research-article

Inferring crypto API rules from code changes

Authors:

Veselin Raychev,

Martin VechevAuthors Info & Claims

ACM SIGPLAN Notices, Volume 53, Issue 4

Pages 450 - 464

https://doi.org/10.1145/3296979.3192403

Published: 11 June 2018 Publication History

Abstract

Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete.

To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules.

We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.

Supplementary Material

WEBM File (p450-paletov.webm)

Download
118.14 MB

References

[1]

2013. Some SecureRandom Thoughts. https://android-developers. googleblog.com/2013/08/some-securerandom-thoughts.html

[2]

2015. The Right Way to Use SecureRandom. https://tersesystems. com/2015/12/17/the-right-way-to-use-securerandom/

[3]

2016. Which security implementation should I use: Bouncy Castle or JCA? https://blog.idrsolutions.com/2016/08/ which-security-implementation-should-i-use-bouncy-castle-or-jca/

[4]

2017. FindSecBugs Bugs Patterns. https://find-sec-bugs.github.io/ bugs.htm

[5]

2017. OWASP Source Code Analysis Tools. https://www.owasp.org/ index.php/Source_Code_Analysis_Tools.

[6]

2017. Top 10 developer Crypto mistakes. https://littlemaninmyhead. wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/

[7]

Martín Abadi and Bogdan Warinschi. 2005. Password-Based Encryption Analyzed. Springer Berlin Heidelberg, Berlin, Heidelberg, 664–676.

Digital Library

[8]

Mikhail J. Atallah and Susan Fox (Eds.). 1998. Algorithms and Theory of Computation Handbook (1st ed.). CRC Press, Inc., Boca Raton, FL, USA.

Digital Library

[9]

M. Bellare and P. Rogaway. 2017. Course notes for introduction to modern cryptography. cseweb.ucsd.edu/users/mihir/cse207/classnotes. html

[10]

Patrick Cousot and Nicolas Halbwachs. 1978. Automatic Discovery of Linear Restraints Among Variables of a Program. In Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’78). ACM, New York, NY, USA, 84–96.

Digital Library

[11]

Somak Das, Vineet Gopal, Kevin King, and Amruth Venkatraman. {n. d.}. IV = 0 Security Cryptographic Misuse of Libraries. Technical Report. MIT.

[12]

Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer &#38; Communications Security (CCS ’13). ACM, New York, NY, USA, 73–84.

Digital Library

[13]

Dawson Engler, David Yu Chen, Seth Hallem, Andy Chou, and Benjamin Chelf. 2001. Bugs As Deviant Behavior: A General Approach to Inferring Errors in Systems Code. SIGOPS Oper. Syst. Rev. 35, 5 (Oct. 2001), 57–72.

Digital Library

[14]

Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12). ACM, New York, NY, USA, 50–61.

Digital Library

[15]

Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. 2012. The Most Dangerous Code in the World: Validating SSL Certificates in Non-browser Software. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12). ACM, New York, NY, USA, 38–49.

Digital Library

[16]

Andrew Johnson, Lucas Waye, Scott Moore, and Stephen Chong. 2015. Exploring and Enforcing Security Guarantees via Program Dependence Graphs. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’15). ACM, New York, NY, USA, 291–302.

Digital Library

[17]

David Kaplan, Sagi Kedmi, Roee Hay, and Avi Dayan. 2014. Attacking the Linux PRNG On Android: Weaknesses in Seeding of Entropic Pools and Low Boot-Time Entropy. In 8th USENIX Workshop on Offensive Technologies (WOOT ’14). USENIX Association, San Diego, CA. https://www.usenix.org/conference/woot14/workshop-program/ presentation/kaplan

Digital Library

[18]

Ted Kremenek, Paul Twohey, Godmar Back, Andrew Ng, and Dawson Engler. 2006. From Uncertainty to Belief: Inferring the Specification Within (OSDI ’06). USENIX Association, Berkeley, CA, USA, 161–176. http://dl.acm.org/citation.cfm?id=1298455.1298471

Digital Library

[19]

Ondrej LhotÃąk. 2002. Spark: a flexible points-to analysis framework for Java.

[20]

Yong Li, Yuanyuan Zhang, Juanru Li, and Dawu Gu. 2014. iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications. In Network and System Security: 8th International Conference. 349–362.

[21]

Fan Long and Martin Rinard. 2016. Automatic Patch Generation by Learning Correct Code. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’16). ACM, New York, NY, USA, 298–312.

Digital Library

[22]

Siqi Ma, David Lo, Teng Li, and Robert H. Deng. 2016. CDRep: Automatic Repair of Cryptographic Misuses in Android Applications. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (ASIA CCS ’16). ACM, New York, NY, USA, 711–722.

Digital Library

[23]

Dhruv Mohindra. 2016. Do not use insecure or weak cryptographic algorithms. https://www.securecoding.cert.org/confluence/display/ java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+ algorithms

[24]

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden. 2016. Jumping Through Hoops: Why Do Java Developers Struggle with Cryptography APIs?. In Proceedings of the 38th International Conference on Software Engineering (ICSE ’16). ACM, New York, NY, USA, 935–946.

Digital Library

[25]

Anh Tuan Nguyen, Michael Hilton, Mihai Codoban, Hoan Anh Nguyen, Lily Mast, Eli Rademacher, Tien N. Nguyen, and Danny Dig. 2016. API Code Recommendation Using Statistical Learning from Fine-grained Changes. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE 2016). ACM, New York, NY, USA, 511–522.

Digital Library

[26]

Oracle. 2017. Java Cryptography Architecture ( JCA) Reference Guide. http://docs.oracle.com/javase/7/docs/technotes/guides/ security/crypto

[27]

Veselin Raychev, Martin Vechev, and Eran Yahav. 2014. Code Completion with Statistical Language Models. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’14). ACM, 419–428.

Digital Library

[28]

Amit Sethi. 2016. Proper use of Java SecureRandom. https://www.synopsys.com/blogs/software-security/ proper-use-of-javas-securerandom/

[29]

Shao Shuai, Dong Guowei, Guo Tao, Yang Tianchang, and Shi Chenjie. 2014. Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications. In Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC ’14). IEEE Computer Society, Washington, DC, USA, 75–80.

Digital Library

[30]

Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov, Alex Petit Bianco, and Clement Baisse. 2017. Announcing the first SHA1 collision.

[31]

Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. 2014. Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14). ACM, New York, NY, USA, 1329–1341.

Digital Library

[32]

Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, and Mayur Naik. 2016. APISan: Sanitizing API Usages through Semantic Cross-Checking. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 363–378. https://www.usenix.org/conference/usenixsecurity16/ technical-sessions/presentation/yun

Digital Library

[33]

Thomas Zimmermann, Peter Weisgerber, Stephan Diehl, and Andreas Zeller. 2004. Mining Version Histories to Guide Software Changes. In Proceedings of the 26th International Conference on Software Engineering (ICSE ’04). IEEE Computer Society, Washington, DC, USA, 563–572. http://dl.acm.org/citation.cfm?id=998675.999460

Digital Library

Cited By

Mousavi ZIslam CMoore KAbuadbba ABabar MQuek TGao DZhou JCardenas A(2024)An Investigation into Misuse of Java Security APIs by Large Language ModelsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3661134(1299-1315)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3661134
Yu ZMartinez MChen ZBissyandé TMonperrus M(2023)Learning the Relation Between Code Features and Code Transforms With Structured PredictionIEEE Transactions on Software Engineering10.1109/TSE.2023.327538049:7(3872-3900)Online publication date: 1-Jul-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3275380
Zhang YKabir MXiao YYao DMeng N(2023)Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?IEEE Transactions on Software Engineering10.1109/TSE.2022.315030249:1(288-303)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TSE.2022.3150302
Show More Cited By

Index Terms

Inferring crypto API rules from code changes
1. Security and privacy

Recommendations

Inferring crypto API rules from code changes
PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete.

To address this ...
Inferring higher level policies from firewall rules
LISA'07: Proceedings of the 21st conference on Large Installation System Administration Conference

Packet filtering firewall is one of the most important mechanisms used by corporations to enforce their security policy. Recent years have seen a lot of research in the area of firewall management. Typically, firewalls use a large number of low-level ...
Inferring Specifications of Object Oriented APIs from API Source Code
APSEC '08: Proceedings of the 2008 15th Asia-Pacific Software Engineering Conference

API libraries are becoming increasingly popular in modern software industries because these libraries provide various methods and classes for reuse. However, as pointed out by researchers, libraries are typically difficult to use. It is desirable to ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 53, Issue 4

PLDI '18

April 2018

834 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/3296979

Editor:
Matthew Fluet
Rodchester Institude of Technology

Issue’s Table of Contents

PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2018
825 pages
ISBN:9781450356985
DOI:10.1145/3192366
General Chair:
Jeffrey S. Foster
University of Maryland at College Park, USA
,
Program Chair:
Dan Grossman
University of Washington, USA

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2018

Published in SIGPLAN Volume 53, Issue 4

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

30
Total Citations
View Citations
468
Total Downloads

Downloads (Last 12 months)34
Downloads (Last 6 weeks)7

Reflects downloads up to 14 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Mousavi ZIslam CMoore KAbuadbba ABabar MQuek TGao DZhou JCardenas A(2024)An Investigation into Misuse of Java Security APIs by Large Language ModelsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3661134(1299-1315)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3661134
Yu ZMartinez MChen ZBissyandé TMonperrus M(2023)Learning the Relation Between Code Features and Code Transforms With Structured PredictionIEEE Transactions on Software Engineering10.1109/TSE.2023.327538049:7(3872-3900)Online publication date: 1-Jul-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3275380
Zhang YKabir MXiao YYao DMeng N(2023)Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?IEEE Transactions on Software Engineering10.1109/TSE.2022.315030249:1(288-303)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TSE.2022.3150302
Lin PChen PShang JQiu QHuang Z(2023)Mining Potential Defect Patterns in Unmanned Systems from A Large Amount of Open Source Code2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C)10.1109/QRS-C60940.2023.00123(861-862)Online publication date: 22-Oct-2023
https://doi.org/10.1109/QRS-C60940.2023.00123
Effendi SÇirisci BMukherjee RNguyen HTripp OLiu AMuccini H(2023)A Language-Agnostic Framework for Mining Static Analysis Rules from Code ChangesProceedings of the 45th International Conference on Software Engineering: Software Engineering in Practice10.1109/ICSE-SEIP58684.2023.00035(327-339)Online publication date: 17-May-2023
https://dl.acm.org/doi/10.1109/ICSE-SEIP58684.2023.00035
Janovsky AMaiorca DMacko DMatyas VGiacinto G(2023)Explaining the Use of Cryptographic API in Android MalwareE-Business and Telecommunications10.1007/978-3-031-45137-9_4(69-97)Online publication date: 30-Sep-2023
https://doi.org/10.1007/978-3-031-45137-9_4
An CZhang DGao XZhu X(2022)CryptoDetection: A Cryptography Misuse Detection Method Based on Bi-LSTM2022 IEEE 8th International Conference on Computer and Communications (ICCC)10.1109/ICCC56324.2022.10065788(1244-1249)Online publication date: 9-Dec-2022
https://doi.org/10.1109/ICCC56324.2022.10065788
Zheng YPujar SLewis BBuratti LEpstein EYang BLaredo JMorari ASu ZEldh SFalessi D(2021)D2AProceedings of the 43rd International Conference on Software Engineering: Software Engineering in Practice10.1109/ICSE-SEIP52600.2021.00020(111-120)Online publication date: 25-May-2021
https://dl.acm.org/doi/10.1109/ICSE-SEIP52600.2021.00020
Liu WChen BPeng XSun QZhao W(2021)Identifying change patterns of API misuses from code changesScience China Information Sciences10.1007/s11432-019-2745-564:3Online publication date: 7-Feb-2021
https://doi.org/10.1007/s11432-019-2745-5
Gao JKong PLi LBissyandé TKlein JStorey MAdams BHaiduc S(2019)Negative results on mining crypto-API usage rules in Android appsProceedings of the 16th International Conference on Mining Software Repositories10.1109/MSR.2019.00065(388-398)Online publication date: 26-May-2019
https://dl.acm.org/doi/10.1109/MSR.2019.00065
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents