CCS 2013: Tutorial on Android instrumentation

Posted on August 8, 2013 by Eric Bodden

At CCS 2013, we will be giving a tutorial on instrumenting Android apps to enhance their security. You are most welcome to attend! From the abstract:

Novel types of malware on mobile devices have raised researchers interest in implementing static and dynamic techniques for detecting and mitigating malicious behavior of mobile applications. In this hands-on tutorial we will demonstrate and explain different techniques for instrumenting Android applications using the Aspect Bench Compiler (abc) and the program analysis and transformation tool Soot. Through high-level abstractions such as AspectJ aspects and Tracematches, abc supports a declarative style of instrumentation that lends itself to the rapid prototyping of at least simple instrumentation schemes. Soot supports instrumentation in an imperative style, which requires more work but allows more fine-grained control. Both abc and Soot are inter operable, as they instrument the same intermediate program representation. Furthermore, as we show, both can be easily integrated with static program analyses that can be used to specialize instrumentation schemes based on additional information extracted from the static structure of the instrumented app.

In September, Steven Arzt and Siegfried Rasthofer will be giving a similar tutorial at RV 2013.

Looking for Research Assistant in the Field of Secure Software Engineering

Posted on July 16, 2013 by Eric Bodden

We are currently looking to fill a number of positions for Research Assistants in the field of Secure Software Engineering (German version here). These are PhD and PostDoc positions at Fraunhofer SIT where we are looking into developing a novel framework for automated security code analyses. If you are experienced in this area we definitely encourage you to apply!

New Lecture in Fall: Automated Code Analysis for Large Software Systems (ACA)

Posted on July 12, 2013 by Eric Bodden

In Fall/Winter 2013 we will be offering a new lecture on automated code analyses for large software systems. We will be discussing the most important algorithms to solve static code analysis problems efficiently and precisely, and will be presenting novel extensions of these algorithms that we have recently developed to address important real-world analysis problems like automatically detecting vulnerabilities in the Java Runtime Library (e.g. CVE_2012_4681). Continue reading →

Master Thesis on FlowDroid now available

Posted on July 12, 2013 by Eric Bodden

Christian Fritz has just submitted his Master Thesis on FlowDroid. It gives many additional details not mentioned in our earlier Tech Report. You can check it out here:

FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.

Responsible Disclosure: Darmstadt Researchers Discover Security Vulnerability in AppGuard Pro

Posted on July 8, 2013 by Eric Bodden

Stephan Huber (Fraunhofer SIT Darmstadt) and Siegfried Rasthofer (TU Darmstadt) discovered a security vulnerability in versions 2.0.0 – 2.0.5 of the security tool AppGuard Pro. A few weeks ago, we informed the vendor Backes SRT who has now fixed the vulnerability in the latest release. The vulnerability gives malicious apps full control of all settings in the AppGuard Pro application. The vulnerability not only allows such apps to bypass any and all of the tool’s security measures, on top of that the malicious apps can even misuse AppGuard Pro to convince the user into perceiving the malicious app as harmless. Users should download the update as soon as possible.

Continue reading →

Trend- und Strategiebericht: Entwicklung sicherer Software durch Security by Design

Posted on June 6, 2013 by Eric Bodden

Am heutigen Donnerstag veröffentlichen die vom BMBF geförderten drei Kompetenzzentren für IT-Sicherheit CISPA, Kastel und EC SPRIDE den Trend- und Strategiebericht Entwicklung sicherer Software durch Security by Design. Der Bericht vertritt die These, dass die Entwicklung und Integration sicherer Software nach dem Prinzip Security by Design ausgestaltet werden muss und benennt entsprechende Herausforderungen für eine praxisorientierte Forschungsagenda.

Hello World!

Posted on April 11, 2013 by Eric Bodden

We – the SSE-Group (Secure Software Engineering) at EC-SPRIDE Darmstadt – created a new blog that informs you about our current research.

Our research includes, but is not limited to, the following topics:

Android Security
Buffer Overflow Mitigation
Timing Channel Mitigation

If you are interested in using or extending our tools, or if you have any questions in general, do not hesitate to contact us!

Let the blogging begin!

Secure Software Engineering

at Paderborn University and TU Darmstadt

Author Archives: Eric Bodden