
MASC's Three Mutation Scopes for Comprehensive Crypto-API Misuse Analysis


Too Long; Didn't Read

MASC uses three mutation scopes—Main, Similarity, and Exhaustive—to place crypto-API misuse cases in target applications, improving the reachability and evaluation of crypto-detectors.

Authors:

(1) Amit Seal Ami, Computer Science Department, William & Mary, Williamsburg, Virginia, USA, and this author contributed equally to this paper ([email protected]);

(2) Syed Yusuf Ahmed, Institute for Information Technology, University of Dhaka, Dhaka, Bangladesh, and this author contributed equally to this paper ([email protected]);

(3) Radowan Mahmud Redoy, Institute for Information Technology, University of Dhaka, Dhaka, Bangladesh, and this author contributed equally to this paper ([email protected]);

(4) Nathan Cooper, Computer Science Department, William & Mary, Williamsburg, Virginia, USA ([email protected]);

(5) Kaushal Kafle, Computer Science Department, William & Mary, Williamsburg, Virginia, USA ([email protected]);

(6) Kevin Moran, Department of Computer Science, University of Central Florida, Orlando, Florida, USA ([email protected]);

(7) Denys Poshyvanyk, Computer Science Department, William & Mary, Williamsburg, Virginia, USA ([email protected]);

(8) Adwait Nadkarni, Computer Science Department, William & Mary, Williamsburg, Virginia, USA ([email protected]).

Abstract and 1 Introduction

2 Overview of MASC

3 Design Goals

4 Implementation of MASC

4.1 Mutation Operators

4.2 Mutation Scopes

5 Using MASC

6 Future Work and Conclusion, Acknowledgments, and References

4.2 Mutation Scopes

To emulate the placement of vulnerable crypto-API misuse by both benign and evasive developers, we designed three mutation scopes to be used with MASC:

• Main Scope is the simplest scope: it seeds mutants at the beginning of the main method of a simple Java or Android template app, ensuring reachability.

• Similarity Scope, which extends MDroid+ [13, 14], seeds mutants in the source code of an input application wherever a similar crypto-API is found. Note that it does not modify the existing crypto-API; it only appends the mutant misuse case.

• Exhaustive Scope, which extends 𝜇SE [4, 5, 7], seeds mutants at all syntactically possible locations in the target app, such as class definitions, conditional segments, method bodies and anonymous inner class object declarations. This helps evaluate the reachability of the target crypto-detector.
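As an added illustration (not MASC's own code), the toy seeder below places a constructed hard-coded-key mutant according to the three scopes, using line matching in place of MASC's real Java/Android instrumentation; the sample app, the mutant expression and the helper names are all assumptions made for this example.

```python
import re

# Constructed misuse expression used as the mutant (assumption: a hard-coded
# key is what the crypto-detector under test is expected to flag).
MUTANT_EXPR = 'new javax.crypto.spec.SecretKeySpec("hardcoded-key-16".getBytes(), "AES")'

def _stmt(line: str, k: int, expr: str, extra_indent: int) -> str:
    """Build an indented 'Object seeded_k = <expr>;' line. The same form is a
    local variable inside a block and a field inside a class body, so it is
    legal Java at every location the scopes below use."""
    indent = ' ' * (len(line) - len(line.lstrip()) + extra_indent)
    return f'{indent}Object seeded_{k} = {expr};'

def main_scope(src: str, expr: str = MUTANT_EXPR) -> str:
    """Main Scope: one mutant as the first statement of main(), so it is
    reachable whenever the template app runs."""
    lines = src.splitlines()
    for i, line in enumerate(lines):
        if re.search(r'static\s+void\s+main\s*\(', line):
            return '\n'.join(lines[:i + 1] + [_stmt(line, 0, expr, 4)] + lines[i + 1:])
    raise ValueError('no main method in template')

def similarity_scope(src: str, api: str = 'SecretKeySpec', expr: str = MUTANT_EXPR) -> str:
    """Similarity Scope: append a mutant after every line that already uses a
    similar crypto API; the existing call itself is left untouched."""
    out, k = [], 0
    for line in src.splitlines():
        out.append(line)
        if api in line:
            out.append(_stmt(line, k, expr, 0))
            k += 1
    return '\n'.join(out)

def exhaustive_scope(src: str, expr: str = MUTANT_EXPR) -> list[str]:
    """Exhaustive Scope: one mutant per syntactically possible location, here
    approximated as every line that opens a block (class body, method body,
    conditional, anonymous inner class). Each location yields its own mutated
    program so reachability can be judged per mutant."""
    lines = src.splitlines()
    return ['\n'.join(lines[:i + 1] + [_stmt(line, i, expr, 4)] + lines[i + 1:])
            for i, line in enumerate(lines) if line.rstrip().endswith('{')]

# Constructed input app: a class body, main(), a conditional, a pre-existing
# crypto-API use and an anonymous inner class, one of each placement kind.
SAMPLE_APP = """\
public class App {
    public static void main(String[] args) {
        if (args.length > 0) {
            byte[] key = args[0].getBytes();
            Object k = new javax.crypto.spec.SecretKeySpec(key, "AES");
        }
        Runnable r = new Runnable() {
            public void run() { }
        };
    }
}"""
```

Running the three functions over SAMPLE_APP gives one Main-scope mutant at the top of main(), one Similarity-scope mutant after the existing SecretKeySpec line, and four Exhaustive-scope programs, one per block-opening line.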


This paper is available on arxiv under CC BY-NC-SA 4.0 DEED license.