New paper on Just-in-time Code Analysis

In a collaborative effort with Karim Ali (University of Alberta), Ben Livshits (Imperial College London), Justin Smith and Emerson Murphy-Hill (North Caroline State University), my Ph.D. student Lisa Nguyen and myself have just concluded a new piece of research on Just-in-time (JIT) static code analysis. The approach, which we exemplify with a JIT taint analysis for Android, can be applied to most static analyses and allows those analyses to execute more efficiently in integrated development environments. In particular, the analysis is tuned such that it executes first in code recently edited by the programmer and then searches its way further “outward” from there. As our experiments indicate, this decreases round-trip times for programmers and hence increases their productivity during the fixing of security vulnerabilities.

A preprint of the work, accepted for publication at ISSTA, is now available online, as is our implementation and data set:

Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, Emerson Murphy-Hill), In International Symposium on Software Testing and Analysis (ISSTA), 2017. (To appear.)

Official inauguration of Fraunhofer IEM

Today we were very happy to host NRW’s minister of science Svenja Schulze and Fraunhofer’s Director of Science Dr. Raoul Klingner for the official inauguration of Fraunhofer IEM. The new institute is the first to be founded within NRW within the past 20 years, and was bootstrapped in just about seven years – a new record in the Fraunhofer Society.

IEEE S&P Paper on Hardening the Java Runtime is now available

Our new S&P paper Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation is now available online. It is a follow-up work to our previous CCS’16 paper An In-Depth Study of More Than Ten Years of Java Exploitation. In this former paper we classified a large number of history Java exploits. In doing so, we found that the largest class of exploits was made possible by shortcuts in Java’s implementation of access control. In the S&P paper we now show that it is possible to go without those shortcuts, without any loss of performance. We also discuss the usability implications that this removal of shortcuts would have.

New Paper “The Soot-based Toolchain For Analyzing Android Apps”

Steven, Siegfried and I have just completed our invited paper for MOBILESoft’17. The paper The Soot-based Toolchain For Analyzing Android Apps summarizes for the first time the Soot-based tool chain for analyzing Android apps that we have built up over the past years. We hope you will enjoy the read!

And if you attend ICSE, maybe consider attending MOBILESoft as well, and you will be able to attend my keynote talk.

Help us improve Soot by giving us your feedback!

Soot LogoOver the past years, Soot has seen a larger and larger user base. It makes us happy that so many people find Soot useful, and we particularly enjoy also the help we have received in terms of feedback, bug reports, bug fixes or even newly contributed features. Thanks for giving back!

Early 2017 we plan to apply for government funding to aid the future development and maintenance of Soot. 

Sounds great? Then please support us by filling out this little web form.

That way you can help us in two ways:

  • By letting us know how we can improve Soot you can directly help us prioritize newly planned features.
  • By stating your name and affiliation you help us showcasing Soot’s large user base.

Thanks!

Harvester scores 1st place at German IT-Sicherheitspreis

Copyright: Catharina Frank

Copyright: Catharina Frank

Harvester has scored 1st place at this year’s German IT-Sicherheitspreis! Every two years, the Horst Görtz Foundation awards EUR 200,000 to the three winners, with the first place being awarded EUR 100,000. More at Heise (in German)

Many thanks to the judges and the foundation! Harvester will is planned to be available soon as a plugin into our CodeInspect framework. We are further thinking of providing a command-line version to interested customers.