CROSSING Research Seminar: FUM – A Framework for API Usage constraint and Misuse Classification

2022/05/05 13:00-14:00

Speaker: Michael Schlichtig, Heinz Nixdorf Institut, Universität Paderborn | Location: online

Abstract

Application Programming Interfaces (APIs) are the primary mechanism developers use to access third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially when the APIs provide security-critical functionality such as cryptography.

Understanding what API misuses are, and why they occur, is important for preventing them, e.g., with API misuse detectors. However, the definitions and terminology for API misuses and related terms in the literature vary widely. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM — a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses, and assist in deriving mitigations and improvements. More generally, FUM appears to aid the development and improvement of misuse detection tools.


Speaker Bio

Michael Schlichtig studied computer science at the University of Paderborn, with a semester abroad at the University of Oklahoma, and graduated with a Master of Science in 2018. Following his studies, Mr. Schlichtig first started a PhD position in Computer Education Research and then moved to the Secure Software Engineering department under the supervision of Prof. Dr. Eric Bodden at the Heinz Nixdorf Institute in 2019. In his PhD work, Mr. Schlichtig focuses on the usability of static program analysis.

Since 2020, Mr. Schlichtig has been a member of the Collaborative Research Center 1119 CROSSING at TU Darmstadt. Within the CRC, Mr. Schlichtig works on the secure integration of cryptographic code in subproject E1 and supervises the development of the static analysis tool CogniCrypt for the detection of misuses of cryptographic APIs.
