---
_id: '52235'
abstract:
- lang: eng
text: "Android applications collecting data from users must protect it according
to the current legal frameworks. Such data protection has become even more important
since the European Union rolled out the General Data Protection Regulation (GDPR).
Since app developers are not legal experts, they find it difficult to write privacy-aware
source code. Moreover, they have limited tool support to reason about data protection
throughout their app development process.\r\nThis paper motivates the need for
a static analysis approach to diagnose and explain data protection in Android
apps. The analysis will recognize personal data sources in the source code, and
aims to further examine the data flow originating from these sources. App developers
can then address key questions about data manipulation, derived data, and the
presence of technical measures. Despite challenges, we explore to what extent
one can realize this analysis through static taint analysis, a common method for
identifying security vulnerabilities. This is a first step towards designing a
tool-based approach that aids app developers and assessors in ensuring data protection
in Android apps, based on automated static program analysis. "
author:
- first_name: Mugdha
full_name: Khedkar, Mugdha
id: '88024'
last_name: Khedkar
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection.
In: Proceedings of the 9th International Conference on Mobile Software Engineering
and Systems. ; 2024.'
apa: Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach
for Data Protection. Proceedings of the 9th International Conference on Mobile
Software Engineering and Systems. 9th International Conference on Mobile Software
Engineering and Systems 2024, Lisbon, Portugal.
bibtex: '@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis
Approach for Data Protection}, booktitle={Proceedings of the 9th International
Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha
and Bodden, Eric}, year={2024} }'
chicago: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
for Data Protection.” In Proceedings of the 9th International Conference on
Mobile Software Engineering and Systems, 2024.
ieee: M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for
Data Protection,” presented at the 9th International Conference on Mobile Software
Engineering and Systems 2024, Lisbon, Portugal, 2024.
mla: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
for Data Protection.” Proceedings of the 9th International Conference on Mobile
Software Engineering and Systems, 2024.
short: 'M. Khedkar, E. Bodden, in: Proceedings of the 9th International Conference
on Mobile Software Engineering and Systems, 2024.'
conference:
end_date: 2024-04-15
location: Lisbon, Portugal
name: 9th International Conference on Mobile Software Engineering and Systems 2024
start_date: 2024-04-14
date_created: 2024-03-03T14:37:53Z
date_updated: 2024-03-06T13:00:38Z
ddc:
- '006'
department:
- _id: '76'
external_id:
arxiv:
- '2402.07889'
file:
- access_level: closed
content_type: application/pdf
creator: khedkarm
date_created: 2024-03-03T14:39:08Z
date_updated: 2024-03-03T14:39:08Z
file_id: '52236'
file_name: 2402.07889v1.pdf
file_size: 530812
relation: main_file
success: 1
file_date_updated: 2024-03-03T14:39:08Z
has_accepted_license: '1'
keyword:
- static program analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
publication: Proceedings of the 9th International Conference on Mobile Software Engineering
and Systems
status: public
title: Toward an Android Static Analysis Approach for Data Protection
type: conference
user_id: '88024'
year: '2024'
...
---
_id: '52587'
author:
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Markus
full_name: Fockel, Markus
last_name: Fockel
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
citation:
ama: Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation
and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. doi:10.1109/msec.2023.3336028
apa: Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating
Security Through Isolation and Defense in Depth. IEEE Security & Privacy,
22(1), 69–72. https://doi.org/10.1109/msec.2023.3336028
bibtex: '@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security
Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028},
number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical
and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and
Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }'
chicago: 'Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating
Security Through Isolation and Defense in Depth.” IEEE Security & Privacy
22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.'
ieee: 'E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security
Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol.
22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.'
mla: Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in
Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical
and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028.
short: E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy
22 (2024) 69–72.
date_created: 2024-03-15T20:16:18Z
date_updated: 2024-03-15T20:25:13Z
department:
- _id: '152'
- _id: '76'
- _id: '241'
doi: 10.1109/msec.2023.3336028
intvolume: ' 22'
issue: '1'
keyword:
- Law
- Electrical and Electronic Engineering
- Computer Networks and Communications
language:
- iso: eng
page: 69-72
publication: IEEE Security & Privacy
publication_identifier:
issn:
- 1540-7993
- 1558-4046
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
quality_controlled: '1'
status: public
title: Evaluating Security Through Isolation and Defense in Depth
type: journal_article
user_id: '405'
volume: 22
year: '2024'
...
---
_id: '52663'
abstract:
- lang: eng
text: "Context\r\nStatic analyses are well-established to aid in understanding bugs
or vulnerabilities during the development process or in large-scale studies. A
low false-positive rate is essential for the adaption in practice and for precise
results of empirical studies. Unfortunately, static analyses tend to report where
a vulnerability manifests rather than the fix location. This can cause presumed
false positives or imprecise results.\r\nMethod\r\nTo address this problem, we
designed an adaption of an existing static analysis algorithm that can distinguish
between a manifestation and fix location, and reports error chains. An error chain
represents at least two interconnected errors that occur successively, thus building
the connection between the fix and manifestation location. We used our tool CogniCryptSUBS
for a case study on 471 GitHub repositories, a performance benchmark to compare
different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe
found that 50 % of the projects with a report had at least one error chain. Our
runtime benchmark demonstrated that our improvement caused only a minimal runtime
overhead of less than 4 %. The results of our expert interview indicate that with
our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur
results indicate that error chains occur frequently in real-world projects, and
ignoring them can lead to imprecise evaluation results. The runtime benchmark
indicates that our tool is a feasible and efficient solution for detecting error
chains in real-world projects. Further, our results gave a hint that the usability
of static analyses may benefit from supporting error chains."
author:
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Marvin
full_name: Vogel, Marvin
last_name: Vogel
- first_name: Lukas
full_name: Winter, Lukas
last_name: Winter
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting
Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.;
2024.
apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden,
E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation
Results and Enhanced Usability.
bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting
Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability},
author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and
Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }'
chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter,
Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for
Precise Evaluation Results and Enhanced Usability, 2024.
ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden,
Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability. 2024.
mla: Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis
for Precise Evaluation Results and Enhanced Usability. 2024.
short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden,
Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability, 2024.
date_created: 2024-03-20T09:28:36Z
date_updated: 2024-03-20T09:32:29Z
department:
- _id: '76'
keyword:
- Static analysis
- error chains
- false positive re- duction
- empirical studies
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/2403.07808
status: public
title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and
Enhanced Usability
type: misc
user_id: '32312'
year: '2024'
...
---
_id: '35083'
author:
- first_name: Andreas Peter
full_name: Dann, Andreas Peter
id: '26886'
last_name: Dann
- first_name: Ben
full_name: Hermann, Ben
id: '66173'
last_name: Hermann
orcid: 0000-0001-9848-2017
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies.
Published online 2023.'
apa: 'Dann, A. P., Hermann, B., & Bodden, E. (2023). UpCy: Safely Updating
Outdated Dependencies.'
bibtex: '@article{Dann_Hermann_Bodden_2023, series={International Conference on
Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies},
author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International
Conference on Software Engineering (ICSE)} }'
chicago: 'Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating
Outdated Dependencies.” International Conference on Software Engineering (ICSE),
2023.'
ieee: 'A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.”
2023.'
mla: 'Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies.
2023.'
short: A.P. Dann, B. Hermann, E. Bodden, (2023).
date_created: 2023-01-02T09:26:50Z
date_updated: 2023-01-02T09:28:32Z
department:
- _id: '76'
language:
- iso: eng
series_title: International Conference on Software Engineering (ICSE)
status: public
title: 'UpCy: Safely Updating Outdated Dependencies'
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '36522'
abstract:
- lang: eng
text: "Jupyter notebooks enable developers to interleave code snippets with rich-text
and in-line visualizations. Data scientists use Jupyter notebook as the de-facto
standard for creating and sharing machine-learning based solutions, primarily
written in Python. Recent studies have demonstrated, however, that a large portion
of Jupyter notebooks available on public platforms are undocumented and lacks
a narrative structure. This reduces the readability of these notebooks. To address
this shortcoming, this paper presents HeaderGen, a novel tool-based approach that
automatically annotates code cells with categorical markdown headers based on
a taxonomy of machine-learning operations, and classifies and displays function
calls according to this taxonomy. For this functionality to be realized, HeaderGen
enhances an existing call graph analysis in PyCG. To improve precision, HeaderGen
extends PyCG's analysis with support for handling external library code and flow-sensitivity.
The former is realized by facilitating the resolution of function return-types.
Furthermore, HeaderGen uses type information to perform pattern matching on code
syntax to annotate code cells.\r\nThe evaluation on 15 real-world Jupyter notebooks
from Kaggle shows that HeaderGen's underlying call graph analysis yields high
accuracy (96.4% precision and 95.9% recall). This is because HeaderGen can resolve
return-types of external libraries where existing type inference tools such as
pytype (by Google), pyright (by Microsoft), and Jedi fall short. The header generation
has a precision of 82.2% and a recall rate of 96.8% with regard to headers created
manually by experts. In a user study, HeaderGen helps participants finish comprehension
and navigation tasks faster. All participants clearly perceive HeaderGen as useful
to their task."
author:
- first_name: Ashwin Prasad
full_name: Shivarpatna Venkatesh, Ashwin Prasad
id: '66637'
last_name: Shivarpatna Venkatesh
- first_name: Jiawei
full_name: Wang, Jiawei
last_name: Wang
- first_name: Li
full_name: Li, Li
last_name: Li
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE SANER 2023
(International Conference on Software Analysis, Evolution and Reengineering);
2023. doi:10.48550/ARXIV.2301.04419'
apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE
SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering).
https://doi.org/10.48550/ARXIV.2301.04419
bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, DOI={10.48550/ARXIV.2301.04419},
publisher={IEEE SANER 2023 (International Conference on Software Analysis, Evolution
and Reengineering)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei
and Li, Li and Bodden, Eric}, year={2023} }'
chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden.
“Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.”
IEEE SANER 2023 (International Conference on Software Analysis, Evolution and
Reengineering), 2023. https://doi.org/10.48550/ARXIV.2301.04419.
ieee: 'A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis,” presented at the IEEE
SANER 2023 (International Conference on Software Analysis, Evolution and Reengineering),
2023, doi: 10.48550/ARXIV.2301.04419.'
mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. Enhancing Comprehension and
Navigation in Jupyter Notebooks with Static Analysis. IEEE SANER 2023 (International
Conference on Software Analysis, Evolution and Reengineering), 2023, doi:10.48550/ARXIV.2301.04419.
short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE SANER 2023
(International Conference on Software Analysis, Evolution and Reengineering),
2023.'
conference:
name: IEEE SANER 2023 (International Conference on Software Analysis, Evolution
and Reengineering)
date_created: 2023-01-13T08:03:26Z
date_updated: 2023-01-26T10:50:42Z
ddc:
- '000'
doi: 10.48550/ARXIV.2301.04419
file:
- access_level: open_access
content_type: application/pdf
creator: ashwin
date_created: 2023-01-26T10:48:40Z
date_updated: 2023-01-26T10:48:40Z
file_id: '40304'
file_name: 2301.04419.pdf
file_size: 1862440
relation: main_file
file_date_updated: 2023-01-26T10:48:40Z
has_accepted_license: '1'
keyword:
- static analysis
- python
- code comprehension
- annotation
- literate programming
- jupyter notebook
language:
- iso: eng
oa: '1'
publisher: IEEE SANER 2023 (International Conference on Software Analysis, Evolution
and Reengineering)
status: public
title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
type: conference
user_id: '66637'
year: '2023'
...
---
_id: '41812'
author:
- first_name: Linghui
full_name: Luo, Linghui
last_name: Luo
- first_name: Goran
full_name: Piskachev, Goran
id: '41936'
last_name: Piskachev
orcid: 0000-0003-4424-5838
- first_name: Ranjith
full_name: Krishnamurthy, Ranjith
id: '78060'
last_name: Krishnamurthy
orcid: 0000-0002-0906-5463
- first_name: Julian
full_name: Dolby, Julian
last_name: Dolby
- first_name: Martin
full_name: Schäf, Martin
last_name: Schäf
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation
For Java Frameworks. In: IEEE International Conference on Software Testing,
Verification and Validation (ICST). ; 2023.'
apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden,
E. (2023). Model Generation For Java Frameworks. IEEE International Conference
on Software Testing, Verification and Validation (ICST).
bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model
Generation For Java Frameworks}, booktitle={IEEE International Conference on Software
Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev,
Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden,
Eric}, year={2023} }'
chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin
Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International
Conference on Software Testing, Verification and Validation (ICST), 2023.
ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden,
“Model Generation For Java Frameworks,” 2023.
mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International
Conference on Software Testing, Verification and Validation (ICST), 2023.
short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in:
IEEE International Conference on Software Testing, Verification and Validation
(ICST), 2023.'
date_created: 2023-02-06T10:37:23Z
date_updated: 2023-02-06T10:42:29Z
department:
- _id: '76'
- _id: '662'
language:
- iso: eng
publication: IEEE International Conference on Software Testing, Verification and Validation
(ICST)
status: public
title: Model Generation For Java Frameworks
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '41813'
author:
- first_name: Ashwin Prasad
full_name: Shivarpatna Venkatesh, Ashwin Prasad
id: '66637'
last_name: Shivarpatna Venkatesh
- first_name: Jiawei
full_name: Wang, Jiawei
last_name: Wang
- first_name: Li
full_name: Li, Li
last_name: Li
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023.'
apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER).
bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing
Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER)},
author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden,
Eric}, year={2023} }'
chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden.
“Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.”
In IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER), 2023.
ieee: A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension
and Navigation in Jupyter Notebooks with Static Analysis,” 2023.
mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation
in Jupyter Notebooks with Static Analysis.” IEEE International Conference on
Software Analysis, Evolution and Reengineering (SANER), 2023.
short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.'
date_created: 2023-02-06T10:44:08Z
date_updated: 2023-02-06T10:46:00Z
department:
- _id: '76'
language:
- iso: eng
publication: IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER)
status: public
title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '45888'
author:
- first_name: Heike
full_name: Wehrheim, Heike
id: '573'
last_name: Wehrheim
- first_name: Marco
full_name: Platzner, Marco
id: '398'
last_name: Platzner
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: 'Philipp '
full_name: 'Schubert, Philipp '
last_name: Schubert
- first_name: Felix
full_name: Pauck, Felix
id: '22398'
last_name: Pauck
- first_name: Marie-Christine
full_name: Jakobs, Marie-Christine
last_name: Jakobs
citation:
ama: 'Wehrheim H, Platzner M, Bodden E, Schubert P, Pauck F, Jakobs M-C. Verifying
Software and Reconfigurable Hardware Services. In: Haake C-J, Meyer auf der Heide
F, Platzner M, Wachsmuth H, Wehrheim H, eds. On-The-Fly Computing -- Individualized
IT-Services in Dynamic Markets. Vol 412. Verlagsschriftenreihe des Heinz Nixdorf
Instituts. Heinz Nixdorf Institut, Universität Paderborn; 2023:125-144. doi:10.5281/zenodo.8068583'
apa: Wehrheim, H., Platzner, M., Bodden, E., Schubert, P., Pauck, F., & Jakobs,
M.-C. (2023). Verifying Software and Reconfigurable Hardware Services. In C.-J.
Haake, F. Meyer auf der Heide, M. Platzner, H. Wachsmuth, & H. Wehrheim (Eds.),
On-The-Fly Computing -- Individualized IT-services in dynamic markets (Vol.
412, pp. 125–144). Heinz Nixdorf Institut, Universität Paderborn. https://doi.org/10.5281/zenodo.8068583
bibtex: '@inbook{Wehrheim_Platzner_Bodden_Schubert_Pauck_Jakobs_2023, place={Paderborn},
series={Verlagsschriftenreihe des Heinz Nixdorf Instituts}, title={Verifying Software
and Reconfigurable Hardware Services}, volume={412}, DOI={10.5281/zenodo.8068583},
booktitle={On-The-Fly Computing -- Individualized IT-services in dynamic markets},
publisher={Heinz Nixdorf Institut, Universität Paderborn}, author={Wehrheim, Heike
and Platzner, Marco and Bodden, Eric and Schubert, Philipp and Pauck, Felix and
Jakobs, Marie-Christine}, editor={Haake, Claus-Jochen and Meyer auf der Heide,
Friedhelm and Platzner, Marco and Wachsmuth, Henning and Wehrheim, Heike}, year={2023},
pages={125–144}, collection={Verlagsschriftenreihe des Heinz Nixdorf Instituts}
}'
chicago: 'Wehrheim, Heike, Marco Platzner, Eric Bodden, Philipp Schubert, Felix
Pauck, and Marie-Christine Jakobs. “Verifying Software and Reconfigurable Hardware
Services.” In On-The-Fly Computing -- Individualized IT-Services in Dynamic
Markets, edited by Claus-Jochen Haake, Friedhelm Meyer auf der Heide, Marco
Platzner, Henning Wachsmuth, and Heike Wehrheim, 412:125–44. Verlagsschriftenreihe
Des Heinz Nixdorf Instituts. Paderborn: Heinz Nixdorf Institut, Universität Paderborn,
2023. https://doi.org/10.5281/zenodo.8068583.'
ieee: 'H. Wehrheim, M. Platzner, E. Bodden, P. Schubert, F. Pauck, and M.-C. Jakobs,
“Verifying Software and Reconfigurable Hardware Services,” in On-The-Fly Computing
-- Individualized IT-services in dynamic markets, vol. 412, C.-J. Haake, F.
Meyer auf der Heide, M. Platzner, H. Wachsmuth, and H. Wehrheim, Eds. Paderborn:
Heinz Nixdorf Institut, Universität Paderborn, 2023, pp. 125–144.'
mla: Wehrheim, Heike, et al. “Verifying Software and Reconfigurable Hardware Services.”
On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets,
edited by Claus-Jochen Haake et al., vol. 412, Heinz Nixdorf Institut, Universität
Paderborn, 2023, pp. 125–44, doi:10.5281/zenodo.8068583.
short: 'H. Wehrheim, M. Platzner, E. Bodden, P. Schubert, F. Pauck, M.-C. Jakobs,
in: C.-J. Haake, F. Meyer auf der Heide, M. Platzner, H. Wachsmuth, H. Wehrheim
(Eds.), On-The-Fly Computing -- Individualized IT-Services in Dynamic Markets,
Heinz Nixdorf Institut, Universität Paderborn, Paderborn, 2023, pp. 125–144.'
date_created: 2023-07-07T08:01:23Z
date_updated: 2023-07-07T11:18:59Z
ddc:
- '004'
department:
- _id: '7'
doi: 10.5281/zenodo.8068583
editor:
- first_name: Claus-Jochen
full_name: Haake, Claus-Jochen
last_name: Haake
- first_name: Friedhelm
full_name: Meyer auf der Heide, Friedhelm
last_name: Meyer auf der Heide
- first_name: Marco
full_name: Platzner, Marco
last_name: Platzner
- first_name: Henning
full_name: Wachsmuth, Henning
last_name: Wachsmuth
- first_name: Heike
full_name: Wehrheim, Heike
last_name: Wehrheim
file:
- access_level: open_access
content_type: application/pdf
creator: florida
date_created: 2023-07-07T08:01:12Z
date_updated: 2023-07-07T11:18:59Z
file_id: '45889'
file_name: B4-Chapter-SFB-Buch-Final.pdf
file_size: 840964
relation: main_file
file_date_updated: 2023-07-07T11:18:59Z
has_accepted_license: '1'
intvolume: ' 412'
language:
- iso: eng
oa: '1'
page: 125-144
place: Paderborn
project:
- _id: '1'
grant_number: '160364472'
name: 'SFB 901: SFB 901: On-The-Fly Computing - Individualisierte IT-Dienstleistungen
in dynamischen Märkten '
- _id: '3'
name: 'SFB 901 - B: SFB 901 - Project Area B'
- _id: '12'
name: 'SFB 901 - B4: SFB 901 - Subproject B4'
publication: On-The-Fly Computing -- Individualized IT-services in dynamic markets
publisher: Heinz Nixdorf Institut, Universität Paderborn
series_title: Verlagsschriftenreihe des Heinz Nixdorf Instituts
status: public
title: Verifying Software and Reconfigurable Hardware Services
type: book_chapter
user_id: '477'
volume: 412
year: '2023'
...
---
_id: '46816'
author:
- first_name: Adriano
full_name: Torres, Adriano
last_name: Torres
- first_name: Pedro
full_name: Costa, Pedro
last_name: Costa
- first_name: Luis
full_name: Amaral, Luis
last_name: Amaral
- first_name: Jonata
full_name: Pastro, Jonata
last_name: Pastro
- first_name: Rodrigo
full_name: Bonifácio, Rodrigo
last_name: Bonifácio
- first_name: Marcelo
full_name: d'Amorim, Marcelo
last_name: d'Amorim
- first_name: Owolabi
full_name: Legunsen, Owolabi
last_name: Legunsen
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Edna
full_name: Dias Canedo, Edna
last_name: Dias Canedo
citation:
ama: 'Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An
Empirical Study. IEEE Transactions on Software Engineering. 2023;49(10):4510-4525.
doi:10.1109/tse.2023.3301660'
apa: 'Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M.,
Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of
Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering,
49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660'
bibtex: '@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias
Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study},
volume={49}, DOI={10.1109/tse.2023.3301660},
number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute
of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa,
Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim,
Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023},
pages={4510–4525} }'
chicago: 'Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio,
Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime
Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software
Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660.'
ieee: 'A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical
Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp.
4510–4525, 2023, doi: 10.1109/tse.2023.3301660.'
mla: 'Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical
Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute
of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.'
short: A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O.
Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering
49 (2023) 4510–4525.
date_created: 2023-09-06T07:42:40Z
date_updated: 2023-12-04T11:05:26Z
department:
- _id: '76'
doi: 10.1109/tse.2023.3301660
intvolume: ' 49'
issue: '10'
keyword:
- Software
language:
- iso: eng
page: 4510 - 4525
publication: IEEE Transactions on Software Engineering
publication_identifier:
issn:
- 0098-5589
- 1939-3520
- 2326-3881
publication_status: published
publisher: Institute of Electrical and Electronics Engineers (IEEE)
status: public
title: 'Runtime Verification of Crypto APIs: An Empirical Study'
type: journal_article
user_id: '15249'
volume: 49
year: '2023'
...
---
_id: '49439'
abstract:
- lang: eng
text: AbstractThe use of static analysis security
testing (SAST) tools has been increasing in recent years. However, previous studies
have shown that, when shipped to end users such as development or security teams,
the findings of these tools are often unsatisfying. Users report high numbers
of false positives or long analysis times, making the tools unusable in the daily
workflow. To address this, SAST tool creators provide a wide range of configuration
options, such as customization of rules through domain-specific languages or specification
of the application-specific analysis scope. In this paper, we study the configuration
space of selected existing SAST tools when used within the integrated development
environment (IDE). We focus on the configuration options that impact three dimensions,
for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime.
We perform a between-subjects user study with 40 users from multiple development
and security teams - to our knowledge, the largest population for this kind of
user study in the software engineering community. The results show that users
who configure SAST tools are more effective in resolving security vulnerabilities
detected by the tools than those using the default configuration. Based on post-study
interviews, we identify common strategies that users have while configuring the
SAST tools to provide further insights for tool creators. Finally, an evaluation
of the configuration options of two commercial SAST tools, Fortify
and CheckMarx, reveals that a quarter of the users do not understand
the configuration options provided. The configuration options that are found most
useful relate to the analysis scope.
article_number: '118'
author:
- first_name: Goran
full_name: Piskachev, Goran
id: '41936'
last_name: Piskachev
orcid: 0000-0003-4424-5838
- first_name: Matthias
full_name: Becker, Matthias
id: '4870'
last_name: Becker
orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make
resolving security vulnerabilities more effective? - A user study. Empirical
Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3
apa: Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of
static analyses make resolving security vulnerabilities more effective? - A user
study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3
bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of
static analyses make resolving security vulnerabilities more effective? - A user
study}, volume={28}, DOI={10.1007/s10664-023-10354-3},
number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science
and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden,
Eric}, year={2023} }'
chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration
of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A
User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3.
ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static
analyses make resolving security vulnerabilities more effective? - A user study,”
Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi:
10.1007/s10664-023-10354-3.'
mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving
Security Vulnerabilities More Effective? - A User Study.” Empirical Software
Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC,
2023, doi:10.1007/s10664-023-10354-3.
short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).
date_created: 2023-12-04T11:14:34Z
date_updated: 2023-12-04T11:29:49Z
department:
- _id: '76'
- _id: '662'
doi: 10.1007/s10664-023-10354-3
intvolume: ' 28'
issue: '5'
keyword:
- Software
language:
- iso: eng
publication: Empirical Software Engineering
publication_identifier:
issn:
- 1382-3256
- 1573-7616
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Can the configuration of static analyses make resolving security vulnerabilities
more effective? - A user study
type: journal_article
user_id: '15249'
volume: 28
year: '2023'
...
---
_id: '49438'
author:
- first_name: Stefan
full_name: Krüger, Stefan
last_name: Krüger
- first_name: Michael
full_name: Reif, Michael
last_name: Reif
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Sarah
full_name: Nadi, Sarah
last_name: Nadi
- first_name: Karim
full_name: Ali, Karim
last_name: Ali
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Yasemin
full_name: Acar, Yasemin
id: '94636'
last_name: Acar
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
- first_name: Sascha
full_name: Fahl, Sascha
last_name: Fahl
citation:
ama: 'Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through
Tool Support - A Usability Study. In: 2023 IEEE Secure Development Conference
(SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015'
apa: Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar,
Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through
Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev).
https://doi.org/10.1109/secdev56634.2023.00015
bibtex: '@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023,
title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study},
DOI={10.1109/secdev56634.2023.00015},
booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE},
author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi,
Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl,
Sascha}, year={2023} }'
chicago: Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim
Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API
Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development
Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015.
ieee: 'S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support
- A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.'
mla: Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support
- A Usability Study.” 2023 IEEE Secure Development Conference (SecDev),
IEEE, 2023, doi:10.1109/secdev56634.2023.00015.
short: 'S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar,
M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE,
2023.'
date_created: 2023-12-04T11:07:08Z
date_updated: 2023-12-04T11:14:10Z
department:
- _id: '76'
- _id: '740'
doi: 10.1109/secdev56634.2023.00015
language:
- iso: eng
publication: 2023 IEEE Secure Development Conference (SecDev)
publication_status: published
publisher: IEEE
status: public
title: Securing Your Crypto-API Usage Through Tool Support - A Usability Study
type: conference
user_id: '15249'
year: '2023'
...
---
_id: '48946'
abstract:
- lang: ger
text: inhalt Der verlässliche Betrieb von technischen Produkten wird zunehmend durch
bewusste Angriffe bedroht. Vollständige Sicherheit ist dabei nicht möglich, durchschlagende
Angriffe sind unvermeidbar (Assume Breach). Dies erfordert einen Paradigmenwechsel
in der sicherheitsgerechten Entwicklung mechatronischer und cyber-physischer Systeme
hin zu Defense-in-Depth. Systeme müssen so ausgelegt werden, dass sie auch bei
gezielten Angriffen möglichst hohe Zuverlässigkeit und Sicherheit gewährleisten.
Der hier beschriebene Lösungsansatz erweitert das Systemmodell um Angriffsszenarien
und Verteidigungslinien. Diese werden am Beispiel eines industriellen Schließsystems
zur Anlagensicherheit erläutert. Entwickler werden sensibilisiert, Angriffe systematisch
zu berücksichtigen und interdisziplinär Verteidigungselemente gegenüber Bedrohungen
und Angriffen zu spezifizieren.
- lang: eng
text: The reliable operation of technical products is increasingly threatened by
deliberate attacks. Complete security is not possible, striking attacks are unavoidable
(assume breach). This requires a paradigm shift in security-oriented engineering
of mechatronic and cyber-physical systems towards Defense-in-Depth. Systems need
to be engineered in a way that full reliability and security are ensured even
in case of targeted attacks. The solution approach described here expands the
system model to include attack scenarios and lines of defence. It is applied to
an industrial locking system for plant security as an example. Developers are
sensitised to systematically consider attacks and to specify interdisciplinary
defence elements against threats and attacks.
article_type: original
author:
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Dominik
full_name: Wiechel, Dominik
id: '67161'
last_name: Wiechel
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
citation:
ama: 'Gräßler I, Bodden E, Wiechel D, Pottebaum J. Defense-in-Depth als neues Paradigma
der sicherheitsgerechten Produktentwicklung: interdisziplinäre, bedrohungsbewusste
und lösungsorientierte Security. Konstruktion. 2023;75(11-12):60-65. doi:10.37544/0720-5953-2023-11-12-60'
apa: 'Gräßler, I., Bodden, E., Wiechel, D., & Pottebaum, J. (2023). Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security. Konstruktion, 75(11–12),
60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60'
bibtex: '@article{Gräßler_Bodden_Wiechel_Pottebaum_2023, title={Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security}, volume={75}, DOI={10.37544/0720-5953-2023-11-12-60},
number={11–12}, journal={Konstruktion}, publisher={VDI Fachmedien GmbH and Co.
KG}, author={Gräßler, Iris and Bodden, Eric and Wiechel, Dominik and Pottebaum,
Jens}, year={2023}, pages={60–65} }'
chicago: 'Gräßler, Iris, Eric Bodden, Dominik Wiechel, and Jens Pottebaum. “Defense-in-Depth
als neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security.” Konstruktion 75, no.
11–12 (2023): 60–65. https://doi.org/10.37544/0720-5953-2023-11-12-60.'
ieee: 'I. Gräßler, E. Bodden, D. Wiechel, and J. Pottebaum, “Defense-in-Depth als
neues Paradigma der sicherheitsgerechten Produktentwicklung: interdisziplinäre,
bedrohungsbewusste und lösungsorientierte Security,” Konstruktion, vol.
75, no. 11–12, pp. 60–65, 2023, doi: 10.37544/0720-5953-2023-11-12-60.'
mla: 'Gräßler, Iris, et al. “Defense-in-Depth als neues Paradigma der sicherheitsgerechten
Produktentwicklung: interdisziplinäre, bedrohungsbewusste und lösungsorientierte
Security.” Konstruktion, vol. 75, no. 11–12, VDI Fachmedien GmbH and Co.
KG, 2023, pp. 60–65, doi:10.37544/0720-5953-2023-11-12-60.'
short: I. Gräßler, E. Bodden, D. Wiechel, J. Pottebaum, Konstruktion 75 (2023) 60–65.
date_created: 2023-11-16T08:23:12Z
date_updated: 2023-12-20T14:10:51Z
department:
- _id: '152'
- _id: '76'
doi: 10.37544/0720-5953-2023-11-12-60
intvolume: ' 75'
issue: 11-12
keyword:
- Mechanical Engineering
- Mechanics of Materials
- General Materials Science
- Theoretical Computer Science
language:
- iso: ger
page: 60-65
publication: Konstruktion
publication_identifier:
issn:
- 0720-5953
publication_status: published
publisher: VDI Fachmedien GmbH and Co. KG
quality_controlled: '1'
status: public
title: 'Defense-in-Depth als neues Paradigma der sicherheitsgerechten Produktentwicklung:
interdisziplinäre, bedrohungsbewusste und lösungsorientierte Security'
type: journal_article
user_id: '405'
volume: 75
year: '2023'
...
---
_id: '46500'
abstract:
- lang: eng
text: The security of Industrial Control Systems is relevant both for reliable production
system operations and for high-quality throughput in terms of manufactured products.
Security measures are designed, operated and maintained by different roles along
product and production system lifecycles. Defense-in-Depth as a paradigm builds
upon the assumption that breaches are unavoidable. The paper at hand provides
an analysis of roles, corresponding Human Factors and their relevance for data
theft and sabotage attacks. The resulting taxonomy is reflected by an example
related to Additive Manufacturing. The results assist in both designing and redesigning
Industrial Control System as part of an entire production system so that Defense-in-Depth
with regard to Human Factors is built in by design.
author:
- first_name: Jens
full_name: Pottebaum, Jens
id: '405'
last_name: Pottebaum
orcid: http://orcid.org/0000-0001-8778-2989
- first_name: Jost
full_name: Rossel, Jost
id: '58331'
last_name: Rossel
orcid: 0000-0002-3182-4059
- first_name: Juraj
full_name: Somorovsky, Juraj
id: '83504'
last_name: Somorovsky
orcid: 0000-0002-3593-7720
- first_name: Yasemin
full_name: Acar, Yasemin
id: '94636'
last_name: Acar
- first_name: René
full_name: Fahr, René
id: '111'
last_name: Fahr
- first_name: Patricia
full_name: Arias Cabarcos, Patricia
id: '92804'
last_name: Arias Cabarcos
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Iris
full_name: Gräßler, Iris
id: '47565'
last_name: Gräßler
orcid: 0000-0001-5765-971X
citation:
ama: 'Pottebaum J, Rossel J, Somorovsky J, et al. Re-Envisioning Industrial Control
Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.
In: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).
IEEE; 2023:379-385. doi:10.1109/eurospw59978.2023.00048'
apa: Pottebaum, J., Rossel, J., Somorovsky, J., Acar, Y., Fahr, R., Arias Cabarcos,
P., Bodden, E., & Gräßler, I. (2023). Re-Envisioning Industrial Control Systems
Security by Considering Human Factors as a Core Element of Defense-in-Depth. 2023
IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
379–385. https://doi.org/10.1109/eurospw59978.2023.00048
bibtex: '@inproceedings{Pottebaum_Rossel_Somorovsky_Acar_Fahr_Arias Cabarcos_Bodden_Gräßler_2023,
title={Re-Envisioning Industrial Control Systems Security by Considering Human
Factors as a Core Element of Defense-in-Depth}, DOI={10.1109/eurospw59978.2023.00048},
booktitle={2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)},
publisher={IEEE}, author={Pottebaum, Jens and Rossel, Jost and Somorovsky, Juraj
and Acar, Yasemin and Fahr, René and Arias Cabarcos, Patricia and Bodden, Eric
and Gräßler, Iris}, year={2023}, pages={379–385} }'
chicago: Pottebaum, Jens, Jost Rossel, Juraj Somorovsky, Yasemin Acar, René Fahr,
Patricia Arias Cabarcos, Eric Bodden, and Iris Gräßler. “Re-Envisioning Industrial
Control Systems Security by Considering Human Factors as a Core Element of Defense-in-Depth.”
In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
379–85. IEEE, 2023. https://doi.org/10.1109/eurospw59978.2023.00048.
ieee: 'J. Pottebaum et al., “Re-Envisioning Industrial Control Systems Security
by Considering Human Factors as a Core Element of Defense-in-Depth,” in 2023
IEEE European Symposium on Security and Privacy Workshops (EuroS&PW),
Delft, Netherlands, 2023, pp. 379–385, doi: 10.1109/eurospw59978.2023.00048.'
mla: Pottebaum, Jens, et al. “Re-Envisioning Industrial Control Systems Security
by Considering Human Factors as a Core Element of Defense-in-Depth.” 2023 IEEE
European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE,
2023, pp. 379–85, doi:10.1109/eurospw59978.2023.00048.
short: 'J. Pottebaum, J. Rossel, J. Somorovsky, Y. Acar, R. Fahr, P. Arias Cabarcos,
E. Bodden, I. Gräßler, in: 2023 IEEE European Symposium on Security and Privacy
Workshops (EuroS&PW), IEEE, 2023, pp. 379–385.'
conference:
end_date: 2023-07-07
location: Delft, Netherlands
name: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
start_date: 2023-07-03
date_created: 2023-08-15T12:21:05Z
date_updated: 2023-12-20T14:12:25Z
department:
- _id: '34'
- _id: '740'
- _id: '152'
- _id: '76'
doi: 10.1109/eurospw59978.2023.00048
keyword:
- Defense-in-Depth
- Human Factors
- Production Engineering
- Product Design
- Systems Engineering
language:
- iso: eng
main_file_link:
- url: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190647
page: 379-385
publication: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
publication_status: published
publisher: IEEE
quality_controlled: '1'
status: public
title: Re-Envisioning Industrial Control Systems Security by Considering Human Factors
as a Core Element of Defense-in-Depth
type: conference
user_id: '405'
year: '2023'
...
---
_id: '52662'
abstract:
- lang: eng
text: Static analysis tools support developers in detecting potential coding issues,
such as bugs or vulnerabilities. Research emphasizes technical challenges of such
tools but also mentions severe usability shortcomings. These shortcomings hinder
the adoption of static analysis tools, and user dissatisfaction may even lead
to tool abandonment. To comprehensively assess the state of the art, we present
the first systematic usability evaluation of a wide range of static analysis tools.
We derived a set of 36 relevant criteria from the literature and used them to
evaluate a total of 46 static analysis tools complying with our inclusion and
exclusion criteria - a representative set of mainly non-proprietary tools. The
evaluation against the usability criteria in a multiple-raters approach shows
that two thirds of the considered tools off er poor warning messages, while about
three-quarters provide hardly any fix support. Furthermore, the integration of
user knowledge is strongly neglected, which could be used for instance, to improve
handling of false positives. Finally, issues regarding workflow integration and
specialized user interfaces are revealed. These findings should prove useful in
guiding and focusing further research and development in user experience for static
code analyses.
author:
- first_name: Marcus
full_name: Nachtigall, Marcus
id: '41213'
last_name: Nachtigall
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Nachtigall M, Schlichtig M, Bodden E. Evaluation of Usability Criteria Addressed
by Static Analysis Tools on a Large Scale. In: Software Engineering 2023.
Gesellschaft für Informatik e.V.; 2023:95–96.'
apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2023). Evaluation of Usability
Criteria Addressed by Static Analysis Tools on a Large Scale. In Software Engineering
2023 (pp. 95–96). Gesellschaft für Informatik e.V.
bibtex: '@inbook{Nachtigall_Schlichtig_Bodden_2023, place={Bonn}, title={Evaluation
of Usability Criteria Addressed by Static Analysis Tools on a Large Scale}, booktitle={Software
Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Nachtigall,
Marcus and Schlichtig, Michael and Bodden, Eric}, year={2023}, pages={95–96} }'
chicago: 'Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “Evaluation of
Usability Criteria Addressed by Static Analysis Tools on a Large Scale.” In Software
Engineering 2023, 95–96. Bonn: Gesellschaft für Informatik e.V., 2023.'
ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “Evaluation of Usability Criteria
Addressed by Static Analysis Tools on a Large Scale,” in Software Engineering
2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 95–96.'
mla: Nachtigall, Marcus, et al. “Evaluation of Usability Criteria Addressed by Static
Analysis Tools on a Large Scale.” Software Engineering 2023, Gesellschaft
für Informatik e.V., 2023, pp. 95–96.
short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Software Engineering 2023,
Gesellschaft für Informatik e.V., Bonn, 2023, pp. 95–96.'
date_created: 2024-03-20T09:26:29Z
date_updated: 2024-03-20T09:27:41Z
department:
- _id: '76'
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/5afe477f-2f6a-4b3d-b391-f024baf0b7a5
page: 95–96
place: Bonn
publication: Software Engineering 2023
publication_identifier:
isbn:
- 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: Evaluation of Usability Criteria Addressed by Static Analysis Tools on a Large
Scale
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '52660'
abstract:
- lang: eng
text: Application Programming Interfaces (APIs) are the primary mechanism developers
use to obtain access to third-party algorithms and services. Unfortunately, APIs
can be misused, which can have catastrophic consequences, especially if the APIs
provide security-critical functionalities like cryptography. Understanding what
API misuses are, and how they are caused, is important to prevent them, eg, with
API misuse detectors. However, definitions for API misuses and related terms in
literature vary. This paper presents a systematic literature review to clarify
these terms and introduces FUM, a novel Framework for API Usage constraint and
Misuse classification. The literature review revealed that API misuses are violations
of API usage constraints. To address this, we provide unified definitions and
use them to derive FUM. To assess the extent to which FUM aids in determining
and guiding the improvement of an API misuses detector’s capabilities, we performed
a case study on the state-of the-art misuse detection tool CogniCrypt. The study
showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify
weaknesses and assist in deriving mitigations and improvements.
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Steffen
full_name: Sassalla, Steffen
last_name: Sassalla
- first_name: Krishna
full_name: Narasimhan, Krishna
last_name: Narasimhan
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework
for API Usage Constraint and Misuse Classification. In: Software Engineering
2023. Gesellschaft für Informatik e.V.; 2023:105–106.'
apa: 'Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2023). Introducing
FUM: A Framework for API Usage Constraint and Misuse Classification. In Software
Engineering 2023 (pp. 105–106). Gesellschaft für Informatik e.V.'
bibtex: '@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing
FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software
Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig,
Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023},
pages={105–106} }'
chicago: 'Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
“Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.”
In Software Engineering 2023, 105–106. Bonn: Gesellschaft für Informatik
e.V., 2023.'
ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM:
A Framework for API Usage Constraint and Misuse Classification,” in Software
Engineering 2023, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.'
mla: 'Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint
and Misuse Classification.” Software Engineering 2023, Gesellschaft für
Informatik e.V., 2023, pp. 105–106.'
short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering
2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.'
date_created: 2024-03-20T09:22:27Z
date_updated: 2024-03-20T09:25:46Z
department:
- _id: '76'
keyword:
- API misuses API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
main_file_link:
- url: https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2
page: 105–106
place: Bonn
publication: Software Engineering 2023
publication_identifier:
isbn:
- 978-3-88579-726-5
publisher: Gesellschaft für Informatik e.V.
status: public
title: 'Introducing FUM: A Framework for API Usage Constraint and Misuse Classification'
type: book_chapter
user_id: '32312'
year: '2023'
...
---
_id: '29844'
author:
- first_name: Thorsten
full_name: Koch, Thorsten
id: '13616'
last_name: Koch
- first_name: Sascha
full_name: Trippel, Sascha
last_name: Trippel
- first_name: Stefan
full_name: Dziwok, Stefan
id: '3901'
last_name: Dziwok
orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Koch T, Trippel S, Dziwok S, Bodden E. Integrating Security Protocols in Scenario-based
Requirements Specifications. In: Proceedings of the 10th International Conference
on Model-Driven Engineering and Software Development. SCITEPRESS - Science
and Technology Publications; 2022. doi:10.5220/0010783300003119'
apa: Koch, T., Trippel, S., Dziwok, S., & Bodden, E. (2022). Integrating Security
Protocols in Scenario-based Requirements Specifications. Proceedings of the
10th International Conference on Model-Driven Engineering and Software Development.
https://doi.org/10.5220/0010783300003119
bibtex: '@inproceedings{Koch_Trippel_Dziwok_Bodden_2022, title={Integrating Security
Protocols in Scenario-based Requirements Specifications}, DOI={10.5220/0010783300003119},
booktitle={Proceedings of the 10th International Conference on Model-Driven Engineering
and Software Development}, publisher={SCITEPRESS - Science and Technology Publications},
author={Koch, Thorsten and Trippel, Sascha and Dziwok, Stefan and Bodden, Eric},
year={2022} }'
chicago: Koch, Thorsten, Sascha Trippel, Stefan Dziwok, and Eric Bodden. “Integrating
Security Protocols in Scenario-Based Requirements Specifications.” In Proceedings
of the 10th International Conference on Model-Driven Engineering and Software
Development. SCITEPRESS - Science and Technology Publications, 2022. https://doi.org/10.5220/0010783300003119.
ieee: 'T. Koch, S. Trippel, S. Dziwok, and E. Bodden, “Integrating Security Protocols
in Scenario-based Requirements Specifications,” 2022, doi: 10.5220/0010783300003119.'
mla: Koch, Thorsten, et al. “Integrating Security Protocols in Scenario-Based Requirements
Specifications.” Proceedings of the 10th International Conference on Model-Driven
Engineering and Software Development, SCITEPRESS - Science and Technology
Publications, 2022, doi:10.5220/0010783300003119.
short: 'T. Koch, S. Trippel, S. Dziwok, E. Bodden, in: Proceedings of the 10th International
Conference on Model-Driven Engineering and Software Development, SCITEPRESS -
Science and Technology Publications, 2022.'
date_created: 2022-02-15T07:47:51Z
date_updated: 2022-02-15T07:48:53Z
department:
- _id: '241'
- _id: '662'
doi: 10.5220/0010783300003119
language:
- iso: eng
publication: Proceedings of the 10th International Conference on Model-Driven Engineering
and Software Development
publication_status: published
publisher: SCITEPRESS - Science and Technology Publications
status: public
title: Integrating Security Protocols in Scenario-based Requirements Specifications
type: conference
user_id: '13616'
year: '2022'
...
---
_id: '31844'
abstract:
- lang: eng
text: "Encrypting data before sending it to the cloud ensures data confidentiality
but requires the cloud to compute on encrypted data. Trusted execution environments,
such as Intel SGX enclaves, promise to provide a secure environment in which data
can be decrypted and then processed. However, vulnerabilities in the executed
program give attackers ample opportunities to execute arbitrary code inside the
enclave. This code can modify the dataflow of the program and leak secrets via
SGX side channels. Fully homomorphic encryption would be an alternative to compute
on encrypted data without data leaks. However, due to its high computational complexity,
its applicability to general-purpose computing remains limited. Researchers have
made several proposals for transforming programs to perform encrypted computations
on less powerful encryption schemes. Yet current approaches do not support programs
making control-flow decisions based on encrypted data.\r\n \r\n
\ We introduce the concept of\r\n dataflow authentication\r\n
\ (DFAuth) to enable such programs. DFAuth prevents an adversary from
arbitrarily deviating from the dataflow of a program. Our technique hence offers
protections against the side-channel attacks described previously. We implemented
two flavors of DFAuth, a Java bytecode-to-bytecode compiler, and an SGX enclave
running a small and program-independent trusted code base. We applied DFAuth to
a neural network performing machine learning on sensitive medical data and a smart
charging scheduler for electric vehicles. Our transformation yields a neural network
with encrypted weights, which can be evaluated on encrypted inputs in\r\n \r\n \\( 12.55 \\,\\mathrm{m}\\mathrm{s} \\)\r\n
\ \r\n . Our protected scheduler is
capable of updating the encrypted charging plan in approximately 1.06 seconds.\r\n
\ "
author:
- first_name: Andreas
full_name: Fischer, Andreas
last_name: Fischer
- first_name: Benny
full_name: Fuhry, Benny
last_name: Fuhry
- first_name: Jörn
full_name: Kußmaul, Jörn
last_name: Kußmaul
- first_name: Jonas
full_name: Janneck, Jonas
last_name: Janneck
- first_name: Florian
full_name: Kerschbaum, Florian
last_name: Kerschbaum
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: Fischer A, Fuhry B, Kußmaul J, Janneck J, Kerschbaum F, Bodden E. Computation
on Encrypted Data Using Dataflow Authentication. ACM Transactions on Privacy
and Security. 2022;25(3):1-36. doi:10.1145/3513005
apa: Fischer, A., Fuhry, B., Kußmaul, J., Janneck, J., Kerschbaum, F., & Bodden,
E. (2022). Computation on Encrypted Data Using Dataflow Authentication. ACM
Transactions on Privacy and Security, 25(3), 1–36. https://doi.org/10.1145/3513005
bibtex: '@article{Fischer_Fuhry_Kußmaul_Janneck_Kerschbaum_Bodden_2022, title={Computation
on Encrypted Data Using Dataflow Authentication}, volume={25}, DOI={10.1145/3513005},
number={3}, journal={ACM Transactions on Privacy and Security}, publisher={Association
for Computing Machinery (ACM)}, author={Fischer, Andreas and Fuhry, Benny and
Kußmaul, Jörn and Janneck, Jonas and Kerschbaum, Florian and Bodden, Eric}, year={2022},
pages={1–36} }'
chicago: 'Fischer, Andreas, Benny Fuhry, Jörn Kußmaul, Jonas Janneck, Florian Kerschbaum,
and Eric Bodden. “Computation on Encrypted Data Using Dataflow Authentication.”
ACM Transactions on Privacy and Security 25, no. 3 (2022): 1–36. https://doi.org/10.1145/3513005.'
ieee: 'A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, and E. Bodden,
“Computation on Encrypted Data Using Dataflow Authentication,” ACM Transactions
on Privacy and Security, vol. 25, no. 3, pp. 1–36, 2022, doi: 10.1145/3513005.'
mla: Fischer, Andreas, et al. “Computation on Encrypted Data Using Dataflow Authentication.”
ACM Transactions on Privacy and Security, vol. 25, no. 3, Association for
Computing Machinery (ACM), 2022, pp. 1–36, doi:10.1145/3513005.
short: A. Fischer, B. Fuhry, J. Kußmaul, J. Janneck, F. Kerschbaum, E. Bodden, ACM
Transactions on Privacy and Security 25 (2022) 1–36.
date_created: 2022-06-09T10:28:03Z
date_updated: 2022-06-09T10:29:19Z
department:
- _id: '76'
doi: 10.1145/3513005
intvolume: ' 25'
issue: '3'
keyword:
- Safety
- Risk
- Reliability and Quality
- General Computer Science
language:
- iso: eng
page: 1-36
publication: ACM Transactions on Privacy and Security
publication_identifier:
issn:
- 2471-2566
- 2471-2574
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Computation on Encrypted Data Using Dataflow Authentication
type: journal_article
user_id: '15249'
volume: 25
year: '2022'
...
---
_id: '32409'
abstract:
- lang: eng
text: 'Context: Cryptographic APIs are often misused in real-world applications.
Therefore, many cryptographic API misuse detection tools have been introduced.
However, there exists no established reference benchmark for a fair and comprehensive
comparison and evaluation of these tools. While there are benchmarks, they often
only address a subset of the domain or were only used to evaluate a subset of
existing misuse detection tools. Objective: To fairly compare cryptographic API
misuse detection tools and to drive future development in this domain, we will
devise such a benchmark. Openness and transparency in the generation process are
key factors to fairly generate and establish the needed benchmark. Method: We
propose an approach where we derive the benchmark generation methodology from
the literature which consists of general best practices in benchmarking and domain-specific
benchmark generation. A part of this methodology is transparency and openness
of the generation process, which is achieved by pre-registering this work. Based
on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection
Tool Benchmark Suite". We will implement the first version of CamBench limiting
the domain to Java, the JCA, and static analyses. Finally, we will use CamBench
to compare current misuse detection tools and compare CamBench to related benchmarks
of its domain.'
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Anna-Katharina
full_name: Wickert, Anna-Katharina
last_name: Wickert
- first_name: Stefan
full_name: Krüger, Stefan
last_name: Krüger
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
- first_name: Mira
full_name: Mezini, Mira
last_name: Mezini
citation:
ama: Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. CamBench -- Cryptographic
API Misuse Detection Tool Benchmark Suite.; 2022. doi:10.48550/ARXIV.2204.06447
apa: Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., & Mezini, M. (2022).
CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite. https://doi.org/10.48550/ARXIV.2204.06447
bibtex: '@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench --
Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={10.48550/ARXIV.2204.06447},
author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and
Bodden, Eric and Mezini, Mira}, year={2022} }'
chicago: Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden,
and Mira Mezini. CamBench -- Cryptographic API Misuse Detection Tool Benchmark
Suite, 2022. https://doi.org/10.48550/ARXIV.2204.06447.
ieee: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, CamBench
-- Cryptographic API Misuse Detection Tool Benchmark Suite. 2022.
mla: Schlichtig, Michael, et al. CamBench -- Cryptographic API Misuse Detection
Tool Benchmark Suite. 2022, doi:10.48550/ARXIV.2204.06447.
short: M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench --
Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.
date_created: 2022-07-25T07:56:59Z
date_updated: 2022-07-25T10:23:44Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2204.06447
keyword:
- cryptography
- benchmark
- API misuse
- static analysis
language:
- iso: eng
related_material:
link:
- relation: confirmation
url: https://arxiv.org/abs/2204.06447
status: public
title: CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite
type: misc
user_id: '32312'
year: '2022'
...
---
_id: '32410'
abstract:
- lang: eng
text: "Static analysis tools support developers in detecting potential coding issues,
such as bugs or vulnerabilities. Research on static analysis emphasizes its technical
challenges but also mentions severe usability shortcomings. These shortcomings
hinder the adoption of static analysis tools, and in some cases, user dissatisfaction
even leads to tool abandonment.\r\nTo comprehensively assess the current state
of the art, this paper presents the first systematic usability evaluation in a
wide range of static analysis tools. We derived a set of 36 relevant criteria
from the scientific literature and gathered a collection of 46 static analysis
tools complying with our inclusion and exclusion criteria - a representative set
of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill
the aforementioned criteria.\r\nThe evaluation shows that more than half of the
considered tools offer poor warning messages, while about three-quarters of the
tools provide hardly any fix support. Furthermore, the integration of user knowledge
is strongly neglected, which could be used for improved handling of false positives
and tuning the results for the corresponding developer. Finally, issues regarding
workflow integration and specialized user interfaces are proved further.\r\nThese
findings should prove useful in guiding and focusing further research and development
in the area of user experience for static code analyses."
author:
- first_name: Marcus
full_name: Nachtigall, Marcus
id: '41213'
last_name: Nachtigall
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Nachtigall M, Schlichtig M, Bodden E. A Large-Scale Study of Usability Criteria
Addressed by Static Analysis Tools. In: Proceedings of the 31st ACM SIGSOFT
International Symposium on Software Testing and Analysis. ACM; 2022:532-543.
doi:10.1145/3533767'
apa: Nachtigall, M., Schlichtig, M., & Bodden, E. (2022). A Large-Scale Study
of Usability Criteria Addressed by Static Analysis Tools. Proceedings of the
31st ACM SIGSOFT International Symposium on Software Testing and Analysis,
532–543. https://doi.org/10.1145/3533767
bibtex: '@inproceedings{Nachtigall_Schlichtig_Bodden_2022, title={A Large-Scale
Study of Usability Criteria Addressed by Static Analysis Tools}, DOI={10.1145/3533767},
booktitle={Proceedings of the 31st ACM SIGSOFT International Symposium on Software
Testing and Analysis}, publisher={ACM}, author={Nachtigall, Marcus and Schlichtig,
Michael and Bodden, Eric}, year={2022}, pages={532–543} }'
chicago: Nachtigall, Marcus, Michael Schlichtig, and Eric Bodden. “A Large-Scale
Study of Usability Criteria Addressed by Static Analysis Tools.” In Proceedings
of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis,
532–43. ACM, 2022. https://doi.org/10.1145/3533767.
ieee: 'M. Nachtigall, M. Schlichtig, and E. Bodden, “A Large-Scale Study of Usability
Criteria Addressed by Static Analysis Tools,” in Proceedings of the 31st ACM
SIGSOFT International Symposium on Software Testing and Analysis, 2022, pp.
532–543, doi: 10.1145/3533767.'
mla: Nachtigall, Marcus, et al. “A Large-Scale Study of Usability Criteria Addressed
by Static Analysis Tools.” Proceedings of the 31st ACM SIGSOFT International
Symposium on Software Testing and Analysis, ACM, 2022, pp. 532–43, doi:10.1145/3533767.
short: 'M. Nachtigall, M. Schlichtig, E. Bodden, in: Proceedings of the 31st ACM
SIGSOFT International Symposium on Software Testing and Analysis, ACM, 2022, pp.
532–543.'
date_created: 2022-07-25T08:02:36Z
date_updated: 2022-07-26T11:42:23Z
department:
- _id: '76'
doi: 10.1145/3533767
keyword:
- Automated static analysis
- Software usability
language:
- iso: eng
page: 532 - 543
publication: Proceedings of the 31st ACM SIGSOFT International Symposium on Software
Testing and Analysis
publication_identifier:
isbn:
- '9781450393799'
publication_status: published
publisher: ACM
quality_controlled: '1'
related_material:
link:
- relation: confirmation
url: https://dl.acm.org/doi/10.1145/3533767.3534374
status: public
title: A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools
type: conference
user_id: '32312'
year: '2022'
...
---
_id: '31133'
abstract:
- lang: eng
text: Application Programming Interfaces (APIs) are the primary mechanism that developers
use to obtain access to third-party algorithms and services. Unfortunately, APIs
can be misused, which can have catastrophic consequences, especially if the APIs
provide security-critical functionalities like cryptography. Understanding what
API misuses are, and for what reasons they are caused, is important to prevent
them, e.g., with API misuse detectors. However, definitions and nominations for
API misuses and related terms in literature vary and are diverse. This paper addresses
the problem of scattered knowledge and definitions of API misuses by presenting
a systematic literature review on the subject and introducing FUM, a novel Framework
for API Usage constraint and Misuse classification. The literature review revealed
that API misuses are violations of API usage constraints. To capture this, we
provide unified definitions and use them to derive FUM. To assess the extent to
which FUM aids in determining and guiding the improvement of an API misuses detectors'
capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse
detector for cryptographic APIs. The study showed that FUM can be used to properly
assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations
and improvements. And it appears that also more generally FUM can aid the development
and improvement of misuse detection tools.
author:
- first_name: Michael
full_name: Schlichtig, Michael
id: '32312'
last_name: Schlichtig
orcid: 0000-0001-6600-6171
- first_name: Steffen
full_name: Sassalla, Steffen
last_name: Sassalla
- first_name: Krishna
full_name: Narasimhan, Krishna
last_name: Narasimhan
- first_name: Eric
full_name: Bodden, Eric
id: '59256'
last_name: Bodden
orcid: 0000-0003-3470-3647
citation:
ama: 'Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API
Usage constraint and Misuse Classification. In: 2022 IEEE International Conference
on Software Analysis, Evolution and Reengineering (SANER). ; 2022:673-684.
doi:https://doi.org/10.1109/SANER53432.2022.00085'
apa: Schlichtig, M., Sassalla, S., Narasimhan, K., & Bodden, E. (2022). FUM
- A Framework for API Usage constraint and Misuse Classification. 2022 IEEE
International Conference on Software Analysis, Evolution and Reengineering (SANER),
673–684. https://doi.org/10.1109/SANER53432.2022.00085
bibtex: '@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM -
A Framework for API Usage constraint and Misuse Classification}, DOI={https://doi.org/10.1109/SANER53432.2022.00085},
booktitle={2022 IEEE International Conference on Software Analysis, Evolution
and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen
and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }'
chicago: Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden.
“FUM - A Framework for API Usage Constraint and Misuse Classification.” In 2022
IEEE International Conference on Software Analysis, Evolution and Reengineering
(SANER), 673–84, 2022. https://doi.org/10.1109/SANER53432.2022.00085.
ieee: 'M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework
for API Usage constraint and Misuse Classification,” in 2022 IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2022,
pp. 673–684, doi: https://doi.org/10.1109/SANER53432.2022.00085.'
mla: Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and
Misuse Classification.” 2022 IEEE International Conference on Software Analysis,
Evolution and Reengineering (SANER), 2022, pp. 673–84, doi:https://doi.org/10.1109/SANER53432.2022.00085.
short: 'M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International
Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp.
673–684.'
date_created: 2022-05-09T13:04:10Z
date_updated: 2022-07-26T11:42:30Z
department:
- _id: '76'
doi: https://doi.org/10.1109/SANER53432.2022.00085
keyword:
- API misuses
- API usage constraints
- classification framework
- API misuse detection
- static analysis
language:
- iso: eng
page: 673 - 684
publication: 2022 IEEE International Conference on Software Analysis, Evolution and
Reengineering (SANER)
quality_controlled: '1'
related_material:
link:
- relation: confirmation
url: https://ieeexplore.ieee.org/document/9825763
status: public
title: FUM - A Framework for API Usage constraint and Misuse Classification
type: conference
user_id: '32312'
year: '2022'
...