Authors:
(1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland;
(2) Oscar Nierstrasz, University of Bern, Bern, Switzerland;
(3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand. Table of Links Abstract and I. Introduction
II. Methodology
III. Results and Discussion
IV. Threats to Validity
V. Related Work
VI. Conclusions
VII. Acknowledgments and References VII. ACKNOWLEDGMENTS We gratefully acknowledge the financial support of the Swiss National Science Foundation for the project “Agile Software Assistance” (SNSF project No. 200020-181973, Feb. 1, 2019 - April 30, 2022). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper. REFERENCES [1] M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz, “The impact of developer experience in using Java cryptography,” in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). IEEE, 2019, pp. 1–6. [2] S. Rahaman, Y. Xiao, S. Afrose, F. Shaon, K. Tian, M. Frantz, M. Kantarcioglu, and D. Yao, “Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 2455–2472. [3] M. Green and M. Smith, “Developers are not the enemy!: The need for usable security APIs,” IEEE Security & Privacy, vol. 14, no. 5, pp. 40–46, 2016. [4] M. Hazhirpasand, O. Nierstrasz, M. Shabani, and M. Ghafari, “Hurdles for developers in cryptography,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021. [5] D. Lazar, H. Chen, X. Wang, and N. Zeldovich, “Why does cryptographic software fail? a case study and open problems,” in Proceedings of 5th Asia-Pacific Workshop on Systems, 2014, pp. 1–7. [6] N. Patnaik, J. Hallett, and A. Rashid, “Usability smells: An analysis of developers’ struggle with crypto libraries,” in Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019), 2019, pp. 245–257. [7] K. Cairns, H. Halpin, and G. Steel, “Security analysis of the W3C web cryptography api,” in International Conference on Research in Security Standardisation. Springer, 2016, pp. 112–140. [8] Y. Yarom, D. Genkin, and N. Heninger, “Cachebleed: a timing attack on OpenSSL constant-time RSA,” Journal of Cryptographic Engineering, vol. 7, no. 2, pp. 99–112, 2017. [9] J. Somorovsky, “Systematic fuzzing and testing of TLS libraries,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1492–1504. [10] V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative research in psychology, vol. 3, no. 2, pp. 77–101, 2006. [11] S. Lewis, “Qualitative inquiry and research design: Choosing among five approaches,” Health promotion practice, vol. 16, no. 4, pp. 473– 475, 2015. [12] J. Cohen, “A coefficient of agreement for nominal scales,” Educational and psychological measurement, vol. 20, no. 1, pp. 37–46, 1960. [13] S. Kafader and M. Ghafari, “Fluentcrypto: Cryptography in easy mode,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021. [14] C. Parnin, C. Treude, L. Grammel, and M.-A. Storey, “Crowd documentation: Exploring the coverage and the dynamics of API discussions on stack overflow,” Georgia Institute of Technology, Tech. Rep, vol. 11, 2012. [15] D. Hou and L. Li, “Obstacles in using frameworks and APIs: An exploratory study of programmers’ newsgroup discussions,” in 2011 IEEE 19th International Conference on Program Comprehension. IEEE, 2011, pp. 91–100. [16] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Java cryptography uses in the wild,” in Proceedings of the 14th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 2020, pp. 1–6. [17] M. Hazhirpasand, O. Nierstrasz, and M. Ghafari, “Worrisome patterns in developers: A survey in cryptography,” in Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering Workshops, 2021. This paper is available on arxiv under CC BY 4.0 DEED license. Authors: (1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland; (2) Oscar Nierstrasz, University of Bern, Bern, Switzerland; (3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand. Authors: Authors: (1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland; (2) Oscar Nierstrasz, University of Bern, Bern, Switzerland; (3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand. Table of Links Abstract and I. Introduction II. Methodology III. Results and Discussion IV. Threats to Validity V. Related Work VI. Conclusions VII. Acknowledgments and References Abstract and I. Introduction Abstract and I. Introduction II. Methodology II. Methodology III. Results and Discussion III. Results and Discussion IV. Threats to Validity IV. Threats to Validity V. Related Work V. Related Work VI. Conclusions VI. Conclusions VII. Acknowledgments and References VII. Acknowledgments and References VII. ACKNOWLEDGMENTS We gratefully acknowledge the financial support of the Swiss National Science Foundation for the project “Agile Software Assistance” (SNSF project No. 200020-181973, Feb. 1, 2019 - April 30, 2022). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper. REFERENCES [1] M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz, “The impact of developer experience in using Java cryptography,” in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). IEEE, 2019, pp. 1–6. [2] S. Rahaman, Y. Xiao, S. Afrose, F. Shaon, K. Tian, M. Frantz, M. Kantarcioglu, and D. Yao, “Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 2455–2472. [3] M. Green and M. Smith, “Developers are not the enemy!: The need for usable security APIs,” IEEE Security & Privacy, vol. 14, no. 5, pp. 40–46, 2016. [4] M. Hazhirpasand, O. Nierstrasz, M. Shabani, and M. Ghafari, “Hurdles for developers in cryptography,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021. [5] D. Lazar, H. Chen, X. Wang, and N. Zeldovich, “Why does cryptographic software fail? a case study and open problems,” in Proceedings of 5th Asia-Pacific Workshop on Systems, 2014, pp. 1–7. [6] N. Patnaik, J. Hallett, and A. Rashid, “Usability smells: An analysis of developers’ struggle with crypto libraries,” in Fifteenth Symposium on Usable Privacy and Security ({SOUPS} 2019), 2019, pp. 245–257. [7] K. Cairns, H. Halpin, and G. Steel, “Security analysis of the W3C web cryptography api,” in International Conference on Research in Security Standardisation. Springer, 2016, pp. 112–140. [8] Y. Yarom, D. Genkin, and N. Heninger, “Cachebleed: a timing attack on OpenSSL constant-time RSA,” Journal of Cryptographic Engineering, vol. 7, no. 2, pp. 99–112, 2017. [9] J. Somorovsky, “Systematic fuzzing and testing of TLS libraries,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1492–1504. [10] V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative research in psychology, vol. 3, no. 2, pp. 77–101, 2006. [11] S. Lewis, “Qualitative inquiry and research design: Choosing among five approaches,” Health promotion practice, vol. 16, no. 4, pp. 473– 475, 2015. [12] J. Cohen, “A coefficient of agreement for nominal scales,” Educational and psychological measurement, vol. 20, no. 1, pp. 37–46, 1960. [13] S. Kafader and M. Ghafari, “Fluentcrypto: Cryptography in easy mode,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021. [14] C. Parnin, C. Treude, L. Grammel, and M.-A. Storey, “Crowd documentation: Exploring the coverage and the dynamics of API discussions on stack overflow,” Georgia Institute of Technology, Tech. Rep, vol. 11, 2012. [15] D. Hou and L. Li, “Obstacles in using frameworks and APIs: An exploratory study of programmers’ newsgroup discussions,” in 2011 IEEE 19th International Conference on Program Comprehension. IEEE, 2011, pp. 91–100. [16] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Java cryptography uses in the wild,” in Proceedings of the 14th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 2020, pp. 1–6. [17] M. Hazhirpasand, O. Nierstrasz, and M. Ghafari, “Worrisome patterns in developers: A survey in cryptography,” in Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering Workshops, 2021. This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

Dazed and Confused: What’s Wrong with Crypto
Libraries? — Results and Discussion

Dazed and Confused: What’s Wrong with Crypto
Libraries? — Conclusions

Read My Stories

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Dazed and Confused: What’s Wrong with Crypto Libraries? — Acknowledgments and References

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Dazed and Confused: What’s Wrong with Crypto Libraries? — Abstract and Introduction

Dazed and Confused: What’s Wrong with Crypto Libraries? — Related Work

Dazed and Confused: What’s Wrong with Crypto Libraries? — Methodology

Dazed and Confused: What’s Wrong with Crypto Libraries? — Conclusions

Dazed and Confused: What’s Wrong with Crypto Libraries? — Results and Discussion

Dazed and Confused: What’s Wrong with Crypto Libraries? — Abstract and Introduction

Dazed and Confused: What’s Wrong with Crypto Libraries? — Related Work

Dazed and Confused: What’s Wrong with Crypto Libraries? — Methodology

Dazed and Confused: What’s Wrong with Crypto Libraries? — Conclusions

Dazed and Confused: What’s Wrong with Crypto Libraries? — Results and Discussion

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps