Authors:
(1) Amit Seal Ami, Computer Science Department, William & Mary Williamsburg, Virginia, USA, and this author contributed equally to this paper (aami@wm.edu);
(2) Syed Yusuf Ahmed, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1013@iit.du.ac.bd);
(3) Radowan Mahmud Redoy, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1002@iit.du.ac.bd);
(4) Nathan Cooper, Computer Science Department, William & Mary Williamsburg, Virginia, USA (nacooper01@wm.edu);
(5) Kaushal Kafle, Computer Science Department, William & Mary Williamsburg, Virginia, USA (kkafle@wm.edu);
(6) Kevin Moran, Department of Computer Science, University of Central Florida Orlando, Florida, USA (kpmoran@ucf.edu);
(7) Denys Poshyvanyk, Computer Science Department, William & Mary Williamsburg, Virginia, USA (denys@cs.wm.edu);
(8) Adwait Nadkarni, Computer Science Department, William & Mary Williamsburg, Virginia, USA (apnadkarni@wm.edu). Table of Links Abstract and 1 Introduction 2 Overview of MASC 3 Design Goals 4 Implementation of MASC 4.1 Mutation Operators 4.2 Mutation Scopes 5 Using MASC 6 Future Work and Conclusion, Acknowledgments, and References 6 FUTURE WORK AND CONCLUSION We discussed the overview, design goals, implementation details and usage of MASC, a user-friendly tool for mutation-based evaluation of static crypto-API misuse detectors. While we do not report any additional crypto-detector evaluation in this demonstration paper, evaluation results of the original implementation of MASC are available in the original paper [3]. We plan to evaluate additional crypto-detectors with the current implementation of MASC, and aim to extend the customization support to the additional scopes, i.e., exhaustive scope and similarity scope. We hope that the current implementation of MASC will help crypto-detector stakeholders, i.e., security researchers, developers and users, to systematically evaluate crypto-detectors. Furthermore, we envision that that opensource enthusiasts will augment the mutation operators of MASC further, empowered by its easy to extend architecture, thus helping improve crypto-detectors by finding novel flaws. ACKNOWLEDGMENTS This work is supported in part by NSF-1815336, NSF-1815186, NSF1955853 grants and Coastal Virginia Center for Cyber Innovation and the Commonwealth Cyber Initiative, an investment in the advancement of cyber R&D, innovation, and workforce development. For more information about COVA CCI and CCI, visit www.covacci.org and www.cyberinitiative.org. REFERENCES [1] Secure Platforms Lab 2022. MASC Artifact. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC-Artifact [2] Secure Platforms Lab 2023. MASC. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC [3] Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni. 2022. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. In 2022 IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, San Francisco, CA, USA, 397–414. https://doi.org/10.1109/SP46214.2022.9833582 [4] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Demo: Mutation-based Evaluation of Security-focused Static Analysis Tools for Android. In Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering (ICSE’21), Formal Tool Demonstration, Virtual (originally Madrid, Spain), May 25th - 28th, 2021. [5] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Systematic Mutation-Based Evaluation of the Soundness of SecurityFocused Android Static Analysis Techniques. ACM Transactions on Privacy and Security 24, 3 (Feb. 2021), 15:1–15:37. https://doi.org/10.1145/3439802 [6] Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Commun. ACM 53, 2 (Feb. 2010), 66–75. https://doi.org/10.1145/1646353.1646374 [7] Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1263–1280. https://www.usenix.org/conference/usenixsecurity18/presentation/bonett [8] CogniCrypt. 2020. CogniCrypt - Secure Integration of Cryptographic Software | CogniCrypt. https://www.eclipse.org/cognicrypt/ Accessed June, 2020. [9] CryptoGuard. 2020. Oracle - Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases. https://labs.oracle.com/pls/apex/f?p=94065: 40150:0::::P40150_PUBLICATION_ID:6629 Accessed July, 2020. [10] GitHub. 2020. Announcing third-party code scanning tools: static analysis & developer security training - The GitHub Blog. https://github.blog/2020-10-05- announcing-third-party-code-scanning-tools-static-analysis-and-developersecurity-training/ Accessed Nov, 2020. [11] "Java". 2020. Java Cryptography Architecture (JCA) Reference Guide. https: //docs.oracle.com/en/java/javase/11/security/java-cryptography-architecturejca-reference-guide.html#GUID-815542FE-CF3D-407A-9673-CAE9840F6231 [12] lgtm. 2020. LGTM - Continuous Security Analysis. https://lgtm.com/ Accessed Nov, 2020. [13] Mario Linares-Vásquez, Gabriele Bavota, Michele Tufano, Kevin Moran, Massimiliano Di Penta, Christopher Vendome, Carlos Bernal-Cárdenas, and Denys Poshyvanyk. 2017. Enabling Mutation Testing for Android Apps. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017). Association for Computing Machinery, New York, NY, USA, 233–244. https://doi.org/10.1145/3106237.3106275 [14] Kevin Moran, Michele Tufano, Carlos Bernal-Cárdenas, Mario Linares-Vásquez, Gabriele Bavota, Christopher Vendome, Massimiliano Di Penta, and Denys Poshyvanyk. 2018. MDroid+: A Mutation Testing Framework for Android. Proceedings of the 40th International Conference on Software Engineering Companion Proceeedings - ICSE ’18 (2018), 33–36. https://doi.org/10.1145/3183440.3183492 [15] OASIS. 2021. The Static Analysis Results Interchange Format (SARIF). https: //sarifweb.azurewebsites.net/ Accessed Jul, 2021. [16] owasp. 2020. Test Cases for Risky or Broken Cryptographic Algorithm Erroneously Labeled as Not Vulnerable · Issue #92 · OWASP/Benchmark. https: //github.com/OWASP/Benchmark/issues/92 Accessed Nov, 2020. [17] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng (Daphne) Yao. 2019. CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS ’19. ACM Press, London, United Kingdom, 2455–2472. https://doi.org/10.1145/3319535.3345659 [18] Xanitizer. 2020. Xanitizer by RIGS IT - Because Security Matters. https: //www.rigs-it.com/xanitizer/ Accessed May, 2020. This paper is available on arxiv under CC BY-NC-SA 4.0 DEED license. Authors: (1) Amit Seal Ami, Computer Science Department, William & Mary Williamsburg, Virginia, USA, and this author contributed equally to this paper (aami@wm.edu); (2) Syed Yusuf Ahmed, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1013@iit.du.ac.bd); (3) Radowan Mahmud Redoy, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1002@iit.du.ac.bd); (4) Nathan Cooper, Computer Science Department, William & Mary Williamsburg, Virginia, USA (nacooper01@wm.edu); (5) Kaushal Kafle, Computer Science Department, William & Mary Williamsburg, Virginia, USA (kkafle@wm.edu); (6) Kevin Moran, Department of Computer Science, University of Central Florida Orlando, Florida, USA (kpmoran@ucf.edu); (7) Denys Poshyvanyk, Computer Science Department, William & Mary Williamsburg, Virginia, USA (denys@cs.wm.edu); (8) Adwait Nadkarni, Computer Science Department, William & Mary Williamsburg, Virginia, USA (apnadkarni@wm.edu). Authors: Authors: (1) Amit Seal Ami, Computer Science Department, William & Mary Williamsburg, Virginia, USA, and this author contributed equally to this paper (aami@wm.edu); (2) Syed Yusuf Ahmed, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1013@iit.du.ac.bd); (3) Radowan Mahmud Redoy, Institute for Information Technology, University of Dhaka Dhaka, Bangladesh, and this author contributed equally to this paper (bsse1002@iit.du.ac.bd); (4) Nathan Cooper, Computer Science Department, William & Mary Williamsburg, Virginia, USA (nacooper01@wm.edu); (5) Kaushal Kafle, Computer Science Department, William & Mary Williamsburg, Virginia, USA (kkafle@wm.edu); (6) Kevin Moran, Department of Computer Science, University of Central Florida Orlando, Florida, USA (kpmoran@ucf.edu); (7) Denys Poshyvanyk, Computer Science Department, William & Mary Williamsburg, Virginia, USA (denys@cs.wm.edu); (8) Adwait Nadkarni, Computer Science Department, William & Mary Williamsburg, Virginia, USA (apnadkarni@wm.edu). Table of Links Abstract and 1 Introduction Abstract and 1 Introduction 2 Overview of MASC 2 Overview of MASC 3 Design Goals 3 Design Goals 4 Implementation of MASC 4 Implementation of MASC 4.1 Mutation Operators 4.1 Mutation Operators 4.2 Mutation Scopes 4.2 Mutation Scopes 5 Using MASC 5 Using MASC 6 Future Work and Conclusion, Acknowledgments, and References 6 Future Work and Conclusion, Acknowledgments, and References 6 FUTURE WORK AND CONCLUSION We discussed the overview, design goals, implementation details and usage of MASC, a user-friendly tool for mutation-based evaluation of static crypto-API misuse detectors. While we do not report any additional crypto-detector evaluation in this demonstration paper, evaluation results of the original implementation of MASC are available in the original paper [3]. We plan to evaluate additional crypto-detectors with the current implementation of MASC, and aim to extend the customization support to the additional scopes, i.e., exhaustive scope and similarity scope. We hope that the current implementation of MASC will help crypto-detector stakeholders, i.e., security researchers, developers and users, to systematically evaluate crypto-detectors. Furthermore, we envision that that opensource enthusiasts will augment the mutation operators of MASC further, empowered by its easy to extend architecture, thus helping improve crypto-detectors by finding novel flaws. ACKNOWLEDGMENTS This work is supported in part by NSF-1815336, NSF-1815186, NSF1955853 grants and Coastal Virginia Center for Cyber Innovation and the Commonwealth Cyber Initiative, an investment in the advancement of cyber R&D, innovation, and workforce development. For more information about COVA CCI and CCI, visit www.covacci.org and www.cyberinitiative.org. REFERENCES [1] Secure Platforms Lab 2022. MASC Artifact. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC-Artifact [2] Secure Platforms Lab 2023. MASC. Secure Platforms Lab. Retrieved May, 2023 from https://github.com/Secure-Platforms-Lab-W-M/MASC [3] Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni. 2022. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. In 2022 IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, San Francisco, CA, USA, 397–414. https://doi.org/10.1109/SP46214.2022.9833582 [4] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Demo: Mutation-based Evaluation of Security-focused Static Analysis Tools for Android. In Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering (ICSE’21), Formal Tool Demonstration, Virtual (originally Madrid, Spain), May 25th - 28th, 2021. [5] Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2021. Systematic Mutation-Based Evaluation of the Soundness of SecurityFocused Android Static Analysis Techniques. ACM Transactions on Privacy and Security 24, 3 (Feb. 2021), 15:1–15:37. https://doi.org/10.1145/3439802 [6] Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Commun. ACM 53, 2 (Feb. 2010), 66–75. https://doi.org/10.1145/1646353.1646374 [7] Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1263–1280. https://www.usenix.org/conference/usenixsecurity18/presentation/bonett [8] CogniCrypt. 2020. CogniCrypt - Secure Integration of Cryptographic Software | CogniCrypt. https://www.eclipse.org/cognicrypt/ Accessed June, 2020. [9] CryptoGuard. 2020. Oracle - Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases. https://labs.oracle.com/pls/apex/f?p=94065: 40150:0::::P40150_PUBLICATION_ID:6629 Accessed July, 2020. [10] GitHub. 2020. Announcing third-party code scanning tools: static analysis & developer security training - The GitHub Blog. https://github.blog/2020-10-05- announcing-third-party-code-scanning-tools-static-analysis-and-developersecurity-training/ Accessed Nov, 2020. [11] "Java". 2020. Java Cryptography Architecture (JCA) Reference Guide. https: //docs.oracle.com/en/java/javase/11/security/java-cryptography-architecturejca-reference-guide.html#GUID-815542FE-CF3D-407A-9673-CAE9840F6231 [12] lgtm. 2020. LGTM - Continuous Security Analysis. https://lgtm.com/ Accessed Nov, 2020. [13] Mario Linares-Vásquez, Gabriele Bavota, Michele Tufano, Kevin Moran, Massimiliano Di Penta, Christopher Vendome, Carlos Bernal-Cárdenas, and Denys Poshyvanyk. 2017. Enabling Mutation Testing for Android Apps. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017). Association for Computing Machinery, New York, NY, USA, 233–244. https://doi.org/10.1145/3106237.3106275 [14] Kevin Moran, Michele Tufano, Carlos Bernal-Cárdenas, Mario Linares-Vásquez, Gabriele Bavota, Christopher Vendome, Massimiliano Di Penta, and Denys Poshyvanyk. 2018. MDroid+: A Mutation Testing Framework for Android. Proceedings of the 40th International Conference on Software Engineering Companion Proceeedings - ICSE ’18 (2018), 33–36. https://doi.org/10.1145/3183440.3183492 [15] OASIS. 2021. The Static Analysis Results Interchange Format (SARIF). https: //sarifweb.azurewebsites.net/ Accessed Jul, 2021. [16] owasp. 2020. Test Cases for Risky or Broken Cryptographic Algorithm Erroneously Labeled as Not Vulnerable · Issue #92 · OWASP/Benchmark. https: //github.com/OWASP/Benchmark/issues/92 Accessed Nov, 2020. [17] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng (Daphne) Yao. 2019. CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS ’19. ACM Press, London, United Kingdom, 2455–2472. https://doi.org/10.1145/3319535.3345659 [18] Xanitizer. 2020. Xanitizer by RIGS IT - Because Security Matters. https: //www.rigs-it.com/xanitizer/ Accessed May, 2020. This paper is available on arxiv under CC BY-NC-SA 4.0 DEED license. This paper is available on arxiv under CC BY-NC-SA 4.0 DEED license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

The Road Ahead for MASC: Expanding Crypto-API Misuse Detection

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Comprehensive Comparison of Tools for Fitting Mutational Signatures

Crypto APIs' Role within Blockchain as a Service (BaaS)

How to Import Crypto APIs into Excel

The 5 Best Cryptocurrency Data APIs in 2022

Top 5 Crypto APIs for Developers

The #crypto-api Writing Contest by CoinGecko and HackerNoon

A Comprehensive Comparison of Tools for Fitting Mutational Signatures

Crypto APIs' Role within Blockchain as a Service (BaaS)

How to Import Crypto APIs into Excel

The 5 Best Cryptocurrency Data APIs in 2022

Top 5 Crypto APIs for Developers

The #crypto-api Writing Contest by CoinGecko and HackerNoon

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps