CRC 901 - Automated risk analysis with respect to open-source dependencies (Hektor) (Transfer project T3)

Overview

This transfer project builds on research from the collaborative research center 901 “On-The-Fly Computing”. It investigates how techniques from the quality assurance of services in On-The-Fly service markets can be applied to the pressing problem of securely managing open-source dependencies in large software development ecosystems. In particular, the project aims to research, develop and assess novel techniques to efficiently and precisely detect and mitigate the inclusion of known-to-be-vulnerable third-party dependencies in software compositions. The project seeks to build an open-source toolchain called HEKTOR that supports the secure development of applications and services.

To this end, the project builds directly on recent developments in the CRC’s subproject B4, which is co-headed by the PI Prof. Bodden. In principle, these developments allow for the precise and efficient analysis of software artifacts on a massive scale. The project seeks to extend the developed techniques and validate their efficacy in a real-world setting at the partner company SAP SE.

The tool HEKTOR will enable developers to assess the risk associated with the use of third-party dependencies. Using newly discovered techniques for effective fingerprinting, HEKTOR will be able to reliably identify vulnerabilities even in situations in which the code in question has been repackaged or recompiled from source code—a challenge frequently encountered in practice. Moreover, through countermeasures such as automated library minimization, HEKTOR will allow developers to reduce their applications’ attack surface, effectively safeguarding their execution even against certain kinds of yet unknown vulnerabilities.

In collaboration with SAP, a world leader in the development and provision of business-to-business cloud services, we aim to implement and evaluate HEKTOR such that it is ready to be applied on a large scale and to a large and diverse set of real-world software development projects.

Key Facts

Project type: Research
Project duration: 08/2021 - 09/2024
Contribution to sustainability: Industry, Innovation and Infrastructure; Reduced Inequality; Peace, Justice and Strong Institutions
Funded by: DFG
Website: Homepage

More Information

Principal Investigators

Prof. Dr. Eric Bodden

Heinz Nixdorf Institute

Cooperating Institutions

SAP

Publications

SootUp: A Redesign of the Soot Static Analysis Framework
K. Karakaya, S. Schott, J. Klauke, E. Bodden, M. Schmidt, L. Luo, D. He, in: Tools and Algorithms for the Construction and Analysis of Systems, Springer Nature Switzerland, Cham, 2024.
Java Bytecode Normalization for Code Similarity Analysis
S. Schott, S.E. Ponta, W. Fischer, J. Klauke, E. Bodden, in: 38th European Conference on Object-Oriented Programming (ECOOP 2024), 2024.
Benchmark Fuzzing for Android Taint Analyses
S. Schott, F. Pauck, in: 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, 2023.
UpCy: Safely Updating Outdated Dependencies
A.P. Dann, B. Hermann, E. Bodden, (2023).
Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
A.P. Dann, H. Plate, B. Hermann, S.E. Ponta, E. Bodden, IEEE Transactions on Software Engineering (2021) 1–1.