--- _id: '52235' abstract: - lang: eng text: "Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. " author: - first_name: Mugdha full_name: Khedkar, Mugdha id: '88024' last_name: Khedkar - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. ; 2024.' apa: Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal. bibtex: '@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, booktitle={Proceedings of the 9th International Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }' chicago: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024. ieee: M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024. mla: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024. short: 'M. Khedkar, E. Bodden, in: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.' conference: end_date: 2024-04-15 location: Lisbon, Portugal name: 9th International Conference on Mobile Software Engineering and Systems 2024 start_date: 2024-04-14 date_created: 2024-03-03T14:37:53Z date_updated: 2024-03-06T13:00:38Z ddc: - '006' department: - _id: '76' external_id: arxiv: - '2402.07889' file: - access_level: closed content_type: application/pdf creator: khedkarm date_created: 2024-03-03T14:39:08Z date_updated: 2024-03-03T14:39:08Z file_id: '52236' file_name: 2402.07889v1.pdf file_size: 530812 relation: main_file success: 1 file_date_updated: 2024-03-03T14:39:08Z has_accepted_license: '1' keyword: - static program analysis - data protection and privacy - GDPR compliance language: - iso: eng publication: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems status: public title: Toward an Android Static Analysis Approach for Data Protection type: conference user_id: '88024' year: '2024' ... --- _id: '52587' author: - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Jens full_name: Pottebaum, Jens id: '405' last_name: Pottebaum orcid: http://orcid.org/0000-0001-8778-2989 - first_name: Markus full_name: Fockel, Markus last_name: Fockel - first_name: Iris full_name: Gräßler, Iris id: '47565' last_name: Gräßler orcid: 0000-0001-5765-971X citation: ama: Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. doi:10.1109/msec.2023.3336028 apa: Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy, 22(1), 69–72. https://doi.org/10.1109/msec.2023.3336028 bibtex: '@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028}, number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }' chicago: 'Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy 22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.' ieee: 'E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol. 22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.' mla: Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028. short: E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy 22 (2024) 69–72. date_created: 2024-03-15T20:16:18Z date_updated: 2024-03-15T20:25:13Z department: - _id: '152' - _id: '76' - _id: '241' doi: 10.1109/msec.2023.3336028 intvolume: ' 22' issue: '1' keyword: - Law - Electrical and Electronic Engineering - Computer Networks and Communications language: - iso: eng page: 69-72 publication: IEEE Security & Privacy publication_identifier: issn: - 1540-7993 - 1558-4046 publication_status: published publisher: Institute of Electrical and Electronics Engineers (IEEE) quality_controlled: '1' status: public title: Evaluating Security Through Isolation and Defense in Depth type: journal_article user_id: '405' volume: 22 year: '2024' ... --- _id: '52663' abstract: - lang: eng text: "Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains." author: - first_name: Anna-Katharina full_name: Wickert, Anna-Katharina last_name: Wickert - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Marvin full_name: Vogel, Marvin last_name: Vogel - first_name: Lukas full_name: Winter, Lukas last_name: Winter - first_name: Mira full_name: Mezini, Mira last_name: Mezini - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.; 2024. apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden, E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }' chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024. ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024. mla: Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024. short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024. date_created: 2024-03-20T09:28:36Z date_updated: 2024-03-20T09:32:29Z department: - _id: '76' keyword: - Static analysis - error chains - false positive re- duction - empirical studies language: - iso: eng main_file_link: - url: https://arxiv.org/abs/2403.07808 status: public title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability type: misc user_id: '32312' year: '2024' ... --- _id: '35083' author: - first_name: Andreas Peter full_name: Dann, Andreas Peter id: '26886' last_name: Dann - first_name: Ben full_name: Hermann, Ben id: '66173' last_name: Hermann orcid: 0000-0001-9848-2017 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies. Published online 2023.' apa: 'Dann, A. P., Hermann, B., & Bodden, E. (2023). UpCy: Safely Updating Outdated Dependencies.' bibtex: '@article{Dann_Hermann_Bodden_2023, series={International Conference on Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies}, author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International Conference on Software Engineering (ICSE)} }' chicago: 'Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating Outdated Dependencies.” International Conference on Software Engineering (ICSE), 2023.' ieee: 'A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.” 2023.' mla: 'Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies. 2023.' short: A.P. Dann, B. Hermann, E. Bodden, (2023). date_created: 2023-01-02T09:26:50Z date_updated: 2023-01-02T09:28:32Z department: - _id: '76' language: - iso: eng series_title: International Conference on Software Engineering (ICSE) status: public title: 'UpCy: Safely Updating Outdated Dependencies' type: conference user_id: '15249' year: '2023' ... --- _id: '36522' abstract: - lang: eng text: "Jupyter notebooks enable developers to interleave code snippets with rich-text and in-line visualizations. Data scientists use Jupyter notebook as the de-facto standard for creating and sharing machine-learning based solutions, primarily written in Python. Recent studies have demonstrated, however, that a large portion of Jupyter notebooks available on public platforms are undocumented and lacks a narrative structure. This reduces the readability of these notebooks. To address this shortcoming, this paper presents HeaderGen, a novel tool-based approach that automatically annotates code cells with categorical markdown headers based on a taxonomy of machine-learning operations, and classifies and displays function calls according to this taxonomy. For this functionality to be realized, HeaderGen enhances an existing call graph analysis in PyCG. To improve precision, HeaderGen extends PyCG's analysis with support for handling external library code and flow-sensitivity. The former is realized by facilitating the resolution of function return-types. Furthermore, HeaderGen uses type information to perform pattern matching on code syntax to annotate code cells.\r\nThe evaluation on 15 real-world Jupyter notebooks from Kaggle shows that HeaderGen's underlying call graph analysis yields high accuracy (96.4% precision and 95.9% recall). This is because HeaderGen can resolve return-types of external libraries where existing type inference tools such as pytype (by Google), pyright (by Microsoft), and Jedi fall short. The header generation has a precision of 82.2% and a recall rate of 96.8% with regard to headers created manually by experts. In a user study, HeaderGen helps participants finish comprehension and navigation tasks faster. All participants clearly perceive HeaderGen as useful to their task." author: - first_name: Ashwin Prasad full_name: Shivarpatna Venkatesh, Ashwin Prasad id: '66637' last_name: Shivarpatna Venkatesh - first_name: Jiawei full_name: Wang, Jiawei last_name: Wang - first_name: Li full_name: Li, Li last_name: Li - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering); 2023. doi:10.48550/ARXIV.2301.04419' apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering). https://doi.org/10.48550/ARXIV.2301.04419 bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, DOI={10.48550/ARXIV.2301.04419}, publisher={IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }' chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023. https://doi.org/10.48550/ARXIV.2301.04419. ieee: 'A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” presented at the IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023, doi: 10.48550/ARXIV.2301.04419.' mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023, doi:10.48550/ARXIV.2301.04419. short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering), 2023.' conference: name: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering) date_created: 2023-01-13T08:03:26Z date_updated: 2023-01-26T10:50:42Z ddc: - '000' doi: 10.48550/ARXIV.2301.04419 file: - access_level: open_access content_type: application/pdf creator: ashwin date_created: 2023-01-26T10:48:40Z date_updated: 2023-01-26T10:48:40Z file_id: '40304' file_name: 2301.04419.pdf file_size: 1862440 relation: main_file file_date_updated: 2023-01-26T10:48:40Z has_accepted_license: '1' keyword: - static analysis - python - code comprehension - annotation - literate programming - jupyter notebook language: - iso: eng oa: '1' publisher: IEEE SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering) status: public title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis type: conference user_id: '66637' year: '2023' ... --- _id: '41812' author: - first_name: Linghui full_name: Luo, Linghui last_name: Luo - first_name: Goran full_name: Piskachev, Goran id: '41936' last_name: Piskachev orcid: 0000-0003-4424-5838 - first_name: Ranjith full_name: Krishnamurthy, Ranjith id: '78060' last_name: Krishnamurthy orcid: 0000-0002-0906-5463 - first_name: Julian full_name: Dolby, Julian last_name: Dolby - first_name: Martin full_name: Schäf, Martin last_name: Schäf - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation For Java Frameworks. In: IEEE International Conference on Software Testing, Verification and Validation (ICST). ; 2023.' apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden, E. (2023). Model Generation For Java Frameworks. IEEE International Conference on Software Testing, Verification and Validation (ICST). bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model Generation For Java Frameworks}, booktitle={IEEE International Conference on Software Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev, Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden, Eric}, year={2023} }' chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023. ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden, “Model Generation For Java Frameworks,” 2023. mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023. short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in: IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.' date_created: 2023-02-06T10:37:23Z date_updated: 2023-02-06T10:42:29Z department: - _id: '76' - _id: '662' language: - iso: eng publication: IEEE International Conference on Software Testing, Verification and Validation (ICST) status: public title: Model Generation For Java Frameworks type: conference user_id: '15249' year: '2023' ... --- _id: '41813' author: - first_name: Ashwin Prasad full_name: Shivarpatna Venkatesh, Ashwin Prasad id: '66637' last_name: Shivarpatna Venkatesh - first_name: Jiawei full_name: Wang, Jiawei last_name: Wang - first_name: Li full_name: Li, Li last_name: Li - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023.' apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }' chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” In IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023. ieee: A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” 2023. mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023. short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.' date_created: 2023-02-06T10:44:08Z date_updated: 2023-02-06T10:46:00Z department: - _id: '76' language: - iso: eng publication: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) status: public title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis type: conference user_id: '15249' year: '2023' ... --- _id: '45888' author: - first_name: Heike full_name: Wehrheim, Heike id: '573' last_name: Wehrheim - first_name: Marco full_name: Platzner, Marco id: '398' last_name: Platzner - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: 'Philipp ' full_name: 'Schubert, Philipp ' last_name: Schubert - first_name: Felix full_name: Pauck, Felix id: '22398' last_name: Pauck - first_name: Marie-Christine full_name: Jakobs, Marie-Christine last_name: Jakobs citation: ama: 'Wehrheim H, Platzner M, Bodden E, Schubert P, Pauck F, Jakobs M-C. Verifying Software and Reconfigurable Hardware Services. In: Haake C-J, Meyer auf der Heide F, Platzner M, Wachsmuth H, Wehrheim H, eds. On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets. Vol 412. Verlagsschriftenreihe des Heinz Nixdorf Instituts. Heinz Nixdorf Institut, Universität Paderborn; 2023:125-144. doi:10.5281/zenodo.8068583' apa: Wehrheim, H., Platzner, M., Bodden, E., Schubert, P., Pauck, F., & Jakobs, M.-C. (2023). Verifying Software and Reconfigurable Hardware Services. In C.-J. Haake, F. Meyer auf der Heide, M. Platzner, H. Wachsmuth, & H. Wehrheim (Eds.), On-The-Fly Computing -- Individualized IT-services in dynamic markets (Vol. 412, pp. 125–144). Heinz Nixdorf Institut, Universität Paderborn. https://doi.org/10.5281/zenodo.8068583 bibtex: '@inbook{Wehrheim_Platzner_Bodden_Schubert_Pauck_Jakobs_2023, place={Paderborn}, series={Verlagsschriftenreihe des Heinz Nixdorf Instituts}, title={Verifying Software and Reconfigurable Hardware Services}, volume={412}, DOI={10.5281/zenodo.8068583}, booktitle={On-The-Fly Computing -- Individualized IT-services in dynamic markets}, publisher={Heinz Nixdorf Institut, Universität Paderborn}, author={Wehrheim, Heike and Platzner, Marco and Bodden, Eric and Schubert, Philipp and Pauck, Felix and Jakobs, Marie-Christine}, editor={Haake, Claus-Jochen and Meyer auf der Heide, Friedhelm and Platzner, Marco and Wachsmuth, Henning and Wehrheim, Heike}, year={2023}, pages={125–144}, collection={Verlagsschriftenreihe des Heinz Nixdorf Instituts} }' chicago: 'Wehrheim, Heike, Marco Platzner, Eric Bodden, Philipp Schubert, Felix Pauck, and Marie-Christine Jakobs. “Verifying Software and Reconfigurable Hardware Services.” In On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets, edited by Claus-Jochen Haake, Friedhelm Meyer auf der Heide, Marco Platzner, Henning Wachsmuth, and Heike Wehrheim, 412:125–44. Verlagsschriftenreihe Des Heinz Nixdorf Instituts. Paderborn: Heinz Nixdorf Institut, Universität Paderborn, 2023. https://doi.org/10.5281/zenodo.8068583.' ieee: 'H. Wehrheim, M. Platzner, E. Bodden, P. Schubert, F. Pauck, and M.-C. Jakobs, “Verifying Software and Reconfigurable Hardware Services,” in On-The-Fly Computing -- Individualized IT-services in dynamic markets, vol. 412, C.-J. Haake, F. Meyer auf der Heide, M. Platzner, H. Wachsmuth, and H. Wehrheim, Eds. Paderborn: Heinz Nixdorf Institut, Universität Paderborn, 2023, pp. 125–144.' mla: Wehrheim, Heike, et al. “Verifying Software and Reconfigurable Hardware Services.” On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets, edited by Claus-Jochen Haake et al., vol. 412, Heinz Nixdorf Institut, Universität Paderborn, 2023, pp. 125–44, doi:10.5281/zenodo.8068583. short: 'H. Wehrheim, M. Platzner, E. Bodden, P. Schubert, F. Pauck, M.-C. Jakobs, in: C.-J. Haake, F. Meyer auf der Heide, M. Platzner, H. Wachsmuth, H. Wehrheim (Eds.), On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets, Heinz Nixdorf Institut, Universität Paderborn, Paderborn, 2023, pp. 125–144.' date_created: 2023-07-07T08:01:23Z date_updated: 2023-07-07T11:18:59Z ddc: - '004' department: - _id: '7' doi: 10.5281/zenodo.8068583 editor: - first_name: Claus-Jochen full_name: Haake, Claus-Jochen last_name: Haake - first_name: Friedhelm full_name: Meyer auf der Heide, Friedhelm last_name: Meyer auf der Heide - first_name: Marco full_name: Platzner, Marco last_name: Platzner - first_name: Henning full_name: Wachsmuth, Henning last_name: Wachsmuth - first_name: Heike full_name: Wehrheim, Heike last_name: Wehrheim file: - access_level: open_access content_type: application/pdf creator: florida date_created: 2023-07-07T08:01:12Z date_updated: 2023-07-07T11:18:59Z file_id: '45889' file_name: B4-Chapter-SFB-Buch-Final.pdf file_size: 840964 relation: main_file file_date_updated: 2023-07-07T11:18:59Z has_accepted_license: '1' intvolume: ' 412' language: - iso: eng oa: '1' page: 125-144 place: Paderborn project: - _id: '1' grant_number: '160364472' name: 'SFB 901: SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen in dynamischen Märkten ' - _id: '3' name: 'SFB 901 - B: SFB 901 - Project Area B' - _id: '12' name: 'SFB 901 - B4: SFB 901 - Subproject B4' publication: On-The-Fly Computing -- Individualized IT-services in dynamic markets publisher: Heinz Nixdorf Institut, Universität Paderborn series_title: Verlagsschriftenreihe des Heinz Nixdorf Instituts status: public title: Verifying Software and Reconfigurable Hardware Services type: book_chapter user_id: '477' volume: 412 year: '2023' ... --- _id: '46816' author: - first_name: Adriano full_name: Torres, Adriano last_name: Torres - first_name: Pedro full_name: Costa, Pedro last_name: Costa - first_name: Luis full_name: Amaral, Luis last_name: Amaral - first_name: Jonata full_name: Pastro, Jonata last_name: Pastro - first_name: Rodrigo full_name: Bonifácio, Rodrigo last_name: Bonifácio - first_name: Marcelo full_name: d'Amorim, Marcelo last_name: d'Amorim - first_name: Owolabi full_name: Legunsen, Owolabi last_name: Legunsen - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Edna full_name: Dias Canedo, Edna last_name: Dias Canedo citation: ama: 'Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering. 2023;49(10):4510-4525. doi:10.1109/tse.2023.3301660' apa: 'Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M., Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering, 49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660' bibtex: '@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study}, volume={49}, DOI={10.1109/tse.2023.3301660}, number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa, Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim, Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023}, pages={4510–4525} }' chicago: 'Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio, Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660.' ieee: 'A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp. 4510–4525, 2023, doi: 10.1109/tse.2023.3301660.' mla: 'Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.' short: A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O. Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering 49 (2023) 4510–4525. date_created: 2023-09-06T07:42:40Z date_updated: 2023-12-04T11:05:26Z department: - _id: '76' doi: 10.1109/tse.2023.3301660 intvolume: ' 49' issue: '10' keyword: - Software language: - iso: eng page: 4510 - 4525 publication: IEEE Transactions on Software Engineering publication_identifier: issn: - 0098-5589 - 1939-3520 - 2326-3881 publication_status: published publisher: Institute of Electrical and Electronics Engineers (IEEE) status: public title: 'Runtime Verification of Crypto APIs: An Empirical Study' type: journal_article user_id: '15249' volume: 49 year: '2023' ... --- _id: '49439' abstract: - lang: eng text: AbstractThe use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. The configuration options that are found most useful relate to the analysis scope. article_number: '118' author: - first_name: Goran full_name: Piskachev, Goran id: '41936' last_name: Piskachev orcid: 0000-0003-4424-5838 - first_name: Matthias full_name: Becker, Matthias id: '4870' last_name: Becker orcid: https://orcid.org/0000-0003-2465-9347 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3 apa: Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3 bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={10.1007/s10664-023-10354-3}, number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }' chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3. ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi: 10.1007/s10664-023-10354-3.' mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:10.1007/s10664-023-10354-3. short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023). date_created: 2023-12-04T11:14:34Z date_updated: 2023-12-04T11:29:49Z department: - _id: '76' - _id: '662' doi: 10.1007/s10664-023-10354-3 intvolume: ' 28' issue: '5' keyword: - Software language: - iso: eng publication: Empirical Software Engineering publication_identifier: issn: - 1382-3256 - 1573-7616 publication_status: published publisher: Springer Science and Business Media LLC status: public title: Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study type: journal_article user_id: '15249' volume: 28 year: '2023' ... --- _id: '49438' author: - first_name: Stefan full_name: Krüger, Stefan last_name: Krüger - first_name: Michael full_name: Reif, Michael last_name: Reif - first_name: Anna-Katharina full_name: Wickert, Anna-Katharina last_name: Wickert - first_name: Sarah full_name: Nadi, Sarah last_name: Nadi - first_name: Karim full_name: Ali, Karim last_name: Ali - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Yasemin full_name: Acar, Yasemin id: '94636' last_name: Acar - first_name: Mira full_name: Mezini, Mira last_name: Mezini - first_name: Sascha full_name: Fahl, Sascha last_name: Fahl citation: ama: 'Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through Tool Support - A Usability Study. In: 2023 IEEE Secure Development Conference (SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015' apa: Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar, Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev). https://doi.org/10.1109/secdev56634.2023.00015 bibtex: '@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023, title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study}, DOI={10.1109/secdev56634.2023.00015}, booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE}, author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi, Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl, Sascha}, year={2023} }' chicago: Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015. ieee: 'S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support - A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.' mla: Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023, doi:10.1109/secdev56634.2023.00015. short: 'S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar, M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023.' date_created: 2023-12-04T11:07:08Z date_updated: 2023-12-04T11:14:10Z department: - _id: '76' - _id: '740' doi: 10.1109/secdev56634.2023.00015 language: - iso: eng publication: 2023 IEEE Secure Development Conference (SecDev) publication_status: published publisher: IEEE status: public title: Securing Your Crypto-API Usage Through Tool Support - A Usability Study type: conference user_id: '15249' year: '2023' ... --- _id: '48946' abstract: - lang: ger text: inhalt Der verlässliche Betrieb von technischen Produkten wird zunehmend durch bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten. Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen und Angriffen zu spezifizieren. - lang: eng text: The reliable operation of technical products is increasingly threatened by deliberate attacks. Complete security is not possible, striking attacks are unavoidable (assume breach). This requires a paradigm shift in security-oriented engineering of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems need to be engineered in a way that full reliability and security are ensured even in case of targeted attacks. The solution approach described here expands the system model to include attack scenarios and lines of defence. It is applied to an industrial locking system for plant security as an example. Developers are sensitised to systematically consider attacks and to specify interdisciplinary defence elements against threats and attacks. article_type: original author: - first_name: Iris full_name: Gräßler, Iris id: '47565' last_name: Gräßler orcid: 0000-0001-5765-971X - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Dominik full_name: Wiechel, Dominik id: '67161' last_name: Wiechel - first_name: Jens full_name: Pottebaum, Jens id: '405' last_name: Pottebaum orcid: http://orcid.org/0000-0001-8778-2989 citation: ama: 'Gräßler I, Bodden E, Wiechel D, Pottebaum J. Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security. Konstruktion. 2023;75(11-12):60-65. doi:10.37544/0720-5953-2023-11-12-60' apa: 'Gräßler, I., Bodden, E., Wiechel, D., & Pottebaum, J. (2023). Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security. Konstruktion, 75(11–12), 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60' bibtex: '@article{Gräßler_Bodden_Wiechel_Pottebaum_2023, title={Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security}, volume={75}, DOI={10.37544/0720-5953-2023-11-12-60}, number={11–12}, journal={Konstruktion}, publisher={VDI Fachmedien GmbH and Co. KG}, author={Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum, Jens}, year={2023}, pages={60–65} }' chicago: 'Gräßler, Iris, Eric Bodden, Dominik Wiechel, and Jens Pottebaum. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security.” Konstruktion 75, no. 11–12 (2023): 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60.' ieee: 'I. Gräßler, E. Bodden, D. Wiechel, and J. Pottebaum, “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security,” Konstruktion, vol. 75, no. 11–12, pp. 60–65, 2023, doi: 10.37544/0720-5953-2023-11-12-60.' mla: 'Gräßler, Iris, et al. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security.” Konstruktion, vol. 75, no. 11–12, VDI Fachmedien GmbH and Co. KG, 2023, pp. 60–65, doi:10.37544/0720-5953-2023-11-12-60.' short: I. Gräßler, E. Bodden, D. Wiechel, J. Pottebaum, Konstruktion 75 (2023) 60–65. date_created: 2023-11-16T08:23:12Z date_updated: 2023-12-20T14:10:51Z department: - _id: '152' - _id: '76' doi: 10.37544/0720-5953-2023-11-12-60 intvolume: ' 75' issue: 11-12 keyword: - Mechanical Engineering - Mechanics of Materials - General Materials Science - Theoretical Computer Science language: - iso: ger page: 60-65 publication: Konstruktion publication_identifier: issn: - 0720-5953 publication_status: published publisher: VDI Fachmedien GmbH and Co. KG quality_controlled: '1' status: public title: 'Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security' type: journal_article user_id: '405' volume: 75 year: '2023' ... --- _id: '46500' abstract: - lang: eng text: The security of Industrial Control Systems is relevant both for reliable production system operations and for high-quality throughput in terms of manufactured products. Security measures are designed, operated and maintained by different roles along product and production system lifecycles. Defense-in-Depth as a paradigm builds upon the assumption that breaches are unavoidable. The paper at hand provides an analysis of roles, corresponding Human Factors and their relevance for data theft and sabotage attacks. The resulting taxonomy is reflected by an example related to Additive Manufacturing. The results assist in both designing and redesigning Industrial Control System as part of an entire production system so that Defense-in-Depth with regard to Human Factors is built in by design. author: - first_name: Jens full_name: Pottebaum, Jens id: '405' last_name: Pottebaum orcid: http://orcid.org/0000-0001-8778-2989 - first_name: Jost full_name: Rossel, Jost id: '58331' last_name: Rossel orcid: 0000-0002-3182-4059 - first_name: Juraj full_name: Somorovsky, Juraj id: '83504' last_name: Somorovsky orcid: 0000-0002-3593-7720 - first_name: Yasemin full_name: Acar, Yasemin id: '94636' last_name: Acar - first_name: René full_name: Fahr, René id: '111' last_name: Fahr - first_name: Patricia full_name: Arias Cabarcos, Patricia id: '92804' last_name: Arias Cabarcos - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Iris full_name: Gräßler, Iris id: '47565' last_name: Gräßler orcid: 0000-0001-5765-971X citation: ama: 'Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. In: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE; 2023:379-385. doi:10.1109/eurospw59978.2023.00048' apa: Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos, P., Bodden, E., & Gräßler, I. (2023). Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth. 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 379–385. https://doi.org/10.1109/eurospw59978.2023.00048 bibtex: '@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023, title={Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth}, DOI={10.1109/eurospw59978.2023.00048}, booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)}, publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric and Gräßler, Iris}, year={2023}, pages={379–385} }' chicago: Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr, Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 379–85. IEEE, 2023. https://doi.org/10.1109/eurospw59978.2023.00048. ieee: 'J. Pottebaum et al., “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth,” in 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Delft, Netherlands, 2023, pp. 379–385, doi: 10.1109/eurospw59978.2023.00048.' mla: Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.” 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE, 2023, pp. 379–85, doi:10.1109/eurospw59978.2023.00048. short: 'J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos, E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE, 2023, pp. 379–385.' conference: end_date: 2023-07-07 location: Delft, Netherlands name: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) start_date: 2023-07-03 date_created: 2023-08-15T12:21:05Z date_updated: 2023-12-20T14:12:25Z department: - _id: '34' - _id: '740' - _id: '152' - _id: '76' doi: 10.1109/eurospw59978.2023.00048 keyword: - Defense-in-Depth - Human Factors - Production Engineering - Product Design - Systems Engineering language: - iso: eng main_file_link: - url: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647 page: 379-385 publication: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) publication_status: published publisher: IEEE quality_controlled: '1' status: public title: Re-Envisioning Industrial Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth type: conference user_id: '405' year: '2023' ... --- _id: '52662' abstract: - lang: eng text: Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research emphasizes technical challenges of such tools but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and user dissatisfaction may even lead to tool abandonment. To comprehensively assess the state of the art, we present the first systematic usability evaluation of a wide range of static analysis tools. We derived a set of 36 relevant criteria from the literature and used them to evaluate a total of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. The evaluation against the usability criteria in a multiple-raters approach shows that two thirds of the considered tools off er poor warning messages, while about three-quarters provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for instance, to improve handling of false positives. Finally, issues regarding workflow integration and specialized user interfaces are revealed. These findings should prove useful in guiding and focusing further research and development in user experience for static code analyses. author: - first_name: Marcus full_name: Nachtigall, Marcus id: '41213' last_name: Nachtigall - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:95–96.' apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2023). Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale. In Software Engineering 2023 (pp. 95–96). Gesellschaft für Informatik e.V. bibtex: '@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }' chicago: 'Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In Software Engineering 2023, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.' ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.' mla: Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 95–96. short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.' date_created: 2024-03-20T09:26:29Z date_updated: 2024-03-20T09:27:41Z department: - _id: '76' keyword: - Automated static analysis - Software usability language: - iso: eng main_file_link: - url: https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5 page: 95–96 place: Bonn publication: Software Engineering 2023 publication_identifier: isbn: - 978-3-88579-726-5 publisher: Gesellschaft für Informatik e.V. status: public title: Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large Scale type: book_chapter user_id: '32312' year: '2023' ... --- _id: '52660' abstract: - lang: eng text: Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, eg, with API misuse detectors. However, definitions for API misuses and related terms in literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detector’s capabilities, we performed a case study on the state-of the-art misuse detection tool CogniCrypt. The study showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify weaknesses and assist in deriving mitigations and improvements. author: - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Steffen full_name: Sassalla, Steffen last_name: Sassalla - first_name: Krishna full_name: Narasimhan, Krishna last_name: Narasimhan - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In: Software Engineering 2023. Gesellschaft für Informatik e.V.; 2023:105–106.' apa: 'Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2023). Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In Software Engineering 2023 (pp. 105–106). Gesellschaft für Informatik e.V.' bibtex: '@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023}, pages={105–106} }' chicago: 'Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” In Software Engineering 2023, 105–106. Bonn: Gesellschaft für Informatik e.V., 2023.' ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification,” in Software Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.' mla: 'Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” Software Engineering 2023, Gesellschaft für Informatik e.V., 2023, pp. 105–106.' short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.' date_created: 2024-03-20T09:22:27Z date_updated: 2024-03-20T09:25:46Z department: - _id: '76' keyword: - API misuses API usage constraints - classification framework - API misuse detection - static analysis language: - iso: eng main_file_link: - url: https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2 page: 105–106 place: Bonn publication: Software Engineering 2023 publication_identifier: isbn: - 978-3-88579-726-5 publisher: Gesellschaft für Informatik e.V. status: public title: 'Introducing FUM: A Framework for API Usage Constraint and Misuse Classification' type: book_chapter user_id: '32312' year: '2023' ... --- _id: '29844' author: - first_name: Thorsten full_name: Koch, Thorsten id: '13616' last_name: Koch - first_name: Sascha full_name: Trippel, Sascha last_name: Trippel - first_name: Stefan full_name: Dziwok, Stefan id: '3901' last_name: Dziwok orcid: http://orcid.org/0000-0002-8679-6673 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Koch T, Trippel S, Dziwok S, Bodden E. Integrating Security Protocols in Scenario-based Requirements Specifications. In: Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development. SCITEPRESS - Science and Technology Publications; 2022. doi:10.5220/0010783300003119' apa: Koch, T., Trippel, S., Dziwok, S., & Bodden, E. (2022). Integrating Security Protocols in Scenario-based Requirements Specifications. Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development. https://doi.org/10.5220/0010783300003119 bibtex: '@inproceedings{Koch_Trippel_Dziwok_Bodden_2022, title={Integrating Security Protocols in Scenario-based Requirements Specifications}, DOI={10.5220/0010783300003119}, booktitle={Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development}, publisher={SCITEPRESS - Science and Technology Publications}, author={Koch, Thorsten and Trippel, Sascha and Dziwok, Stefan and Bodden, Eric}, year={2022} }' chicago: Koch, Thorsten, Sascha Trippel, Stefan Dziwok, and Eric Bodden. “Integrating Security Protocols in Scenario-Based Requirements Specifications.” In Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development. SCITEPRESS - Science and Technology Publications, 2022. https://doi.org/10.5220/0010783300003119. ieee: 'T. Koch, S. Trippel, S. Dziwok, and E. Bodden, “Integrating Security Protocols in Scenario-based Requirements Specifications,” 2022, doi: 10.5220/0010783300003119.' mla: Koch, Thorsten, et al. “Integrating Security Protocols in Scenario-Based Requirements Specifications.” Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development, SCITEPRESS - Science and Technology Publications, 2022, doi:10.5220/0010783300003119. short: 'T. Koch, S. Trippel, S. Dziwok, E. Bodden, in: Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development, SCITEPRESS - Science and Technology Publications, 2022.' date_created: 2022-02-15T07:47:51Z date_updated: 2022-02-15T07:48:53Z department: - _id: '241' - _id: '662' doi: 10.5220/0010783300003119 language: - iso: eng publication: Proceedings of the 10th International Conference on Model-Driven Engineering and Software Development publication_status: published publisher: SCITEPRESS - Science and Technology Publications status: public title: Integrating Security Protocols in Scenario-based Requirements Specifications type: conference user_id: '13616' year: '2022' ... --- _id: '31844' abstract: - lang: eng text: "Encrypting data before sending it to the cloud ensures data confidentiality but requires the cloud to compute on encrypted data. Trusted execution environments, such as Intel SGX enclaves, promise to provide a secure environment in which data can be decrypted and then processed. However, vulnerabilities in the executed program give attackers ample opportunities to execute arbitrary code inside the enclave. This code can modify the dataflow of the program and leak secrets via SGX side channels. Fully homomorphic encryption would be an alternative to compute on encrypted data without data leaks. However, due to its high computational complexity, its applicability to general-purpose computing remains limited. Researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet current approaches do not support programs making control-flow decisions based on encrypted data.\r\n \r\n \ We introduce the concept of\r\n dataflow authentication\r\n \ (DFAuth) to enable such programs. DFAuth prevents an adversary from arbitrarily deviating from the dataflow of a program. Our technique hence offers protections against the side-channel attacks described previously. We implemented two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave running a small and program-independent trusted code base. We applied DFAuth to a neural network performing machine learning on sensitive medical data and a smart charging scheduler for electric vehicles. Our transformation yields a neural network with encrypted weights, which can be evaluated on encrypted inputs in\r\n \r\n \\( 12.55 \\,\\mathrm{m}\\mathrm{s} \\)\r\n \ \r\n . Our protected scheduler is capable of updating the encrypted charging plan in approximately 1.06 seconds.\r\n \ " author: - first_name: Andreas full_name: Fischer, Andreas last_name: Fischer - first_name: Benny full_name: Fuhry, Benny last_name: Fuhry - first_name: Jörn full_name: Kußmaul, Jörn last_name: Kußmaul - first_name: Jonas full_name: Janneck, Jonas last_name: Janneck - first_name: Florian full_name: Kerschbaum, Florian last_name: Kerschbaum - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: Fischer A, Fuhry B, Kußmaul J, Janneck J, Kerschbaum F, Bodden E. Computation on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy and Security. 2022;25(3):1-36. doi:10.1145/3513005 apa: Fischer, A., Fuhry, B., Kußmaul, J., Janneck, J., Kerschbaum, F., & Bodden, E. (2022). Computation on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy and Security, 25(3), 1–36. https://doi.org/10.1145/3513005 bibtex: '@article{Fischer_Fuhry_Kußmaul_Janneck_Kerschbaum_Bodden_2022, title={Computation on Encrypted Data Using Dataflow Authentication}, volume={25}, DOI={10.1145/3513005}, number={3}, journal={ACM Transactions on Privacy and Security}, publisher={Association for Computing Machinery (ACM)}, author={Fischer, Andreas and Fuhry, Benny and Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}, year={2022}, pages={1–36} }' chicago: 'Fischer, Andreas, Benny Fuhry, Jörn Kußmaul, Jonas Janneck, Florian Kerschbaum, and Eric Bodden. “Computation on Encrypted Data Using Dataflow Authentication.” ACM Transactions on Privacy and Security 25, no. 3 (2022): 1–36. https://doi.org/10.1145/3513005.' ieee: 'A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, and E. Bodden, “Computation on Encrypted Data Using Dataflow Authentication,” ACM Transactions on Privacy and Security, vol. 25, no. 3, pp. 1–36, 2022, doi: 10.1145/3513005.' mla: Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.” ACM Transactions on Privacy and Security, vol. 25, no. 3, Association for Computing Machinery (ACM), 2022, pp. 1–36, doi:10.1145/3513005. short: A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, E. Bodden, ACM Transactions on Privacy and Security 25 (2022) 1–36. date_created: 2022-06-09T10:28:03Z date_updated: 2022-06-09T10:29:19Z department: - _id: '76' doi: 10.1145/3513005 intvolume: ' 25' issue: '3' keyword: - Safety - Risk - Reliability and Quality - General Computer Science language: - iso: eng page: 1-36 publication: ACM Transactions on Privacy and Security publication_identifier: issn: - 2471-2566 - 2471-2574 publication_status: published publisher: Association for Computing Machinery (ACM) status: public title: Computation on Encrypted Data Using Dataflow Authentication type: journal_article user_id: '15249' volume: 25 year: '2022' ... --- _id: '32409' abstract: - lang: eng text: 'Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection Tool Benchmark Suite". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain.' author: - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Anna-Katharina full_name: Wickert, Anna-Katharina last_name: Wickert - first_name: Stefan full_name: Krüger, Stefan last_name: Krüger - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Mira full_name: Mezini, Mira last_name: Mezini citation: ama: Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447 apa: Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022). CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. https://doi.org/10.48550/ARXIV.2204.06447 bibtex: '@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447}, author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}, year={2022} }' chicago: Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447. ieee: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022. mla: Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447. short: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022. date_created: 2022-07-25T07:56:59Z date_updated: 2022-07-25T10:23:44Z department: - _id: '76' doi: 10.48550/ARXIV.2204.06447 keyword: - cryptography - benchmark - API misuse - static analysis language: - iso: eng related_material: link: - relation: confirmation url: https://arxiv.org/abs/2204.06447 status: public title: CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite type: misc user_id: '32312' year: '2022' ... --- _id: '32410' abstract: - lang: eng text: "Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment.\r\nTo comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria.\r\nThe evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further.\r\nThese findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses." author: - first_name: Marcus full_name: Nachtigall, Marcus id: '41213' last_name: Nachtigall - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM; 2022:532-543. doi:10.1145/3533767' apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–543. https://doi.org/10.1145/3533767 bibtex: '@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767}, booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric}, year={2022}, pages={532–543} }' chicago: Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 532–43. ACM, 2022. https://doi.org/10.1145/3533767. ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp. 532–543, doi: 10.1145/3533767.' mla: Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767. short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–543.' date_created: 2022-07-25T08:02:36Z date_updated: 2022-07-26T11:42:23Z department: - _id: '76' doi: 10.1145/3533767 keyword: - Automated static analysis - Software usability language: - iso: eng page: 532 - 543 publication: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis publication_identifier: isbn: - '9781450393799' publication_status: published publisher: ACM quality_controlled: '1' related_material: link: - relation: confirmation url: https://dl.acm.org/doi/10.1145/3533767.3534374 status: public title: A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools type: conference user_id: '32312' year: '2022' ... --- _id: '31133' abstract: - lang: eng text: Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and nominations for API misuses and related terms in literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuses detectors' capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. And it appears that also more generally FUM can aid the development and improvement of misuse detection tools. author: - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Steffen full_name: Sassalla, Steffen last_name: Sassalla - first_name: Krishna full_name: Narasimhan, Krishna last_name: Narasimhan - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API Usage constraint and Misuse Classification. In: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2022:673-684. doi:https://doi.org/10.1109/SANER53432.2022.00085' apa: Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM - A Framework for API Usage constraint and Misuse Classification. 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–684. https://doi.org/10.1109/SANER53432.2022.00085 bibtex: '@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM - A Framework for API Usage constraint and Misuse Classification}, DOI={https://doi.org/10.1109/SANER53432.2022.00085}, booktitle={2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }' chicago: Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 673–84, 2022. https://doi.org/10.1109/SANER53432.2022.00085. ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework for API Usage constraint and Misuse Classification,” in 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684, doi: https://doi.org/10.1109/SANER53432.2022.00085.' mla: Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and Misuse Classification.” 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–84, doi:https://doi.org/10.1109/SANER53432.2022.00085. short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684.' date_created: 2022-05-09T13:04:10Z date_updated: 2022-07-26T11:42:30Z department: - _id: '76' doi: https://doi.org/10.1109/SANER53432.2022.00085 keyword: - API misuses - API usage constraints - classification framework - API misuse detection - static analysis language: - iso: eng page: 673 - 684 publication: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) quality_controlled: '1' related_material: link: - relation: confirmation url: https://ieeexplore.ieee.org/document/9825763 status: public title: FUM - A Framework for API Usage constraint and Misuse Classification type: conference user_id: '32312' year: '2022' ...