Paper accepted at OOPSLA Onward!

Our paper on “Secure Integration of Cryptographic Software” has been accepted at OOSPLA Onward!. In this paper we propose a new approach for implementing software that uses cryptographic algorithms in a way that is secure by design. With our approach, developers can avoid the pitfalls of complex crypto APIs without having to study crypto theory and implementations first. Instead, they select their high-level goals (e.g., “encrypt a file on disk” or “transmit data over a secure channel”) and let the OpenCCE expert system create implementation blueprints for them. After they have integrated the blueprints into their applications, automatically-derived static analyses make sure that no new issues have accidentally been introduced. This research is performed within the CROSSING CRC.

Responsible Disclosure: JFrog fixes vulnerability in Artifactory

We have recently discovered and reported a security vulnerability in JFrog’s Artifactory Pro software. The Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could not only gain credentials for accessing the repository, but under some circumstances to the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.

Continue reading

New SSE Papers Accepted

Several new papers written by members of the Secure Software Engineering Group have now been accepted at renowned international venues. The papers cover topics such as the reduction of false positives in static data flow analysis, the in-depth analysis of modern, sophisticated malware applications, and the challenges of developing secure software using agile techniques.

Continue reading

Lambda Expressions Coming to Android?

In Java 8, Oracle added support for Lambda expressions to the Java programming language and the Java Virtual Machine (JVM). Though Android apps are also written in Java, this however doesn’t automatically make them available to app developers. In fact, it takes some time until Android catches up with newer Java developments.

The build chain for Android is (at least at the moment) built on top of the Java build chain: The normal Java compiler takes Java source files and creates Java class files. These files then serve as inputs to Android’s “dx” tool which finally emits the Dalvik bytecode that can be run on an Android device or emulator. In version 19 of the Android build tools, support for Java 1.7 class files was added – with the usual delay (Java 1.7 came out in July 2011, Android build tools v19 came out in April 2012). Up to now, that was the end of the line. But now, Java 1.8 support might be around the corner.

Continue reading

Time for new challenges: DroidBench 2.0 available

Our micro-benchmark suite DroidBench (published with FlowDroid at PLDI’14) aims at testing the precision and recall of static taint tracking tools for Android. It provides categorized, tested, and well-documented test cases for the various hard challenges in program analysis. The ground truth is provides makes it easy to check and compare the results of the various information-flow analysis tools proposed both in research and available commercially.

The suite has been used by various research groups all over the world and we have seen tools greatly improve on the precision and recall they achieve on DroidBench. With many tools now achieving very good results, it is time for new challenges.

We are thus happy to announce that DroidBench 2.0 is now available from Github. It features 120 test cases in 13 categories including aliasing, implicit data flows, Android lifecycle handling, inter-component communication, and reflective method calls. We would like to thank all the researchers world wide that have contributed to DroidBench and would like to extend this call: Feel free to propose and/or submit new test cases to extend the suite even further so that it can continue to serve as a standardized benchmark suite for research in the field of static taint tracking.

All kinds of contributions are welcome. We have started to also add test cases challenging dynamic analysis tools, for instance emulator-detection mechanisms. In the future, we also plan to add test cases that leverage native code to hide data flows.

DroidSearch accepted at SAI Conference

We are happy to announce that our paper “DroidSearch: A Tool for Scaling Android App Triage to Real-World App Stores” has been accepted for publication at the IEEE Technically Co-Sponsored “Science and Information Conference 2015” (SAI) in London, UK.

While many precise analysis tools for detecting malware and finding vulnerabilities in Android applications exist, they usually do not scale to the large number of applications in today’s real-world markets such as Google Play. We therefore present DroidSearch, a search engine that aids a multi-staged analysis in which fast pre-filtering techniques allow security experts to quickly retrieve candidate applications that should be subjected to further automated and/or manual analysis. DROIDSEARCH is supported by DROIDBASE, a middleware and back-end database which associates apps with metadata and the results of lightweight analyses on bytecode and configuration files that DROIDBASE automatically manages and executes.

Continue reading

New Course Secure Software Development (SecDev)

Next Semester, the Secure Software Engineering Group will offer a new seminar course “Secure Software Development (SecDev)”. The goal of the course is to provide software developers with the knowledge and first experience they need for developing secure software. Additionally, they will learn how to develop knowledge and share it and how to investigate a research problem on secure software development.The main topics are:

  1. Secure software development life-cycle
  2. Threat modeling
  3. Risk assessment
  4. Security requirements
  5. Security architecture
  6. Secure coding standards
  7. Security code analysis
  8. Security testing
  9. Security code review
  10. Empirical analysis for secure software development

More information can be found on the course website.


SOAP 2014: Program is available

The program for the third ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis  (SOAP 2014)  is now available at The workshop will take place on June 12th, 2014, and is co-located with PLDI in Edinburgh, Scotland.

Besides invited talks by Mayur Naik and Eric Bodden, the workshop features paper presentations on static analyses for software product lines, novel points-to-analyses, slicing approaches, typestate analyses, and taint flow analyses for mobile operating systems. This year’s SOAP workshop is organized by Raul Santelices from the University of Notre Dame and Steven Arzt from the Secure Software Engineering Group.

SOAP 2014 – Call for Papers

Third ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2014)

Sponsor: ACM SIGPLAN, co-located with PLDI 2014
When: June 12, 2014 in Edinburgh, UK

Publication: ACM Digital Library

Continue reading

FlowDroid Now Supports Implicit Flows

FlowDroid is our taint analysis tool to automatically scan Android applications for privacy-sensitive data leaks. While we have already shown FlowDroid to be highly precise and effective for explicit data flows through assignments and method calls, the tool now also supports the detection of leaks through control-flow dependencies. This protects against malware trying to disguise data flows through conditionals. If an app for instance does not directly send out the number 123, but sends 123-times the word “hello”, the attacker gains the same information as if the app had directly sent the value directly. The new version of FlowDroid derives that the “hello” message depends on the secret numeric value and therefore treats it as a leak as well though the data being sent does not directly contain any sensitive characters. To use this support for implicit flow, check out the develop branch on GitHub.

The feature can be activated using the “–implicit” option in the command-line tool or by programatically calling “Infoflow.setEnableImplicitFlows(true)”.