TY - JOUR
T1 - Evaluation of Static Vulnerability Detection Tools With Java Cryptographic API Benchmarks
AU - Afrose, Sharmin
AU - Xiao, Ya
AU - Rahaman, Sazzadur
AU - Miller, Barton P.
AU - Yao, Danfeng
N1 - Publisher Copyright:
© 1976-2012 IEEE.
PY - 2023/2/1
Y1 - 2023/2/1
N2 - Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. To compare their accuracy and security guarantees, we develop two comprehensive benchmarks named CryptoAPI-Bench and ApacheCryptoAPI-Bench. CryptoAPI-Bench consists of 181 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false-positive rates. The ApacheCryptoAPI-Bench consists of 121 cryptographic cases from 10 Apache projects. We evaluate four tools, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks. We present their performance and comparative analysis. The ApacheCryptoAPI-Bench also examines the scalability of the tools. Our benchmarks are useful for advancing state-of-the-art solutions in the space of misuse detection.
AB - Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. To compare their accuracy and security guarantees, we develop two comprehensive benchmarks named CryptoAPI-Bench and ApacheCryptoAPI-Bench. CryptoAPI-Bench consists of 181 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false-positive rates. The ApacheCryptoAPI-Bench consists of 121 cryptographic cases from 10 Apache projects. We evaluate four tools, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks. We present their performance and comparative analysis. The ApacheCryptoAPI-Bench also examines the scalability of the tools. Our benchmarks are useful for advancing state-of-the-art solutions in the space of misuse detection.
KW - Cryptographic API misuses
KW - Java
KW - benchmark
UR - http://www.scopus.com/inward/record.url?scp=85125299643&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85125299643&partnerID=8YFLogxK
U2 - 10.1109/TSE.2022.3154717
DO - 10.1109/TSE.2022.3154717
M3 - Article
AN - SCOPUS:85125299643
SN - 0098-5589
VL - 49
SP - 485
EP - 497
JO - IEEE Transactions on Software Engineering
JF - IEEE Transactions on Software Engineering
IS - 2
ER -