DLR Secure Software Engineering - Position and Vision Paper

DLR as research organization increasingly faces the task to share its self-developed software with partners or publish openly. Hence, it is very important to harden the softwares to avoid opening attack vectors. Especially since DLR software is typically not developed by software engineering or security experts. In this paper we describe the data-oriented approach of our new found secure software engineering group to improve the software development process towards more secure software. Therefore, we have a look at the automated security evaluation of software as well as the possibilities to capture information about the development process. Our aim is to use our information sources to improve software development processes to produce high quality secure software

Scientific Developers v/s Static Analysis Tools: Vision and Position Paper

Usability and the use of automated static analysis tools in the software development process have been an evolving subject of research in the last decades. Several studies shed light on issues like high false positive rates and low comprehensibility, which hinder tool adoption for even software engineers. Yet, the tools' perceived usefulness and ease of use play a much larger role when it comes to untrained software developers, as is usually the case in scientific software development. In this paper, we outline a multi-stage interview study to learn more about how scientists come to accept and use static analysis tools

High frequency atomic tunneling yields ultralow and glass-like thermal conductivity in chalcogenide single crystals

Crystalline solids exhibiting glass-like thermal conductivity have attracted substantial attention both for fundamental interest and applications such as thermoelectrics. In most crystals, the competition of phonon scattering by anharmonic interactions and crystalline imperfections leads to a non-monotonic trend of thermal conductivity with temperature. Defect-free crystals that exhibit the glassy trend of low thermal conductivity with a monotonic increase with temperature are desirable because they are intrinsically thermally insulating while retaining useful properties of perfect crystals. However, this behavior is rare, and its microscopic origin remains unclear. Here, we report the observation of ultralow and glass-like thermal conductivity in a hexagonal perovskite chalcogenide single crystal, BaTiS₃, despite its highly symmetric and simple primitive cell. Elastic and inelastic scattering measurements reveal the quantum mechanical origin of this unusual trend. A two-level atomic tunneling system exists in a shallow double-well potential of the Ti atom and is of sufficiently high frequency to scatter heat-carrying phonons up to room temperature. While atomic tunneling has been invoked to explain the low-temperature thermal conductivity of solids for decades, our study establishes the presence of sub-THz frequency tunneling systems even in high-quality, electrically insulating single crystals, leading to anomalous transport properties well above cryogenic temperatures

Effects of antiplatelet therapy on stroke risk by brain imaging features of intracerebral haemorrhage and cerebral small vessel diseases: subgroup analyses of the RESTART randomised, open-label trial

Background Findings from the RESTART trial suggest that starting antiplatelet therapy might reduce the risk of recurrent symptomatic intracerebral haemorrhage compared with avoiding antiplatelet therapy. Brain imaging features of intracerebral haemorrhage and cerebral small vessel diseases (such as cerebral microbleeds) are associated with greater risks of recurrent intracerebral haemorrhage. We did subgroup analyses of the RESTART trial to explore whether these brain imaging features modify the effects of antiplatelet therapy

Effects of antiplatelet therapy after stroke due to intracerebral haemorrhage (RESTART): a randomised, open-label trial

Background: Antiplatelet therapy reduces the risk of major vascular events for people with occlusive vascular disease, although it might increase the risk of intracranial haemorrhage. Patients surviving the commonest subtype of intracranial haemorrhage, intracerebral haemorrhage, are at risk of both haemorrhagic and occlusive vascular events, but whether antiplatelet therapy can be used safely is unclear. We aimed to estimate the relative and absolute effects of antiplatelet therapy on recurrent intracerebral haemorrhage and whether this risk might exceed any reduction of occlusive vascular events. Methods: The REstart or STop Antithrombotics Randomised Trial (RESTART) was a prospective, randomised, open-label, blinded endpoint, parallel-group trial at 122 hospitals in the UK. We recruited adults (≥18 years) who were taking antithrombotic (antiplatelet or anticoagulant) therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage, discontinued antithrombotic therapy, and survived for 24 h. Computerised randomisation incorporating minimisation allocated participants (1:1) to start or avoid antiplatelet therapy. We followed participants for the primary outcome (recurrent symptomatic intracerebral haemorrhage) for up to 5 years. We analysed data from all randomised participants using Cox proportional hazards regression, adjusted for minimisation covariates. This trial is registered with ISRCTN (number ISRCTN71907627). Findings: Between May 22, 2013, and May 31, 2018, 537 participants were recruited a median of 76 days (IQR 29–146) after intracerebral haemorrhage onset: 268 were assigned to start and 269 (one withdrew) to avoid antiplatelet therapy. Participants were followed for a median of 2·0 years (IQR [1·0– 3·0]; completeness 99·3%). 12 (4%) of 268 participants allocated to antiplatelet therapy had recurrence of intracerebral haemorrhage compared with 23 (9%) of 268 participants allocated to avoid antiplatelet therapy (adjusted hazard ratio 0·51 [95% CI 0·25–1·03]; p=0·060). 18 (7%) participants allocated to antiplatelet therapy experienced major haemorrhagic events compared with 25 (9%) participants allocated to avoid antiplatelet therapy (0·71 [0·39–1·30]; p=0·27), and 39 [15%] participants allocated to antiplatelet therapy had major occlusive vascular events compared with 38 [14%] allocated to avoid antiplatelet therapy (1·02 [0·65–1·60]; p=0·92). Interpretation: These results exclude all but a very modest increase in the risk of recurrent intracerebral haemorrhage with antiplatelet therapy for patients on antithrombotic therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage. The risk of recurrent intracerebral haemorrhage is probably too small to exceed the established benefits of antiplatelet therapy for secondary prevention

Effects of antiplatelet therapy after stroke due to intracerebral haemorrhage (RESTART): a randomised, open-label trial

Background: Antiplatelet therapy reduces the risk of major vascular events for people with occlusive vascular disease, although it might increase the risk of intracranial haemorrhage. Patients surviving the commonest subtype of intracranial haemorrhage, intracerebral haemorrhage, are at risk of both haemorrhagic and occlusive vascular events, but whether antiplatelet therapy can be used safely is unclear. We aimed to estimate the relative and absolute effects of antiplatelet therapy on recurrent intracerebral haemorrhage and whether this risk might exceed any reduction of occlusive vascular events. Methods: The REstart or STop Antithrombotics Randomised Trial (RESTART) was a prospective, randomised, open-label, blinded endpoint, parallel-group trial at 122 hospitals in the UK. We recruited adults (≥18 years) who were taking antithrombotic (antiplatelet or anticoagulant) therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage, discontinued antithrombotic therapy, and survived for 24 h. Computerised randomisation incorporating minimisation allocated participants (1:1) to start or avoid antiplatelet therapy. We followed participants for the primary outcome (recurrent symptomatic intracerebral haemorrhage) for up to 5 years. We analysed data from all randomised participants using Cox proportional hazards regression, adjusted for minimisation covariates. This trial is registered with ISRCTN (number ISRCTN71907627). Findings: Between May 22, 2013, and May 31, 2018, 537 participants were recruited a median of 76 days (IQR 29–146) after intracerebral haemorrhage onset: 268 were assigned to start and 269 (one withdrew) to avoid antiplatelet therapy. Participants were followed for a median of 2·0 years (IQR [1·0– 3·0]; completeness 99·3%). 12 (4%) of 268 participants allocated to antiplatelet therapy had recurrence of intracerebral haemorrhage compared with 23 (9%) of 268 participants allocated to avoid antiplatelet therapy (adjusted hazard ratio 0·51 [95% CI 0·25–1·03]; p=0·060). 18 (7%) participants allocated to antiplatelet therapy experienced major haemorrhagic events compared with 25 (9%) participants allocated to avoid antiplatelet therapy (0·71 [0·39–1·30]; p=0·27), and 39 [15%] participants allocated to antiplatelet therapy had major occlusive vascular events compared with 38 [14%] allocated to avoid antiplatelet therapy (1·02 [0·65–1·60]; p=0·92). Interpretation: These results exclude all but a very modest increase in the risk of recurrent intracerebral haemorrhage with antiplatelet therapy for patients on antithrombotic therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage. The risk of recurrent intracerebral haemorrhage is probably too small to exceed the established benefits of antiplatelet therapy for secondary prevention

Effects of antiplatelet therapy after stroke due to intracerebral haemorrhage (RESTART): a randomised, open-label trial

BACKGROUND: Antiplatelet therapy reduces the risk of major vascular events for people with occlusive vascular disease, although it might increase the risk of intracranial haemorrhage. Patients surviving the commonest subtype of intracranial haemorrhage, intracerebral haemorrhage, are at risk of both haemorrhagic and occlusive vascular events, but whether antiplatelet therapy can be used safely is unclear. We aimed to estimate the relative and absolute effects of antiplatelet therapy on recurrent intracerebral haemorrhage and whether this risk might exceed any reduction of occlusive vascular events. METHODS: The REstart or STop Antithrombotics Randomised Trial (RESTART) was a prospective, randomised, open-label, blinded endpoint, parallel-group trial at 122 hospitals in the UK. We recruited adults (≥18 years) who were taking antithrombotic (antiplatelet or anticoagulant) therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage, discontinued antithrombotic therapy, and survived for 24 h. Computerised randomisation incorporating minimisation allocated participants (1:1) to start or avoid antiplatelet therapy. We followed participants for the primary outcome (recurrent symptomatic intracerebral haemorrhage) for up to 5 years. We analysed data from all randomised participants using Cox proportional hazards regression, adjusted for minimisation covariates. This trial is registered with ISRCTN (number ISRCTN71907627). FINDINGS: Between May 22, 2013, and May 31, 2018, 537 participants were recruited a median of 76 days (IQR 29-146) after intracerebral haemorrhage onset: 268 were assigned to start and 269 (one withdrew) to avoid antiplatelet therapy. Participants were followed for a median of 2·0 years (IQR [1·0- 3·0]; completeness 99·3%). 12 (4%) of 268 participants allocated to antiplatelet therapy had recurrence of intracerebral haemorrhage compared with 23 (9%) of 268 participants allocated to avoid antiplatelet therapy (adjusted hazard ratio 0·51 [95% CI 0·25-1·03]; p=0·060). 18 (7%) participants allocated to antiplatelet therapy experienced major haemorrhagic events compared with 25 (9%) participants allocated to avoid antiplatelet therapy (0·71 [0·39-1·30]; p=0·27), and 39 [15%] participants allocated to antiplatelet therapy had major occlusive vascular events compared with 38 [14%] allocated to avoid antiplatelet therapy (1·02 [0·65-1·60]; p=0·92). INTERPRETATION: These results exclude all but a very modest increase in the risk of recurrent intracerebral haemorrhage with antiplatelet therapy for patients on antithrombotic therapy for the prevention of occlusive vascular disease when they developed intracerebral haemorrhage. The risk of recurrent intracerebral haemorrhage is probably too small to exceed the established benefits of antiplatelet therapy for secondary prevention. FUNDING: British Heart Foundation

Benchmarking Open-Source Static Analyzers for Security Testing for C

As the number of available static analysis security testing (SAST) tools grows, the more difficult it becomes for developers to decide which tool(s) to use. We report on our evaluation of 11 open-source general-purpose SAST tools for the C programming language on the SARD Juliet Test Suite and of six tools on the Wireshark software. In line with the previous work, we find that there is no single superior tool, though sound tools performed the best on the Juliet test cases

Data Science roadmap: An insight to achieve secure software engineering

The research in software engineering towards security is getting rich attention. New security breaches are reported by media on an almost daily basis. According to a research survey tailored by SEI, more than 9 out of 10 security vulnerabilities are occurring by exploiting known software defects. The analysis of 45 e-business applications showed that 7 out of 10 security defects were caused by poor software design. We, at the German Aerospace Center (DLR), are involved in various research activities across space, aeronautics, transportation, and energy that involve software development by domain scientists. Missing any security training and having little knowledge in software engineering, these scientists introduce defects unknowingly. As a result, scientific software provides attack vectors that can be exploited by internal and external penetrators. We believe that a lot of security issues could be avoided by following a security-centered development process. With our newly formed Secure Software Engineering group we want to tackle this problem by supporting the scientists during development. Therefore we want to capture software engineering processes, evaluate the security of software produced by those processes, and finally provide inputs on how to improve software engineering practices with respect to security. We want to follow a data driven approach that combines various current techniques covering different aspects of IT security and software engineering. The development process as well as the quality of the resulting software is captured by combining different state of the art approaches. For evaluation of the software quality with respect to security there are several static and dynamic analysis tools available. On the dynamic side our approach focuses on fuzzing and application of exploitation frameworks like Metasploit. For static analysis we use rule based syntax tree matching and intermediate language evaluation. This should be combined with manual audits and evaluated in a common, comparable scoring system. To capture characteristics of the software engineering process we aim at recording full artifact provenance using specialized IDE extensions. To get started we are also mining our repositories for historic information about pro cesses and gather information from developers using surveys