Scrutinizing and Appraising the Usages of Cryptographic API

Abstract

Developing and maintaining an appropriate series of safety regulations that balance the abuse of cryptographic APIs is a daunting task as cryptographic APIs are continually changing with new primeval and cryptographic settings, rendering current versions balanced. We are proposing a new approach to eliminating security patches from thousands of code changes in order to resolve this challenge. Our approach involves (i) detecting program modifications that sometimes cause security fixes, (ii) an abstraction that filters trivial code changes (such as refactoring), and (iii) a cluster analysis that recognizes similarities between semantine program modifications and helps to obtain safety laws. We used our approach to the Java Crypto API and demonstrated that it is effective: (i) effectively filter changes in non-modification code (more than 99% of all changes) without removing them from our abstraction, and (ii) over 80 percent of code changes are security fixes that define security rules. We have established 13 rules, including new ones, based on our findings, that are not supported by existing security checks. CCS COCEPTS: Security and privacy → Systems security; Cryptanalysis and other attacks; Software security engineering;