Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability

Our paper suggests an adapted algorithm that can report error chains between API misuses. The empirical study on 471 GitHub repositories showed that 50% of projects are affected by connected cryptographic API misuses. Further, the runtime overhead is minimal, and developers appreciate the adaptation.

March 2024 · Anna-Katharina Wickert, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, Eric Bodden

To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild

Empirical study of cryptographic misuses in enterprise-driven applications that identified several potential effective false positives, such as the use of hash algorithms in a non-security context. Further, we introduced a theoretical model of vulnerabilities caused by API misuses.

December 2022 · Anna-Katharina Wickert, Lars Baumgärtner, Michael Schlichtig, Krishna Narasimhan, Mira Mezini

CamBench - Cryptographic API Misuse Detection Tool Benchmark Suite

So far, benchmarks for cryptographic API misuses only focused on a subset of issues or tools. To drive future development in this domain, we will openly generate a benchmark. We will derive the generation of this novel benchmark from best practices.

May 2022 · Michael Schlichtig, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, Mira Mezini

Python crypto misuses in the wild

Our study analyzes cryptographic API misuses in over 900 Python and MicroPython projects, revealing that 52% of the projects have at least one misuse. The findings indicate a positive impact of good API design in reducing misuses compared to Java and C.

October 2021 · Anna-Katharina Wickert, Lars Baumgärtner, Florian Breitfelder, Mira Mezini

Uncovering the Hidden Dangers: Finding Unsafe Go Code in the Wild

We conducted an empirical study to understand how frequently the unsafe API is used in Go. We show that 38% of the analyzed projects directly use the unsafe API. Further, we introduce go-geiger and go-safer to assess usages of the API.

December 2020 · Johannes Lauinger, Lars Baumgärtner, Anna-Katharina Wickert, Mira Mezini

A Dataset of Parametric Cryptographic Misuses

Cryptographic APIs are often misused. Our dataset of 201 real-world misuses aids research and tool evaluations that aim to mitigate cryptographic API misuses.

May 2019 · Anna-Katharina Wickert, Michael Reif, Michael Eichberg, Anam Dodhy, Mira Mezini

Don’t let data Go astray

This paper presents a static taint analysis for Go, a statically typed language with concurrent programming features like goroutines and channel communication. The analysis focuses on secure information flow to prevent vulnerabilities caused by unchecked user input, offering solutions for both context-sensitive taint analysis and channel communication in Go.

October 2016 · Ka I Pun, Martin Steffen, Volker Stolz, Anna-Katharina Wickert, Eric Bodden, Michael Eichberg

Information Flow Analysis for Go

This paper presents current information flow analyses for Go applications, discussing future uses of static analysis at runtime to enhance precision and optimize checks. It focuses on unique Go features like closures and message-based communication via channels.

October 2016 · Eric Bodden, Ka I. Pun, Martin Steffen, Volker Stolz, Anna-Katharina Wickert