Listing by author "Hermann, Ben"
1 - 9 of 9
- Conference paper: Community Expectations for Research Artifacts and Evaluation Processes (Software Engineering 2023, 2023). Hermann, Ben; Winter, Stefan; Siegmund, Janet. Abstract: Artifact evaluation has been introduced into the software engineering and programming languages research community with a pilot at ESEC/FSE 2011 and has since then enjoyed a healthy adoption throughout the conference landscape. We conducted a survey including all members of artifact evaluation committees of major conferences in the software engineering and programming language field from 2011 to 2019 and compared the answers to expectations set by calls for artifacts and reviewing guidelines. While we find that some expectations exceed the ones expressed in calls and reviewing guidelines, there is no consensus on a quality threshold for artifacts in general. We observe very specific quality expectations for specific artifact types for review and later usage, but also a lack of their communication in calls. We also find problematic inconsistencies in the terminology used to express artifact evaluation's most important purpose. We derive several actionable suggestions which can help to mature artifact evaluation in the inspected community and also to aid its introduction into other communities in computer science.
- Conference paper: Getting to know you: towards a capability model for Java (Software Engineering 2016, 2016). Hermann, Ben; Reif, Michael; Eichberg, Michael; Mezini, Mira. Abstract: Developing software from reusable libraries lets developers face a security dilemma: Either be efficient and reuse libraries as they are, or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time-consuming process. In this paper, we propose a novel capability inference mechanism for libraries written in Java. It uses a coarse-grained capability model for system resources that can be presented to developers. We found that the capability inference agrees by 86.81% on expectations towards capabilities that can be derived from project documentation. Moreover, our approach can find capabilities that cannot be discovered using project documentation. It is thus a helpful tool for developers mitigating the aforementioned dilemma.
- Conference paper: Hidden Truths in Dead Software Paths (Software Engineering 2016, 2016). Eichberg, Michael; Hermann, Ben; Mezini, Mira; Glanz, Leonid. Abstract: Approaches and techniques for statically finding a multitude of issues in source code have been developed in the past. A core property of these approaches is that they are usually targeted towards finding only a very specific kind of issue and that the effort to develop such an analysis is significant. This strictly limits the number of kinds of issues that can be detected. In this paper, we discuss a generic approach - based on the detection of infeasible paths in code - that can discover a wide range of code smells ranging from useless code that hinders comprehension to real bugs. The issues are identified by computing the difference between the control-flow graph that contains all technically possible edges and the corresponding graph recorded while performing a more precise analysis using abstract interpretation. The approach was evaluated using the Java Development Kit as well as the Qualitas Corpus (a collection of over 100 Java applications) and enabled us to find thousands of issues.
- Conference paper: Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite (Short Summary) (Software Engineering 2022, 2022). Dann, Andreas; Plate, Henrik; Hermann, Ben; Ponta, Serena Elisa; Bodden, Eric. Abstract: This short paper presents a study investigating the impact of typical development practices, like re-compilation and re-bundling, on the performance of vulnerability scanners in detecting known vulnerabilities in used open-source dependencies. In particular, the paper studies (i) types of modifications that affect the detection of vulnerable open-source dependencies and (ii) their impact on the performance of vulnerability scanners through an empirical study on 7024 Java projects developed at SAP.
- Conference paper: ModGuard: Identifying Integrity & Confidentiality Violations in Java Modules (Software Engineering 2021, 2021). Dann, Andreas; Hermann, Ben; Bodden, Eric. Abstract: This short paper presents a static analysis for the novel challenge of analyzing Java modules. Since modules have only recently been introduced with Java 9, we point out the impact of modules both from the security and the static code analysis perspective. In particular, we introduce a static analysis that allows developers to assess whether a module successfully encapsulates internal data, along with a formal definition of a module's entrypoints.
- Conference paper: Persisting and Reusing Results of Static Program Analyses on a Large Scale (Software Engineering 2024 (SE 2024), 2024). Düsing, Johannes; Hermann, Ben.
- Conference paper: A Retrospective Study of one Decade of Artifact Evaluations (Software Engineering 2024 (SE 2024), 2024). Winter, Stefan; Timperley, Christopher; Hermann, Ben; Cito, Jürgen; Bell, Jonathan; Hilton, Michael; Beyer, Dirk.
- Conference paper: TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses (Software Engineering 2022, 2022). Luo, Linghui; Pauck, Felix; Piskachev, Goran; Benz, Manuel; Pashchenko, Ivan; Mory, Martin; Bodden, Eric; Hermann, Ben; Massacci, Fabio. Abstract: Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world applications, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. Our recent study fills this gap. It first defines a set of sensible construction criteria for such a benchmark suite. It further proposes the TaintBench benchmark suite designed to fulfil these construction criteria. Along with the suite, this paper introduces the TaintBench framework, which allows tool-assisted benchmark suite construction, evaluation and inspection. Our experiments using TaintBench reveal new insights into popular Android taint analysis tools.
- Conference paper: UpCy: Safely Updating Outdated Dependencies (Summary) (Software Engineering 2024 (SE 2024), 2024). Dann, Andreas; Hermann, Ben; Bodden, Eric.