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? 
To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256 515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged. AU - Sayar, Imen AU - Bartel, Alexandre AU - Bodden, Eric AU - Le Traon, Yves ID - 33835 JF - ACM Transactions on Software Engineering and Methodology KW - Software SN - 1049-331X TI - An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities ER - TY - JOUR AB - Given a steadily increasing demand on multi-material lightweight designs, fast and cost-efficient production technologies, such as the mechanical joining process clinching, are becoming more and more relevant for series production. 
Since the application of such joining techniques often base on the ability to reach similar or even better joint loading capacities compared to established joining processes (e.g., spot welding), few contributions investigated the systematic improvement of clinch joint characteristics. In this regard, the use of data-driven methods in combination with optimization algorithms showed already high potentials for the analysis of individual joints and the definition of optimal tool configurations. However, the often missing consideration of uncertainties, such as varying material properties, and the related calculation of their impact on clinch joint properties can lead to poor estimation results and thus to a decreased reliability of the entire joint connection. This can cause major challenges, especially for the design and dimensioning of safety-relevant components, such as in car bodies. Motivated by this, the presented contribution introduces a novel method for the robust estimation of clinch joint characteristics including uncertainties of varying and versatile process chains in mechanical joining. Therefore, the utilization of Gaussian process regression models is demonstrated and evaluated regarding the ability to achieve sufficient prediction qualities. AU - Zirngibl, Christoph AU - Schleich, Benjamin AU - Wartzack, Sandro ID - 34414 JF - The International Journal of Advanced Manufacturing Technology KW - Industrial and Manufacturing Engineering KW - Computer Science Applications KW - Mechanical Engineering KW - Software KW - Control and Systems Engineering SN - 0268-3768 TI - Robust estimation of clinch joint characteristics based on data-driven methods ER - TY - CONF AB - Due to the increasing influences of a VUCA world, design thinking workshops have been established as a standard technique to build solutions according to uncertain customer needs. 
Concerning the ongoing pandemic and rising development of solutions across organizations, more and more workshops were conducted online with software support. However, existing software tools insufficiently address the different workshop situations in terms of the process (i.e., fixed tasks to conduct), the place (e.g., static online whiteboards), and people (i.e., synchronous working of all stakeholders). Therefore, we propose a design science study to develop a situation-specific software support that can be configured with flexible development processes, different places, and task-related people. Based on practical experience in existing research projects, we derive the initial design requirements and map them to a set of design principles. Out of that, we design a concept with its implementation as a software tool and point out open challenges. AU - Gottschalk, Sebastian AU - Yigitbas, Enes AU - Nowosad, Alexander AU - Engels, Gregor ID - 32309 KW - design thinking KW - situation-specific KW - cross-organizational KW - software support T2 - Proceedings of the 5th International Workshop on Software-intensive Business (IWSiB'22) TI - Towards Situation-specific Software Support for Cross-organizational Design Thinking Processes ER - TY - JOUR AB - In this paper, we investigate the parameterized complexity of model checking for Dependence and Independence logic, which are well studied logics in the area of Team Semantics. We start with a list of nine immediate parameterizations for this problem, namely the number of disjunctions (i.e. splits)/(free) variables/universal quantifiers, formula-size, the tree-width of the Gaifman graph of the input structure, the size of the universe/team and the arity of dependence atoms. We present a comprehensive picture of the parameterized complexity of model checking and obtain a division of the problem into tractable and various intractable degrees. 
Furthermore, we also consider the complexity of the most important variants (data and expression complexity) of the model checking problem by fixing parts of the input. AU - Kontinen, Juha AU - Meier, Arne AU - Mahmood, Yasir ID - 45847 IS - 8 JF - Journal of Logic and Computation KW - Logic KW - Hardware and Architecture KW - Arts and Humanities (miscellaneous) KW - Software KW - Theoretical Computer Science SN - 0955-792X TI - A parameterized view on the complexity of dependence and independence logic VL - 32 ER - TY - JOUR AU - Schade, Robert AU - Kenter, Tobias AU - Elgabarty, Hossam AU - Lass, Michael AU - Schütt, Ole AU - Lazzaro, Alfio AU - Pabst, Hans AU - Mohr, Stephan AU - Hutter, Jürg AU - Kühne, Thomas AU - Plessl, Christian ID - 33684 JF - Parallel Computing KW - Artificial Intelligence KW - Computer Graphics and Computer-Aided Design KW - Computer Networks and Communications KW - Hardware and Architecture KW - Theoretical Computer Science KW - Software SN - 0167-8191 TI - Towards electronic structure-based ab-initio molecular dynamics simulations with hundreds of millions of atoms VL - 111 ER -