Cryptographic APIs (Crypto APIs) provide the foundations for the development of secure applications. Unfortunately, most applications do not use Crypto APIs securely and end up being insecure, e.g., by the usage of an outdated algorithm, a constant initialization vector, or an inappropriate hashing algorithm. Two different studies have recently shown that 88% to 95% of those applications using Crypto APIs are insecure due to misuses. To facilitate further research on these kinds of misuses, a set of real-world misuses is useful.
In this talk, we present our dataset of parametric cryptographic misues found in real-world Java applications along with a classification of those misuses. In our dataset, each misuse consists of the corresponding open-source project, the project’s build information, a description of the misuse, and the misuse’s location. Further, we show how we integrated our dataset in MUBench, a benchmark for API misuse detection. We will show and discuss how one can use this benchmark to evaluate the precision and recall of detection tools, as a foundation for studies related to Crypto API misuses, or as a training set..
Anna-Katharina is a Ph.D. candidate in Prof. Mira Mezini's group „Software Technology“ and part of project E1. Her current research focuses on the security of applications and tools to support developers in using APIs in a correct (and secure) way.