SCG News

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Mohammadreza Hazhirpasand, Mohammad Ghafari, and Oscar Nierstrasz. CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs. In 27th edition of the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 632-636, March 2020.


Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure. We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3 263 secure uses and 5 897 insecure uses of the Java Cryptography Architecture mined from 2 324 Java projects on GitHub. A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, that developers can save time compared to searching the internet for such examples, and that they learn to avoid using certain algorithms in APIs by studying misused API examples. We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.

Posted by scg at 2 June 2020, 10:15 am

Threats to Validity in TDD Research

Timm Gross. Threats to Validity in TDD Research. Bachelor’s thesis, University of Bern, May 2020.


Context: Test driven development (TDD) is an iterative software development technique where unit tests are defined before production code. Recent quantitative empirical investigations into the effects of TDD have been contrasting and inconclusive. Additionally, studies have shown that TDD is not as widely used as expected. At the same time, the body of research contains anecdotal evidence about the usefulness of TDD in practice. This makes it difficult for decision makers in development teams to use the research as the basis for the decision of whether or not to apply TDD. Objective: We present a study designed to uncover the threats to validity in previous studies that prevent them from being usable in decision making processes. In order to do that, we first studied what values practitioners associate with software testing. Method: We first conducted 15 hours of ethnographically informed qualitative interviews with a small development team to capture the perceived benefits of testing. Then we analysed the threats to validity mentioned in the body of research in a literature review. Results: The interviewed developers put equal emphasis on quality related aspects (i.e. productivity, internal and external code quality) and non quality related aspects (i.e. collaboration, confidence, knowledge transfer, etc.) of testing. In contrast, the analyzed research papers focus almost exclusively on quality related aspects of TDD. In addition, we identified the common threats to validity in the following areas: participant selection, task selection, context of the study, threats to validity regarding quality, length of observation, amount of iteration, comparisons to other techniques, measuring the adherence to TDD, and a lack of qualitative research. Conclusion: Contrasting the views of practitioners on testing and the common threats to validity in TDD research allows us to highlight opportunities for further research. Especially for researchers aiming to provide scientific support for decision making processes of how and when to apply TDD in practice, this study summarizes important aspects to consider.

Posted by scg at 27 May 2020, 9:15 am

An Investigation into Vulnerability Databases

Brian Schweigler. An Investigation into Vulnerability Databases. Bachelor’s thesis, University of Bern, May 2020.


The vulnerability databases’ affiliations and contributions are non-trivial and have not yet been studied in depth. This raises a major concern regarding the correctness of the data used in numerous existing studies. To investigate this problem, we first collected publicly available data from the websites of five major database providers, and then we normalized and correlated the individual entries to track them within different vulnerability databases. 370,298 security reports were extracted, 89% of which were accessible at more than one provider. Surprisingly, many reports were inconsistent with respect to scores and detail descriptions. In the scoring system CVSS version 3.0, for example, we found on average a difference of 0.8 between NVD and Snyk, whereas CVSS version 2.0 remains largely consistent, with a difference of only 0.1 between NVD and RAPID7. Furthermore, we discovered that the security-related popularity differs for widely used software, and we show that shared code bases, but not library usages, can be predicted by aggregating security reports over periods of time. Finally, in visualizations, software release cycles become visible.

Posted by scg at 25 May 2020, 1:47 pm

Investigating Phishing on Demand

Pascal Gerig. Investigating Phishing on Demand. Bachelor’s thesis, University of Bern, May 2020.


Gathering protected information by disguising an attacker as a trustworthy contact in electronic communication, also known as “phishing”, is the primary technique attackers use to steal sensitive data. Phishing websites are mainly static and barely synchronize with the original website. We investigate “Phishing on Demand”, a technique to dynamically replicate any website for phishing purposes. The replicas are available with a few clicks and are always in sync with the original web pages. Our studies with a proof of concept show that this phishing technique is highly effective. For instance, we could successfully run phishing campaigns against major Swiss e-banking websites with two-factor authentication. With this thesis, we show that there is a demand for more robust visual similarity algorithms for websites that are able to track changes applied to original sites such as insertions of banners, rewritings of text, or alterations to graphics.

Posted by scg at 22 May 2020, 9:15 am

Debugging Spark Applications — A Study on Debugging Techniques of Spark Developers

Melike Geçer. Debugging Spark Applications — A Study on Debugging Techniques of Spark Developers. Master’s thesis, University of Bern, May 2020.


Debugging is the main activity to investigate software failures, identify their root causes, and eventually fix them. Debugging distributed systems in particular is burdensome, due to the challenges of managing numerous devices and concurrent operations, detecting the problematic node, lengthy log files, and real-world data being inconsistent. Apache Spark is a distributed framework which is used to run analyses on large-scale data. Debugging Apache Spark applications is difficult, as no tool apart from log files is available on the market. However, an application may produce a lengthy log file, which is challenging to examine. In this thesis, we aim to investigate various techniques used by developers on a distributed system. In order to achieve that, we interviewed Spark application developers, presented them with buggy applications, and observed their debugging behaviors. We found that most of the time, they formulate hypotheses to allay their suspicions and check the log files as the first thing to do after obtaining an exception message. Afterwards, we use these findings to compose a debugging flow that can help us to understand the way developers debug a project.

Posted by scg at 20 May 2020, 10:15 am
Last changed by admin on 21 April 2009