Highly Configurable Systems - July 2016

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): Jurgen Pfeffer
Co-PI(s): Christian Kastner

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)

Scalability and compositionality

We address scalability of assurances for highly configurable systems with exponentially growing configuration spaces. A compositional analysis of options will allow the analysis to scale; for this, it is important to investigate how options are implemented and how they interact. In addition, modular and timely recertification of changes and variations is essential to make security judgements scale in practice.

2) PUBLICATIONS

G. Ferreira, M. Malik, C. Kastner, J. Pfeffer, and S. Apel. Do #ifdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel. In Proceedings of the 20th International Software Product Line Conference (SPLC), New York, NY: ACM Press, September 2016.

Jens Meinicke, Chu-Pan Wong, Christian Kastner, Thomas Thum, Gunter Saake. On Essential Configuration Complexity: Measuring Interactions In Highly-Configurable Systems. In Proceedings Int'l Conf. Automated Software Engineering (ASE). 2016

C. Bogart, C. Kastner, J. Herbsleb, and F. Thung. How to Break an API: Cost Negotiation and Community Values in Three Software Ecosystems. In Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), New York, NY: ACM Press, November 2016.

3) KEY HIGHLIGHTS

* Analyzed how data flows within applications are influenced by configuration options. Developed a measurement framework and measurement infrastructure (using a variational execution engine), finding that interactions on data flow are common but that their analysis is tractable due to common sharing characteristics. This work can lead to a better understanding of interactions and to analysis tools that exploit typical interaction characteristics to identify security issues caused by interactions (such as leaking of data in specific combinations of configuration options). To be published at ASE 2016.

* Interviewed 10 developers, reviewers, and policy makers regarding software security and safety certification practices using Common Criteria and DO178, classifying challenges and opportunities, especially with regard to security-related recertification and compositional certification.

* Presented invited keynote at VACE workshop (Workshop on Variability and Complexity in Software Design) on quality assurance for highly configurable software systems (including security issues) in Austin, TX (May 2016).