TU Darmstadt / ULB / TUbiblio

Dealing with Variability in API Misuse Specification

Bonifacio, Rodrigo ; Narasimhan, Krishna ; Bodden, Eric ; Mezini, Mira ; Krüger, Stefan (2021)
Dealing with Variability in API Misuse Specification.
35th European Conference on Object-Oriented Programming. virtual Conference (11.-17.07.2021)
doi: 10.4230/LIPIcs.ECOOP.2021.19
Conference or Workshop Item, Bibliographie

Abstract

APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API-misuse detectors have been proposed to address this issue - including CogniCrypt, one of the most versatile of such detectors and that uses a language (CrySL) to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations/guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries (including JCA/JCE, Bouncy Castle, and Google Tink). The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language (named MetaCrySL), which builds on meta-programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs.

Item Type: Conference or Workshop Item
Erschienen: 2021
Creators: Bonifacio, Rodrigo ; Narasimhan, Krishna ; Bodden, Eric ; Mezini, Mira ; Krüger, Stefan
Type of entry: Bibliographie
Title: Dealing with Variability in API Misuse Specification
Language: English
Date: 6 July 2021
Publisher: Leibniz-Zentrum für Informatik
Book Title: European Conference on Object-Oriented Programming (ECOOP 2021)
Series: Leibniz International Proceedings in Informatics
Series Volume: 194
Event Title: 35th European Conference on Object-Oriented Programming
Event Location: virtual Conference
Event Dates: 11.-17.07.2021
DOI: 10.4230/LIPIcs.ECOOP.2021.19
URL / URN: https://drops.dagstuhl.de/opus/portals/lipics/index.php?semn...
Abstract:

APIs are the primary mechanism for developers to gain access to externally defined services and tools. However, previous research has revealed API misuses that violate the contract of APIs to be prevalent. Such misuses can have harmful consequences, especially in the context of cryptographic libraries. Various API-misuse detectors have been proposed to address this issue - including CogniCrypt, one of the most versatile of such detectors and that uses a language (CrySL) to specify cryptographic API usage contracts. Nonetheless, existing approaches to detect API misuse had not been designed for systematic reuse, ignoring the fact that different versions of a library, different versions of a platform, and different recommendations/guidelines might introduce variability in the correct usage of an API. Yet, little is known about how such variability impacts the specification of the correct API usage. This paper investigates this question by analyzing the impact of various sources of variability on widely used Java cryptographic libraries (including JCA/JCE, Bouncy Castle, and Google Tink). The results of our investigation show that sources of variability like new versions of the API and security standards significantly impact the specifications. We then use the insights gained from our investigation to motivate an extension to the CrySL language (named MetaCrySL), which builds on meta-programming concepts. We evaluate MetaCrySL by specifying usage rules for a family of Android versions and illustrate that MetaCrySL can model all forms of variability we identified and drastically reduce the size of a family of specifications for the correct usage of cryptographic APIs.

Divisions: 20 Department of Computer Science
20 Department of Computer Science > Software Technology
DFG-Collaborative Research Centres (incl. Transregio)
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
TU-Projects: DFG|SFB1119|E1SFB1119 Mezini
Date Deposited: 05 Oct 2021 06:39
Last Modified: 05 Mar 2024 15:34
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details