FUM - A Framework for API Usage constraint and Misuse Classification

Schlichtig, Michael ; Sassalla, Steffen ; Narasimhan, Krishna ; Bodden, Eric (2022)
FUM - A Framework for API Usage constraint and Misuse Classification.
29th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). virtual Conference (15.03.2022 - 18.03.2022)
doi: 10.1109/SANER53432.2022.00085
Conference publication, Bibliography

Abstract

Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionality such as cryptography. Understanding what API misuses are, and for what reasons they occur, is important to prevent them, e.g., with API misuse detectors. However, the definitions and names used for API misuses and related terms vary widely across the literature. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses, and assist in deriving mitigations and improvements. More generally, it appears that FUM can also aid the development and improvement of misuse detection tools.

Entry type: Conference publication
Published: 2022
Author(s): Schlichtig, Michael ; Sassalla, Steffen ; Narasimhan, Krishna ; Bodden, Eric
Entry kind: Bibliography
Title: FUM - A Framework for API Usage constraint and Misuse Classification
Language: English
Publication date: 21 July 2022
Publisher: IEEE
Book title: Proceedings: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering: SANER 2022
Event title: 29th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
Event location: virtual conference
Event date: 15.03.2022 - 18.03.2022
DOI: 10.1109/SANER53432.2022.00085
URL / URN: https://ieeexplore.ieee.org/abstract/document/9825763
Free keywords: E1
Department(s)/field(s): 20 Department of Computer Science
20 Department of Computer Science > Software Engineering
DFG Collaborative Research Centres (incl. Transregio)
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
DFG Research Training Groups
DFG Research Training Groups > Research Training Group 2050 Privacy and Trust for Mobile Users
20 Department of Computer Science > EC SPRIDE
20 Department of Computer Science > EC SPRIDE > Secure Software Engineering
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > SFB 1119: CROSSING – Cryptography-Based Security Solutions as a Basis for Trust in Today's and Future IT Systems
Date deposited: 25 Oct 2024 13:22
Last modified: 25 Oct 2024 13:22