The advanced seminar (Oberseminar) "Secure Software Engineering" is open to all members of the university.

It takes place every second Wednesday from 16:00 to 17:00. At present, the seminar is held online via Skype.

To book a slot, please send the following information by e-mail to Jonas Klauke at least one week before the desired date:

1. Title of your talk

2. Abstract of your talk

3. Do you allow us to publish your name on this web page (yes/no)?

4. The name of the supervisor of the bachelor's or master's thesis

5. The names of the first and second examiners, for final presentations


| Date | Title | Speaker | Type | Comment |
|---|---|---|---|---|
| 25.10.2023, 16:30 | Empirical Evaluation of Call Graph Precision's Impact on the Scalability of IFDS-Based Static Analyses [1] | Palaniappan Muthuraman | MA | in person, FU.511, English |
| 08.11.2023, 16:00 | Involving Non-Developers in AI Solutions: Developing a Low-Code Interface for Data Model Transformation [2] | Krishna Madhav | M | in person, FU.511, English |
| 08.11.2023, 16:30 | Roman Topic Presentation | Roman Trentinaglia | S | in person, FU.511, English |
| 15.11.2023, 16:00 | TypeEvalPy: A Common Evaluation Framework with Benchmarks for Type Inference in Python [3] | Samkutty Sabu | M | in person, FU.511, English |
| 15.11.2023, 16:30 | Oshando Topic Presentation | Oshando Johnson | S | in person, FU.511, English |
| 22.11.2023, 16:00 | Mugdha Topic Presentation | Mugdha Khedkar | S | in person, FU.511, English |
| 06.12.2023, 16:00 | Research Project CyRille - Cyber Resilience in the Cybersecurity Training Lab [4] | Stefan Dziwok | S | in person, FU.511, English |
| 13.12.2023, 16:00 | Marcus Topic Presentation | Marcus Hüwe | S | in person, FU.511, English |
| 20.12.2023, 16:00 | BIBIFI 2.0 Project Group Talk | SSE PG group | S | in person, FU.511, English |
| 20.12.2023, 16:30 | Improving User Experience of Program Slicing with respect to Data Privacy | Amit Kumar | M | in person, FU.511, English |
| 31.01.2024, 16:00 | Stefan Topic Presentation | Stefan Schott | S | in person, FU.511, English |
| 31.01.2024, 16:30 | Hybrid Reachability-Based Vulnerability Assessment and Debloating of Open Source Dependencies [5] | Jonas Klauke | S | in person, FU.511, English |
| 07.02.2024, 16:00 | Ashwin Topic Presentation | Ashwin Prasad Shivarpatna Venkatesh | S | in person, FU.511, English |
| 21.02.2024, 16:30 | Sriteja Topic Presentation | Sriteja Kummita | S | in person, FU.511, English |


[1] Interprocedural Finite Distributive Subset (IFDS) is a powerful and versatile static analysis technique that enables the analysis of complex software systems by tracking the flow of data across multiple functions and statements. IFDS is flow- and context-sensitive. Its runtime behaviour is intricately linked to two key factors: D (size of data-flow facts) and E (size of edges). The preservation of precision D is crucial for accurate analysis results. One effective strategy employed to enhance the efficiency of IFDS-based static analysis is Sparsification. Sparsification focuses on reducing the number of edges (E) in the CFG. During this process, the call and return statements are intentionally preserved, under the assumption that they significantly contribute to the final analysis result. Fact-specific sparsification takes this step further by intelligently pruning the irrelevant statements within a procedure's CFG. It does so while ensuring that the data-flow facts are soundly propagated to the procedures they are meant to map to. These mapping procedures are determined by call graph (CG) algorithms. The key insight is that the call graph (CG)'s precision directly influences the analysis's performance. By increasing CG precision, we aim to explore how it impacts the efficiency and accuracy of the IFDS-based static analyses.

[2] The past few years have seen a growth in demand for software products harnessing AI capabilities in various domains as AI techniques significantly improve products and services offered to customers. Out of other domains, manufacturing and production plants have also seen a subtle increase in AI solutions due to digitalization and the rapid transition to Industry 4.0. However, the use of AI features creates a range of issues like lack of transparency and explainability, the bias problem, ethical decision-making, and trust deficit, which arise due to the black box effect of AI. The manufacturing plants generate an immense amount of data but don’t trust AI to improve product quality and operational efficiency. To solve these problems, XMANAI (Explainable AI for Manufacturing), an XAI platform, is used that provides glass box explainable models and also assists humans in the loop for better decision-making. The XMANAI platform makes use of a software component called the ‘API Data Harvester’ (ADH), which extracts datasets from external APIs. The XMANAI platform subsequently uses this data to train and refine its AI models for various use cases like demand forecasting and predictive maintenance. The data harvested from various external APIs can vary drastically in structure, content, and size. Therefore, the data needs to be transformed into the XMANAI data model before storing it in the central XMANAI database. The data transformation is a crucial step as the data received from manufacturing plants do not conform to the XMANAI data standard. This critical data conversion is carried out by the transformer, a subcomponent of the ADH. Presently, the transformer only comprises a backend component, and it requires the development of a frontend component. Also, at present, the transformation is done via coding, posing a constraint for individuals without programming backgrounds employed at manufacturing plants.
To overcome these limitations, the primary focus of this thesis is the development of a frontend component (GUI) for the transformer. The GUI’s objective is to make data transformation both feasible and transparent for people working in the manufacturing sector, thereby striving to make data engineering accessible to non-developers. This GUI will be embedded into an overarching frontend of the whole API Data Harvester. The GUI is designed in a way such that it is intuitive and user-friendly and provides simple drag-and-drop options for transforming the data. Furthermore, the GUI generates a transformation script that can be saved and reused during subsequent harvesting processes.

[3] Type inference is a key feature in static analysis that aids in detecting errors early on, thereby improving code quality and enhancing maintainability. Python, being a dynamically typed language where types are inferred at runtime, poses a challenge for developers to ensure type safety. Although several tools have been developed to help overcome this, the effectiveness and efficiency of these tools depend on various factors, such as the complexity of the code and the nature of the problem being solved. Hence, having a benchmark framework to evaluate and compare the performance of these tools is quite essential. Existing research has primarily focused on evaluating type inference tools using real-world benchmarks or custom benchmarks created by the researchers. Although these methods are helpful, they have neglected the significance of micro-benchmarks. Moreover, a standardized result format that can be used to compare and interpret benchmark results across all tools is absent. To address these challenges, we have developed “TypeEvalPy” that serves as a common evaluation framework for type inference tools. The research aims to provide a comprehensive and accurate assessment of the tools' performance with the assistance of micro-benchmarks. Additionally, it includes a common framework for analyzing tools that will enable easier comparison of results obtained across different tools.

[4] Cyber resilience is the ability to detect security incidents, initiate countermeasures, recover efficiently from damage, and continue to achieve its objectives. This is especially important for CRITIS entities that provide essential services to society. Since complete protection against cyber attacks is not possible and successful attacks are only a matter of time, KRITIS institutions in particular must continuously improve their cyber resilience to minimize damage and achieve rapid recovery. Currently, however, many KRITIS organizations across industries are not aware of how well they or their products and services are positioned in terms of cyber resilience. In addition, since most employees lack competence and there is a lack of tailored training opportunities, a systematic improvement of cyber resilience is currently not possible. In the CyRille project, we develop new services for the Cybersecurity Training Lab, especially for KRITIS institutions and their products, in order to strengthen the respective cyber resilience. Specifically, we develop assessments to efficiently determine the current state of cyber resilience and design training courses to systematically increase the awareness and competencies of employees. With regard to further training, we design and develop a basic training course and, building on this, sector-specific and facility-specific expert training courses for facilities and product teams. For selected facilities and products, we pilot and evaluate our new assessments and trainings.

[5] Research findings indicate the prevalence of unused or partially utilized open source dependencies in applications. To tackle this issue, a reachability-based approach is employed, utilizing both static and dynamic call graph generation to identify reachable vulnerable methods while eliminating unreachable ones. The presentation will discuss the challenges, progress, and planned solution for a hybrid reachability-based vulnerability assessment and attack surface reduction in open source dependencies.


The Type column indicates the kind of talk:

  • Master's thesis (M)
  • Inaugural talk for a master's thesis (AM)
  • Bachelor's thesis (B)
  • Inaugural talk for a bachelor's thesis (AB)
  • Dissertation (Diss)
  • Interim report on the dissertation (ZDiss)
  • Project group report (PG)
  • Interim report of the project group (ZPG)
  • Invited talk (EV)
  • Other (S)

Interim reports are usually shorter and are meant to present the topic and possibly first solution ideas.