[{"title":"TaintBench: Automatic real-world malware benchmarking of Android taint analyses","main_file_link":[{"open_access":"1","url":"https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf"}],"doi":"10.1007/s10664-021-10013-5","date_updated":"2022-01-06T06:57:32Z","oa":"1","date_created":"2021-11-02T05:13:49Z","author":[{"full_name":"Luo, Linghui","last_name":"Luo","first_name":"Linghui"},{"first_name":"Felix","full_name":"Pauck, Felix","id":"22398","last_name":"Pauck"},{"id":"41936","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","last_name":"Piskachev","first_name":"Goran"},{"first_name":"Manuel","full_name":"Benz, Manuel","last_name":"Benz"},{"last_name":"Pashchenko","full_name":"Pashchenko, Ivan","first_name":"Ivan"},{"full_name":"Mory, Martin","id":"65667","orcid":"0000-0001-5609-0031","last_name":"Mory","first_name":"Martin"},{"full_name":"Bodden, Eric","id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"},{"first_name":"Ben","id":"66173","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","last_name":"Hermann"},{"full_name":"Massacci, Fabio","last_name":"Massacci","first_name":"Fabio"}],"year":"2021","citation":{"ama":"Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. Published online 2021. doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>","ieee":"L. Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi: <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","chicago":"Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. 
“TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021. <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>.","mla":"Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","bibtex":"@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021, title={TaintBench: Automatic real-world malware benchmarking of Android taint analyses}, DOI={<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>}, journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }","short":"L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, F. Massacci, Empirical Software Engineering (2021).","apa":"Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden, E., Hermann, B., &#38; Massacci, F. (2021). TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. 
<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>"},"publication_status":"published","publication_identifier":{"issn":["1382-3256","1573-7616"]},"ddc":["000"],"language":[{"iso":"eng"}],"project":[{"name":"SFB 901","_id":"1"},{"_id":"3","name":"SFB 901 - Project Area B"},{"name":"SFB 901 - Subproject B4","_id":"12"}],"_id":"27045","user_id":"15249","department":[{"_id":"77"},{"_id":"76"}],"abstract":[{"text":"Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and address static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. 
(iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.","lang":"eng"}],"status":"public","type":"journal_article","publication":"Empirical Software Engineering"},{"title":"Security Implications Of Compiler Optimizations On Cryptography -- A  Review","date_updated":"2022-01-06T06:54:26Z","date_created":"2020-11-11T17:46:16Z","author":[{"first_name":"Ashwin Prasad","last_name":"Shivarpatna Venkatesh","full_name":"Shivarpatna Venkatesh, Ashwin Prasad","id":"66637"},{"full_name":"Handadi, A. Bhat","last_name":"Handadi","first_name":"A. Bhat"},{"first_name":"Martin","orcid":"0000-0001-5609-0031","last_name":"Mory","id":"65667","full_name":"Mory, Martin"}],"year":"2019","citation":{"apa":"Shivarpatna Venkatesh, A. P., Handadi, A. B., &#38; Mory, M. (2019). Security Implications Of Compiler Optimizations On Cryptography -- A  Review. <i>ArXiv:1907.02530</i>.","mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “Security Implications Of Compiler Optimizations On Cryptography -- A  Review.” <i>ArXiv:1907.02530</i>, 2019.","bibtex":"@article{Shivarpatna Venkatesh_Handadi_Mory_2019, title={Security Implications Of Compiler Optimizations On Cryptography -- A  Review}, journal={arXiv:1907.02530}, author={Shivarpatna Venkatesh, Ashwin Prasad and Handadi, A. Bhat and Mory, Martin}, year={2019} }","short":"A.P. Shivarpatna Venkatesh, A.B. Handadi, M. Mory, ArXiv:1907.02530 (2019).","ama":"Shivarpatna Venkatesh AP, Handadi AB, Mory M. Security Implications Of Compiler Optimizations On Cryptography -- A  Review. <i>arXiv:1907.02530</i>. 2019.","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, A. Bhat Handadi, and Martin Mory. “Security Implications Of Compiler Optimizations On Cryptography -- A  Review.” <i>ArXiv:1907.02530</i>, 2019.","ieee":"A. P. Shivarpatna Venkatesh, A. B. Handadi, and M. Mory, “Security Implications Of Compiler Optimizations On Cryptography -- A  Review,” <i>arXiv:1907.02530</i>. 
2019."},"has_accepted_license":"1","ddc":["000"],"language":[{"iso":"eng"}],"file_date_updated":"2021-02-17T11:39:14Z","_id":"20341","user_id":"66637","abstract":[{"text":"When implementing secure software, developers must ensure certain\r\nrequirements, such as the erasure of secret data after its use and execution in\r\nreal time. Such requirements are not explicitly captured by the C language and\r\ncould potentially be violated by compiler optimizations. As a result,\r\ndevelopers typically use indirect methods to hide their code's semantics from\r\nthe compiler and avoid unwanted optimizations. However, such workarounds are\r\nnot permanent solutions, as increasingly efficient compiler optimization causes\r\ncode that was considered secure in the past to now be vulnerable. This paper is a\r\nliterature review of (1) the security complications caused by compiler\r\noptimizations, (2) approaches used by developers to mitigate optimization\r\nproblems, and (3) recent academic efforts towards enabling security engineers\r\nto communicate implicit security requirements to the compiler. In addition, we\r\npresent a short study of six cryptographic libraries and how they approach the\r\nissue of ensuring security requirements. With this paper, we highlight the need\r\nfor software developers and compiler designers to work together in order to\r\ndesign efficient systems for writing secure software.","lang":"eng"}],"file":[{"file_size":663876,"file_id":"21255","access_level":"closed","file_name":"1907.02530.pdf","date_updated":"2021-02-17T11:39:14Z","creator":"ashwin","date_created":"2021-02-17T11:39:14Z","success":1,"relation":"main_file","content_type":"application/pdf"}],"status":"public","type":"preprint","publication":"arXiv:1907.02530"}]
