Conclusion slide of the presentation

Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability

Our paper suggests an adapted algorithm that can report error chains between API misuses. The empirical study onn 471 GitHub repositories showed that 50% of projects are affected by connected cryptographic API misuses. Further, the runtime overhead is minimal, and developers appreciate the adaption.

March 2024 · Anna-Katharina Wickert, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, Eric Bodden

Securing Your Crypto-API Usage Through Tool Support - A Usability Study

Our user study shows that the Eclipse plugin CogniCrypt reduces misuses and speeds development, enhancing security and efficiency for cryptographic API usage. Through a controlled experiment with 24 Java developers, we found that CogniCrypt significantly improves code security and development speed for cryptography-related tasks. Developers appreciate CogniCrypt’s code generation and static analysis, though integrating the generated code remains a challenge.

October 2023 · Stefan Krüger, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim Ali, Eric Bodden, Mira Mezini, Yasemin Acar, Sascha Fahl

Algebraic Replicated Data Types: Programming Secure Local-First Software date

This paper presents programming support for local-first applications, enabling automatic synchronization and end-to-end encryption using algebraic data types. It addresses challenges in availability, privacy, and security, ensuring data integrity and eventual consistency without complex solutions.

July 2023 · Christian Kuessner, Ragnar Mogk, Anna-Katharina Wickert, Mira Mezini
Conclusion slide of presentation

UNGOML: Automated Classification of unsafe Usages in Go

UNGOML, an automated classifier for Go’s unsafe package, uses deep learning to classify the purpose of unsafe usages. It achieves over 86% accuracy, aiding in tasks like refactoring and security audits by identifying what is done with the unsafe package and why.

May 2023 · Anna-Katharina Wickert, Clemens Damke, Lars Baumgärtner, Eyke Hüllermeier, Mira Mezini
Last slide of the talk and an overview of the work.

To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild

Empirial study of cryptographic misuses on enterprise-driven applications that identified several potential effective false positives, such as the use of hash algorithms in a non-security context. Further, we introduced a theoretical model of vulnerabilities caused by API misuses.

December 2022 · Anna-Katharina Wickert, Lars Baumgärtner, Michael Schlichtig, Krishna Narasimhan, Mira Mezini

A Fine-grained Data Set and Analysis of Tangling in Bug Fixing Commits

This study examines the prevalence of tangled commits in bug fixes, revealing that 66-87% of changes in production code files actually fix bugs. Using a crowdsourcing approach, we found significant noise in data due to tangling, suggesting that unvalidated data is likely very noisy and can alter research results.

July 2022 · Steffen Herbold, Alexander Trautsch, Benjamin Ledel, Alireza Aghamohammadi, Taher Ahmed Ghaleb, Kuljit Kaur Chahal, Tim Bossenmaier, Bhaveet Nagaria, Philip Makedonski, Matin Nili Ahmadabadi, Kristof Szabados, Helge Spieker, Matej Madeja, Nathaniel Hoy, Valentina Lenarduzzi, Shangwen Wang, Gema Rodríguez-Pérez, Ricardo Colomo-Palacios, Roberto Verdecchia, Paramvir Singh, Yihao Qin, Debasish Chakroborti, Willard Davis, Vijay Walunj, Hongjun Wu, Diego Marcilio, Omar Alam, Abdullah Aldaeej, Idan Amit, Burak Turhan, Simon Eismann, Anna-Katharina Wickert, Ivano Malavolta, Matus Sulir, Fatemeh Fard, Austin Z. Henley, Stratos Kourtzanidis, Eray Tuzun, Christoph Treude, Simin Maleki Shamasbi, Ivan Pashchenko, Marvin Wyrich, James Davis, Alexander Serebrenik, Ella Albrecht, Ethem Utku Aktas, Daniel Strüber, Johannes Erbel
Last slide of the talk and an overview of the work.

CamBench - Cryptographic API Misuse Detection Tool Benchmark Suite

So far, benchmarks for cryptographic API misuses only focused on a subset of issues or tools. To drive future development in this domain, we will openly generate a benchmark. We will derive the generation of this novel benchmark from best practices.

May 2022 · Michael Schlichtig, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, Mira Mezini
Conclusion slide of the presentation

Python crypto misuses in the wild

Our study analyzes cryptographic API misuses in over 900 Python and MicroPython projects, revealing that 52% of the projects have at least one misuse. The findings indicate a positive impact of good API design in reducing misuses compared to Java and C.

October 2021 · Anna-Katharina Wickert, Lars Baumgärtner, Florian Breitfelder, Mira Mezini

Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild

We conducted an empirical study to understand how frequently the unsafe API is used in Go. We show that 38% of the analyzed projects directly use the unsafe API. Further, we introduce go-geiger and go-safer to assess usages of the API.

December 2020 · Johannes Lauinger, Lars Baumgärtner, Anna-Katharina Wickert, Mira Mezini
Last slide of the talk and an overview of the work.

A Dataset of Parametric Cryptographic Misuses

Cryptographic APIs are often misused. Our dataset of 201 real-world misuses aids research & tool evaluation that aim to mitigate cryptographic API misuses.

May 2019 · Anna-Katharina Wickert, Michael Reif, Michael Eichberg, Anam Dodhy, Mira Mezini