DOI: 10.1145/3192366.3192403

Inferring crypto API rules from code changes

Published: 11 June 2018

Abstract

Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete.
To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules.
We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.
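
The three steps in the abstract can be sketched in a few lines. This is an added illustration, not the authors' implementation: the regex-based abstraction, the grouping by removed usage, the `min_support` threshold and the Java snippets are all assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed (old, new) Java snippets standing in for mined code changes.
CHANGES = [
    ('Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");',
     'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");'),
    ('Cipher c = Cipher.getInstance("AES/GCM/NoPadding");',
     'Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");'),  # rename only
    ('MessageDigest md = MessageDigest.getInstance("SHA-1");',
     'MessageDigest digest = MessageDigest.getInstance("SHA-256");'),
    ('return Cipher.getInstance("AES/ECB/PKCS5Padding");',
     'return Cipher.getInstance("AES/CBC/PKCS5Padding");'),
    ('byte[] h = MessageDigest.getInstance("SHA-1").digest(data);',
     'byte[] h = MessageDigest.getInstance("SHA-256").digest(data);'),
    ('log.info("init"); MessageDigest.getInstance("SHA-256");',
     'LOG.debug("init"); MessageDigest.getInstance("SHA-256");'),  # logging only
]

# Step (i): locate crypto API usage (only two JCA factory calls are modelled here).
CALL = re.compile(r'\b(Cipher|MessageDigest)\.getInstance\(\s*"([^"]+)"')

def abstract_usage(java_src):
    """Abstract a snippet to its set of (class, algorithm string) features."""
    return frozenset(CALL.findall(java_src))

def semantic_change(old_src, new_src):
    """Step (ii): return (removed, added) features, or None for a non-semantic change."""
    old, new = abstract_usage(old_src), abstract_usage(new_src)
    if old == new:
        return None  # refactoring, renaming, logging: crypto usage is unchanged
    return tuple(sorted(old - new)), tuple(sorted(new - old))

def cluster_changes(changes):
    """Step (iii), simplified: group changes by the usage they remove."""
    clusters = defaultdict(Counter)
    for old_src, new_src in changes:
        change = semantic_change(old_src, new_src)
        if change is not None:
            removed, added = change
            clusters[removed][added] += 1
    return clusters

def candidate_rules(changes, min_support=2):
    """Removed usages seen in at least min_support changes, with their support."""
    return {removed: sum(repl.values())
            for removed, repl in cluster_changes(changes).items()
            if sum(repl.values()) >= min_support}

if __name__ == "__main__":
    for removed, support in candidate_rules(CHANGES).items():
        print(f"candidate rule: avoid {removed} (support {support})")
```

Each candidate is only a prompt for manual review: a recurring replacement suggests a rule, and a human still decides whether the removed usage is actually insecure.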

Published In

PLDI 2018: Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2018
825 pages
ISBN:9781450356985
DOI:10.1145/3192366
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Learning
  2. Misuse of Cryptography
  3. Security

Qualifiers

  • Research-article

Conference

PLDI '18
Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%
