Abstract
High-level language platforms provide APIs to help developers integrate security-relevant features into their code. Prior research shows that improper use of these APIs is a major source of insecurity across application domains. Automatic code screening holds much potential for enabling secure coding. However, building domain-specific security analysis tools requires both application-domain and program-analysis expertise. Interestingly, most prior work on domain-specific security analysis tools relies on some form of data flow analysis at its core. We leverage this insight to build a specification language named SpanL (Security sPecificAtioN Language) for domain-specific security screening. The expressiveness analysis shows that any rule requiring a composition of dataflow analyses can be modeled in our language. Our evaluation on four cryptographic API misuse problems shows that our prototype implementation of SpanL introduces no imprecision due to the expressiveness of the language.
Notes
1. JCA, JCE, and JSSE stand for Java Cryptography Architecture, Java Cryptography Extension, and Java Secure Socket Extension, respectively.
Acknowledgements
This work has been supported in part by the National Science Foundation under Grant No. CNS-1929701.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Rahaman, S., Frantz, M., Miller, B., Yao, D. (2023). SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions. In: Zhou, J., et al. (eds.) Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol. 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_28
DOI: https://doi.org/10.1007/978-3-031-41181-6_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6
eBook Packages: Computer Science, Computer Science (R0)