Next Seminar on 26.04.2023
Written on 20.04.2023 10:47 by Niklas Medinger
The next seminars take place on 26.04.2023; Session A and Session B both start at 14:00 and run in parallel.
Session A: (14:00-15:00)
Niklas Flentje, Dominic Troppmann
Meeting-ID: 967 8620 5841
Session B: (14:00-14:30)
Nils Hagen
Session A
14:00 - 14:30
Speaker: Niklas Flentje
No information provided.
14:30 - 15:00
Speaker: Dominic Troppmann
Type of talk: Master Intro
Advisor: Dr. Cristian-Alexandru Staicu
Title: Trust is good, control is better: Shedding light on typing practices in gradually typed scripting languages.
Research Area: RA5: Empirical and Behavioural Security
But does this happen in practice, or might developers even be fooled into thinking their scripts become type-safe by simply annotating them? This study aims to address this question and better understand typing-related practices. More specifically, we want to learn how much developers rely on type annotations/checks, where developers are most likely to implement them, and to discern whether type annotations/checks, or rather the lack thereof, can be used as an indicator for typing-related bugs and vulnerabilities. To this end, we develop a static analysis based on CodeQL, which we use to analyze several tens of thousands of real-world GitHub projects.
With this work, we hope to provide sufficient evidence about the importance of implementing solid type checks, even in the presence of type annotation, for developers to continuously adopt safer programming practices.
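The gap the talk targets, annotation without check, can be shown in a few lines. The following is an added illustration in Python (a gradually typed scripting language); it is not part of the speaker's study or of the seminar page. The table, the request body and the helper names (make_db, lookup_user_unchecked, enforce_annotations, lookup_user_checked, demo) are constructed for this example; enforce_annotations is a hypothetical helper, not a library API.

```python
import inspect
import json
import sqlite3
from functools import wraps
from typing import get_type_hints


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_user_unchecked(conn: sqlite3.Connection, user_id: int) -> list:
    """Annotation only. The hint says int, so the author interpolates the value
    straight into the query; nothing at run time enforces that promise."""
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def enforce_annotations(func):
    """Hypothetical decorator: turns the function's annotations into run-time
    isinstance checks. Plain classes only, no generics such as list[int]."""
    hints = get_type_hints(func)
    sig = inspect.signature(func)

    @wraps(func)
    def wrapper(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)
        for name, value in bound.arguments.items():
            expected = hints.get(name)
            if expected is None:
                continue
            # bool subclasses int in Python; treat True/False as a type error for int.
            if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
                raise TypeError(f"{func.__name__}: {name!r} must be "
                                f"{expected.__name__}, got {type(value).__name__}")
        return func(*args, **kwargs)

    return wrapper


@enforce_annotations
def lookup_user_checked(conn: sqlite3.Connection, user_id: int) -> list:
    """Annotation plus a run-time check, plus a parameterised query so the driver,
    not the type hint, keeps the value out of the SQL text."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


# Constructed untrusted request body: JSON delivers a str where an int was expected.
REQUEST_BODY = '{"user_id": "1 OR 1=1"}'


def demo():
    conn = make_db()
    user_id = json.loads(REQUEST_BODY)["user_id"]   # str, despite the int annotation
    leaked = lookup_user_unchecked(conn, user_id)    # WHERE id = 1 OR 1=1: every row
    try:
        lookup_user_checked(conn, user_id)
        rejected = False
    except TypeError:
        rejected = True
    legit = lookup_user_checked(conn, 1)
    return len(leaked), rejected, legit


if __name__ == "__main__":
    print(demo())
```

A static checker such as mypy accepts the unchecked call without complaint, because json.loads is typed as returning Any, which is exactly the situation in which a developer may believe the annotation has made the script type-safe.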
Session B
14:00 - 14:30
Speaker: Nils Hagen
Type of talk: Bachelor Intro
Advisor: Prof. Andreas Zeller, Leon Bettscheider
Title: Semantic fuzzing with I/O contracts
Research Area: RA5: Empirical and Behavioural Security
Grammar-based fuzzing with context-free grammars is a common technique to make fuzzers more program-specific and to increase coverage. This has proven to be an especially successful test generation method in black-box settings with target programs that require highly-structured inputs. However, context-free grammars are limited to the expression of syntactic constraints which makes them unsuitable for input/output affiliations (like in a client/server architecture or other reactive systems) where input and output are semantically linked. Most fuzzers therefore rely solely on generic test oracles for bug detection that either detect program crashes or output on standard error ports.
To express more powerful oracles we additionally want to consider the aforementioned input-output relations. In this work we present a method to describe these semantically linked interactions through I/O contracts where syntactic and semantic properties are expressed through intertwined context-free grammars (termed I/O grammars) and semantic ISLa constraints. Furthermore, we show how to apply these methods in practice on a real-world server implementation of the IRC protocol and compare them to traditional context-free
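To make the difference between a generic crash oracle and an I/O contract concrete, here is an added example in Python that is not part of the talk, of ISLa, or of any real IRC server: a constructed toy grammar for an IRC-style NICK registration, a constructed toy server with a defect planted for this example (it silently truncates nicks to 9 characters), and a contract that links the nick in the request to the nick in the reply. All names (GRAMMAR, derive, toy_irc_server, io_contract, fuzz) are assumptions of this example; the contract is written as a plain Python predicate standing in for an ISLa constraint over the two grammars.

```python
import random
import re

# Constructed client-side grammar: "NICK <nick>\r\n" with nicks of 1 to 12 characters
# (deliberately longer than the 9-character limit the toy server applies).
LETTERS = "abcdefghijklmnopqrstuvwxyz"
NICKCHARS = LETTERS + "0123456789-_"
GRAMMAR = {
    "<start>": [["NICK ", "<nick>", "\r\n"]],
    "<nick>": [["<letter>"] + ["<nickchar>"] * k for k in range(12)],
    "<letter>": [[c] for c in LETTERS],
    "<nickchar>": [[c] for c in NICKCHARS],
}


def derive(symbol: str, rng: random.Random) -> str:
    """Random derivation from the context-free grammar; terminals are returned as-is."""
    if symbol not in GRAMMAR:
        return symbol
    production = rng.choice(GRAMMAR[symbol])
    return "".join(derive(s, rng) for s in production)


def toy_irc_server(message: str) -> str:
    """Constructed system under test. Planted defect: the nick is cut to 9 characters
    and the client is greeted under the truncated name without any error reply."""
    m = re.fullmatch(r"NICK ([^\r\n ]+)\r\n", message)
    if not m:
        return ":server 431 * :No nickname given\r\n"
    nick = m.group(1)[:9]
    return f":server 001 {nick} :Welcome to the toy network\r\n"


# Input grammar and output grammar, each reduced to a regex with a named <nick> part.
REQUEST_RE = re.compile(r"NICK (?P<nick>[a-z][a-z0-9_-]*)\r\n")
REPLY_RE = re.compile(r":server 001 (?P<nick>\S+) :.*\r\n")


def io_contract(request: str, reply: str) -> bool:
    """Semantic constraint spanning input and output: the greeting must address
    exactly the nick that was registered."""
    req = REQUEST_RE.fullmatch(request)
    rep = REPLY_RE.fullmatch(reply)
    return bool(req and rep and req["nick"] == rep["nick"])


def fuzz(server, n: int = 200, seed: int = 1):
    """Generate n requests from the grammar and run two oracles side by side:
    the generic crash oracle (did the server raise?) and the I/O contract."""
    rng = random.Random(seed)
    crashes, violations = [], []
    for _ in range(n):
        request = derive("<start>", rng)
        try:
            reply = server(request)
        except Exception:
            crashes.append(request)      # what a crash-only oracle would report
            continue
        if not io_contract(request, reply):
            violations.append(request)   # what only the I/O contract can report
    return crashes, violations


if __name__ == "__main__":
    crashes, violations = fuzz(toy_irc_server)
    print(f"crashes: {len(crashes)}, contract violations: {len(violations)}")
    for req in violations[:3]:
        print(repr(req), "->", repr(toy_irc_server(req)))
```

The crash oracle reports nothing, since the toy server never raises; the I/O contract flags every request whose nick exceeds nine characters, which is the kind of input/output mismatch a purely syntactic grammar cannot express.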