Prof. Dr. Eric Bodden
Secure Software Engineering
22nd March 2022, 4:00pm - 5:00pm (GST)
How to Statically Detect Insecure Uses of Cryptography - At Scale and with almost Perfect Precision
For decades, static code analysis has been notorious for being ineffective due to high false-positive rates. Yet recent algorithmic breakthroughs have now given us the capability to build static analysis tools that not only rapidly analyze code bases with millions of lines of code, but also yield perfect precision in most practical cases. In particular, by engineering novel program abstractions and accompanying algorithmic tricks, we were able to show that context-sensitive and field-sensitive static analysis, although undecidable in theory, is actually computable for all practical purposes, and even efficiently so.
Excitingly, this leap in analysis technology now allows us to build automated analysis tools that can pinpoint devastating security vulnerabilities within seconds, even in large code bases, for the first time giving us the opportunity to draw a precise map of vulnerability distributions on a large scale. As an example, I will demonstrate CogniCrypt, a recent security code analysis tool that precisely identifies insecure uses of cryptography. I will report on a study in which we have applied CogniCrypt to all 2.7 million software artifacts on Maven Central, and hundreds of security-critical Android apps, leading to the coordinated disclosure of vulnerabilities, for instance, in Symantec Norton Identity Safe and the VR-Banking app.
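To make the kind of check the abstract describes concrete, here is a small, added illustration (not CogniCrypt's code, nor Prof. Bodden's) of why precision hinges on tracking values through the program rather than matching call sites in isolation: a flow-sensitive, intraprocedural pass that resolves the transformation string passed to the JCA's `Cipher.getInstance` / `MessageDigest.getInstance` through local `String` variables before judging it. The Java input and the rule set (bare `"AES"` defaulting to ECB, MD5/SHA-1 as weak digests) are constructed for the example; a real analysis would also be context-, field- and alias-sensitive.

```python
import re

# Rules modelled on the JCA misuses such tools report (constructed for this example).
# A transformation of just "AES" defaults to ECB mode in the JCA, so it is treated as ECB.
WEAK_DIGESTS = {"MD5", "SHA-1", "SHA1"}

ASSIGN_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')     # String t = "...";
REASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;')        # t = "...";
CALL_RE = re.compile(r'(Cipher|MessageDigest)\.getInstance\(\s*("([^"]*)"|(\w+))\s*\)')

def analyze(java_source):
    """Walk one method body top to bottom, propagating string constants through
    local variables, and report crypto API calls whose resolved argument is insecure
    or cannot be resolved statically at all."""
    consts = {}          # variable name -> last known string constant
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        m = ASSIGN_RE.search(line) or REASSIGN_RE.match(line)
        if m:
            consts[m.group(1)] = m.group(2)     # flow-sensitive: later writes win
        for c in CALL_RE.finditer(line):
            api, literal, var = c.group(1), c.group(3), c.group(4)
            value = literal if literal is not None else consts.get(var)
            if value is None:
                findings.append(f"line {lineno}: {api}.getInstance({var}) not resolvable statically")
                continue
            if api == "Cipher":
                parts = value.split("/")
                mode = parts[1].upper() if len(parts) > 1 else "ECB"
                if mode == "ECB":
                    findings.append(f"line {lineno}: Cipher {value!r} uses ECB mode")
            elif value.upper() in WEAK_DIGESTS:
                findings.append(f"line {lineno}: weak digest {value!r}")
    return findings

# Constructed Java snippet: the same variable feeds a secure and an insecure call.
SAMPLE = "\n".join([
    'String algo = "AES";',
    'Cipher c1 = Cipher.getInstance(algo);',
    'algo = "AES/GCM/NoPadding";',
    'Cipher c2 = Cipher.getInstance(algo);',
    'MessageDigest md = MessageDigest.getInstance("MD5");',
    'Cipher c3 = Cipher.getInstance(userChoice);',
])

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Only the first `getInstance(algo)` is reported, because the reassignment on line 3 is honoured; a call-site-only matcher would either miss it or flag both.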
Eric Bodden is one of the leading experts on secure software engineering, with a specialty in building highly precise tools for automated program analysis. He is Professor for Secure Software Engineering at Paderborn University and director for Software Engineering and IT-Security at Fraunhofer IEM, where he collaborates with leading national and international software development companies. Further, he is a member of the directorate of the Collaborative Research Center CROSSING at TU Darmstadt.
Prof. Bodden's research has received numerous awards. In 2019, Bodden was named an ACM Distinguished Member. At the German IT-Security Prize, his group scored 1st place in 2016 and 2nd place in 2014. In 2014, the DFG awarded Bodden the Heinz Maier-Leibnitz-Preis, Germany's highest honour for young scientists. Prof. Bodden's research has received five ACM Distinguished Paper Awards in different communities. Prof. Bodden is a member of the editorial boards of ACM Transactions on Software Engineering and Methodology (TOSEM) and Springer Empirical Software Engineering (EMSE). In 2020, Bodden was elected into Working Group 2.4 Software Implementation Technology of the International Federation for Information Processing (IFIP), a UNESCO organization.