Ministers Wanka and De Maiziere visit Darmstadt’s “Security Valley”


Yesterday our center was visited by two federal ministers, Wanka (Minister of Education and Research) and De Maiziere (Minister of the Interior). They spent a few hours discussing IT-security research in what they called Darmstadt's "security valley", and toured a range of exhibits we had prepared on the security of the Internet of Things, as well as mobile security, encryption, and more. More information is available in German here.

Paper accepted at OOPSLA Onward!

Our paper on "Secure Integration of Cryptographic Software" has been accepted at OOPSLA Onward!. In this paper we propose a new approach for implementing software that uses cryptographic algorithms in a way that is secure by design. With our approach, developers can avoid the pitfalls of complex crypto APIs without having to study crypto theory and implementations first. Instead, they select their high-level goals (e.g., "encrypt a file on disk" or "transmit data over a secure channel") and let the OpenCCE expert system create implementation blueprints for them. After they have integrated the blueprints into their applications, automatically derived static analyses make sure that no new issues have accidentally been introduced. This research is performed within the CROSSING CRC.

Responsible Disclosure: JFrog fixes vulnerability in Artifactory

We recently discovered and reported a security vulnerability in JFrog's Artifactory Pro software. Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could gain not only credentials for accessing the repository but, under some circumstances, also credentials for the company-wide single sign-on (SSO) system. In that worst case, attackers could access arbitrary systems under the identity of the victim.


Toward a Just-in-Time Static Analysis

To facilitate early dissemination, we are today making available the following technical report. It outlines our vision of how static security code-analysis tools can be made more interactive by allowing for just-in-time interactions. This is a collaboration with Ben Livshits from MSR.

Toward a Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Eric Bodden, Benjamin Livshits), Technical report TUD-CS-2015-1167, EC SPRIDE, 2015.

Asking for 10 minutes of your time on Java/crypto research

We are a group of researchers from TU Darmstadt, Germany, who work on creating tools to help developers use cryptography in their Java applications.

We are looking for developers who use Java cryptography APIs to answer a short 10-minute survey.

Our goal is to understand what cryptography tasks are usually performed, any difficulties developers face, and what would help Java developers use cryptography more correctly/efficiently.

Your participation is voluntary and completely anonymous. To participate, please fill in the survey at the following link: http://tiny.cc/java_crypto_survey
Thanks!

Please feel free to forward this invitation to any Java developers you might know.

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden

Community services for 2016

I am happy to announce that for 2016 I have confirmed membership in the program committees of all the major software engineering conferences, i.e., ICSE, FSE and ASE. ISSTA does not allow PC invitations for the third time in a row, which is why I will instead contribute as co-chair of the artifact evaluation. I will also be a member of the CODASPY PC. For ASPLOS, the reviewing period clashes with that of ICSE, which is why I decided to contribute only to the ERC. Let there be many good submissions!

Two new papers to appear at ISC

Two new papers accepted at ISC are now available on our website. The first paper originated from our collaboration with SAP. It reports on a qualitative empirical study determining Factors Impacting the Effort Required to Fix Security Vulnerabilities. Thanks to our collaborators for the great work! The second paper is on Dynamically Provisioning Isolation in Hierarchical Architectures, a novel, lightweight and effective means of countering side channels and covert channels in the cloud. Enjoy!