Prof. Dr. Eric Bodden

Today we conducted a little case study on OpenSSL to see how frequently people use #ifdef directives. This word cloud shows the relative distribution. There are currently 391 different flags being used in altogether 1874 #ifdef directives (not counting #ifndef etc.). The most prominent one is __cplusplus, occurring 214 times. I wonder how many people actually understand all their different side effects and combinations and how many combinations are actually being used in actual compiled products…

Frequency of occurrence of different #ifdef directives in OpenSSL as of Oct. 25th, 2012

P.S. Thanks to Kevin Falzon for helping out with this graphic!

Our work Challenges in defining a programming language for provably correct dynamic analyses, to be presented at ISOLA next week, describes the challenges involved in designing a new programming language that we plan to develop. This new language is at the core of my new project RUNSECURE. The language is meant to target security experts, who can use it to implement enforcement monitors that when applied to a potentially insecure program will automatically secure the program against certain classes of attacks. Read the rest of this entry »

Quite a while ago, when I was still a student, Malte Clasen, Joachim Kneis and I developed an Arithmetic Coder, written in C++. Brent Scriver has now developed a C# Version on top of it, with some improvements.

Bret Victor has a great essay on Programming Languages and Environments. For anyone interested in software engineering I think it should be a very useful read. And I would love to see some of those concepts pop up in real-world programming environments! (Although some of them would be hard to efficiently implement, it seems.)

Join us for a day-long hands-on lab

Date: Oct. 23rd 2012, Place: Mornewegstr. 30 / S4|14, Room 3.1.01

If you can, bring your own laptop!

This lab is open to members of CASED and TU Darmstadt. If you wish to attend, sign up here. By signing up you commit to attending! Attendance is free of charge.

Soot is one of the most widely-used frameworks for analyzing and transforming Java programs. Recently it has been extended to further support the analysis and transformation of Dalvik/Android bytecode. This day-long interactive hands-on lab has the goal of teaching attendees the basic principles behind Soot and its design, the major components and how they are used, but also how to extend Soot to implement analyses and transformations that are tailored to the user’s needs. The day will be split in three parts. In Part 1, the instructor will give a presentation on the history and API of Soot. Attendees will be able to follow parts of the presentation through examples on their own laptop. In Part 2, attendees will attempt to implement some example program analyses from scratch, both on the intra-procedural and inter-procedural level. During Part 3 (optional) we will split into smaller groups in which attendees can ask questions about projects they would like to implement on their own. They can then start this implementation under the instructor’s guidance. If you wish to discuss a particular topic, it may be useful to email the instructor in advance.

We just released Version 2.0.1 of TamiFlex. This is a bugfix release, fixing a possible segmentation fault caused by incorrect instrumentation.

We got the good news last night… The paper RefaFlex: Safer Refactorings for Reflective Java Programs by Andreas Thies from Fernuni Hagen and myself has won an ACM SIGSOFT Distinguished Paper Award. Other awards go to the papers Remedying the Eval that Men Do by Simon Holm Jensen, Peter A. Jonsson, and Anders Møller and Residual Investigation: Predictive and Precise Bug Detection by Kaituo Li, Christoph Reichenbach, Christoph Csallner, and Yannis Smaragdakis. Congrats!

RUNSECURE is the acronym for a new research project on Provably secure program executions through declaratively defined dynamic program analyses, which the DFG is now funding for up to five years through its prestigious Emmy Noether Fellowship program. As the DFG writes, “The Emmy Noether Program supports young researchers in achieving independence at an early stage of their scientific careers. Young postdocs gain the qualifications required for a university teaching career during a DFG-funded period, usually lasting five years, in which they lead their own independent junior research group. As a rule, researchers who have acquired between two and four years of postdoctoral research experience are eligible to apply. Applicants must have international research experience.”

Project RUNSECURE

Modern software systems are rich in functionality but also prone to bugs and vulnerabilities that threaten the security and privacy of users and their data. In the past years, researchers have made significant progress in the static analysis of such systems, which allows developers to recognize and remove programming errors prior to deployment. Many vulnerabilities, however, can only be recognized as a piece of software executes, last but not least because also malicious attackers can use static-analysis tools to craft exploits in such a way that they circumvent static detection. A truly secure execution environment must therefore combine static analyses with just-in-time runtime analyses.

The project RUNSECURE will develop methods, techniques and tools that will allow software developers to reliably detect and security vulnerabilities and prevent them from being exploited. No matter how much an exploit tries to conceal its malicious intent, it can always be recognized when it is about to execute. At this point in time, one must be sure, however, that the executing exploit can be recognized and prevented from succeeding. To this end, the project will develop a novel programming language that allows developers to define dynamic program analyses and security monitors in a highly declarative manner. Analyses defined that way are then amenable to highly efficient automatic code generation and can easily be proven correct, due to their high level of abstraction.

This project is initially funded for three years, with possible extension up to five years. Thanks to everyone who supported my application!

Press Coverage

• FAZ, 19.07.2012
• SearchSecurity, 13.7.2012
• ProLOEWE, 11.7.2012
• Echo Online, 11.7.2012
• TU Darmstadt, 11.7.2012
• CASED, 11.7.2012
• EC SPRIDE, 11.7.2012