Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?
The Java platform provides various cryptographic APIs to facilitate secure coding. However, correctly using these APIs is challenging for developers who lack cybersecurity training. Prior work shows that many developers misused APIs and consequently introduced vulnerabilities into their software. To eliminate such vulnerabilities, people created tools to detect and/or fix cryptographic API misuses. However, it is still unknown (1) how current tools are designed to detect cryptographic API misuses, (2) how effectively the tools work to locate API misuses, and (3) how developers perceive the usefulness of tools’ outputs. For this paper, we conducted an empirical study to investigate the research questions mentioned above. Specifically, we first conducted a literature survey on existing tools and compared their approach design from different angles. Then we applied six of the tools to three popularly used benchmarks to measure tools’ effectiveness of API-misuse detection. Next, we applied the tools to 200 Apache projects and sent 57 vulnerability reports to developers for their feedback. Our study revealed interesting phenomena. For instance, none of the six tools was found universally better than the others; however, CogniCrypt, CogniGuard, and Xanitizer outperformed SonarQube. More developers rejected tools’ reports than those who accepted reports (30 vs. 9) due to their concerns on tools’ capabilities, the correctness of suggested fixes, and the exploitability of reported issues. This study reveals a significant gap between the state-of-the-art tools and developers’ expectations; it sheds light on future research in vulnerability detection.
Thu 13 Oct (times shown in Eastern Time, US & Canada)
10:00 - 12:00 | Technical Session 23 - Security | Tool Demonstrations / Journal-first Papers / Late Breaking Results / Research Papers | at Ballroom C East | Chair(s): John-Paul Ore North Carolina State University
10:00 (10m) Demonstration | V-Achilles: An Interactive Visualization of Transitive Security Vulnerabilities | Tool Demonstrations | Vipawan Jarukitpipat Mahidol University, Xiao Peng China EverBright Bank, Chaiyong Ragkhitwetsagul Mahidol University, Thailand, Morakot Choetkiertikul Mahidol University, Thailand, Thanwadee Sunetnanta Mahidol University, Raula Gaikovina Kula Nara Institute of Science and Technology, Bodin Chinthanet Nara Institute of Science and Technology, Takashi Ishio Nara Institute of Science and Technology, Kenichi Matsumoto Nara Institute of Science and Technology
10:10 (20m) Paper | Automatic Detection of Java Cryptographic API Misuses: Are We There Yet? | Journal-first Papers | Ying Zhang Virginia Tech, USA, Md Mahir Asef Kabir Virginia Tech, Ya Xiao Virginia Tech, Daphne Yao Virginia Tech, Na Meng Virginia Tech
10:30 (10m) Demonstration | A transformer-based IDE plugin for vulnerability detection | Virtual | Tool Demonstrations | Cláudia Mamede FEUP, U.Porto, Eduard Pinconschi FEUP, U.Porto, Rui Abreu Faculty of Engineering, University of Porto, Portugal
10:40 (10m) Demonstration | Quacky: Quantitative Access Control Permissiveness Analyzer | Tool Demonstrations | William Eiers University of California at Santa Barbara, USA, Ganesh Sankaran University of California Santa Barbara, Albert Li University of California Santa Barbara, Emily O'Mahony University of California Santa Barbara, Benjamin Prince University of California Santa Barbara, Tevfik Bultan University of California, Santa Barbara
10:50 (10m) Paper | Towards Robust Models of Code via Energy-Based Learning on Auxiliary Datasets | Virtual | Late Breaking Results
11:00 (10m) Demonstration | Xscope: Hunting for Cross-Chain Bridge Attacks | Virtual | Tool Demonstrations | Jiashuo Zhang Peking University, China, Jianbo Gao Peking University, Yue Li Peking University, Ziming Chen Peking University, Zhi Guan Peking University, Zhong Chen
11:10 (20m) Research paper | Reentrancy Vulnerability Detection and Localization: A Deep Learning Based Two-phase Approach | Virtual | Research Papers | Zhuo Zhang Chongqing University, Yan Lei Chongqing University, Meng Yan Chongqing University, Yue Yu College of Computer, National University of Defense Technology, Changsha 410073, China, Jiachi Chen Sun Yat-Sen University, Shangwen Wang National University of Defense Technology, Xiaoguang Mao National University of Defense Technology