Search

Your search keyword '"Bodden, Eric"' showing total 516 results
Start Over Author "Bodden, Eric"

Refine your results

more »

more »

more »

more »
516 results on '"Bodden, Eric"'

1. An Empirical Study of Large Language Models for Type and Call Graph Analysis

Author

Venkatesh, Ashwin Prasad Shivarpatna, Sunil, Rose, Sabu, Samkutty, Mir, Amir M., Reis, Sofia, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

Large Language Models (LLMs) are increasingly being explored for their potential in software engineering, particularly in static analysis tasks. In this study, we investigate the potential of current LLMs to enhance call-graph analysis and type inference for Python and JavaScript programs. We empirically evaluated 24 LLMs, including OpenAI's GPT series and open-source models like LLaMA and Mistral, using existing and newly developed benchmarks. Specifically, we enhanced TypeEvalPy, a micro-benchmarking framework for type inference in Python, with auto-generation capabilities, expanding its scope from 860 to 77,268 type annotations for Python. Additionally, we introduced SWARM-CG and SWARM-JS, comprehensive benchmarking suites for evaluating call-graph construction tools across multiple programming languages. Our findings reveal a contrasting performance of LLMs in static analysis tasks. For call-graph generation in Python, traditional static analysis tools like PyCG significantly outperform LLMs. In JavaScript, the static tool TAJS underperforms due to its inability to handle modern language features, while LLMs, despite showing potential with models like mistral-large-it-2407-123b and GPT-4o, struggle with completeness and soundness in both languages for call-graph analysis. Conversely, LLMs demonstrate a clear advantage in type inference for Python, surpassing traditional tools like HeaderGen and hybrid approaches such as HiTyper. These results suggest that while LLMs hold promise in type inference, their limitations in call-graph analysis highlight the need for further research. Our study provides a foundation for integrating LLMs into static analysis workflows, offering insights into their strengths and current limitations., Comment: Pre-print: Submitted to EMSE journal for review

Published
2024

2. Software Security Analysis in 2030 and Beyond: A Research Roadmap

Author

Böhme, Marcel, Bodden, Eric, Bultan, Tevfik, Cadar, Cristian, Liu, Yang, and Scanniello, Giuseppe

Subjects
Computer Science - Software Engineering, Computer Science - Cryptography and Security
Abstract

As our lives, our businesses, and indeed our world economy become increasingly reliant on the secure operation of many interconnected software systems, the software engineering research community is faced with unprecedented research challenges, but also with exciting new opportunities. In this roadmap paper, we outline our vision of Software Security Analysis for the software systems of the future. Given the recent advances in generative AI, we need new methods to evaluate and maximize the security of code co-written by machines. As our software systems become increasingly heterogeneous, we need practical approaches that work even if some functions are automatically generated, e.g., by deep neural networks. As software systems depend evermore on the software supply chain, we need tools that scale to an entire ecosystem. What kind of vulnerabilities exist in future systems and how do we detect them? When all the shallow bugs are found, how do we discover vulnerabilities hidden deeply in the system? Assuming we cannot find all security flaws, how can we nevertheless protect our system? To answer these questions, we start our research roadmap with a survey of recent advances in software security, then discuss open challenges and opportunities, and conclude with a long-term perspective for the field., Comment: 25 pages single-column, Invited article for ACM TOSEM

Published
2024

3. Advancing Android Privacy Assessments with Automation

Author

Khedkar, Mugdha, Schlichtig, Michael, and Bodden, Eric

Subjects
Computer Science - Cryptography and Security
Abstract

Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit. This paper motivates the need for an automated approach that enhances understanding of data protection in Android apps and improves communication between the various parties involved in privacy assessments. We propose the Assessor View, a tool designed to bridge the knowledge gap between these parties, facilitating more effective privacy assessments of Android applications., Comment: Accepted at the 7th International Workshop on Advances in Mobile App Analysis held in conjunction with ASE 2024

Published
2024

4. Do Android App Developers Accurately Report Collection of Privacy-Related Data?

Author

Khedkar, Mugdha, Mondal, Ambuj Kumar, and Bodden, Eric

Subjects
Computer Science - Cryptography and Security
Abstract

Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements? In this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. Additionally, we develop a prototype to statically extract and label privacy-related data collected via app source code, user interfaces, and permissions. Comparing the prototype's results with the data safety sections of 20 apps reveals reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. Our results show that app developers struggle to accurately report data collection, either due to Google's abstract definition of collected data or insufficient existing tool support., Comment: Accepted at the 7th International Workshop on Advances in Mobile App Analysis held in conjunction with ASE 2024

Published
2024

5. Compilation of Commit Changes within Java Source Code Repositories

Author

Schott, Stefan, Fischer, Wolfram, Ponta, Serena Elisa, Klauke, Jonas, and Bodden, Eric

Subjects
Computer Science - Software Engineering, Computer Science - Programming Languages
Abstract

Java applications include third-party dependencies as bytecode. To keep these applications secure, researchers have proposed tools to re-identify dependencies that contain known vulnerabilities. Yet, to allow such re-identification, one must obtain, for each vulnerability patch, the bytecode fixing the respective vulnerability at first. Such patches for dependencies are curated in databases in the form of fix-commits. But fixcommits are in source code, and automatically compiling whole Java projects to bytecode is notoriously hard, particularly for non-current versions of the code. In this paper, we thus propose JESS, an approach that largely avoids this problem by compiling solely the relevant code that was modified within a given commit. JESS reduces the code, retaining only those parts that the committed change references. To avoid name-resolution errors, JESS automatically infers stubs for references to entities that are unavailable to the compiler. A challenge is here that, to facilitate the above mentioned reidentification, JESS must seek to produce bytecode that is almost identical to the bytecode which one would obtain by a successful compilation of the full project. An evaluation on 347 GitHub projects shows that JESS is able to compile, in isolation, 72% of methods and constructors, of which 89% have bytecode equal to the original one. Furthermore, on the Project KB database of fix-commits, in which only 8% of files modified within the commits can be compiled with the provided build scripts, JESS is able to compile 73% of all files that these commits modify., Comment: To be published in: ICSME 2024 Proceedings

Published
2024

6. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability

Author

Wickert, Anna-Katharina, Schlichtig, Michael, Vogel, Marvin, Winter, Lukas, Mezini, Mira, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

Context: Static analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results. Method: To address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview. Result: We found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis. Conclusion: Our results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains., Comment: 12 pages, 4 figures, accepted by the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), March 12-15, 2024, Rovaniemi, Finland at the research papers track

Published
2024

7. Detecting Security-Relevant Methods using Multi-label Machine Learning

Author

Johnson, Oshando, Piskachev, Goran, Krishnamurthy, Ranjith, and Bodden, Eric

Subjects
Computer Science - Machine Learning
Abstract

To detect security vulnerabilities, static analysis tools need to be configured with security-relevant methods. Current approaches can automatically identify such methods using binary relevance machine learning approaches. However, they ignore dependencies among security-relevant methods, over-generalize and perform poorly in practice. Additionally, users have to nevertheless manually configure static analysis tools using the detected methods. Based on feedback from users and our observations, the excessive manual steps can often be tedious, error-prone and counter-intuitive. In this paper, we present Dev-Assist, an IntelliJ IDEA plugin that detects security-relevant methods using a multi-label machine learning approach that considers dependencies among labels. The plugin can automatically generate configurations for static analysis tools, run the static analysis, and show the results in IntelliJ IDEA. Our experiments reveal that Dev-Assist's machine learning approach has a higher F1-Measure than related approaches. Moreover, the plugin reduces and simplifies the manual effort required when configuring and using static analysis tools., Comment: 6 pages, 3 figures, The IDE Workshop

Published
2024
Full Text
View/download PDF

8. The Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks

Author

Venkatesh, Ashwin Prasad Shivarpatna, Sabu, Samkutty, Mir, Amir M., Reis, Sofia, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

The application of Large Language Models (LLMs) in software engineering, particularly in static analysis tasks, represents a paradigm shift in the field. In this paper, we investigate the role that current LLMs can play in improving callgraph analysis and type inference for Python programs. Using the PyCG, HeaderGen, and TypeEvalPy micro-benchmarks, we evaluate 26 LLMs, including OpenAI's GPT series and open-source models such as LLaMA. Our study reveals that LLMs show promising results in type inference, demonstrating higher accuracy than traditional methods, yet they exhibit limitations in callgraph analysis. This contrast emphasizes the need for specialized fine-tuning of LLMs to better suit specific static analysis tasks. Our findings provide a foundation for further research towards integrating LLMs for static analysis tasks., Comment: To be published in: ICSE FORGE 2024 (AI Foundation Models and Software Engineering)

Published
2024

9. Toward an Android Static Analysis Approach for Data Protection

Author

Khedkar, Mugdha and Bodden, Eric

Subjects
Computer Science - Software Engineering, Computer Science - Cryptography and Security
Abstract

Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis., Comment: Accepted at MOBILESoft 2024 Research Forum Track

Published
2024

10. Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems

Author

Karakaya, Kadiray and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

Previous work has shown that one can often greatly speed up static analysis by computing data flows not for every edge in the program's control-flow graph but instead only along definition-use chains. This yields a so-called sparse static analysis. Recent work on SparseDroid has shown that specifically taint analysis can be "sparsified" with extraordinary effectiveness because the taint state of one variable does not depend on those of others. This allows one to soundly omit more flow-function computations than in the general case. In this work, we now assess whether this result carries over to the more generic setting of so-called Interprocedural Distributive Environment (IDE) problems. Opposed to taint analysis, IDE comprises distributive problems with large or even infinitely broad domains, such as typestate analysis or linear constant propagation. Specifically, this paper presents Sparse IDE, a framework that realizes sparsification for any static analysis that fits the IDE framework. We implement Sparse IDE in SparseHeros, as an extension to the popular Heros IDE solver, and evaluate its performance on real-world Java libraries by comparing it to the baseline IDE algorithm. To this end, we design, implement and evaluate a linear constant propagation analysis client on top of SparseHeros. Our experiments show that, although IDE analyses can only be sparsified with respect to symbols and not (numeric) values, Sparse IDE can nonetheless yield significantly lower runtimes and often also memory consumptions compared to the original IDE., Comment: To be published in ICSE 2024

Published
2024

11. TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference Tools

Author

Venkatesh, Ashwin Prasad Shivarpatna, Sabu, Samkutty, Wang, Jiawei, Mir, Amir M., Li, Li, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

In light of the growing interest in type inference research for Python, both researchers and practitioners require a standardized process to assess the performance of various type inference techniques. This paper introduces TypeEvalPy, a comprehensive micro-benchmarking framework for evaluating type inference tools. TypeEvalPy contains 154 code snippets with 845 type annotations across 18 categories that target various Python features. The framework manages the execution of containerized tools, transforms inferred types into a standardized format, and produces meaningful metrics for assessment. Through our analysis, we compare the performance of six type inference tools, highlighting their strengths and limitations. Our findings provide a foundation for further research and optimization in the domain of Python type inference., Comment: To be published in ICSE 2024

Published
2023

12. slash: A Technique for Static Configuration-Logic Identification

Author

Alhanahnah, Mohannad, Schubert, Philipp, Reps, Thomas, Jha, Somesh, and Bodden, Eric

Subjects
Computer Science - Software Engineering, Computer Science - Programming Languages
Abstract

Researchers have recently devised tools for debloating software and detecting configuration errors. Several of these tools rely on the observation that programs are composed of an initialization phase followed by a main-computation phase. Users of these tools are required to manually annotate the boundary that separates these phases, a task that can be time-consuming and error-prone (typically, the user has to read and understand the source code or trace executions with a debugger). Because errors can impair the tool's accuracy and functionality, the manual-annotation requirement hinders the ability to apply the tools on a large scale. In this paper, we present a field study of 24 widely-used C/C++ programs, identifying common boundary properties in 96\% of them. We then introduce \textit{slash}, an automated tool that locates the boundary based on the identified properties. \textit{slash} successfully identifies the boundary in 87.5\% of the studied programs within 8.5\ minutes, using up to 4.4\ GB memory. In an independent test, carried out after \textit{slash} was developed, \textit{slash} identified the boundary in 85.7\% of a dataset of 21 popular C/C++ GitHub repositories. Finally, we demonstrate \textit{slash}'s potential to streamline the boundary-identification process of software-debloating and error-detection tools.

Published
2023

14. Ernst Denert Software Engineering Award 2022

Author

Bodden, Eric, Felderer, Michael, Hasselbring, Wilhelm, Herber, Paula, Koziolek, Heiko, Lilienthal, Carola, Matthes, Florian, Prechelt, Lutz, Rumpe, Bernhard, Schaefer, Ina, Bodden, Eric, editor, Felderer, Michael, editor, Hasselbring, Wilhelm, editor, Herber, Paula, editor, Koziolek, Heiko, editor, Lilienthal, Carola, editor, Matthes, Florian, editor, Prechelt, Lutz, editor, Rumpe, Bernhard, editor, and Schaefer, Ina, editor

Published
2024
Full Text
View/download PDF

15. Static Analysis Driven Enhancements for Comprehension in Machine Learning Notebooks

Author

Venkatesh, Ashwin Prasad Shivarpatna, Sabu, Samkutty, Chekkapalli, Mouli, Wang, Jiawei, Li, Li, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

Jupyter notebooks enable developers to interleave code snippets with rich-text and in-line visualizations. Data scientists use Jupyter notebook as the de-facto standard for creating and sharing machine-learning based solutions, primarily written in Python. Recent studies have demonstrated, however, that a large portion of Jupyter notebooks available on public platforms are undocumented and lacks a narrative structure. This reduces the readability of these notebooks. To address this shortcoming, this paper presents HeaderGen, a novel tool-based approach that automatically annotates code cells with categorical markdown headers based on a taxonomy of ML operations, and classifies and displays function calls according to this taxonomy. For this functionality to be realized, HeaderGen enhances an existing call graph analysis in PyCG. To improve precision, HeaderGen extends PyCG's analysis with support for handling external library code and flow-sensitivity. The former is realized by facilitating the resolution of function return-types. The evaluation on 15 real-world Jupyter notebooks from Kaggle shows that HeaderGen's underlying call graph analysis yields high accuracy (95.6% precision and 95.3% recall). This is because HeaderGen can resolve return-types of external libraries where existing type inference tools such as pytype (by Google), pyright (by Microsoft), and Jedi fall short. The header generation has a precision of 85.7% and a recall rate of 92.8%. In a user study, HeaderGen helps participants finish comprehension and navigation tasks faster. To further evaluate the type inference capability of tools, we introduce TypeEvalPy, a framework for evaluating type inference tools with a micro-benchmark containing 154 code snippets and 845 type annotations. Our comparative analysis on four tools revealed that HeaderGen outperforms other tools in exact matches with the ground truth., Comment: To be published in: EMSE Journal

Published
2023

16. An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities

Author

Sayar, Imen, Bartel, Alexandre, Bodden, Eric, and Traon, Yves Le

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

Nowadays, an increasing number of applications uses deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class -- such as making it public -- can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged., Comment: ACM Transactions on Software Engineering and Methodology, Association for Computing Machinery, 2022

Published
2022
Full Text
View/download PDF

17. How far are German companies in improving security through static program analysis tools?

Author

Piskachev, Goran, Dziwok, Stefan, Koch, Thorsten, Merschjohan, Sven, and Bodden, Eric

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

As security becomes more relevant for many companies, the popularity of static program analysis (SPA) tools is increasing. In this paper, we target the use of SPA tools among companies in Germany with a focus on security. We give insights on the current issues and the developers' willingness to configure the tools to overcome these issues. Compared to previous studies, our study considers the companies' culture and processes for using SPA tools. We conducted an online survey with 256 responses and semi-structured interviews with 17 product owners and executives from multiple companies. Our results show a diversity in the usage of tools. Only half of our survey participants use SPA tools. The free tools tend to be more popular among software developers. In most companies, software developers are encouraged to use free tools, whereas commercial tools can be requested. However, the product owners and executives in our interviews reported that their developers do not request new tools. We also find out that automatic security checks with tools are rarely performed on each release., Comment: IEEE Secure Development Conference 2022

Published
2022

18. SootUp: A Redesign of the Soot Static Analysis Framework

Author

Karakaya, Kadiray, Schott, Stefan, Klauke, Jonas, Bodden, Eric, Schmidt, Markus, Luo, Linghui, He, Dongjie, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Finkbeiner, Bernd, editor, and Kovács, Laura, editor

Published
2024
Full Text
View/download PDF

19. To what extent can we analyze Kotlin programs using existing Java taint analysis tools? (Extended Version)

Author

Krishnamurthy, Ranjith, Piskachev, Goran, and Bodden, Eric

Subjects
Computer Science - Programming Languages, Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

As an alternative to Java, Kotlin has gained rapid popularity since its introduction and has become the default choice for developing Android apps. However, due to its interoperability with Java, Kotlin programs may contain almost the same security vulnerabilities as their Java counterparts. Hence, we question: to what extent can one use an existing Java static taint analysis on Kotlin code? In this paper, we investigate the challenges in implementing a taint analysis for Kotlin compared to Java. To answer this question, we performed an exploratory study where each Kotlin construct was examined and compared to its Java equivalent. We identified 18 engineering challenges that static-analysis writers need to handle differently due to Kotlin's unique constructs or the differences in the generated bytecode between the Kotlin and Java compilers. For eight of them, we provide a conceptual solution, while six of those we implemented as part of SecuCheck-Kotlin, an extension to the existing Java taint analysis SecuCheck., Comment: 12 pages, Technical Report

Published
2022

20. CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite

Author

Schlichtig, Michael, Wickert, Anna-Katharina, Krüger, Stefan, Bodden, Eric, and Mezini, Mira

Subjects
Computer Science - Software Engineering
Abstract

Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair "Cryptographic API Misuse Detection Tool Benchmark Suite". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain., Comment: 8 pages, accepted at the MSR 2022 Registered Reports Track as a In-Principal Acceptance (IPA)

Published
2022

21. Fluently specifying taint-flow queries with fluentTQL

Author

Piskachev, Goran, Späth, Johannes, Budde, Ingo, and Bodden, Eric

Subjects
Computer Science - Programming Languages
Abstract

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domain-specific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable taint-flows. These languages, however, are designed primarily for security experts who are knowledgeable in taint analysis. Software developers consider these languages to be complex. This paper presents fluentTQL, a query language particularly for taint-flow. fluentTQL is internal Java DSL and uses a fluent-interface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL's abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluentTQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluentTQL expressiveness. Based on existing examples from the literature, we implemented queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with FlowDroid 13 taint-flows were found. Similarly, in a vulnerable version of the Java PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected taint-flows, 18 were detected. In a user study with 26 software developers, fluentTQL reached a high usability score. In comparison to CodeQL, the state-of-the-art DSL by Semmle/GitHub, participants found fluentTQL more usable and with it they were able to specify taint analysis queries in shorter time., Comment: 39 pages, Springer Journal on Empirical Software Engineering

Published
2022

22. Ernst Denert Award for Software Engineering 2022

Author

Bodden, Eric, Felderer, Michael, Hasselbring, Wilhelm, Herber, Paula, Koziolek, Heiko, Lilienthal, Carola, Matthes, Florian, Prechelt, Lutz, Rumpe, Bernhard, and Schaefer, Ina

Subjects
Software Engineering, Requirements Engineering, Best Thesis Award, Model-Driven Software Development, Software Development, thema EDItEUR::U Computing and Information Technology::UM Computer programming / software engineering::UMZ Software Engineering
Abstract

This open access book provides an overview of the dissertations of the five nominees for the Ernst Denert Award for Software Engineering in 2022. The prize, kindly sponsored by the Gerlind & Ernst Denert Stiftung, is awarded for excellent work within the discipline of Software Engineering, which includes methods, tools and procedures for better and efficient development of high quality software. An essential requirement for the nominated work is its applicability and usability in industrial practice. The book contains five papers that describe the works by Jannik Fischbach (Netlight Consulting GmbH and fortiss GmbH), who won the award, entitled Conditional Statements in Requirements Artifacts: Logical Interpretation, Use Cases for Automated Software Engineering, and Fine-Grained Extraction, Christian Kirchhof's (RWTH Aachen University) From Design to Reality: An Overview of the MontiThings Ecosystem for Model-Driven IoT Applications, Sven Peldszus's (Ruhr University Bochum) research about Security Compliance in Model-driven Development of Software Systems in Presence of Long-Term Evolution and Variants, Florian Rademacher's (RWTH Aachen University) work on Model-Driven Engineering of Microservice Architectures, and Alexander Trautsch's (University of Passau) Usefulness of Automatic Static Analysis Tools: Evidence from Four Case Studies. The chapters describe key findings of the respective works, show their relevance and applicability to practice and industrial software engineering projects, and provide additional information and findings that have only been discovered afterwards, e.g. when applying the results in industry. This way, the book is not only interesting to other researchers, but also to industrial software professionals who would like to learn about the application of state-of-the-art methods in their daily work.

Published
2024
Full Text
View/download PDF

23. Dealing with Variability in API Misuse Specification

Author

Bonifacio, Rodrigo, Krüger, Stefan, Narasimhan, Krishna, Bodden, Eric, and Mezini, Mira

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering, 68N19, D.2.1, D.3.3
Abstract

APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API misuse detectors have been proposed to address this issue including CogniCrypt, one of the most versatile of such detectors and that uses a language CrySL to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations or guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries including JCA, Bouncy Castle, and Google Tink. The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language named MetaCrySL, which builds on meta programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs, Comment: 28 pages, 16 figures

Published
2021

24. The Impact of Developer Experience in Using Java Cryptography

Author

Hazhirpasand, Mohammadreza, Ghafari, Mohammad, Krüger, Stefan, Bodden, Eric, and Nierstrasz, Oscar

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

Previous research has shown that crypto APIs are hard for developers to understand and difficult for them to use. They consequently rely on unvalidated boilerplate code from online resources where security vulnerabilities are common. We analyzed 2,324 open-source Java projects that rely on Java Cryptography Architecture (JCA) to understand how crypto APIs are used in practice, and what factors account for the performance of developers in using these APIs. We found that, in general, the experience of developers in using JCA does not correlate with their performance. In particular, none of the factors such as the number or frequency of committed lines of code, the number of JCA APIs developers use, or the number of projects they are involved in correlate with developer performance in this domain. We call for qualitative studies to shed light on the reasons underlying the success of developers who are expert in using cryptography. Also, detailed investigation at API level is necessary to further clarify a developer obstacles in this domain., Comment: The ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

Published
2019

26. ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware

Author

Gorski III, Sigmund Albert, Andow, Benjamin, Nadkarni, Adwait, Manandhar, Sunil, Enck, William, Bodden, Eric, and Bartel, Alexandre

Subjects
Computer Science - Cryptography and Security
Abstract

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.

Published
2019

27. Do Android Taint Analysis Tools Keep Their Promises?

Author

Pauck, Felix, Bodden, Eric, and Wehrheim, Heike

Subjects
Computer Science - Software Engineering
Abstract

In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations. We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.

Published
2018
Full Text
View/download PDF

28. Debugging Static Analysis

Author

Do, Lisa Nguyen Quang, Krüger, Stefan, Hill, Patrick, Ali, Karim, and Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

To detect and fix bugs and security vulnerabilities, software companies use static analysis as part of the development process. However, static analysis code itself is also prone to bugs. To ensure a consistent level of precision, as analyzed programs grow more complex, a static analysis has to handle more code constructs, frameworks, and libraries that the programs use. While more complex analyses are written and used in production systems every day, the cost of debugging and fixing them also increases tremendously. To better understand the difficulties of debugging static analyses, we surveyed 115 static analysis writers. From their responses, we extracted the core requirements to build a debugger for static analysis, which revolve around two main issues: (1) abstracting from two code bases at the same time (the analysis code and the analyzed code) and (2) tracking the analysis internal state throughout both code bases. Most current debugging tools that our survey participants use lack the capabilities to address both issues. Focusing on those requirements, we introduce VisuFlow, a debugging environment for static data-flow analysis that is integrated in the Eclipse development environment. VisuFlow features graph visualizations that enable users to view the state of a data-flow analysis and its intermediate results at any time. Special breakpoints in VisuFlow help users step through the analysis code and the analyzed simultaneously. To evaluate the usefulness of VisuFlow, we have conducted a user study on 20 static analysis writers. Using VisuFlow helped our sample of analysis writers identify 25% and fix 50% more errors in the analysis code compared to using the standard Eclipse debugging environment.

Published
2018

29. Self-adaptive static analysis

Author

Bodden, Eric

Subjects
Computer Science - Software Engineering
Abstract

Static code analysis is a powerful approach to detect quality deficiencies such as performance bottlenecks, safety violations or security vulnerabilities already during a software system's implementation. Yet, as current software systems continue to grow, current static-analysis systems more frequently face the problem of insufficient scalability. We argue that this is mainly due to the fact that current static analyses are implemented fully manually, often in general-purpose programming languages such as Java or C, or in declarative languages such as Datalog. This design choice predefines the way in which the static analysis evaluates, and limits the optimizations and extensions static-analysis designers can apply. To boost scalability to a new level, we propose to fuse static-analysis with just-in-time-optimization technology, introducing for the first time static analyses that are managed and inherently self-adaptive. Those analyses automatically adapt themselves to yield a performance/precision tradeoff that is optimal with respect to the analyzed software system and to the analysis itself. Self-adaptivity is enabled by the novel idea of designing a dedicated intermediate representation, not for the analyzed program but for the analysis itself. This representation allows for an automatic optimization and adaptation of the analysis code, both ahead-of-time (through static analysis of the static analysis) as well as just-in-time during the analysis' execution, similar to just-in-time compilers.

Published
2017

30. CrySL: Validating Correct Usage of Cryptographic APIs

Author

Krüger, Stefan, Späth, Johannes, Ali, Karim, Bodden, Eric, and Mezini, Mira

Subjects
Computer Science - Software Engineering
Abstract

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. Therefore, it is crucial to detect such misuses early in the development process. The fact that insecure usages are not the exception but the norm precludes approaches based on property inference and anomaly detection. In this paper, we present CrySL, a definition language that enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. CrySL combines the generic concepts of method-call sequences and data-flow constraints with domain-specific constraints related to cryptographic algorithms and their parameters. We have implemented a compiler that translates a CrySL ruleset into a context- and flow-sensitive demand-driven static analysis. The analysis automatically checks a given Java or Android app for violations of the CrySL-encoded rules. We empirically evaluated our ruleset through analyzing 10,001 Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 96% of apps containing at least one misuse. However, we observed fewer of the misuses that were reported in previous work., Comment: 11 pages

Published
2017

31. Computation on Encrypted Data using Data Flow Authentication

Author

Fischer, Andreas, Fuhry, Benny, Kerschbaum, Florian, and Bodden, Eric

Subjects
Computer Science - Cryptography and Security
Abstract

Encrypting data before sending it to the cloud protects it against hackers and malicious insiders, but requires the cloud to compute on encrypted data. Trusted (hardware) modules, e.g., secure enclaves like Intel's SGX, can very efficiently run entire programs in encrypted memory. However, it already has been demonstrated that software vulnerabilities give an attacker ample opportunity to insert arbitrary code into the program. This code can then modify the data flow of the program and leak any secret in the program to an observer in the cloud via SGX side-channels. Since any larger program is rife with software vulnerabilities, it is not a good idea to outsource entire programs to an SGX enclave. A secure alternative with a small trusted code base would be fully homomorphic encryption (FHE) -- the holy grail of encrypted computation. However, due to its high computational complexity it is unlikely to be adopted in the near future. As a result researchers have made several proposals for transforming programs to perform encrypted computations on less powerful encryption schemes. Yet, current approaches fail on programs that make control-flow decisions based on encrypted data. In this paper, we introduce the concept of data flow authentication (DFAuth). DFAuth prevents an adversary from arbitrarily deviating from the data flow of a program. Hence, an attacker cannot perform an attack as outlined before on SGX. This enables that all programs, even those including operations on control-flow decision variables, can be computed on encrypted data. We implemented DFAuth using a novel authenticated homomorphic encryption scheme, a Java bytecode-to-bytecode compiler producing fully executable programs, and SGX enclaves. A transformed neural network that performs machine learning on sensitive medical data can be evaluated on encrypted inputs and encrypted weights in 0.86 seconds.

Published
2017

32. Analyzing the Gadgets Towards a Metric to Measure Gadget Quality

Author

Follner, Andreas, Bartel, Alexandre, and Bodden, Eric

Subjects
Computer Science - Software Engineering, Computer Science - Cryptography and Security
Abstract

Current low-level exploits often rely on code-reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for "gadget quality" hinders the effective comparison of current mitigations. This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel's recent MPX CPU extensions. Our results demonstrate a 17% increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions, making them better suited for ROP attacks., Comment: International Symposium on Engineering Secure Software and Systems, Apr 2016, London, United Kingdom

Published
2016

33. ROPocop - Dynamic Mitigation of Code-Reuse Attacks

Author

Follner, Andreas and Bodden, Eric

Subjects
Computer Science - Cryptography and Security
Abstract

Control-flow attacks, usually achieved by exploiting a buffer-overflow vulnerability, have been a serious threat to system security for over fifteen years. Researchers have answered the threat with various mitigation techniques, but nevertheless, new exploits that successfully bypass these technologies still appear on a regular basis. In this paper, we propose ROPocop, a novel approach for detecting and preventing the execution of injected code and for mitigating code-reuse attacks such as return-oriented programming (RoP). ROPocop uses dynamic binary instrumentation, requiring neither access to source code nor debug symbols or changes to the operating system. It mitigates attacks by both monitoring the program counter at potentially dangerous points and by detecting suspicious program flows. We have implemented ROPocop for Windows x86 using PIN, a dynamic program instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite show an average overhead of 2.4x, which is comparable to similar approaches, which give weaker guarantees. Real-world applications show only an initially noticeable input lag and no stutter. In our evaluation our tool successfully detected all 11 of the latest real-world code-reuse exploits, with no false alarms. Therefore, despite the overhead, it is a viable, temporary solution to secure critical systems against exploits if a vendor patch is not yet available.

Published
2015

35. Security-Oriented Fault-Tolerance in Systems Engineering: A Conceptual Threat Modelling Approach for Cyber-Physical Production Systems

Author

Gräßler, Iris, Bodden, Eric, Pottebaum, Jens, Geismann, Johannes, Roesmann, Daniel, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Bartoszewicz, Andrzej, editor, and Kabziński, Jacek, editor

Published
2020
Full Text
View/download PDF

36. Using Abstract Contracts for Verifying Evolving Features and Their Interactions

Author

Knüppel, Alexander, Krüger, Stefan, Thüm, Thomas, Bubel, Richard, Krieter, Sebastian, Bodden, Eric, Schaefer, Ina, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Ahrendt, Wolfgang, editor, Beckert, Bernhard, editor, Bubel, Richard, editor, Hähnle, Reiner, editor, and Ulbrich, Mattias, editor

Published
2020
Full Text
View/download PDF

37. AuthCheck: Program-State Analysis for Access-Control Vulnerabilities

Author

Piskachev, Goran, Petrasch, Tobias, Späth, Johannes, Bodden, Eric, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Sekerinski, Emil, editor, Moreira, Nelma, editor, Oliveira, José N., editor, Ratiu, Daniel, editor, Guidotti, Riccardo, editor, Farrell, Marie, editor, Luckcuck, Matt, editor, Marmsoler, Diego, editor, Campos, José, editor, Astarte, Troy, editor, Gonnord, Laure, editor, Cerone, Antonio, editor, Couto, Luis, editor, Dongol, Brijesh, editor, Kutrib, Martin, editor, Monteiro, Pedro, editor, and Delmas, David, editor

Published
2020
Full Text
View/download PDF

43. I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis

Author

Li, Li, Bartel, Alexandre, Klein, Jacques, Traon, Yves Le, Arzt, Steven, Rasthofer, Siegfried, Bodden, Eric, Octeau, Damien, and McDaniel, Patrick

Subjects
Computer Science - Software Engineering, Computer Science - Cryptography and Security, D.2.4, D.4.6
Abstract

Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component data-flow analysis to detect privacy leaks between components of Android applications. Unlike all current approaches, our tool, called IccTA, propagates the context between the components, which improves the precision of the analysis. IccTA outperforms all other available tools by reaching a precision of 95.0% and a recall of 82.6% on DroidBench. Our approach detects 147 inter-component based privacy leaks in 14 applications in a set of 3000 real-world applications with a precision of 88.4%. With the help of ApkCombiner, our approach is able to detect inter-app based privacy leaks.

Published
2014

45. PhASAR: An Inter-procedural Static Analysis Framework for C/C++

Author

Schubert, Philipp Dominik, Hermann, Ben, Bodden, Eric, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Vojnar, Tomáš, editor, and Zhang, Lijun, editor

Published
2019
Full Text
View/download PDF

47. The Rocky Road to Sustainable Security

Author

Pasquale, Liliana, Ramkumar, Kushal, Cai, Wanling, McCarthy, John, Doherty, Gavin, Nuseibeh, Bashar, Bodden, Eric, Massacci, Fabio, and Sabetta, Antonino

Abstract

In this column, we illustrate real-world scenarios in which modern systems cannot preserve security during operation. We examine the notion of sustainable security and discuss the challenges to engineering sustainably secure systems.

Published
2024
Full Text
View/download PDF

49. Model Checking the Information Flow Security of Real-Time Systems

Author

Gerking, Christopher, Schubert, David, Bodden, Eric, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Weikum, Gerhard, Series Editor, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Payer, Mathias, editor, Rashid, Awais, editor, and Such, Jose M., editor

Published
2018
Full Text
View/download PDF

50. Are Machine Learning Models for Malware Detection Ready for Prime Time?

Author

Cavallaro, Lorenzo, Kinder, Johannes, Pendlebury, Feargus, Pierazzi, Fabio, Massacci, Fabio, Bodden, Eric, Sabetta, Antonino, Computer Systems, and Network Institute

Subjects
Computer Networks and Communications, Electrical and Electronic Engineering, Law
Abstract

We investigate why the performance of machine learning models for malware detection observed in a lab setting often cannot be reproduced in practice. We discuss how to set up experiments mimicking a practical deployment and how to measure the robustness of a model over time.

Published
2023
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results