The Road Ahead for MASC: Expanding Crypto-API Misuse Detection

by @mutation


Too Long; Didn't Read

MASC will expand by evaluating more crypto-detectors and enhancing customization, aiming to assist researchers, developers, and open-source enthusiasts in improving crypto-API misuse detection and security.

Authors:

(1) Amit Seal Ami, Computer Science Department, William & Mary, Williamsburg, Virginia, USA, and this author contributed equally to this paper;

(2) Syed Yusuf Ahmed, Institute for Information Technology, University of Dhaka, Dhaka, Bangladesh, and this author contributed equally to this paper;

(3) Radowan Mahmud Redoy, Institute for Information Technology, University of Dhaka, Dhaka, Bangladesh, and this author contributed equally to this paper;

(4) Nathan Cooper, Computer Science Department, William & Mary, Williamsburg, Virginia, USA;

(5) Kaushal Kafle, Computer Science Department, William & Mary, Williamsburg, Virginia, USA;

(6) Kevin Moran, Department of Computer Science, University of Central Florida, Orlando, Florida, USA;

(7) Denys Poshyvanyk, Computer Science Department, William & Mary, Williamsburg, Virginia, USA;

(8) Adwait Nadkarni, Computer Science Department, William & Mary, Williamsburg, Virginia, USA.

Abstract and 1 Introduction

2 Overview of MASC

3 Design Goals

4 Implementation of MASC

4.1 Mutation Operators

4.2 Mutation Scopes

5 Using MASC

6 Future Work and Conclusion, Acknowledgments, and References

6 FUTURE WORK AND CONCLUSION

We discussed the overview, design goals, implementation details, and usage of MASC, a user-friendly tool for mutation-based evaluation of static crypto-API misuse detectors. While we do not report any additional crypto-detector evaluation in this demonstration paper, evaluation results of the original implementation of MASC are available in the original paper [3]. We plan to evaluate additional crypto-detectors with the current implementation of MASC, and aim to extend the customization support to the additional scopes, i.e., exhaustive scope and similarity scope. We hope that the current implementation of MASC will help crypto-detector stakeholders, i.e., security researchers, developers, and users, to systematically evaluate crypto-detectors. Furthermore, we envision that open-source enthusiasts will augment the mutation operators of MASC further, empowered by its easy-to-extend architecture, thus helping improve crypto-detectors by finding novel flaws.

ACKNOWLEDGMENTS

This work is supported in part by NSF-1815336, NSF-1815186, NSF-1955853 grants and Coastal Virginia Center for Cyber Innovation and the Commonwealth Cyber Initiative, an investment in the advancement of cyber R&D, innovation, and workforce development. For more information about COVA CCI and CCI, visit www.covacci.org and www.cyberinitiative.org.

REFERENCES

[1] Secure Platforms Lab 2022. MASC Artifact. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC-Artifact


[2] Secure Platforms Lab 2023. MASC. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC


[3] Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni. 2022. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. In 2022 IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, San Francisco, CA, USA, 397–414. https://doi.org/10.1109/SP46214.2022.9833582


[4] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Demo: Mutation-based Evaluation of Security-focused Static Analysis Tools for Android. In Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering (ICSE’21), Formal Tool Demonstration, Virtual (originally Madrid, Spain), May 25th - 28th, 2021.


[5] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques. ACM Transactions on Privacy and Security 24, 3 (Feb. 2021), 15:1–15:37. https://doi.org/10.1145/3439802


[6] Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Commun. ACM 53, 2 (Feb. 2010), 66–75. https://doi.org/10.1145/1646353.1646374


[7] Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1263–1280. https://www.usenix.org/conference/usenixsecurity18/presentation/bonett


[8] CogniCrypt. 2020. CogniCrypt - Secure Integration of Cryptographic Software | CogniCrypt. https://www.eclipse.org/cognicrypt/ Accessed June, 2020.


[9] CryptoGuard. 2020. Oracle - Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases. https://labs.oracle.com/pls/apex/f?p=94065:40150:0::::P40150_PUBLICATION_ID:6629 Accessed July, 2020.


[10] GitHub. 2020. Announcing third-party code scanning tools: static analysis & developer security training - The GitHub Blog. https://github.blog/2020-10-05-announcing-third-party-code-scanning-tools-static-analysis-and-developer-security-training/ Accessed Nov, 2020.


[11] "Java". 2020. Java Cryptography Architecture (JCA) Reference Guide. https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-815542FE-CF3D-407A-9673-CAE9840F6231


[12] lgtm. 2020. LGTM - Continuous Security Analysis. https://lgtm.com/ Accessed Nov, 2020.


[13] Mario Linares-Vásquez, Gabriele Bavota, Michele Tufano, Kevin Moran, Massimiliano Di Penta, Christopher Vendome, Carlos Bernal-Cárdenas, and Denys Poshyvanyk. 2017. Enabling Mutation Testing for Android Apps. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017). Association for Computing Machinery, New York, NY, USA, 233–244. https://doi.org/10.1145/3106237.3106275


[14] Kevin Moran, Michele Tufano, Carlos Bernal-Cárdenas, Mario Linares-Vásquez, Gabriele Bavota, Christopher Vendome, Massimiliano Di Penta, and Denys Poshyvanyk. 2018. MDroid+: A Mutation Testing Framework for Android. Proceedings of the 40th International Conference on Software Engineering Companion Proceedings - ICSE ’18 (2018), 33–36. https://doi.org/10.1145/3183440.3183492


[15] OASIS. 2021. The Static Analysis Results Interchange Format (SARIF). https://sarifweb.azurewebsites.net/ Accessed Jul, 2021.


[16] owasp. 2020. Test Cases for Risky or Broken Cryptographic Algorithm Erroneously Labeled as Not Vulnerable · Issue #92 · OWASP/Benchmark. https://github.com/OWASP/Benchmark/issues/92 Accessed Nov, 2020.


[17] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng (Daphne) Yao. 2019. CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS ’19. ACM Press, London, United Kingdom, 2455–2472. https://doi.org/10.1145/3319535.3345659


[18] Xanitizer. 2020. Xanitizer by RIGS IT - Because Security Matters. https://www.rigs-it.com/xanitizer/ Accessed May, 2020.


This paper is available on arXiv under the CC BY-NC-SA 4.0 DEED license.