Listing by keyword "Abstract Syntax Trees"
- Conference paper: Generating Accurate and Compact Edit Scripts using Tree Differencing (Software Engineering 2020, 2020)
  Frick, Veit; Grassauer, Thomas; Beck, Fabian; Pinzger, Martin
  For analyzing changes in source code, edit scripts are used to describe the differences between two versions of a file. These scripts consist of a list of actions that, applied to the source file, result in the new version of the file. In contrast to line-based source code differencing, tree-based approaches such as GumTree, MTDIFF, or ChangeDistiller extract changes by comparing the abstract syntax trees (AST) of two versions of a source file. One benefit of tree-based approaches is their ability to capture moved (sub)trees in the AST. Our approach, the Iterative Java Matcher (IJM), builds upon GumTree and aims at generating more accurate and compact edit scripts that capture the developer's intent. This is achieved by improving the quality of the generated move and update actions, which are the main source of inaccurate actions generated by previous approaches. To evaluate our approach, we conducted a study with 11 external experts and manually analyzed the accuracy of 2400 randomly selected edit actions. Comparing IJM to GumTree and MTDIFF, the results show that IJM provides better accuracy for move and update actions and is more beneficial to understanding the changes.
- Conference paper: You Can Run But You Can’t Hide: Runtime Protection Against Malicious Package Updates For Node.js (Sicherheit 2024, 2024)
  Pohl, Timo; Ohm, Marc; Boes, Felix; Meier, Michael
  Malicious software packages are often used in software supply chain attacks. Detecting these packages is a top priority, and there have been many academic and commercial approaches developed for this purpose. In the event of an attack, it is essential to have resilience against malicious code. To address this issue, we introduce a runtime protection for Node.js that automatically limits the capabilities of packages to a minimum level. The implementation and evaluation of the detection and enforcement of necessary capabilities at runtime was conducted against known malicious attacks. Our approach successfully prevented 90 % of historical attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.