IT Security

© Fraunhofer IEM

Developing and operating software-intensive products to be safe from attacks

Downstream rectification of security vulnerabilities in software-intensive products is laborious and expensive. Developers of these products can use security by design methods in the early phases of a project to explicitly document IT security requirements and take suitable action. Many statistics confirm that by applying this procedure, developers can not only protect their customers, but also achieve significant cost savings. Moreover, companies can proactively anticipate the introduction of norms and standards in this field.

Fraunhofer IEM researches and develops processes, methods and tools to implement security by design in companies with as little intervention and added cost as possible. To do this, the institute cooperates with the world’s leading software development companies and passes on the findings to businesses in the region.  

Facts & Figures

Fraunhofer IEM is among the world’s leading research institutions in the area of secure software engineering. Each year there are publications at the top conferences within IT security and software engineering, prepared in collaboration with researchers from all over the world.

Disclosure of vulnerabilities

Researchers at Fraunhofer IEM and the Heinz Nixdorf Institute regularly discover previously unknown vulnerabilities in IT products. In 2018 alone, they detected security-critical misuse of cryptographic interfaces in thousands of Android apps and Java artifacts using the CogniCrypt tool. Whenever possible, researchers are committed to notifying the product manufacturers of these vulnerabilities within the framework of a coordinated disclosure process. This means that manufacturers are informed of the vulnerabilities prior to publication and therefore receive sufficient time and support to rectify the deficiencies before they are made public.

Here are a few anonymized examples of security vulnerabilities that we identified and fixed:

  • Inadequate symmetric cryptography in a password safe app by a leading, international antivirus vendor (>500,000 downloads on Google Play, CVE-2018-12240)
  • Inadequate key derivation from a user password in a banking app by a leading German bank (>1 million downloads on Google Play)
  • Use of the obsolete crypto-algorithm RC4 in an open source library for Kerberos-based authentication.

Fraunhofer IEM also advises companies on the implementation of incident response processes, i.e. the coordinated management of vulnerability reporting and the initiation of suitable measures.   

Tools

Researchers at Fraunhofer IEM have also developed some of the world’s leading software tools, of which we will only list the most important here.

CogniCrypt

The CogniCrypt tool was developed as part of the special research area CROSSING at Technische Universität Darmstadt and in cooperation with the Heinz Nixdorf Institute at Paderborn University. CogniCrypt helps developers identify security-critical misuse of cryptographic libraries quickly and reliably. Fraunhofer IEM has now developed this tool to market maturity and is making it available as an open source Eclipse project.  

Soot

Soot is the world’s leading framework for the static and dynamic analysis of Java and Android applications. As a generic framework, it is the basis for many other tools by Fraunhofer IEM and more than 1500 research groups worldwide. Soot was created by the Sable Research Group at McGill University in the late 90s. Its ongoing development has been overseen by Prof. Bodden’s research group since 2006. Soot is available as open source.

 

FlowDroid

FlowDroid is the world’s leading static data flow analysis tool for Java and Android applications. It is essentially based on Soot, but adds highly efficient and precise data flow analysis and supports the analysis of Android apps. FlowDroid is used by hundreds of research groups worldwide and in commercial settings as well, for instance as the basis for security analyses in one of the world’s largest app stores. Like Soot, FlowDroid is available as open source software.  

Phasar

Phasar is the first open source framework for static program analysis based on the compiler framework LLVM. Phasar is used above all to analyze C/C++ source code, but is also suitable for other programming languages and binary formats that support LLVM. Unlike LLVM itself, Phasar also includes call graph and pointer analyses, as well as a framework for the efficient implementation of inter-procedural data flow analyses. Phasar is available as open source.

Boomerang and IDEal

Boomerang is used for highly efficient and precise static pointer analysis. The analysis is “demand-driven” and therefore designed in such a way that it only analyzes the parts of the program code for which this is currently necessary. This procedure, as well as the algorithms and program abstractions developed at Fraunhofer IEM, finally allow the efficient resolution of pointer relationships.

IDEal is a generic framework that enables the extremely simple use of data flow analysis to resolve pointer relationships with Boomerang.  

Videos

Why IT security research?

Not only are our experts at the vanguard of research, they also receive regular requests to prepare research topics to suit particular target groups in different situations. In the videos shown here, Prof. Bodden walks viewers through a few important contexts within IT security.

In our series “Discussions with Experts,” Prof. Eric Bodden explains why innovative IT solutions for software-intensive systems still need to be developed even after years of research, and which measures can help obstruct cyber attacks.

Discussions with Experts: IT security for SMEs

Hacker attacks on production processes, the theft of sensitive customer data, digital eavesdropping on trade secrets: often it takes just one point of entry to put IT security at risk. In our series “Discussions with Experts”, Prof. Eric Bodden explains how small- to medium-sized enterprises can protect themselves against IT attacks and which aspects are essential to an effective security package. He also outlines the importance of quality seals.

Discussions with Experts: Secure software thanks to automation

Spellcheckers for developers? In the series “Discussions with Experts”, Prof. Eric Bodden explains how automated program analysis helps to detect security vulnerabilities even during development and can therefore support programmers in their work.

Tutorial: State of the Systems Security

The ACM/IEEE International Conference on Software Engineering is the world’s leading conference on software engineering. Even the most prestigious scientists apply to present their papers at this conference. Prof. Bodden was invited to give a 90-minute tutorial on IT security in 2018.

In the tutorial, Prof. Bodden explains why IT security is a problem that needs to be solved primarily by software engineers, and not by cryptography experts or network engineers. He also addresses the issue of how software engineers can tackle the problem.

Scientific publications

Here you will find a selection of scientific publications that deal with the wider issue of IT security and were prepared at Fraunhofer IEM.

2019

Context-, Flow- and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems (Johannes Späth, Karim Ali, Eric Bodden), In Principles of Programming Languages (POPL), 2019 (To appear.)

2018

Gamifying Static Analysis (Lisa Nguyen Quang Do, Eric Bodden), In ESEC/FSE ’18: Joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering – New Ideas Track, 2018.
Do Android Taint Analysis Tools Keep their Promises? (Felix Pauck, Eric Bodden, Heike Wehrheim), In ESEC/FSE ’18: Joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, 2018. (To appear.) Awarded: Distinguished Paper Award, Artifact Evaluation Award
The Secret Sauce in Efficient and Precise Static Analysis (Eric Bodden), In Proceedings of the 7th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis, SOAP 2018, 2018. (To appear.)
Towards Ensuring Security by Design in Cyber-Physical Systems Engineering Processes (Johannes Geismann, Christopher Gerking, Eric Bodden), In International Conference on Software and System Processes (ICSSP), 2018. (To appear.) 
VISUFLOW, a Debugging Environment for Static Analyses (Lisa Nguyen Quang Do, Stefan Krüger, Patrick Hill, Karim Ali, Eric Bodden), In International Conference for Software Engineering (ICSE), Tool Demonstrations Track, 2018. (To appear.)
State of the systems security (Eric Bodden), In International Conference for Software Engineering (ICSE), Technical Briefing, 2018. 
Self-adaptive static analysis (Eric Bodden), In International Conference for Software Engineering (ICSE), New Ideas and Emerging Results Track, 2018.
CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs (Stefan Krüger, Johannes Späth, Karim Ali, Eric Bodden, Mira Mezini), In European Conference on Object-Oriented Programming (ECOOP), 2018. (To appear.) Awarded: Artifact Evaluation Award

2017

Hardening Java's Access Control by Abolishing Implicit Privilege Elevation (Philipp Holzinger, Ben Hermann, Johannes Lerch, Eric Bodden, Mira Mezini), In 2017 IEEE Symposium on Security and Privacy (Oakland S&P), IEEE Press, 2017. 
IDEal: Efficient and Precise Alias-aware Dataflow Analysis (Johannes Späth, Karim Ali, Eric Bodden), In 2017 International Conference on Object-Oriented Programming, Languages and Applications (OOPSLA/SPLASH), ACM Press, 2017. Awarded: Artifact Evaluation Award 
Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, Emerson Murphy-Hill), In International Symposium on Software Testing and Analysis (ISSTA), 2017. (To appear.) Awarded: Distinguished Paper Award, Artifact Evaluation Award
Cheetah: Just-in-Time Taint Analysis for Android Apps (Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, Emerson Murphy-Hill), In International Conference for Software Engineering (ICSE), Tool Demonstrations Track, 2017. 
CrySL: Validating Correct Usage of Cryptographic APIs (Stefan Krüger, Johannes Späth, Karim Ali, Eric Bodden, Mira Mezini), Technical report arXiv:1710.00564, arXiv.org, 2017.
CogniCrypt: Supporting Developers in using Cryptography (Stefan Krüger, Sarah Nadi, Michael Reif, Karim Ali, Mira Mezini, Eric Bodden, Florian Göpfert, Felix Günther, Christian Weinert, Daniel Demmler, Ram Kamath), In International Conference on Automated Software Engineering (ASE 2017), Tool Demo Track, 2017.
Industrial Security by Design (Christopher Gerking, Eric Bodden, Wilhelm Schäfer), Chapter in (Günter W. Maier, Gregor Engels, Eckhard Steffen, eds.), pages 1-24, Springer Berlin Heidelberg, 2017. 

2016

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques (Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden), In Network and Distributed System Security Symposium (NDSS), 2016.
StubDroid: Automatic Inference of Precise Data-flow Summaries for the Android Framework (Steven Arzt, Eric Bodden), In International Conference for Software Engineering (ICSE), 2016.
Jumping Through Hoops: Why do Java Developers Struggle With Cryptography APIs? (Sarah Nadi, Stefan Krüger, Mira Mezini, Eric Bodden), In International Conference for Software Engineering (ICSE), pages 935-946, 2016.
Boomerang: Demand-Driven Flow- and Context-Sensitive Pointer Analysis for Java (Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, Eric Bodden), In European Conference on Object-Oriented Programming (ECOOP), 2016. Awarded: Artifact Evaluation Award 
Harvester - Vollautomatische Extraktion von Laufzeitwerten aus obfuskierten Android-Applikationen (Siegfried Rasthofer, Steven Arzt, Eric Bodden, Marc Miltenberger), In Datenschutz und Datensicherheit, pages 718-722, 2016. 
An In-Depth Study of More Than Ten Years of Java Exploitation (Philipp Holzinger, Stefan Triller, Alexandre Bartel, Eric Bodden), In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 779-790, CCS '16, 2016. 
Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, Emerson Murphy-Hill), Technical report, University of Alberta Dataverse, 2016.

2015

Mining Apps for Abnormal Usage of Sensitive Data (Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, Eric Bodden), In 2015 International Conference on Software Engineering (ICSE), pages 426-436, 2015. Awarded: Best paper award at the 2016 Spanish Cybersecurity Days (Jornadas Nacionales de Investigación en Ciberseguridad)
IccTA: Detecting Inter-Component Privacy Leaks in Android Apps (Li Li, Alexandre Bartel, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, Patrick McDaniel), In 2015 International Conference on Software Engineering (ICSE), pages 280-291, 2015. 
(In)Security of Backend-as-a-Service (Steven Arzt, Robert Hahn, Max Kohlhagen, Eric Bodden, Siegfried Rasthofer), In Black Hat Europe 2015, 2015.
Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis With Unbounded Access Paths (Johannes Lerch, Johannes Späth, Eric Bodden, Mira Mezini), In IEEE/ACM International Conference on Automated Software Engineering (ASE 2015), pages 619-629, 2015.
Sicherheitsanalyse TrueCrypt (Mauro Baluda, Andreas Fuchs, Philipp Holzinger, Lotfi ben Othmane, Andreas Poller, Jürgen Repp, Johannes Späth, Jan Steffan, Stefan Triller, Eric Bodden), Technical report, Bundesamt für Sicherheit in der Informationstechnik, 2015.

2014

A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks (Siegfried Rasthofer, Steven Arzt, Eric Bodden), In 2014 Network and Distributed System Security Symposium (NDSS), 2014. 
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps (Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, Patrick McDaniel), In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 259-269, PLDI '14, ACM, 2014. Awarded: Artifact Evaluation Award 
FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases (Johannes Lerch, Ben Hermann, Eric Bodden, Mira Mezini), In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 98-108, FSE 2014, ACM, 2014.