Logo des Repositoriums

Auflistung nach Autor:in "Eichberg, Michael"

1 - 5 von 5
  • Konferenzbeitrag
    Call Graph Construction for Java Libraries
    (Software Engineering und Software Management 2018, 2018) Reif, Michael; Eichberg, Michael; Mezini, Mira
    Proceeding FSE 2016 Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. Today, every application uses software libraries. Yet, while a lot of research exists w.r.t. analyzing applications, research that targets the analysis of extensible libraries and frameworks as such is scarce. This is unfortunate because developers of libraries (e.g. the Java Development Kit) want to ensure that the library behaves as intended regardless of how it is used. To fill this gap, we discuss the construction of call graphs that abstract over all potential usages of the respective library. Additionally, we show that the current practice of using call graph algorithms designed for applications leads to call graphs that, at the same time, lack relevant call edges and contain unnecessary edges when used for libraries. Unlike algorithms for applications, call graph construction algorithms for libraries must also take the goals of subsequent analyses into consideration. We will discuss the differences between an analysis for vulnerabilities vs. one for general software quality attributes, e.g., dead methods. This distinction affects the decision about what constitutes the library-private implementation, which, therefore, needs special treatment.
  • Konferenzbeitrag
    CodeMatch
    (Software Engineering und Software Management 2018, 2018) Glanz, Leonid; Amann, Sven; Eichberg, Michael; Reif, Michael; Mezini, Mira
    ESEC/FSE 2017 Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Popular mobile apps are regularly installed by millions of users. This fact attracts malicious actors to create altered, repackaged versions of those apps to steal the original owner’s revenue or to trick users to infect their devices with malware. Detecting such repackaged apps is, therefore, necessary for a secure and viable app market but is challenging due to the use of code obfuscation and the widespread usage of libraries. Due to the recent fact, non-repackaged, legitimate apps often share a majority of their code base and are classified as repackaged by state-of-the-art detectors. We, therefore, propose a new library filtering approach that relies on code representations at five different abstraction levels to achieve resilience against code obfuscation. Additionally, we propose to use the most abstract representation in combination with fuzzy-hashing to detect repackaged apps. Our evaluation shows that the overall approach leads to a better detection rate up to 50%.
  • Konferenzbeitrag
    Getting to know you: towards a capability model for Java
    (Software Engineering 2016, 2016) Hermann, Ben; Reif, Michael; Eichberg, Michael; Mezini, Mira
    Developing software from reusable libraries lets developers face a security dilemma: Ei- ther be efficient and reuse libraries as they are or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time consuming process. In this paper, we propose a novel capability inference mechanism for libraries written in Java. It uses a coarse-grained capability model for system resources that can be presented to developers. We found that the capability inference agrees by 86 81\% on expectations towards capabilities that can be derived from project . documentation. Moreover, our approach can find capabilities that cannot be discovered using project documentation. It is thus a helpful tool for developers mitigating the aforementioned dilemma.
  • Konferenzbeitrag
    Hidden Truths in Dead Software Paths
    (Software Engineering 2016, 2016) Eichberg, Michael; Hermann, Ben; Mezini, Mira; Glanz, Leonid
    Approaches and techniques for statically finding a multitude of issues in source code have been developed in the past. A core property of these approaches is that they are usually targeted towards finding only a very specific kind of issue and that the effort to develop such an analysis is significant. This strictly limits the number of kinds of issues that can be detected. In this paper, we discuss a generic approach - based on the detection of infeasible paths in code - that can discover a wide range of code smells ranging from useless code that hinders comprehension to real bugs. The issues are identified by computing the difference between the control-flow graph that contains all technically possible edges and the corresponding graph recorded while performing a more precise analysis using abstract interpretation. The approach was evaluated using the Java Development Kit as well as the Qualitas Corpus (a collection of over 100 Java Applications) and enabled us to find thousands of issues.
  • Konferenzbeitrag
    A Unified Lattice Model and Framework for Purity Analyses
    (Software Engineering and Software Management 2019, 2019) Helm, Dominik; Kübler, Florian; Eichberg, Michael; Reif, Michael; Mezini, Mira
    This paper was presented in 2018 at the 33rd ACM/IEEE International Conference on Automated Software Engineering and proposes a framework for purity analyses. Analyzing methods in object-oriented programs whether they are side-effect free and also deterministic, i.e., mathematically pure, has been the target of extensive research. Identifying such methods helps to find code smells and security related issues, and helps analyses detecting concurrency bugs. Pure methods are further used for formal specifications and proving the pureness is necessary to ensure correct specifications. However, no common terminology exists which describes the purity of methods. Furthermore, some terms (e.g., pure or side-effect free) are used inconsistently. Further, all current approaches only report selected purity information making them only suitable for a smaller subset of the potential use cases. We present a fine-grained unified lattice model which puts the purity levels found in the literature into relation and which adds a new level that generalizes existing definitions. We have also implemented a scalable, modularized purity analysis which produces significantly more precise results for real-world programs than the best-performing related work. The analysis shows that all defined levels are found in real-world projects.