The Java libraries JCA and JSSE provide various cryptographic APIs to facilitate secure coding. Prior work shows that many developers misuse some of the APIs, and consequently implement security features in insecure ways; such security-API misuses can introduce vulnerabilities into codebases, causing software vulnerable to cyber attacks. To eliminate the API-related vulnerabilities, tools were built to automatically detect security-API misuses via pattern matching. However, most of these tools do not (1) automatically fix misuses or (2) support users to extend the pattern set inside tools. To overcome both limitations, we developed Seader—an example-based approach that detects and repairs security-API misuses. Given an exemplar insecure code snippet and its secure counterpart, Seader compares the snippets to infer any API-misuse template and corresponding fixing edit. Based on the inferred information, given a program, Seader performs inter-procedural static analysis to search for security-API misuses and to propose customized fixes.

For evaluation, we applied Seader to 28 ⟨insecure, secure⟩ code pairs, and Seader successfully inferred 21 unique API-misuse templates as well as related fixes. With these ⟨vulnerability, fix⟩ patterns, we applied Seader to a third-party program benchmark that contains in total 86 known vulnerabilities. Our experiment shows that Seader detected vulnerabilities with 95% precision, 72% recall, and 82% F-score. Additionally, we applied Seader to 100 Apache open-source projects and sampled 77 of the suggested repairs for manual inspection; we found that Seader often customized repairs correctly. Seader can help reduce the technical barrier for developers to correctly use security APIs.