Logo des Repositoriums

Auflistung nach Autor:in "Reif, Michael"

1 - 5 von 5
  • Konferenzbeitrag
    Call Graph Construction for Java Libraries
    (Software Engineering und Software Management 2018, 2018) Reif, Michael; Eichberg, Michael; Mezini, Mira
    Proceeding FSE 2016 Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. Today, every application uses software libraries. Yet, while a lot of research exists w.r.t. analyzing applications, research that targets the analysis of extensible libraries and frameworks as such is scarce. This is unfortunate because developers of libraries (e.g. the Java Development Kit) want to ensure that the library behaves as intended regardless of how it is used. To fill this gap, we discuss the construction of call graphs that abstract over all potential usages of the respective library. Additionally, we show that the current practice of using call graph algorithms designed for applications leads to call graphs that, at the same time, lack relevant call edges and contain unnecessary edges when used for libraries. Unlike algorithms for applications, call graph construction algorithms for libraries must also take the goals of subsequent analyses into consideration. We will discuss the differences between an analysis for vulnerabilities vs. one for general software quality attributes, e.g., dead methods. This distinction affects the decision about what constitutes the library-private implementation, which, therefore, needs special treatment.
  • Konferenzbeitrag
    CiFi: Versatile Analysis of Class and Field Immutability
    (Software Engineering 2022, 2022) Roth, Tobias; Helm, Dominik; Reif, Michael; Mezini, Mira
    This paper was accepted in 2021 at the 36th IEEE/ACM International Conference on Automated Software Engineering and proposes a model for immutability analysis. Reasoning about immutability is important for preventing bugs, e.g., in multi-threaded software. Static analysis to infer immutability properties has mostly focused on individual objects and references. Reasoning about fields and entire classes, while significantly simpler, has gained less attention. A consistently used terminology is missing, which makes it difficult to implement analyses that rely on immutability information. We propose a model for class and field immutability that unifies terminology for immutability flavors considered by previous work and covers new levels of immutability to handle lazy initialization and immutability dependent on generic type parameters. Using the OPAL static analysis framework, we implement CiFi, a set of modular, collaborating analyses for different flavors of immutability, inferring the properties defined in our model. We propose a benchmark of representative test cases for class and field immutability. We use the benchmark to showcase CiFi's precision and recall in comparison to state of the art and use CiFi to study the prevalence of immutability in real-world libraries, showcasing the practical quality and relevance of our model.
  • Konferenzbeitrag
    CodeMatch
    (Software Engineering und Software Management 2018, 2018) Glanz, Leonid; Amann, Sven; Eichberg, Michael; Reif, Michael; Mezini, Mira
    ESEC/FSE 2017 Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering. Popular mobile apps are regularly installed by millions of users. This fact attracts malicious actors to create altered, repackaged versions of those apps to steal the original owner’s revenue or to trick users to infect their devices with malware. Detecting such repackaged apps is, therefore, necessary for a secure and viable app market but is challenging due to the use of code obfuscation and the widespread usage of libraries. Due to the recent fact, non-repackaged, legitimate apps often share a majority of their code base and are classified as repackaged by state-of-the-art detectors. We, therefore, propose a new library filtering approach that relies on code representations at five different abstraction levels to achieve resilience against code obfuscation. Additionally, we propose to use the most abstract representation in combination with fuzzy-hashing to detect repackaged apps. Our evaluation shows that the overall approach leads to a better detection rate up to 50%.
  • Konferenzbeitrag
    Getting to know you: towards a capability model for Java
    (Software Engineering 2016, 2016) Hermann, Ben; Reif, Michael; Eichberg, Michael; Mezini, Mira
    Developing software from reusable libraries lets developers face a security dilemma: Ei- ther be efficient and reuse libraries as they are or inspect them, know about their resource usage, but possibly miss deadlines as reviews are a time consuming process. In this paper, we propose a novel capability inference mechanism for libraries written in Java. It uses a coarse-grained capability model for system resources that can be presented to developers. We found that the capability inference agrees by 86 81\% on expectations towards capabilities that can be derived from project . documentation. Moreover, our approach can find capabilities that cannot be discovered using project documentation. It is thus a helpful tool for developers mitigating the aforementioned dilemma.
  • Konferenzbeitrag
    A Unified Lattice Model and Framework for Purity Analyses
    (Software Engineering and Software Management 2019, 2019) Helm, Dominik; Kübler, Florian; Eichberg, Michael; Reif, Michael; Mezini, Mira
    This paper was presented in 2018 at the 33rd ACM/IEEE International Conference on Automated Software Engineering and proposes a framework for purity analyses. Analyzing methods in object-oriented programs whether they are side-effect free and also deterministic, i.e., mathematically pure, has been the target of extensive research. Identifying such methods helps to find code smells and security related issues, and helps analyses detecting concurrency bugs. Pure methods are further used for formal specifications and proving the pureness is necessary to ensure correct specifications. However, no common terminology exists which describes the purity of methods. Furthermore, some terms (e.g., pure or side-effect free) are used inconsistently. Further, all current approaches only report selected purity information making them only suitable for a smaller subset of the potential use cases. We present a fine-grained unified lattice model which puts the purity levels found in the literature into relation and which adds a new level that generalizes existing definitions. We have also implemented a scalable, modularized purity analysis which produces significantly more precise results for real-world programs than the best-performing related work. The analysis shows that all defined levels are found in real-world projects.