Bonifacio, Rodrigo ; Narasimhan, Krishna ; Bodden, Eric ; Mezini, Mira ; Krüger, Stefan (2021)
Dealing with Variability in API Misuse Specification.
35th European Conference on Object-Oriented Programming. virtual Conference (11.07.2021-17.07.2021)
doi: 10.4230/LIPIcs.ECOOP.2021.19
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API-misuse detectors have been proposed to address this issue - including CogniCrypt, one of the most versatile of such detectors and that uses a language (CrySL) to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations/guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries (including JCA/JCE, Bouncy Castle, and Google Tink). The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language (named MetaCrySL), which builds on meta-programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2021 |
| Autor(en): | Bonifacio, Rodrigo ; Narasimhan, Krishna ; Bodden, Eric ; Mezini, Mira ; Krüger, Stefan |
| Art des Eintrags: | Bibliographie |
| Titel: | Dealing with Variability in API Misuse Specification |
| Sprache: | Englisch |
| Publikationsjahr: | 6 Juli 2021 |
| Verlag: | Leibniz-Zentrum für Informatik |
| Buchtitel: | European Conference on Object-Oriented Programming (ECOOP 2021) |
| Reihe: | Leibniz International Proceedings in Informatics |
| Band einer Reihe: | 194 |
| Veranstaltungstitel: | 35th European Conference on Object-Oriented Programming |
| Veranstaltungsort: | virtual Conference |
| Veranstaltungsdatum: | 11.07.2021-17.07.2021 |
| DOI: | 10.4230/LIPIcs.ECOOP.2021.19 |
| URL / URN: | https://drops.dagstuhl.de/opus/portals/lipics/index.php?semn... |
| Kurzbeschreibung (Abstract): | APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API-misuse detectors have been proposed to address this issue - including CogniCrypt, one of the most versatile of such detectors and that uses a language (CrySL) to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations/guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries (including JCA/JCE, Bouncy Castle, and Google Tink). The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language (named MetaCrySL), which builds on meta-programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs. |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Softwaretechnik DFG-Sonderforschungsbereiche (inkl. Transregio) DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche > SFB 1119: CROSSING – Kryptographiebasierte Sicherheitslösungen als Grundlage für Vertrauen in heutigen und zukünftigen IT-Systemen |
| TU-Projekte: | DFG|SFB1119|E1SFB1119 Mezini |
| Hinterlegungsdatum: | 05 Okt 2021 06:39 |
| Letzte Änderung: | 05 Mär 2024 15:34 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum