SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions

Sazzadur Rahaman, Miles Frantz, Barton Miller, Danfeng (Daphne) Yao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

High-level language platforms provide APIs to aid developers in easily integrating security-relevant features into their code. Prior research shows that improper use of these APIs is a major source of insecurity in various application domains. Automatic code screening holds great potential to enable secure coding. However, building domain-specific security analysis tools requires both application-domain and program-analysis expertise. Interestingly, most prior work on domain-specific security analysis tools leverages some form of data flow analysis at its core. We leverage this insight to build a specification language named SpanL [1] for domain-specific security screening. The expressiveness analysis shows that any rule requiring a composition of dataflow analyses can be modeled in our language. Our evaluation on four cryptographic API misuse problems shows that our prototype implementation of SpanL does not introduce any imprecision due to the expressiveness of the language.

[1] SpanL stands for Security sPecificAtioN Language.

Original language: English (US)
Title of host publication: Applied Cryptography and Network Security Workshops - ACNS 2023 Satellite Workshops, ADSC, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings
Editors: Jianying Zhou, Lejla Batina, Stjepan Picek, Zengpeng Li, Jingqiang Lin, Eleonora Losiouk, Suryadipta Majumdar, Daisuke Mashima, Weizhi Meng, Mohammad Ashiqur Rahman, Jun Shao, Masaki Shimaoka, Ezekiel Soremekun, Chunhua Su, Je Sen Teh, Aleksei Udovenko, Cong Wang, Leo Zhang, Yury Zhauniarovich
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 515-529
Number of pages: 15
ISBN (Print): 9783031411809
DOIs:
State: Published - 2023
Event: 21st International Conference on Applied Cryptography and Network Security, ACNS 2023 - Kyoto, Japan
Duration: Jun 19 2023 to Jun 22 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13907 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 21st International Conference on Applied Cryptography and Network Security, ACNS 2023
Country/Territory: Japan
City: Kyoto
Period: 6/19/23 to 6/22/23

Keywords

  • API Misuse
  • Program Analysis
  • Specification Language

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
