Time for Addressing Software Security Issues: Prediction Models and Impacting Factors

The second paper resulting from our collaboration with SAP on developing models for estimating the time to fix security issues is published by the Data Science and Engineering journal, Springer. In this paper, we quantitatively investigate the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. The work shows that the time it takes to fix an issue seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. The models could be used to implement a continuous improvement of the secure software development processes and to measure the impact of individual improvements. The paper is published as open source and is available here.

An In-Depth Study of More Than Ten Years of Java Exploitation

I am happy and proud to present our first CCS paper! Co-authored with Philipp Holzinger, Stefan Triller and Alexandre Bartel, we present an in-depth study of all available Java exploits we were able to find online. The exploits cover all different sorts of attack vectors and more than 15 years; they highlight important weaknesses in the Java runtime. The study explains in detail the different weaknesses the exploits exploit. The paper is available here already. Further, we will soon make available some artifacts on this website (not the exploits, though).

Thanks to Marco Pistoia for his constructive feedback and Julian Dolby for providing us with the IBM JDKs we required for our study! Thanks also to Oracle, which supported us through a Collaborative Research Grant, and to the DFG’s Priority Program 1496 Reliably Secure Software Systems, which funded the work through its project INTERFLOW!

See you all in Vienna!

Making Static Analysis More Accessible to Software Developers

Fraunhofer research fellow selected for the Grand Finals of the »ACM Student Research Competition 2016«

For her contribution to this year's Student Research Competition of the »37th annual ACM SIGPLAN conference on Programming Language Design and Implementation (PLDI)«, a Fraunhofer research fellow scored first place in the PLDI Student Research Competition, and is therefore selected for the Grand Finals of the »ACM Student Research Competition.«

In industrial settings, static analysis is widely used to ensure code quality and security. It is still largely treated as a batch-style activity: developers run static analysis tools, wait for them to finish, and then examine the results. This process often takes hours to complete, prompting development teams to run static analysis tools as part of nightly builds. During this time, the code has often evolved further, so some reported errors are already obsolete when developers see them. Additionally, end-user experience shows that developers have to deal with numerous results and spend considerable effort sorting out false positives and prioritizing the warnings they will fix. The classification techniques offered by many tools give developers a better overview of the analysis results, but the analysis is still treated as a black box: developers have limited influence on, and understanding of, what the analysis finds and why it finds it.

Thien-Duyen Lisa Nguyen Quang Do, research fellow at Fraunhofer IEM (Department Software Engineering, Prof. Dr. Eric Bodden), researches the field of User-Centric Static Analysis. She advocates that static analyses should be able to accommodate specific users’ requirements about the behavior of the analysis in specific situations.

One of her ideas towards this goal, in collaboration with TU Darmstadt, Paderborn University, Microsoft Research, and NC State University, introduces a layered analysis framework in which the developer can explicitly direct the analysis and control which paths it visits first. Analyses written in a layered manner deliver the results of interest to the user in a short time, thus addressing the shortcomings of batch-style analyses. Layered analyses can be easily integrated into an Integrated Development Environment such as the Eclipse IDE, in a way that interacts more closely with the developer.

Lisa Nguyen presented her research at the Student Research Competition of the »37th annual ACM SIGPLAN conference on Programming Language Design and Implementation« (PLDI). PLDI was held from 13-17 June 2016 in Santa Barbara, California, United States.

PLDI is the premier conference in the field of programming languages, covering the topics of design, implementation, theory, and efficient use of programming languages. ACM’s Student Research Competition is an internationally recognized venue enabling undergraduate and graduate students to present research results and exchange ideas with other students, judges, and conference attendees. It spans several premier conferences (such as PLDI, ICSE, CHI or FSE) where students present their research, first as an abstract, then as a poster, and finally in a presentation. The first-placed graduate and undergraduate students at each conference are then invited to participate in the Grand Finals of the following year. Lisa Nguyen scored first place in the graduate category.

Become a Post-Doc Researcher at Paderborn University!

We are still looking for one to two postdoctoral researchers to complement our research group at Paderborn University. For further information, please consult our previous announcement here. As stated, please direct your applications to se-jobs.cs@upb.de.

If you have a deep interest in software engineering, especially software security, then I am very much looking forward to your application! In particular, I am interested in candidates with a proven track record (at least two papers at very reputable venues) in any of these subject areas:

  • Static and/or dynamic program analysis
  • Software Security
  • Systems Security
  • Applied (!) cryptography and/or cryptanalysis

Should we reject papers with bogus artifacts?

Yesterday I blogged about the accepted artifacts at ISSTA. I think it is worthwhile noting that out of the ten accepted papers that had artifacts submitted, there were seven for which the artifacts checked out. That is a good thing!

What worries me, however, are the three papers for which artifact evaluation failed. For those three papers, we were largely unable to reproduce their results, and yet the papers made it into the program. Moreover, for two of those three, the fact that they failed artifact evaluation was already known before the PC meeting, i.e., there would have been a chance to reject them.

The reason why the PC did not is that only positive reviews were taken into account this time, in order not to discourage people from submitting artifacts in the future. We as a community should really think about whether we cannot find a way to make artifact evaluation the default, so that people have no other choice than to submit all the evidence they have to back up their claims.

ICSE Distinguished Reviewer Award

I was very pleasantly surprised when I received the ICSE Distinguished Reviewer Award today, especially given that out of the 19 papers I reviewed only two were finally accepted. I guess there must also be a helpful way to reject papers after all. So thanks a lot to the ICSE authors for their positive vote! And more thanks go also to Alexandre Bartel, Mauro Baluda, Philipp Holzinger, Siegfried Rasthofer, Stephan Huber and Steven Arzt for assisting my reviews. Thanks a lot guys, we all share this award!

Boomerang accepted at ECOOP 2016

We are happy to announce that a paper on our new algorithm for demand-driven context- and flow-sensitive points-to analysis, called Boomerang, has been accepted at the ECOOP 2016 conference. Download the paper here.

Boomerang is the first points-to analysis algorithm which, on demand, delivers not only points-to sets but also the reverse information: given an allocation site, the analysis delivers all possible pointers in the current scope which point to that particular allocation site. This feature is crucial for state-of-the-art clients such as taint and typestate analysis. On top of that, Boomerang enables client-driven context resolution: the client can limit the search scope of the points-to analysis to the methods of interest.
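To make the two query directions concrete, here is an added toy illustration (not Boomerang's algorithm or code, and not from the paper): a flow-insensitive, intraprocedural points-to query over a constructed three-address program that answers both the forward question (which allocation sites may a variable point to?) and the reverse question (which variables may point to a given allocation site?), with the client restricting the search to a set of methods. The statement format, method names and allocation-site labels are all constructed for this example.

```python
from collections import defaultdict

# Constructed toy program as (method, kind, lhs, rhs) statements, flow-insensitive.
# "new": lhs = new object at allocation site rhs; "copy": lhs = rhs. No fields or
# calls: this is NOT Boomerang's algorithm, only its two query directions.
PROGRAM = [
    ("main", "new", "a", "site1"),
    ("main", "copy", "b", "a"),
    ("main", "new", "c", "site2"),
    ("main", "copy", "d", "c"),
    ("main", "copy", "d", "a"),    # d may point to site1 or site2
    ("helper", "copy", "e", "d"),  # alias that lives outside main
    ("helper", "new", "f", "site3"),
]

def _edges(scope):
    """Index allocations and copy edges for the methods in `scope` (None = all)."""
    allocs = defaultdict(set)  # var -> allocation sites assigned directly
    succ = defaultdict(set)    # rhs -> {lhs}: where a value flows to
    pred = defaultdict(set)    # lhs -> {rhs}: where a value came from
    for method, kind, lhs, rhs in PROGRAM:
        if scope is not None and method not in scope:
            continue  # client-driven scoping: ignore methods outside scope
        if kind == "new":
            allocs[lhs].add(rhs)
        else:
            succ[rhs].add(lhs)
            pred[lhs].add(rhs)
    return allocs, succ, pred

def points_to(var, scope=None):
    """Forward query: allocation sites `var` may point to (walk copies backwards)."""
    allocs, _, pred = _edges(scope)
    seen, work, sites = set(), [var], set()
    while work:
        v = work.pop()
        if v not in seen:
            seen.add(v)
            sites |= allocs[v]
            work.extend(pred[v])
    return sites

def pointed_to_by(site, scope=None):
    """Reverse query (what Boomerang adds): variables that may point to `site`."""
    allocs, succ, _ = _edges(scope)
    seen, work = set(), [v for v, s in allocs.items() if site in s]
    while work:
        v = work.pop()
        if v not in seen:
            seen.add(v)
            work.extend(succ[v])  # walk copies forwards
    return seen
```

Restricting the scope to `{"main"}` drops the alias `e` from the reverse answer for `site1`, which is the kind of trade-off a client makes when it narrows the search to the methods it cares about.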

For the evaluation we introduce PointerBench, the first benchmark suite to evaluate the precision and soundness of points-to analyses. We hope for contributions to further enhance the benchmark suite and make points-to analyses more easily comparable.

Boomerang also received the artifact evaluation award.

Smart cyber-physical systems: Too big to fail, too smart to be secure?

Attending ICSE? Then consider coming two days earlier to attend SEsCPS, the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems, where I will be giving a keynote on the current state and challenges of CPS security. Abstract:

Many industrialized nations are currently pushing for smart cyber-physical systems as a major hope for new revenue models. But such systems become smart through connectivity, which opens them up to a whole range of new attack vectors. One may ask: why are current software-heavy cyber-physical systems as insecure as they are? My answer would be: why shouldn’t they be? Many such systems are designed and engineered by companies who never developed software engineering as a core competency. And how should such companies succeed where even the most prominent software vendors struggle? In this talk I will discuss my view of the challenges in secure software engineering and how the inclusion of hardware brings a whole new set of challenges to the game. I will outline my vision of secure systems engineering and raise a set of challenges that need to be addressed to make this vision become reality.