Current static code analysis tools still suffer from many problems. In practice, for instance, they are not well accepted by developers. One reason is that developers are confronted with a large number of warnings when using these tools. Due to a lack of precision, many of the reported warnings are even incorrect (so-called false positives). This strongly discourages developers from dealing with security issues at all. As a consequence, many software development processes still treat software security as incidental. The goal of this project is to improve the usability of static analysis tools according to the needs of developers. This requires research into new techniques, especially in the following areas:

  • Optimized analysis mechanisms
  • Optimized representation of analysis results
  • Flexible adjustments to the context of use
  • Accompanying studies

This project focuses in particular on software developers. Initially, studies will be carried out to uncover why developers make mistakes and introduce security issues while implementing software systems. Subsequently, static analysis tools will be developed that support developers during the development process, so that security vulnerabilities can be detected more easily in the early stages of software development.

Principal Investigators (PIs)

Prof. Dr. Eric Bodden
Software Engineering Group
Heinz Nixdorf Institut
Universität Paderborn

Prof. Dr. Matthew Smith
Usable Security and Privacy Group
Institute of Computer Science 4
Rheinische Friedrich-Wilhelms-Universität Bonn

PhD Students

Linghui Luo
Software Engineering Group
Heinz Nixdorf Institut
Universität Paderborn
@LinguiLuo

Mischa Meier
Institute of Computer Science 4
Universität Bonn

Publications

  • Linghui Luo, Julian Dolby, Eric Bodden. “MagpieBridge: A General Approach to Integrating Static Analyses into IDEs and Editors”. European Conference on Object-Oriented Programming (ECOOP) 2019.
  • Linghui Luo, Eric Bodden, Johannes Späth. “A Qualitative Analysis of Android Taint-Analysis Results”. 34th IEEE/ACM International Conference on Automated Software Engineering (ASE) 2019, San Diego, California, United States.
  • Manuel Benz, Erik Krogh Kristensen, Linghui Luo, Nataniel P. Borges Jr., Eric Bodden, Andreas Zeller. “Heaps’n Leaks: How Heap Snapshots Improve Android Taint Analysis”. 42nd International Conference on Software Engineering (ICSE) 2020, Seoul, South Korea.