Inferring crypto API rules from code changes

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation Pub Date : 2018-06-11 DOI:10.1145/3192366.3192403

Rumen Paletov, Petar Tsankov, Veselin Raychev, Martin T. Vechev

{"title":"Inferring crypto API rules from code changes","authors":"Rumen Paletov, Petar Tsankov, Veselin Raychev, Martin T. Vechev","doi":"10.1145/3192366.3192403","DOIUrl":null,"url":null,"abstract":"Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete. To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules. We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.","PeriodicalId":20583,"journal":{"name":"Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2018-06-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"38","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3192366.3192403","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 38

Abstract

Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete. To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules. We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.

查看原文本刊更多论文

从代码更改推断加密API规则

创建和维护一组最新的安全规则来匹配加密api的滥用是具有挑战性的，因为加密api随着时间的推移不断发展，出现了新的加密原语和设置，使现有的加密原语和设置过时。为了应对这一挑战，我们提出了一种从数千个代码更改中提取安全修复的新方法。我们的方法包括:(i)识别代码更改，通常捕获安全修复;(ii)过滤不相关代码更改(如重构)的抽象;(iii)揭示语义代码更改之间的共性并帮助引出安全规则的聚类分析。我们将我们的方法应用于Java Crypto API，并证明了它是有效的:(i)我们的抽象有效地过滤了非语义代码更改(超过99%的更改)，而不会删除安全修复;(ii)超过80%的代码更改是识别安全规则的安全修复。根据我们的结果，我们确定了13条规则，包括现有安全检查器不支持的新规则。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格