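@comment{
  Publication list (Schlichtig et al.). Entries were auto-exported with every
  field value double-braced; that form makes BibTeX treat a whole author list as
  one corporate name (no " and " splitting) and disables style casing on titles.
  Fields below are single-braced, with only acronyms/proper nouns protected, and
  the whole title kept double-braced only for German titles (noun capitalisation
  must survive sentence-casing styles); those entries also carry langid.
  DOIs are stored bare (no https://doi.org/ prefix), page ranges use "--",
  and % / & in abstracts and publisher names are escaped for LaTeX.
  Conference cities are stored in venue (biblatex), not in the publisher's
  location field. Citation keys are kept unchanged so existing \cite{} calls
  keep resolving.
}

@misc{32409,
  author     = {Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira},
  title      = {{CamBench} -- Cryptographic {API} Misuse Detection Tool Benchmark Suite},
  year       = {2022},
  doi        = {10.48550/ARXIV.2204.06447},
  eprint     = {2204.06447},
  eprinttype = {arXiv},
  keywords   = {cryptography, benchmark, API misuse, static analysis},
  abstract   = {Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair ``Cryptographic API Misuse Detection Tool Benchmark Suite''. We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.},
}

@inproceedings{32410,
  author    = {Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric},
  title     = {A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools},
  booktitle = {Proceedings of the 31st {ACM} {SIGSOFT} International Symposium on Software Testing and Analysis},
  publisher = {ACM},
  pages     = {532--543},
  isbn      = {9781450393799},
  doi       = {10.1145/3533767},
  year      = {2022},
  keywords  = {Automated static analysis, Software usability},
  abstract  = {Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment. To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria. The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further. These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses.},
}

@inproceedings{31133,
  author    = {Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric},
  title     = {{FUM} - A Framework for {API} Usage constraint and Misuse Classification},
  booktitle = {2022 {IEEE} International Conference on Software Analysis, Evolution and Reengineering ({SANER})},
  pages     = {673--684},
  doi       = {10.1109/SANER53432.2022.00085},
  year      = {2022},
  keywords  = {API misuses, API usage constraints, classification framework, API misuse detection, static analysis},
  abstract  = {Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detectors' capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. And it appears that also more generally FUM can aid the development and improvement of misuse detection tools.},
}

@misc{33959,
  author     = {Wickert, Anna-Katharina and Baumgärtner, Lars and Schlichtig, Michael and Mezini, Mira},
  title      = {To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild},
  year       = {2022},
  doi        = {10.48550/ARXIV.2209.11103},
  eprint     = {2209.11103},
  eprinttype = {arXiv},
  abstract   = {Recent studies have revealed that 87 \% to 96 \% of the Android apps using cryptographic APIs have a misuse which may cause security vulnerabilities. As previous studies did not conduct a qualitative examination of the validity and severity of the findings, our objective was to understand the findings in more depth. We analyzed a set of 936 open-source Java applications for cryptographic misuses. Our study reveals that 88.10 \% of the analyzed applications fail to use cryptographic APIs securely. Through our manual analysis of a random sample, we gained new insights into effective false positives. For example, every fourth misuse of the frequently misused JCA class MessageDigest is an effective false positive due to its occurrence in a non-security context. As we wanted to gain deeper insights into the security implications of these misuses, we created an extensive vulnerability model for cryptographic API misuses. Our model includes previously undiscussed attacks in the context of cryptographic APIs such as DoS attacks. This model reveals that nearly half of the misuses are of high severity, e.g., hard-coded credentials and potential Man-in-the-Middle attacks.},
}

@inproceedings{29298,
  author    = {Opel, Simone Anna and Schlichtig, Michael},
  title     = {{Data Science und Big Data in der beruflichen Bildung – Konzeption und Erprobung eines Projektkurses für die Sekundarstufe II}},
  booktitle = {Sammelband der 27. Fachtagung der {BAG} Berufliche Bildung},
  editor    = {Vollmer, Thomas and Karges, Torben and Richter, Tim and Schlömer, Britta and Schütt-Sayed, Sören},
  publisher = {wbv Media GmbH \& Co. KG},
  venue     = {Siegen},
  volume    = {55},
  pages     = {176--194},
  doi       = {10.3278/6004722w},
  year      = {2020},
  langid    = {german},
  keywords  = {Berufsbildung, vocational education, Ausbildung, training, berufliche Weiterbildung, advanced vocational education, Digitalisierung, digitalization, Unterricht, teaching, Lehrmethode, teaching method, Interdisziplinarität, interdisciplinarity, Fachdidaktik, subject didactics, Curriculum, curriculum, gewerblich-technischer Beruf, vocational/technical occupation, Fachkraft, specialist, Qualifikationsanforderungen, qualification requirements, Kompetenz, competence, Lehrerbildung, teacher training, Bundesrepublik Deutschland, Federal Republic of Germany},
  abstract  = {Die Themen „Big Data“, „Künstliche Intelligenz und „Data Science“ werden seit einiger Zeit nicht nur in der breiten Öffentlichkeit kontrovers diskutiert, sondern stellen für die Ausbildung in den IT- und IT-nahen Berufen schon heute neue Herausforderungen dar, die in Zukunft durch die gesellschaftliche und technologische Weiterentwicklung hin zu einer Datengesellschaft noch größer werden. An dieser Stelle stellt sich die Frage, welche Aspekte dieses großen Themenkomplexes für Schule und Ausbildung von Wichtigkeit sind und wie diese Themen sinnstiftend und gewinnbringend in die informatische Ausbildung in verschiedenen Bildungsgängen integriert werden können. Im Rahmen des von uns im Jahr 2017 organisierten Symposiums zum Thema „Data Science“ wurden für die Bildung relevante Aspekte erörtert, wodurch als Kernelemente für den Unterricht Algorithmen der Künstlichen Intelligenz und ihre Anwendung in Industrie und Gesellschaft, Explorationen von Big Data sowie der Umgang mit eigenen Daten in sozialen Netzwerken herausgearbeitet wurden. Ziel ist, aus diesen Themenbereichen sowohl ein umfassendes Curriculum als auch Module für verschiedene Unterrichtsszenarien zu entwickeln und zu erproben. Durch diese Materialien soll es Lehrkräften aus der Informatik, Mathematik oder Technik ermöglicht werden, diese Themen auf Basis des Curriculums und der erprobten Unterrichtskonzepte selbst zu unterrichten. Hierfür wurde im Rahmen des Projekts ProDaBi (Projekt Data Science und Big Data in der Schule, https://www.prodabi.de), initiiert von der Telekom Stiftung, ein experimenteller Projektkurs entwickelt, den wir mit Schüler:innen der Sekundarstufe II an der Universität Paderborn im Schuljahr 2018/19 durchführten. Dieser Kurs enthält neben einem Modul zur Exploration von Big Data und einem weiteren Modul zum Maschinellen Lernen als Teil der Künstlichen Intelligenz auch eine Projektphase, die es in Zusammenarbeit mit lokalen Unternehmen den Schüler:innen ermöglicht, das Erlernte in ein reales Data Science-Projekt einzubringen. Aus den Erfahrungen dieses Projektkurses sowie den parallel durchgeführten Erprobungen einzelner Bausteine auch mit beruflichen Schulen werden ab dem Schuljahr 2019/20 die hierfür verwendeten Materialien weiterentwickelt und weiteren Kooperationspartnern zur Erprobung zur Verfügung gestellt. Damit wurden zum Ende des Projekts nicht nur vollständige Unterrichtsmaterialien, sondern auch ein umfassendes Curriculum entwickelt.},
}

@inproceedings{15332,
  author    = {Schlichtig, Michael and Opel, Simone Anna and Budde, Lea and Schulte, Carsten},
  title     = {Understanding Artificial Intelligence – A Project for the Development of Comprehensive Teaching Material},
  booktitle = {{ISSEP} 2019 - 12th International conference on informatics in schools: Situation, evaluation and perspectives, Local Proceedings},
  editor    = {Jasutė, Eglė and Pozdniakov, Sergei},
  venue     = {Larnaca},
  volume    = {12},
  pages     = {65--73},
  isbn      = {978-9925-553-27-3},
  year      = {2019},
  keywords  = {Artificial Intelligence, Machine Learning, Teaching Material, Societal Aspects, Ethics, Social Aspects, Science Year, Simulation Game},
  abstract  = {Artificial intelligence (AI) has the potential for far-reaching – in our opinion – irreversible changes. They range from effects on the individual and society to new societal and social issues. The question arises as to how students can learn the basic functioning of AI systems, what areas of life and society are affected by these and – most important – how their own lives are affected by these changes. Therefore, we are developing and evaluating school materials for the German ”Science Year AI”. It can be used for students of all school types from the seventh grade upwards and will be distributed to about 2000 schools in autumn with the support of the Federal Ministry of Education and Research. The material deals with the following aspects of AI: Discussing everyday experiences with AI, how does machine learning work, historical development of AI concepts, difference between man and machine, future distribution of roles between man and machine, in which AI world do we want to live and how much AI would we like to have in our lives. Through an accompanying evaluation, high quality of the technical content and didactic preparation is achieved in order to guarantee the long-term applicability in the teaching context in the different age groups and school types. In this paper, we describe the current state of the material development, the challenges arising, and the results of tests with different classes to date. We also present first ideas for evaluating the results.},
}

@inproceedings{15640,
  author    = {Opel, Simone Anna and Schlichtig, Michael and Schulte, Carsten and Biehler, Rolf and Frischemeier, Daniel and Podworny, Susanne and Wassong, Thomas},
  title     = {{Entwicklung und Reflexion einer Unterrichtssequenz zum Maschinellen Lernen als Aspekt von Data Science in der Sekundarstufe II}},
  booktitle = {{INFOS}},
  publisher = {Gesellschaft für Informatik},
  volume    = {P-288},
  pages     = {285--294},
  year      = {2019},
  langid    = {german},
}

@inproceedings{15641,
  author    = {Schlichtig, Michael and Opel, Simone Anna and Schulte, Carsten and Biehler, Rolf and Frischemeier, Daniel and Podworny, Susanne and Wassong, Thomas},
  title     = {{Maschinelles Lernen im Unterricht mit Jupyter Notebook}},
  booktitle = {{INFOS}},
  publisher = {Gesellschaft für Informatik},
  volume    = {P-288},
  pages     = {385},
  year      = {2019},
  langid    = {german},
}

@inproceedings{15643,
  author    = {Opel, Simone Anna and Schlichtig, Michael and Schulte, Carsten},
  title     = {Developing Teaching Materials on Artificial Intelligence by Using a Simulation Game (Work in Progress)},
  booktitle = {{WiPSCE}},
  publisher = {ACM},
  pages     = {11:1--11:2},
  year      = {2019},
}

@inproceedings{3265,
  author    = {Bemmann, Kai and Blömer, Johannes and Bobolz, Jan and Bröcher, Henrik and Diemert, Denis Pascal and Eidens, Fabian and Eilers, Lukas and Haltermann, Jan Frederik and Juhnke, Jakob and Otour, Burhan and Porzenheim, Laurens Alexander and Pukrop, Simon and Schilling, Erik and Schlichtig, Michael and Stienemeier, Marcel},
  title     = {Fully-Featured Anonymous Credentials with Reputation System},
  booktitle = {Proceedings of the 13th International Conference on Availability, Reliability and Security - {ARES} '18},
  publisher = {ACM},
  venue     = {Hamburg, Germany},
  isbn      = {978-1-4503-6448-5},
  doi       = {10.1145/3230833.3234517},
  year      = {2018},
  abstract  = {We present CLARC (Cryptographic Library for Anonymous Reputation and Credentials), an anonymous credentials system (ACS) combined with an anonymous reputation system. Using CLARC, users can receive attribute-based credentials from issuers. They can efficiently prove that their credentials satisfy complex (access) policies in a privacy-preserving way. This implements anonymous access control with complex policies. Furthermore, CLARC is the first ACS that is combined with an anonymous reputation system where users can anonymously rate services. A user who gets access to a service via a credential, also anonymously receives a review token to rate the service. If a user creates more than a single rating, this can be detected by anyone, preventing users from spamming ratings to sway public opinion. To evaluate feasibility of our construction, we present an open-source prototype implementation.},
}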