SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions

  • Conference paper
  • In: Applied Cryptography and Network Security Workshops (ACNS 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13907)

Abstract

High-level language platforms provide APIs to help developers integrate security-relevant features into their code. Prior research shows that improper use of these APIs is a major source of insecurity across application domains. Automatic code screening has considerable potential to enable secure coding, but building a domain-specific security analysis tool requires both application-domain and program-analysis expertise. Interestingly, most prior domain-specific security analysis tools rely on some form of dataflow analysis at their core. We leverage this insight to build a specification language, SpanL (Security sPecificAtioN Language), for domain-specific security screening. Our expressiveness analysis shows that any rule requiring a composition of dataflow analyses can be modeled in the language. Our evaluation on four cryptographic API misuse problems shows that our prototype implementation of SpanL introduces no imprecision attributable to the expressiveness of the language.
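The abstract's central claim is that a domain-specific misuse rule can be written as a composition of dataflow analyses rather than as a hand-built analyzer. The Python block below is an added illustration of that idea; it is not code from the paper, and it does not reproduce SpanL syntax (which this page does not show). It encodes two classic Java crypto-API misuses, a hardcoded key reaching `SecretKeySpec` and an ECB or DES transformation reaching `Cipher.getInstance`, as a sink matcher composed with a backward def-use slice composed with a predicate on the slice's sources. The toy three-address IR, the `Rule` encoding, the two sample "method bodies" and the choice of sinks are all assumptions made for this example.

```python
# Added illustration: an API-misuse rule as a composition of dataflow analyses.
# The toy IR, the rule encoding and the sample programs are assumptions made for
# this example; none of it is SpanL syntax or the authors' implementation.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

@dataclass(frozen=True)
class Const:            # a literal
    value: object
@dataclass(frozen=True)
class Var:              # a read of a local variable
    name: str
@dataclass(frozen=True)
class Call:             # invocation; the receiver, if any, is args[0]
    target: str         # fully-qualified callee
    args: List[Union[Const, Var]]

Expr = Union[Const, Var, Call]
@dataclass(frozen=True)
class Stmt:             # straight-line three-address statement: dst = expr
    dst: str
    expr: Expr

def sources_of(prog: List[Stmt], use_idx: int, var: str) -> Set[Tuple[str, int]]:
    """Analysis 1, backward def-use slice: (kind, stmt index) of every constant or call
    result that may reach `var` at `use_idx`. Copies are followed transitively; every
    variable argument of a call is assumed to influence its result (over-approximation)."""
    sources: Set[Tuple[str, int]] = set()
    worklist = [(use_idx, var)]
    while worklist:                                 # terminates: indices strictly decrease
        idx, v = worklist.pop()
        for j in range(idx - 1, -1, -1):            # nearest earlier definition of v
            s = prog[j]
            if s.dst != v:
                continue
            if isinstance(s.expr, Const):
                sources.add(("const", j))
            elif isinstance(s.expr, Var):
                worklist.append((j, s.expr.name))
            else:
                sources.add(("call", j))
                worklist.extend((j, a.name) for a in s.expr.args if isinstance(a, Var))
            break
    return sources

@dataclass(frozen=True)
class Rule:
    name: str
    sink: str                               # callee with a security-sensitive argument
    arg_index: int                          # position of that argument
    bad_source: Callable[[Expr], bool]      # predicate over expressions reaching it

def run_rule(prog: List[Stmt], rule: Rule) -> List[Tuple[int, int]]:
    """Analysis 2 composed with analysis 1: match sink call sites, slice the sensitive
    argument backwards, apply the predicate. Findings: (sink idx, offending source idx)."""
    findings = []
    for i, s in enumerate(prog):
        e = s.expr
        if not (isinstance(e, Call) and e.target == rule.sink and rule.arg_index < len(e.args)):
            continue
        arg = e.args[rule.arg_index]
        if isinstance(arg, Const):                  # literal passed directly at the sink
            findings += [(i, i)] if rule.bad_source(arg) else []
            continue
        for _, j in sorted(sources_of(prog, i, arg.name)):
            if rule.bad_source(prog[j].expr):
                findings.append((i, j))
    return findings

def weak_transformation(e: Expr) -> bool:
    # ECB mode, a DES-family algorithm, or a bare block-cipher name (SunJCE resolves "AES" with no mode to ECB)
    if not (isinstance(e, Const) and isinstance(e.value, str)):
        return False
    parts = e.value.upper().split("/")
    return ((len(parts) > 1 and parts[1] == "ECB") or parts[0] in ("DES", "DESEDE")
            or (len(parts) == 1 and parts[0] == "AES"))

RULES = [
    Rule("hardcoded-key", "javax.crypto.spec.SecretKeySpec.<init>", 0,
         lambda e: isinstance(e, Const)),           # any literal reaching key material
    Rule("weak-cipher-transformation", "javax.crypto.Cipher.getInstance", 0, weak_transformation),
]

def analyze(prog: List[Stmt]) -> Dict[str, List[Tuple[int, int]]]:
    return {r.name: run_rule(prog, r) for r in RULES}

# Constructed sample method bodies (assumed Java, hand-translated to the toy IR).
VULNERABLE = [
    Stmt("k", Const("0123456789abcdef")),                                                   # 0 key literal
    Stmt("kb", Call("java.lang.String.getBytes", [Var("k")])),                              # 1
    Stmt("ks", Call("javax.crypto.spec.SecretKeySpec.<init>", [Var("kb"), Const("AES")])),  # 2 sink
    Stmt("t", Const("AES/ECB/PKCS5Padding")),                                               # 3 ECB
    Stmt("c", Call("javax.crypto.Cipher.getInstance", [Var("t")])),                         # 4 sink
]
FIXED = [
    Stmt("kg", Call("javax.crypto.KeyGenerator.getInstance", [Const("AES")])),
    Stmt("key", Call("javax.crypto.KeyGenerator.generateKey", [Var("kg")])),  # no literal reaches the key
    Stmt("t", Const("AES/GCM/NoPadding")),
    Stmt("c", Call("javax.crypto.Cipher.getInstance", [Var("t")])),
]
```

`analyze(VULNERABLE)` reports the `SecretKeySpec` call at statement 2 fed by the literal at statement 0 (through `getBytes`) and the `Cipher.getInstance` call at statement 4 fed by the ECB transformation at statement 3; `analyze(FIXED)` reports nothing, because the key comes from a `KeyGenerator` call rather than a literal. Two limits of the toy matter for a practitioner: it is intraprocedural and straight-line, so branches or loops would require a proper fixpoint over a control-flow graph, and it has no field, heap or string-building model, so it treats every call argument as propagating to the result and will raise false positives whenever a literal merely passes near a sink (for example a constant used only as a salt length). Those refinements are exactly the parts a real tool spends its effort on; the composition structure stays the same.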


Acknowledgements

This work has been supported in part by the National Science Foundation under Grant No. CNS-1929701.

Author information

Corresponding author: Sazzadur Rahaman.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Rahaman, S., Frantz, M., Miller, B., Yao, D. (2023). SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_28

  • DOI: https://doi.org/10.1007/978-3-031-41181-6_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-41180-9

  • Online ISBN: 978-3-031-41181-6

  • eBook Packages: Computer Science (R0)
