CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses

Sharmin Afrose; Sazzadur Rahaman; Danfeng Daphne Yao

doi:10.1109/SecDev.2019.00017

CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses

Sharmin Afrose, Sazzadur Rahaman, Danfeng Daphne Yao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Scopus citations

Abstract

Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. In order to compare their accuracy and security guarantees, we develop a comprehensive benchmark named CryptoAPI-Bench. CryptoAPI-Bench consists of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false positive rates. We evaluate CryptoAPI-Bench on four tools, namely, SpotBugs, CryptoGuard, CrySL, and Coverity and present their performance and comparative analysis. Our benchmark is useful for advancing state-of-the-art solutions in the space of misuse detection.

Original language	English (US)
Title of host publication	Proceedings - 2019 IEEE Secure Development, SecDev 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	49-61
Number of pages	13
ISBN (Electronic)	9781538672891
DOIs	https://doi.org/10.1109/SecDev.2019.00017
State	Published - Sep 2019
Externally published	Yes
Event	2019 IEEE Secure Development, SecDev 2019 - McLean, United States Duration: Sep 25 2019 → Sep 27 2019

Publication series

Name	Proceedings - 2019 IEEE Secure Development, SecDev 2019

Conference

Conference	2019 IEEE Secure Development, SecDev 2019
Country/Territory	United States
City	McLean
Period	9/25/19 → 9/27/19

Keywords

Accuracy
Benchmark
Cryptographic API misuses

ASJC Scopus subject areas

Computer Networks and Communications
Software
Safety, Risk, Reliability and Quality

Access to Document

10.1109/SecDev.2019.00017

Cite this

CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses. / Afrose, Sharmin; Rahaman, Sazzadur; Yao, Danfeng Daphne.
Proceedings - 2019 IEEE Secure Development, SecDev 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 49-61 8901573 (Proceedings - 2019 IEEE Secure Development, SecDev 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Afrose, S, Rahaman, S & Yao, DD 2019, CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses. in Proceedings - 2019 IEEE Secure Development, SecDev 2019., 8901573, Proceedings - 2019 IEEE Secure Development, SecDev 2019, Institute of Electrical and Electronics Engineers Inc., pp. 49-61, 2019 IEEE Secure Development, SecDev 2019, McLean, United States, 9/25/19. https://doi.org/10.1109/SecDev.2019.00017

@inproceedings{d2f1e26bf37541febc77adc94f1152e2,

title = "CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses",

abstract = "Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. In order to compare their accuracy and security guarantees, we develop a comprehensive benchmark named CryptoAPI-Bench. CryptoAPI-Bench consists of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false positive rates. We evaluate CryptoAPI-Bench on four tools, namely, SpotBugs, CryptoGuard, CrySL, and Coverity and present their performance and comparative analysis. Our benchmark is useful for advancing state-of-the-art solutions in the space of misuse detection.",

keywords = "Accuracy, Benchmark, Cryptographic API misuses",

author = "Sharmin Afrose and Sazzadur Rahaman and Yao, {Danfeng Daphne}",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.; 2019 IEEE Secure Development, SecDev 2019 ; Conference date: 25-09-2019 Through 27-09-2019",

year = "2019",

month = sep,

doi = "10.1109/SecDev.2019.00017",

language = "English (US)",

series = "Proceedings - 2019 IEEE Secure Development, SecDev 2019",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "49--61",

booktitle = "Proceedings - 2019 IEEE Secure Development, SecDev 2019",

}

TY - GEN

T1 - CryptoAPI-bench

T2 - 2019 IEEE Secure Development, SecDev 2019

AU - Afrose, Sharmin

AU - Rahaman, Sazzadur

AU - Yao, Danfeng Daphne

PY - 2019/9

Y1 - 2019/9

N2 - Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. In order to compare their accuracy and security guarantees, we develop a comprehensive benchmark named CryptoAPI-Bench. CryptoAPI-Bench consists of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false positive rates. We evaluate CryptoAPI-Bench on four tools, namely, SpotBugs, CryptoGuard, CrySL, and Coverity and present their performance and comparative analysis. Our benchmark is useful for advancing state-of-the-art solutions in the space of misuse detection.

AB - Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. In order to compare their accuracy and security guarantees, we develop a comprehensive benchmark named CryptoAPI-Bench. CryptoAPI-Bench consists of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false positive rates. We evaluate CryptoAPI-Bench on four tools, namely, SpotBugs, CryptoGuard, CrySL, and Coverity and present their performance and comparative analysis. Our benchmark is useful for advancing state-of-the-art solutions in the space of misuse detection.

KW - Accuracy

KW - Benchmark

KW - Cryptographic API misuses

UR - http://www.scopus.com/inward/record.url?scp=85075792580&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85075792580&partnerID=8YFLogxK

U2 - 10.1109/SecDev.2019.00017

DO - 10.1109/SecDev.2019.00017

M3 - Conference contribution

AN - SCOPUS:85075792580

T3 - Proceedings - 2019 IEEE Secure Development, SecDev 2019

SP - 49

EP - 61

BT - Proceedings - 2019 IEEE Secure Development, SecDev 2019

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 25 September 2019 through 27 September 2019

ER -

CryptoAPI-bench: A comprehensive benchmark on java cryptographic API misuses

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this