Authors:
(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de);
(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de);
(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de);
(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Table of Links Abstract and 1 Introduction 2 Background 3 Design and Implementation of Licma and 3.1 Design 3.2 Implementation 4 Methodology and 4.1 Searching and Downloading Python Apps 4.2 Comparison with Previous Studies 5 Evaluation and 5.1 GitHub Python Projects 5.2 MicroPython 6 Comparison with previous studies 7 Threats to Validity 8 Related Work 9 Conclusion, Acknowledgments, and References 4.2 Comparison with Previous Studies To understand the differences between crypto misuses for §1 to §6, cf. Table 1, in Python and previous studies in Java, with the analysis CryptoLint, [4] and C/C++, with the analysis CryptoREX, [13], we compared the reported results. As we concentrated on the same rule set, we only need a few adjustments to compare the results. First, for our meta-analysis we exclude §6 since the 5 analyzed Python modules avoid this misuse by design. Second, we merge the results for §1 of Egele et al. [4] as they split their result into two different cases: The explicit use of the block mode ECB on one side and the implicit use of this block mode due to the API design on the other. Third, due to the design of our analysis, we only consider definite findings. CryptoLint and CryptoREX do not distinguish between potential misuses and definite ones. Fourth, to enable a fair comparison, we compare only percentages rather than absolute numbers, as we are interested in the general distribution and the influence of API design on crypto misuses. We choose to compare the studies on the percentage of applications using crypto and having at least one misuse of a respective rule as introduced by Egele et al. [4]. Unfortunately, Zhang et al. [13] only reports details for the successfully unpacked firmware images before filtering for crypto usages. This paper is available on arxiv under CC BY 4.0 DEED license. Authors: (1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de); (2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de); (3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de); (4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Authors: Authors: (1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de); (2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de); (3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de); (4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Table of Links Abstract and 1 Introduction Abstract and 1 Introduction 2 Background 2 Background 3 Design and Implementation of Licma and 3.1 Design 3 Design and Implementation of Licma and 3.1 Design 3.2 Implementation 3.2 Implementation 4 Methodology and 4.1 Searching and Downloading Python Apps 4 Methodology and 4.1 Searching and Downloading Python Apps 4.2 Comparison with Previous Studies 4.2 Comparison with Previous Studies 5 Evaluation and 5.1 GitHub Python Projects 5 Evaluation and 5.1 GitHub Python Projects 5.2 MicroPython 5.2 MicroPython 6 Comparison with previous studies 6 Comparison with previous studies 7 Threats to Validity 7 Threats to Validity 8 Related Work 8 Related Work 9 Conclusion, Acknowledgments, and References 9 Conclusion, Acknowledgments, and References 4.2 Comparison with Previous Studies To understand the differences between crypto misuses for §1 to §6, cf. Table 1, in Python and previous studies in Java, with the analysis CryptoLint, [4] and C/C++, with the analysis CryptoREX, [13], we compared the reported results. As we concentrated on the same rule set, we only need a few adjustments to compare the results. First, for our meta-analysis we exclude §6 since the 5 analyzed Python modules avoid this misuse by design. Second, we merge the results for §1 of Egele et al. [4] as they split their result into two different cases: The explicit use of the block mode ECB on one side and the implicit use of this block mode due to the API design on the other. Third, due to the design of our analysis, we only consider definite findings. CryptoLint and CryptoREX do not distinguish between potential misuses and definite ones. Fourth, to enable a fair comparison, we compare only percentages rather than absolute numbers, as we are interested in the general distribution and the influence of API design on crypto misuses. We choose to compare the studies on the percentage of applications using crypto and having at least one misuse of a respective rule as introduced by Egele et al. [4]. Unfortunately, Zhang et al. [13] only reports details for the successfully unpacked firmware images before filtering for crypto usages. This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

Understanding Crypto API Misuse Patterns: A Comparative Study of Python, Java, and C/C++ Results

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

A Comparative Analysis of Crypto API Misuses Across Programming Languages

A Review of API Design Patterns: The Pros and Cons

The Role Of Affordance In Software Design

An API-First Approach For Designing Restful APIs

API Choice Overload

A Comparative Analysis of Crypto API Misuses Across Programming Languages

A Review of API Design Patterns: The Pros and Cons

The Role Of Affordance In Software Design

An API-First Approach For Designing Restful APIs

API Choice Overload

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps