APICAD: Augmenting API Misuse Detection Through Specifications From Code And Documents
Using API should follow its specifications. Otherwise, it can bring security impacts while the functionality is damaged. To detect API misuse, we need to know what its specifications are. In addition to being provided manually, current tools usually mine the majority usage in the existing codebase as specifications, or capture specifications from its relevant texts in human language. However, the former depends on the quality of the codebase itself, while the latter is limited to the irregularity of the text. In this work, we observe that the information carried by code and documents can complement each other. To mitigate the demand for a high-quality codebase and reduce the pressure to capture valid information from texts, we present APICAD to detect API misuse bugs of C/C++ by combining the specifications mined from code and documents. On the one hand, we effectively build the contexts for API invocations and mine specifications from them through a frequency-based method. On the other hand, we acquire the specifications from documents by using lightweight keyword-based and NLP-assisted techniques. Finally, the combined specifications are generated for bug detection. Experiments show that APICAD can handle diverse API usage semantics to deal with different types of API misuse bugs. With the help of APICAD, we report 153 new bugs in Curl, Httpd, OpenSSL and Linux kernel, 145 of which have been confirmed and 126 have applied our patches.
Wed 17 MayDisplayed time zone: Hobart change
11:00 - 12:30 | APIs and librariesTechnical Track / Journal-First Papers / SEIP - Software Engineering in Practice at Meeting Room 105 Chair(s): Sarah Nadi University of Alberta | ||
11:00 15mTalk | UpCy: Safely Updating Outdated Dependencies Technical Track Andreas Dann Paderborn University, Ben Hermann TU Dortmund, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM Pre-print | ||
11:15 15mTalk | APICAD: Augmenting API Misuse Detection Through Specifications From Code And Documents Technical Track DOI Pre-print | ||
11:30 15mTalk | Compatibility Issue Detection for Android Apps Based on Path-Sensitive Semantic Analysis Technical Track Sen Yang Army Engineering University of PLA, Sen Chen Tianjin University, Lingling Fan Nankai University, Sihan Xu Nankai University, China, Zhanwei Hui Academy of Military Science, Song Huang Army Engineering University of PLA | ||
11:45 15mTalk | OSSFP: Precise and Scalable C/C++ Third-Party Library Detection using Fingerprinting Functions Technical Track Wu Jiahui Nanyang Technological University, Zhengzi Xu Nanyang Technological University, Wei Tang Tsinghua University, Lyuye Zhang Nanyang Technological University, Yueming Wu Nanyang Technological University, Chengyue Liu Scantist, Kairan Sun Singapore University of Technology and Design, Lida Zhao Nanyang Technological University, Yang Liu Nanyang Technological University | ||
12:00 15mTalk | Scaling Web API Integrations SEIP - Software Engineering in Practice Pre-print | ||
12:15 7mTalk | Giving Back: Contributions Congruent to Library Dependency Changes in a Software Ecosystem Journal-First Papers Supatsara Wattanakriengkrai Nara Institute of Science and Technology, Dong Wang Kyushu University, Japan, Raula Gaikovina Kula Nara Institute of Science and Technology, Christoph Treude University of Melbourne, Patanamon Thongtanunam University of Melbourne, Takashi Ishio Future University Hakodate, Kenichi Matsumoto Nara Institute of Science and Technology Link to publication | ||
12:22 7mTalk | Breaking Bad? Semantic Versioning and Impact of Breaking Changes in Maven Central Journal-First Papers Lina Ochoa Eindhoven University of Technology, Thomas Degueule CNRS, LaBRI, Jean-Rémy Falleri Bordeaux INP, Jurgen Vinju CWI; Eindhoven University of Technology | ||