Responsible Disclosure: JFrog fixes vulnerability in Artifactory

Eric | August 12, 2015

We have recently discovered and reported a security vulnerability in JFrog’s Artifactory Pro software. Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could not only gain credentials for accessing the repository but, under some circumstances, also credentials for the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.

Artifacts are usually not deployed to Artifactory manually, but by automatic build processes. With JFrog’s official plugin for Atlassian’s Bamboo continuous integration server, the developer can configure the deployment as an after-build task to be performed once a build has succeeded. For this to work, one needs to specify the credentials of an account with “deploy” privileges on Artifactory. This combination of user name and password was, however, stored in plain text in the configuration of the build job. Every user with the privilege to configure the build job could obtain it by simply inspecting the HTML source of the build job’s configuration web page. Since a build job is usually not managed by one person alone but, e.g., by a build maintenance / system integration team, this vulnerability allowed everyone in the team to view the Artifactory credentials that had been entered. If the person who created the job put in his personal credentials, his colleagues could then impersonate him against Artifactory.

Even worse, these hijacked accounts might not even have been restricted to the Artifactory. The JFrog Artifactory can be configured to use a central directory such as a Jira user directory or an LDAP server for authentication. Organizations use this feature to integrate the Artifactory into the organization-wide single-sign-on (SSO) system. This, however, means that the credentials at risk were SSO credentials. Attackers could then not only impersonate the user against the Artifactory, but against any other system or service in the organization. They could, for instance, log into machines, the internal wiki, or other resources.

JFrog has fixed the issue in Version 1.8.1 of the plugin.
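As an added illustration (not code from the JFrog plugin or from the original post), the following audit check looks for the disclosure pattern described above: a configuration page that echoes a stored password back into its HTML source. The field names and both sample pages are constructed for this example; the hardened variant shows the rendering that keeps the secret server-side.

```python
# Added example: audit rendered configuration HTML for password fields whose
# stored value is sent back to the browser. Field names and pages are constructed.
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collects <input type="password"> fields rendered with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.leaked = []  # names of password inputs that carry their value

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.leaked.append(a.get("name", "<unnamed>"))


def leaked_password_fields(page_html):
    """Return the names of password fields whose value is visible in the HTML."""
    auditor = PasswordFieldAuditor()
    auditor.feed(page_html)
    return auditor.leaked


# Constructed page in the vulnerable style: the deploy credentials are
# round-tripped into the form, so anyone allowed to open the job
# configuration can read them from the page source.
VULNERABLE_PAGE = """
<form action="/build/admin/edit/updateTask.action" method="post">
  <input type="text" name="artifactoryUser" value="deploy-bot">
  <input type="password" name="artifactoryPassword" value="s3cret-deploy-pw">
</form>
"""

# Constructed hardened rendering: the secret stays server-side and the form
# only carries an empty field plus a placeholder, so the source reveals nothing.
HARDENED_PAGE = """
<form action="/build/admin/edit/updateTask.action" method="post">
  <input type="text" name="artifactoryUser" value="deploy-bot">
  <input type="password" name="artifactoryPassword" value=""
         placeholder="(leave blank to keep the stored password)">
</form>
"""
```

Running `leaked_password_fields` over each page flags `artifactoryPassword` only for the vulnerable rendering.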

Cross-posted from SEEBlog


[Bachelor-Thesis] Evaluating the Effectiveness of Android Malware Detection Approaches

Eric | August 6, 2015

We are looking for an interested student who wants to write her/his bachelor thesis at the Secure Software Engineering Group about Android security.

Title: Evaluating the Effectiveness of Android Malware Detection Approaches

Android is the world’s most popular mobile platform, hosting applications for almost every need in various app stores. This makes Android applications a valuable target for attackers. Indeed, there are many different Android malware families that try to financially harm the victim. This is done through different techniques, such as sending premium-rate messages or stealing banking credentials. Since malware authors wish to remain undiscovered as long as possible, they apply various obfuscation techniques that make it very hard to automatically detect malicious applications.

At the same time, many thousands of applications get uploaded to app stores or sent to anti-virus companies every day, all of which need to be analyzed for malicious behavior. A manual analysis process is infeasible, fostering the need for precise and efficient automatic malware detection approaches. Researchers have developed many different techniques, such as machine-learning approaches or behavior analysis, to automatically reason about the maliciousness of an application, but an important question is how to evaluate those approaches. A representative evaluation requires experiments on realistic malware samples.

The task of the student is to (1) create a benchmark suite with state-of-the-art malware samples, including obfuscated or packed malware, (2) evaluate different existing detection approaches on that benchmark suite, and (3) develop proposals for possible improvements to the detection approaches.

Requirements:

Knowledge about Android is required (having implemented your own Android apps would be beneficial), as is an interest in Android security. Reverse-engineering skills, especially in the context of Android applications, are beneficial.

The thesis can be written in German or English.

Are you interested? Please contact Siegfried Rasthofer at siegfried.rasthofer@cased.de / +49 6151 16-75425

Cross-posted from SEEBlog


Toward a Just-in-Time Static Analysis

Eric | August 3, 2015

To facilitate an early dissemination, we are today making available the following technical report. It outlines our vision of how static security code-analysis tools can be made more interactive, by allowing for just-in-time interactions. This is a collaboration with Ben Livshits from MSR.

Toward a Just-in-Time Static Analysis (Lisa Nguyen Quang Do, Karim Ali, Eric Bodden, Benjamin Livshits), Technical report TUD-CS-2015-1167, EC SPRIDE, 2015.

Cross-posted from SEEBlog


Asking for 10 minutes of your time on Java/crypto research

Eric | August 3, 2015

We are a group of researchers from TU Darmstadt, Germany, who work on creating tools to help developers use cryptography in their Java applications. 

We are looking for developers who use Java cryptography APIs to answer a short 10-minute survey. 

Our goal is to understand what cryptography tasks are usually performed, any difficulties developers face, and what would help Java developers use cryptography more correctly/efficiently.

Your participation is voluntary and completely anonymous. To participate, please fill in the survey at the following link: http://tiny.cc/java_crypto_survey
Thanks!

Please feel free to forward this invitation to any Java developers you might know.

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden

Cross-posted from SEEBlog


Community services for 2016

Eric | July 30, 2015

I am happy to announce that for 2016 I have confirmed membership in the program committees of all of the major software engineering conferences, i.e., ICSE, FSE and ASE. ISSTA disallows invitations for the third time in a row, which is why I will contribute as co-chair of the artifact evaluation. Also, I will be a member of the CODASPY PC. For ASPLOS, the reviewing period clashes with the one of ICSE, which is why I decided to only contribute to the ERC. Let there be many good submissions!

Cross-posted from SEEBlog


Interview with Technology Review

Eric | July 19, 2015

A few weeks ago, the German edition of Technology Review interviewed me on the state of software security. The article is available now.

Cross-posted from SEEBlog


Consider submitting to ESSOS’16

Eric | July 12, 2015

Please consider submitting your research papers to ESSOS’16 which will take place in April at Royal Holloway London. We have been able to put together an excellent program committee. Submission deadline is October 2nd.

Cross-posted from SEEBlog


Two new papers to appear at ISC

Eric | July 7, 2015

On our website we have now available two new papers accepted at ISC. The first paper originated out of our collaboration with SAP. It reports on a qualitative empirical study determining Factors Impacting the Effort Required to Fix Security Vulnerabilities. Thanks to our collaborators for the great work! The second work is on Dynamically Provisioning Isolation in Hierarchical Architectures, a novel, lightweight and effective means to counter side channels and covert channels in the cloud. Enjoy!

Cross-posted from SEEBlog


All Your Code Belongs To Us – Dismantling Android Secrets With CodeInspect

Eric | June 23, 2015

Steven will give a talk about CodeInspect at GOTO Copenhagen, a leading international conference on software development. We are looking forward to a great conference.

Title of the talk: “All Your Code Belongs To Us – Dismantling Android Secrets With CodeInspect”

Abstract of the talk:

Android malware is getting more and more sophisticated. So-called “sleeper” applications only trigger their malicious behavior after a certain time has passed or a certain event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. To counter static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving manual analysis as the only viable option – a very difficult and time-consuming undertaking.

To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human readable representation of the application’s bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. Using CodeInspect, the engineer can debug an app in combination with the Android Open Source Project (AOSP) live, can rename (obfuscated) identifiers, jump to definitions, remove or add statements and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.

CodeInspect also includes new code-analysis techniques that, to the best of our knowledge, are not available in any other reverse-engineering tool. These techniques include a fully-automatic de-obfuscation of reflective method calls, string de-obfuscation and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can be easily used in combination. Aside from malware, these features of CodeInspect also allow an analyst to assess the security of closed-source libraries, detect unwanted behaviors in advertisement SDKs, and check apps for security vulnerabilities such as hard-coded secrets.

This talk is aimed at software engineers as well as security experts. For software engineers, we will demonstrate how fast users of CodeInspect can extract data from their apps’ bytecode, showing that trying to hide secrets in the code is not secure. If you include keys or passwords in your app code, they are lost – even if you obfuscate them. We will also show how easily a trial version of an application can be upgraded to a full (paid) version with CodeInspect, circumventing prevalent mechanisms for in-app purchases. The goal is to sensitize developers to the risks posed by current technologies.

Cross-posted from SEEBlog


New SSE Papers Accepted

Eric | June 22, 2015

Several new papers written by members of the Secure Software Engineering Group have now been accepted at renowned international venues. The papers cover topics such as the reduction of false positives in static data flow analysis, the in-depth analysis of modern, sophisticated malware applications, and the challenges of developing secure software using agile techniques.

The paper “Using Targeted Symbolic Execution for Reducing False-Positives in Dataflow Analysis” describes a technique for pruning false alarms from the result list of static data flow analysis tools such as FlowDroid. It will appear at the 4th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP 2015), co-located with PLDI 2015 in Portland, Oregon.

The paper “An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack” describes in detail a new and sophisticated malware application for Android. This malware has infected about 20,000 Korean users and has stolen banking details from their smartphones. The paper has been accepted for publication at The 9th WISTP International Conference on Information Security Theory and Practice (WISTP’2015).

In a paper called “Analysis of the Challenges of Developing Secure Software Using the Agile Approach”, researchers from the Secure Software Engineering Group investigate the key challenges that arise when using modern agile software development processes for security-critical applications. The paper will be presented at The First International Workshop on Agile Secure Software Development (ASSD) at ARES 2015.

Cross-posted from SEEBlog
