Dealing with Variability in API Misuse Specification

Authors Rodrigo Bonifácio , Stefan Krüger, Krishna Narasimhan, Eric Bodden , Mira Mezini



PDF
Thumbnail PDF

File

LIPIcs.ECOOP.2021.19.pdf
  • Filesize: 1.1 MB
  • 27 pages

Document Identifiers

Author Details

Rodrigo Bonifácio
  • Computer Science Department, University of Brasília, Brazil
Stefan Krüger
  • Independent Researcher, Munich, Germany
Krishna Narasimhan
  • Technical University of Darmstadt, Germany
Eric Bodden
  • Paderborn University, Germany
  • Fraunhofer IEM, Paderborn, Germany
Mira Mezini
  • Technical University of Darmstadt, Germany

Cite As Get BibTex

Rodrigo Bonifácio, Stefan Krüger, Krishna Narasimhan, Eric Bodden, and Mira Mezini. Dealing with Variability in API Misuse Specification. In 35th European Conference on Object-Oriented Programming (ECOOP 2021). Leibniz International Proceedings in Informatics (LIPIcs), Volume 194, pp. 19:1-19:27, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021) https://doi.org/10.4230/LIPIcs.ECOOP.2021.19

Abstract

APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API-misuse detectors have been proposed to address this issue - including CogniCrypt, one of the most versatile of such detectors and that uses a language (CrySL) to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations/guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries (including JCA/JCE, Bouncy Castle, and Google Tink). The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language (named MetaCrySL), which builds on meta-programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs.

Subject Classification

ACM Subject Classification
  • Software and its engineering
  • Software and its engineering → Domain specific languages
  • Software and its engineering → API languages
  • Theory of computation → Cryptographic protocols
Keywords
  • API misuse
  • cryptographic API misuse detection
  • code generation
  • domain engineering
  • cryptographic standards

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M. L. Mazurek, and C. Stransky. Comparing the usability of cryptographic apis. In 2017 IEEE Symposium on Security and Privacy (SP), pages 154-171. IEEE Press, May 2017. URL: https://doi.org/10.1109/SP.2017.52.
  2. S. Amann, H. A. Nguyen, S. Nadi, T. N. Nguyen, and M. Mezini. A systematic evaluation of static api-misuse detectors. IEEE Transactions on Software Engineering, 45(12):1170-1188, 2019. Google Scholar
  3. S. Amann, H. A. Nguyen, S. Nadi, T. N. Nguyen, and M. Mezini. A systematic evaluation of static api-misuse detectors. IEEE Transactions on Software Engineering, 45(12):1170-1188, 2019. URL: https://doi.org/10.1109/TSE.2018.2827384.
  4. Sven Apel, Don Batory, Christian Kstner, and Gunter Saake. Feature-Oriented Software Product Lines: Concepts and Implementation. Springer Publishing Company, Incorporated, 2013. Google Scholar
  5. A. Bhardwaj and S. Som. Study of different cryptographic technique and challenges in future. In 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH), pages 208-212, 2016. Google Scholar
  6. Aline Brito, Marco Tulio Valente, Laerte Xavier, and André C. Hora. You broke my code: understanding the motivations for breaking changes in apis. Empirical Software Engineering, 25(2):1458-1492, 2020. URL: https://doi.org/10.1007/s10664-019-09756-z.
  7. Aline Brito, Laerte Xavier, André C. Hora, and Marco Tulio Valente. Apidiff: Detecting API breaking changes. In Rocco Oliveto, Massimiliano Di Penta, and David C. Shepherd, editors, 25th International Conference on Software Analysis, Evolution and Reengineering, SANER 2018, Campobasso, Italy, March 20-23, 2018, pages 507-511. IEEE Computer Society, 2018. URL: https://doi.org/10.1109/SANER.2018.8330249.
  8. Aline Brito, Laerte Xavier, André C. Hora, and Marco Tulio Valente. Why and how Java developers break APIs. In Rocco Oliveto, Massimiliano Di Penta, and David C. Shepherd, editors, 25th International Conference on Software Analysis, Evolution and Reengineering, SANER 2018, Campobasso, Italy, March 20-23, 2018, pages 255-265. IEEE Computer Society, 2018. URL: https://doi.org/10.1109/SANER.2018.8330214.
  9. Kingsum Chow and David Notkin. Semi-automatic update of applications in response to library changes. In 1996 International Conference on Software Maintenance (ICSM '96), 4-8 November 1996, Monterey, CA, USA, Proceedings, page 359. IEEE Computer Society, 1996. URL: https://doi.org/10.1109/ICSM.1996.565039.
  10. Krzysztof Czarnecki and Ulrich W. Eisenecker. Generative Programming: Methods, Tools, and Applications. ACM Press/Addison-Wesley Publishing Co., USA, 2000. Google Scholar
  11. Danny Dig and Ralph Johnson. How do apis evolve? a story of refactoring: Research articles. J. Softw. Maint. Evol., 18(2):83–107, March 2006. Google Scholar
  12. Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in android applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS '13, pages 73-84, New York, NY, USA, 2013. ACM. URL: https://doi.org/10.1145/2508859.2516693.
  13. Michel Abdalla et al. Algorithms, key size and protocols report. Technical report, ECRYPT – Coordination and Support Action, European Union’s H2020 programme, 2018. Google Scholar
  14. Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing, 2010. Google Scholar
  15. F. Fischer, K. Böttinger, H. Xiao, C. Stransky, Y. Acar, M. Backes, and S. Fahl. Stack overflow considered harmful? the impact of copy amp;paste on android application security. In 2017 IEEE Symposium on Security and Privacy (SP), pages 121-136, May 2017. URL: https://doi.org/10.1109/SP.2017.31.
  16. German Federal Office for Information Security. Cryptographic mechanisms: Recommendations and key lengths. Technical Report BSI TR-02102-1, German Federal Office for Information Security, 2020. Google Scholar
  17. William Frakes, Ruben Prieto, Christopher Fox, et al. Dare: Domain analysis and reuse environment. Annals of software engineering, 5(1):125-141, 1998. Google Scholar
  18. Johannes Henkel and Amer Diwan. Catchup! capturing and replaying refactorings to support api evolution. In Proceedings of the 27th International Conference on Software Engineering, ICSE '05, page 274–283, New York, NY, USA, 2005. Association for Computing Machinery. URL: https://doi.org/10.1145/1062455.1062512.
  19. A. Hora, R. Robbes, N. Anquetil, A. Etien, S. Ducasse, and M. Tulio Valente. How do developers react to api evolution? the pharo ecosystem case. In 2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), pages 251-260, 2015. URL: https://doi.org/10.1109/ICSM.2015.7332471.
  20. David Hovemeyer and William Pugh. Finding bugs is easy. SIGPLAN Not., 39(12):92–106, 2004. URL: https://doi.org/10.1145/1052883.1052895.
  21. Oracle Inc. Java cryptography architecture (JCA), 2020. URL: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html.
  22. Maria Kechagia, Xavier Devroey, Annibale Panichella, Georgios Gousios, and Arie van Deursen. Effective and efficient api misuse detection via exception propagation and search-based testing. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2019, page 192–203, New York, NY, USA, 2019. Association for Computing Machinery. URL: https://doi.org/10.1145/3293882.3330552.
  23. Paul Klint, Tijs van der Storm, and Jurgen J. Vinju. RASCAL: A domain specific language for source code analysis and manipulation. In Ninth IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2009, Edmonton, Alberta, Canada, September 20-21, 2009, pages 168-177. IEEE Computer Society, 2009. URL: https://doi.org/10.1109/SCAM.2009.28.
  24. S. Krüger, J. Späth, K. Ali, E. Bodden, and M. Mezini. Crysl: An extensible approach to validating the correct usage of cryptographic apis. IEEE Transactions on Software Engineering, pages 1-1, 2019. URL: https://doi.org/10.1109/TSE.2019.2948910.
  25. Stefan Krüger, Sarah Nadi, Michael Reif, Karim Ali, Mira Mezini, Eric Bodden, Florian Göpfert, Felix Günther, Christian Weinert, Daniel Demmler, and Ram Kamath. Cognicrypt: Supporting developers in using cryptography. In Proceedings of the 32Nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017, pages 931-936. IEEE Press, 2017. Google Scholar
  26. A. Leonard. Spring Boot Persistence Best Practices: Optimize Java Persistence Performance in Spring Boot Applications. Apress, 2020. URL: https://books.google.com.br/books?id=dIvgDwAAQBAJ.
  27. Yong Li, Yuanyuan Zhang, Juanru Li, and Dawu Gu. icryptotracer: Dynamic analysis on misuse of cryptography functions in ios applications. In Man Ho Au, Barbara Carminati, and C.-C. Jay Kuo, editors, Network and System Security, pages 349-362, Cham, 2014. Springer International Publishing. Google Scholar
  28. Liana Barachisio Lisboa, Vinicius Cardoso Garcia, Daniel Lucrédio, Eduardo Santana de Almeida, Silvio Romero de Lemos Meira, and Renata Pontin de Mattos Fortes. A systematic review of domain analysis tools. Information and Software Technology, 52(1):1-13, 2010. URL: https://doi.org/10.1016/j.infsof.2009.05.001.
  29. Qingzhou Luo, Yi Zhang, Choonghwan Lee, Dongyun Jin, Patrick O'Neil Meredith, Traian Florin ŞerbănuŢă, and Grigore Roşu. Rv-monitor: Efficient parametric runtime verification with simultaneous properties. In Borzoo Bonakdarpour and Scott A. Smolka, editors, Runtime Verification, pages 285-300, Cham, 2014. Springer International Publishing. Google Scholar
  30. Dustin Marx. Basic java persistence api best practices. Technical report, Oracle, 2008. Google Scholar
  31. Mira Mezini. Maintaining the consistency of class libraries during their evolution. SIGPLAN Not., 32(10):1–21, 1997. URL: https://doi.org/10.1145/263700.263701.
  32. Martin Monperrus and Mira Mezini. Detecting missing method calls as violations of the majority rule. ACM Trans. Softw. Eng. Methodol., 22(1), 2013. URL: https://doi.org/10.1145/2430536.2430541.
  33. Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden. Jumping through hoops: Why do java developers struggle with cryptography apis? In Proceedings of the 38th International Conference on Software Engineering, ICSE '16, pages 935-946. ACM, 2016. URL: https://doi.org/10.1145/2884781.2884790.
  34. National Institute of Standards and Technology. Security requirements for cryptographic modules. Technical report, National Institute of Standards and Technology, 2019. Google Scholar
  35. Terence Parr. Language Implementation Patterns: Create Your Own Domain-Specific and General Programming Languages. Pragmatic Bookshelf, 1st edition, 2009. Google Scholar
  36. Klaus Pohl, Günter Böckle, and Frank J. van der Linden. Software Product Line Engineering: Foundations, Principles and Techniques. Springer-Verlag, Berlin, Heidelberg, 2005. Google Scholar
  37. Michael Pradel and Thomas R. Gross. Leveraging test generation and specification mining for automated bug detection without false positives. In Proceedings of the 34th International Conference on Software Engineering, ICSE '12, page 288–298. IEEE Press, 2012. Google Scholar
  38. Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng (Daphne) Yao. Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized java projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, page 2455–2472, New York, NY, USA, 2019. Association for Computing Machinery. URL: https://doi.org/10.1145/3319535.3345659.
  39. Romain Robbes, Mircea Lungu, and David Röthlisberger. How do developers react to api deprecation? the case of a smalltalk ecosystem. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE '12, New York, NY, USA, 2012. Association for Computing Machinery. URL: https://doi.org/10.1145/2393596.2393662.
  40. M. A. Saied, O. Benomar, H. Abdeen, and H. Sahraoui. Mining multi-level api usage patterns. In 2015 IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER), pages 23-32, 2015. URL: https://doi.org/10.1109/SANER.2015.7081812.
  41. A. A. Sawant, R. Robbes, and A. Bacchelli. On the reaction to deprecation of 25,357 clients of 4+1 popular java apis. In 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), pages 400-410, 2016. URL: https://doi.org/10.1109/ICSME.2016.64.
  42. Anand Ashok Sawant, Romain Robbes, and Alberto Bacchelli. On the reaction to deprecation of clients of 4+ 1 popular java apis and the jdk. Empirical Software Engineering, 23(4):2158-2197, 2018. Google Scholar
  43. Thorsten Schäfer, Jan Jonas, and Mira Mezini. Mining framework usage changes from instantiation code. In Proceedings of the 30th International Conference on Software Engineering, ICSE '08, page 471–480, New York, NY, USA, 2008. Association for Computing Machinery. URL: https://doi.org/10.1145/1368088.1368153.
  44. Bruce Schneier. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 2000. Google Scholar
  45. Johannes Späth, Karim Ali, and Eric Bodden. Ide^al: efficient and precise alias-aware dataflow analysis. PACMPL, 1(OOPSLA):99:1-99:27, 2017. URL: https://doi.org/10.1145/3133923.
  46. Johannes Späth, Karim Ali, and Eric Bodden. Context-, flow-, and field-sensitive data-flow analysis using synchronized pushdown systems. PACMPL, 3(POPL):48:1-48:29, 2019. Google Scholar
  47. Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, and Eric Bodden. Boomerang: Demand-driven flow- and context-sensitive pointer analysis for java. In Shriram Krishnamurthi and Benjamin S. Lerner, editors, 30th European Conference on Object-Oriented Programming, ECOOP 2016, July 18-22, 2016, Rome, Italy, volume 56 of LIPIcs, pages 22:1-22:26. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2016. URL: https://doi.org/10.4230/LIPIcs.ECOOP.2016.22.
  48. Andrzej Wasylkowski, Andreas Zeller, and Christian Lindig. Detecting object usage anomalies. In Proceedings of the the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering, ESEC-FSE '07, page 35–44, New York, NY, USA, 2007. Association for Computing Machinery. URL: https://doi.org/10.1145/1287624.1287632.
  49. L. Xavier, A. Brito, A. Hora, and M. T. Valente. Historical and impact analysis of api breaking changes: A large-scale study. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 138-147, February 2017. URL: https://doi.org/10.1109/SANER.2017.7884616.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail