Keywords:
Astract: IT systems' integration in manufacturing companies is currently investigated in both academia and industry. While there can be found specialized systems and standards that tackle specific, e.g., production relevant problems, little has been done in the alignment of and transformation between such industrial standards. We will present the alignment of two specialized international standards, which will foster vertical system integration through detailed mapping of related concepts: (i) the Automation Markup Language (AML) standardizes the modeling of factory shop floors on top of the XML-based Computer Aided Engineering Exchange (CAEX) data format and (ii) ISA-95 is a series of standards targeting the integration of enterprise control systems, most prominent enterprise resource planning systems and manufacturing execution systems. In order to provide higher level semantics to lower level system descriptions, we have (i) aligned elements from AML and ISA-95 in order to make explicit both overlaps and complementary concepts and (ii) defined a ruleset for referencing external ISA-95 documents/elements from AML documents. Finally, we have developed a scenario that shows the potential use case for such an entwined use of AML and ISA-95.

Keywords:
Astract: Smart manufacturing requires deeply integrated IT systems in order to foster flexibility in the setup, re-arrangement and use of attached manufacturing systems. In a vertical integration scenario, IT systems of different vendors might be in use and proprietary interfaces need to defined in order to allow the exchange of relevant information from one system to another. In this paper we present a model-driven approach for vertical integration of IT systems. It is based on the application of industry standards for the representation of hierarchy level specific system properties and an alignment of their key concepts in order to provide bridging functions for the transformation between the different systems.

Keywords:
Astract: "Industrie 4.0" aims at flexible production networks that require horizontal integration across companies. Evidently, any production related information exchanged in the network must be vertically forwarded to the corresponding service endpoints of the local production system. Accordingly, there is a need to align information that flows between companies and within each company. The Resource-Event-Agent (REA) business ontology describes a metamodel for internal business activities (e.g., production) and for inter-organizational exchange constellations on the enterprise resource planning (ERP) level. ISA-95 is a series of standards targeting the integration of enterprise control systems on the interface between ERP systems and manufacturing execution systems. Consequently, we align elements of REA and ISA-95 and define conversion rules for the transformation of elements from one system to the other. By interleaving the semantics of both standards, we formally strengthen the links between the services of the business level and the production level, and support multi-system adaptation in flexible production environments.

Keywords:
Astract: People frequently use internet-based messaging systems to coordinate. In order to achieve that, it is sufficient for them to exchange natural language messages. The message history they generate can be seen as a shared database that can be tapped into by personal assistive systems; moreover, messaging is increasingly used for human-computer communication. However, if natural language understanding is required for such systems to function properly, the cost of developing them is high and only few market players will be able to compete. If, on the other hand, it is possible to mix machine-interpretable data with natural language conversations, assistive or conversational programs may be developed more easily. As a first important challenge, we tackle the problem of negotiating agreements and unambiguously represent what has been agreed upon in a machine-readable form. In this paper, we propose an extension of the Web of Needs, a decentralized, Linked Data based matching and messaging system, to allow conversation partners to produce a mutually agreed-upon RDF dataset.

Keywords:
Astract: The level of digitalization within transport companies is much higher than the level of digitalization across organization boundaries. This fact suggests that there is room for improvement. However, this situation is not likely to change as long as there is no financial incentive for the whole sector to cooperate in establishing a shared communication infrastructure. In this paper, we present our approach for building such an infrastructure using the method of design science. The goal is an open, Web based, de-centralized network operated by transport organizations themselves. Based on expert interviews, we argue that the current situation causes frictions that our approach may help reduce, thereby providing the incentive to participate. The proposed system is described in terms of its existing technologicial base, the Web of Needs, and the extensions needed to provide the required functionality, giving an overview of the current state of implementation.

Keywords: web applications, security, model based testing, test data generation, automated testing
Astract: Modern web applications are used in order to communicate with others, to carry out banking transactions, to do shopping, and more. The complexity of these applications contributes to the increasing number of security vulnerabilities found, which endangers not only the data of users, but also the business of companies operating the applications. A technique to make applications more secure is security testing. Since a large number of vulnerabilities is caused by unanticipated input, security testing requires submitting large amounts of possibly dangerous input to an application. Thus, it is desirable to automate this process. In this thesis, a framework for test data generation designed for both functional testing and security testing will be designed and implemented. It uses a model-based approach: The structure of an application is expressed by a tester in a test model. Security professionals create application- independent, reusable testing strategies, which can then generate test data for a model. The framework is evaluated by conducting a proof-of-concept. A simple security test data generation strategy is implemented. An open source application containing known vulnerabilities is selected. Functional tests are performed on this application. The models created for the functional tests are then reused for performing security tests using the implemented strategy. These tests found three potential security vulnerabilities and two bugs in the application. The contributions of this thesis are as follows: First, the framework separates the concerns between testers, who create test models based on their domain knowledge, and security professionals, who implement test data generation strategies. Second, the framework provides opportunities for code reuse, since it is suitable for both functional and security testing. Third, it allows to perform security testing earlier in the development lifecycle, since security tests can be performed as soon as models have been developed.

Keywords:
Astract: Model Driven Engineering (MDE) aims to raise the level of abstraction in software engineering by moving from code-centric approaches to model-centric ones, which means that the main artifacts in the software development process are models. Thereby, MDE can be used for both creating new software as well as modernizing or extending existing software. The latter usage scenario of MDE requires the reverse engineering (RE) of existing software into higher-level models. The main aim of RE is to extract information of existing software and obtain a more abstract view for further analysis. Model Driven Reverse Engineering (MDRE) is the application of MDE techniques to perform RE tasks. While many MDRE approaches for reverse engineering the structure of a system already exist, there is a lack of approaches for also reverse engineering the behavior of a system, especially detailed behavior descriptions including algorithmic details of the software. This work proposes an approach for overcoming this gap by using MDE techniques to reverse engineer the detailed behavior of a system. The goal of this work is to elaborate a mapping between code written in the general purpose programming language C# and UML models conformant to fUML, by using an MDRE approach. The OMG standard Semantics of a Foundational Subset for Executable UML Models or foundational UML (fUML) is chosen because it is possible to precisely and completely define the behavior of a software system with fUML models. Thus, fUML is a suitable candidate for serving as target language for MDRE approaches that aim to reverse engineer the detailed behavior of a software system. A prototype has been developed in this thesis, which is able to reverse engineer code written in C# to models conformant to fUML, and store them in the UML modeling environment Enterprise Architect.

Keywords: Android, mobile apps, IT-security, data privacy, data security, medical- & health-apps, IT-security analysis
Astract: Especially data privacy and app security are challenges of mobile technologies. Recently, the number of reports that deal with data leakage and exploits is increasing constantly and the difficulties of these challenges are frequently addressed in political and legal discussions. Within these dis- cussions, sensitive data like financial-, medical- or other datasets with personal identification are of particular importance. This diploma thesis sets a focus on the protection of such datasets, since an increasing number of mobile applications utilize such data. In order to gain an insight in the level of data security of current mobile applications, an overview on basic security principles and mechanisms is given. In respect to the distribution of market shares in operating systems for smartphones, a focus is set on Android, the leading software system. At the beginning of this thesis, basic principles of IT-security and the architecture of the Android operating system are discussed. Based upon this basic principles, critical threats and risks for Android systems are presented and a concept for testing the data security of Android apps in the medical & health-related category is elaborated. Finally, a set of 5 applications, that are obtained within Google’s Play Store and are free of charge, is tested against the given concept. During the analysis of the chosen apps, several potential weaknesses and vulnerabilities of both, the apps and their backends, are discovered. An example for an uncovered weakness of an App is a lack in the implementation of mechanisms that provide a reliable protection against advanced man-in-the-middle attacks like certificate pinning. Another finding of this thesis is an uncovered vulnerability on the backend of a popular Android app. The web interface, that is used by the app to store and retrieve user databases, left the server prone to brute force attacks. A successful attack would potentially empower an attacker to obtain an unencrypted, full-featured copy of such a stored user database. Starting from the results of the conducted analysis, several approaches lead to further work. One possible course would be the deepening of the practical analysis by adding a detailed static and dynamic code analysis to the testing concept that is elaborated within this thesis. A different approach for further work could focus on designing mandatory guidelines and rulesets for the development of mobile applications that need to be fulfilled to gain permission for publishing a mobile app on Google’s Play Store. Furthermore, the extension of the analysis in terms of operating systems would be another example for a further work. Such research could apply the testing concept onto different mobile operating systems and strive for a meta-analysis. The results of such an analysis could be used to create a universal statement of data security across multiple mobile systems.

Keywords: IT security, methodology, Android, mobile malware, static analysis, dynamic analysis
Astract: For decades malware has been a threat to many software systems and their users. Until today, no generically applicable scheme exists to protect these systems from malware. The first known malware to be considered a threat to mobile devices was Android.FakePlayer, which was circulated by cyber criminals in 2010. Similar to the desktop versions of Windows, Android became the primary target of malware on mobile devices due to its dominant market share of 87.6% as documented in IDC [73]. In contrast to notebooks and desktop computers, smartphones have become our everyday and all-day companion for accessing and managing our digital life. Due to this strong tie between human and machine, personal, secret and even sensitive data is stored on these devices. Doubtlessly this fact makes them primary targets for cyber criminals and their malicious software. Both industrial and research communities try to solve this issue by developing automatic malware detection systems, but often research results are unsuitable for real-life application and industrial approaches are fault-prone and do not provide comprehensive protection. Manual analysis, executed by skilled professionals, is needed to drive and support the development of malware countermeasures, deconstructing malicious software to show its goals and internal mechanisms. Furthermore, the result of such analysis helps to judge imminent risks and provide possible solutions to limit hazards. This thesis elaborates on appropriate techniques and tools to analyze Android malware. Android protection schemes are derived from generic state-of-the-art malware analysis approaches. Also, known malware and anti-virus characteristics are discussed to form an appropriate mindset for malware analyses. The discussion of different obfuscation strategies shows the complexity of malicious mobile applications and identifies techniques that are used by malware authors to hinder analyses. To ensure an efficient and goal-oriented approach, this thesis suggests ways to combine techniques into an Android malware analysis methodology, which is derived from existing analysis models. This methodology allows an efficient and structured analysis without restricting the usage of creative approaches. To conclude the thesis, a case study on the analysis of Android.FakePlayer demonstrates the practice-oriented application of the methodology described.

Keywords:
Astract: Business documents directly exchanged between applications usually follow a certain business document standard. No matter whether these standards are traditional EDI standards or XML-based, they are very generic including all elements that may be of need to any company in this world. Before being used in a partnership, a subset of these elements has to be defined based on the business context (geopolitical region, industry, etc.). Usually the definition of these subsets-called Message Implementation Guidelines-starts from scratch, and, thus, is very time-consuming. In this paper we present an approach to explicitly assign context to the definition of Message Implementation Guidelines. This contextual information is also used to calculate a subset for to-be-developed Message Implementation Guidelines based on existing ones. The corresponding approach is supported by a prototype implementation.